On Thu, 10 Apr 2003 waltdnes@xxxxxxxxxxxx wrote:

> I'm sure everyone here has seen lots of SYN packets in their logs,
> trying to connect to various ports they shouldn't be talking to. I
> don't run any public servers, and I use passive ftp, so I simply block
> all connection attempts. The general procedure is to drop the packet
> and ignore it. What would be the effect of sending back a SYN-ACK
> packet (and anything else necessary?) to fake the setting up of a
> connection... and then dropping the packet and ignoring it?
>
> Would an infected machine scanning the net eventually run into
> resource limits and DoS itself? I'm sure that professional crackers
> can work around this, but if we can make things a bit more painful for
> skiddies and automatic worms, then let's do it.
>
> Can such trickery be pulled off with a current bog-standard iptables,
> or does someone need to write a new "target"?

This is sort of similar to the NAPTHA program I wrote a couple of years ago to demonstrate a resource DoS attack.

http://razor.bindview.com/publish/advisories/adv_NAPTHA.html
http://packetstormsecurity.org/0101-exploits/naptha-1.1.tgz

(I have a more recent version if anyone cares.)

The program could easily be run with command line options to accomplish exactly what you are proposing. However, it is also fairly easy to defeat this sort of attack by not keeping state. I have written a port scanner that does exactly that; it is very fast and effective.

An interesting attack might be to hang all IDENT queries sent back by an IDS that tries to find out who is scanning them.