On Wed, 8 May 1996, Peter da Silva wrote:
> > > If your bastion host has klaxon, or something similar, on every port
> > > from 1 to 1000 it's unlikely that your attacker would be able to do
> > > anything useful with the information he gets from his scan, no?
> > I do not agree. First off, by using a connection monitor you allow an
> > attacker to scan your entire network for vulnerable machines without any fear
> > of being noticed.
> No, he can't. He can only scan the bastion host and other systems in the
> DMZ, all of which have all ports returning a SYN/ACK to his SYN. So what
> he'll get back is "YES" for every port on every machine, which tells him
> nothing he can use.
> Like the bloke in the story, he'll come to the forest with his wagon, and
> see a yellow ribbon around the trunk of every tree. He knows no more about
> the location of any pot of gold than if he'd never searched in the first
I see I have made an error. You are quite correct if the machine is
a bastion host. As there is little else to scan on the network, you have
essentially "tied ribbons on all of the trees". A good idea. However,
I would probably only lay klaxon on popular ports, whether they are active or
not, to pass along misleading information.
Jeff Thompson (jwthomp @
edu) Argus Systems Group
http://www.uiuc.edu/ph/www/jwthomp - Trusted Network Kernel Developer
ACM at UIUC Vice Chair / SigNET Chair Member *The Guild
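The scheme argued over in this thread (every port on the bastion host completes the TCP handshake, and each connection is logged), as an added illustration that is not from the thread or from the klaxon program itself: a minimal klaxon-style listener on loopback, plus a connect probe showing that it answers "yes" on every port while the log records who asked. Port numbers are allocated at run time rather than assumed; Python 3.8+ is assumed for socket.create_server.

```python
import socket
import threading
import time

# Constructed stand-in for a syslog sink (list.append is atomic under the GIL).
EVENTS = []

def free_ports(n, host="127.0.0.1"):
    """Reserve n distinct unused TCP ports (demo convenience only)."""
    socks = [socket.create_server((host, 0)) for _ in range(n)]
    ports = [s.getsockname()[1] for s in socks]
    for s in socks:
        s.close()
    return ports

def _serve(sock, port, stop):
    # Finish the handshake so the port looks open, log the peer, close: no banner.
    sock.settimeout(0.1)
    while not stop.is_set():
        try:
            conn, (src, sport) = sock.accept()
        except socket.timeout:
            continue
        EVENTS.append({"t": time.time(), "src": src, "sport": sport, "dport": port})
        conn.close()
    sock.close()

def start_klaxon(ports, host="127.0.0.1"):
    """Listen on every port in `ports`; returns an Event that stops all listeners."""
    stop = threading.Event()
    for port in ports:
        sock = socket.create_server((host, port), backlog=16)
        threading.Thread(target=_serve, args=(sock, port, stop), daemon=True).start()
    return stop

def connect_probe(host, ports, timeout=0.5):
    """What a plain TCP connect probe sees: every port that completes a handshake."""
    answered = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                answered.append(port)
    return answered

def logged_events(expected, timeout=2.0):
    """Wait (bounded) until `expected` attempts are logged, then return the log."""
    deadline = time.monotonic() + timeout
    while len(EVENTS) < expected and time.monotonic() < deadline:
        time.sleep(0.02)
    return list(EVENTS)
```

Against the listener every probed port reports open, so the probe result carries no information, while EVENTS holds the source address and the ports it touched.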