[rescue] A perverse thought (SGI security division)

Sheldon T. Hall shel at cmhcsys.com
Thu Mar 11 15:35:39 CST 2004

 Caleb Shay suggests ...

> How about this:
> 1. Unauthorized connection logged
> 2. SGI tells firewall to add a tarpit on all ports for offending IP
> 3. Script kiddie now gets uncloseable sockets when they try to ssh in
> 4. Potentially they get uncloseable sockets during the portscan
> depending on how fast the rules get updated. The portscan never
> finishes AND it likely forces them to reboot to free up the sockets
> Advantages:
> No fiddling with stopping/restarting sshd/inetd and keeping valid
> users from connecting.
> Handles the case where somebody runs an IP/portscan all night and then
> tries to connect to anything interesting it found in the morning.  You
> never need to remove the tarpit rules.
> Script kiddie's scanner now hangs the next time they scan your machine

Yeah, I like that even better!

I just have to get a better firewall than a "DSL router" to implement that
sort of thing!

Hmmm.  That brings up another idea ... what if the "standard" response for a
closed port was a fake "open" response?  I.e. if port 23 on every IP address
on the planet replied with


and just ignored the input, port-scanning pimply-faced script-kiddies would
find the going a lot tougher.  Looking for an open port, instead of being
like looking for a needle in a haystack, would be like looking for a
curare-dipped needle in a needle factory: it would take some work to know if
the one you found was the one you wanted.
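The fake-open-port idea above, as an added example that is not part of this post: a small decoy listener in Python that answers every connection on an otherwise-closed port with a constructed banner, records the source address (the "unauthorized connection logged" step from Caleb's list) and then reads and discards whatever the client sends. The banner text, the port and the `probe()` helper are assumptions for illustration.

```python
"""Decoy listener: make a closed port look open, log the attempt, ignore input.
Added example; the banner, port and helper names are assumptions."""
import logging
import socket
import threading

# Constructed placeholder banner; it is not the banner from the original post.
FAKE_BANNER = b"\r\n\r\nlogin: "
attempts = []  # (client_ip, local_port), the log a firewall rule could key on


def _serve_one(conn, addr, port):
    """Send the fake banner, then swallow input until the peer gives up."""
    with conn:
        attempts.append((addr[0], port))
        logging.warning("decoy port %d touched by %s", port, addr[0])
        try:
            conn.sendall(FAKE_BANNER)
            conn.settimeout(2.0)
            while conn.recv(1024):  # read and ignore; never answer
                pass
        except OSError:
            pass


def start_decoy(port=0, host="127.0.0.1"):
    """Listen on `port` (0 = any free port) and return (socket, bound_port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    bound = srv.getsockname()[1]

    def loop():
        while True:
            try:
                conn, addr = srv.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=_serve_one, args=(conn, addr, bound),
                             daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, bound


def probe(port, host="127.0.0.1", payload=b"guest\r\n"):
    """What a scanner sees: a banner, then silence. Returns (banner, reply)."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(256)
        s.sendall(payload)
        s.settimeout(0.5)
        try:
            reply = s.recv(256)
        except socket.timeout:
            reply = b""
    return banner, reply
```

Run `start_decoy()` on a list of unused ports and every one of them answers a scanner with the same "login:" prompt, while `attempts` gives you the source addresses to feed to a firewall rule.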



