-----Original Message----- From: Marc Samendinger [mailto:marc.samendinger@sp-online.de] Sent: 09 January 2004 13:50
-----Original Message----- From: Tom Knight [mailto:thomas.knight@ahds.ac.uk] Sent: Friday, January 09, 2004 1:52 PM
Trying to ftp to (say): 196.30.15.82 I get a "connection refused" immediately. Oh ho, a machine is there, what else can I try?
In this case it doesn't matter if you DROP or REJECT the packet (except the connection timeout vs the connection refusal).
If there's no response you know there's a firewall in place; otherwise another (properly configured) host would have sent an ICMP host/network unreachable. Your machine is not invisible just because you DROP IP connections.
True, but if you're in control of a network, and everyone's equally "hidden", then it makes it a little harder for an attacker to find a real machine. After all, it's rare for all the IP addresses on your class B to be used...
If the attacker tries port 1 against 196.30.15.1, port 2 against 196.30.15.2 etc, he'll find your machine and attack. This is one of the port scans I've seen in use against my old work.
If you drop everything (except for externally available ports), then there's a good chance the attacker won't try (say) port 21 against 196.30.15.82, and so won't see that that machine exists.
What prevents the attacker from starting multiple scans at once?
Nothing at all. Sometimes a scan is for all ports on one IP address, or for one port on all IP addresses, sometimes it's the method I described. It seems to depend on the tool the attacker's using.
Dropping packets is actually a line of defense, and you really should use it.
Again, there are different opinions about this topic; everyone should decide on his own whether DROP or REJECT is his choice.
I guess I'll read up some more on this. I'd always been told (and it seemed reasonable to me) that dropping's a good idea. Thanks for helping open my mind! Tom.
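A ruleset showing the two choices the thread argues about, written for iptables-restore; this is an added example, not from either participant, and the allowed ports, the rate limit and the log prefix are assumptions.

```iptables
# Added example (not from the thread). Allowed ports and log prefix are assumptions.
*filter
# Variant A: silent. Anything not explicitly accepted falls through to the
# chain policy DROP, so a remote probe sees only a timeout.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Keep loopback and already-established sessions working.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Externally available services (assumed: SSH and HTTPS).
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Log what is about to be dropped or rejected, rate limited, so a scan of
# the kind described in the thread shows up in the logs either way.
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "fw-unsolicited: "
# Variant B: explicit. Uncomment these two rules to answer like an unfiltered
# host would: TCP probes get a RST ("connection refused" at the client),
# everything else gets ICMP port unreachable.
#-A INPUT -p tcp -j REJECT --reject-with tcp-reset
#-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
```

With both REJECT rules commented out, Variant A is in effect; with them uncommented, no packet reaches the DROP policy and Variant B is in effect.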