Now that is a truly interesting question, if a bit off-topic. What is the best way to handle recon? Is it best to comply and hope your network looks uninteresting? Is it best to try and make scanning as costly as possible (aka tarpitting)? Is it best to make everything appear open, thereby polluting the results of the scans?

Personally, I go for a mix of the latter two. I'd like to make recon take absolutely forever AND return false information. Particularly randomly false information - to make the prospect of rescanning unpalatable.

One downside is, I wind up making my network more 'interesting' than my neighbors. I'm not quite sure if it is worth the extra interest...

Bob

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Antony Stone
Sent: Thursday, December 11, 2003 9:44 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: mangle + TCP Flags

On Thursday 11 December 2003 3:32 pm, Jean-Marie Orset wrote:

> > Well, you could just:
> >
> > -p tcp -j REJECT --reject-with tcp-reset (uses tcp rst)
> > -p udp -j REJECT (uses icmp port-unreach)
> >
> > That makes nmap say: ports closed.
>
> Yes, that's what I should do, but my idea was to answer false SYN,ACK
> even if the ports are closed. In that way a scan would declare all my ports
> open but in reality, they would be closed.

Why is that better for security?

Antony.

--
G- GIT/E d- s+:--(-) a+ C++++$ UL++++$ P+(---)>++ L+++(++++)$ !E W(-) N(-) o? w-- O !M V+++(--) !PS !PE Y+ PGP+> t- tv@ b+++ DI++ D--- e++>+++ h++ r@? 5? !X- !R K--?

Please reply to the list; please don't CC me.
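As an added example, not from anyone in this thread, the two REJECT rules Antony quoted written out as a complete, minimal INPUT policy: allowed ports are accepted, every other closed TCP port answers with a RST and every other closed UDP port with ICMP port-unreachable, which is what makes nmap report "closed" instead of "filtered". ALLOWED_TCP, ALLOWED_UDP and DRY_RUN are assumed names chosen for this script; with DRY_RUN=1 the rules are printed rather than applied, so no root is needed to inspect them.

```shell
#!/bin/sh
# Added example (not from the thread): minimal iptables INPUT policy that
# answers closed TCP ports with RST and closed UDP ports with ICMP
# port-unreachable, as in the quoted REJECT rules.
# ALLOWED_TCP / ALLOWED_UDP are assumed placeholders; DRY_RUN=1 prints
# the commands instead of executing them.

ALLOWED_TCP="${ALLOWED_TCP:-22 443}"
ALLOWED_UDP="${ALLOWED_UDP:-}"

# Wrapper: print the iptables command in dry-run mode, otherwise run it.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_reject_policy() {
    ipt -P INPUT DROP                      # default for anything not matched
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $ALLOWED_TCP; do
        ipt -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $ALLOWED_UDP; do
        ipt -A INPUT -p udp --dport "$p" -j ACCEPT
    done
    # Remaining TCP: send a RST, so a SYN scan reports "closed".
    ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    # Remaining UDP: ICMP port-unreachable (REJECT's default), also "closed".
    ipt -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
}

# Number of rules the policy emits, useful for a quick sanity check.
policy_rule_count() {
    DRY_RUN=1 build_reject_policy | wc -l | tr -d ' '
}

# Usage: sh reject-policy.sh show   (print rules)
#        sh reject-policy.sh apply  (apply, needs root)
case "${1:-}" in
    apply) build_reject_policy ;;
    show)  DRY_RUN=1 build_reject_policy ;;
esac
```

Note that REJECT, unlike DROP, confirms to the scanner that a host is there; that is the trade-off Bob's message is weighing between looking closed, looking filtered, and looking deliberately noisy.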