North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: FW: Re: Is there a line of defense against Distributed Reflectiveattacks?
- From: Vadim Antonov
- Date: Mon Jan 20 23:01:24 2003
On Mon, 20 Jan 2003, Avleen Vig wrote:
> On Mon, 20 Jan 2003, Christopher L. Morrow wrote:
> > > I was refering specifically to end user workstations. For example home
> > > machines on dial up or broadband connections.
> > > A lot of broadband providers already prohibit running servers and block
> > > certain inbound ports (eg 21 and 80).
> > > *shrug* just seems like it would make more sense to block all incoming
> > > 'syn' packets.
> Indeed it does break that. P2P clients: Mostly transfer illegal content.
> As much as a lot of people love using these, I'm sure most realise they're
> on borrowed time in their current state.
Well, blocking TCP SYNs is not a way to block establishment of sessions
between _cooperating_ hosts.
Simply make a small hack in TCP stack to leave SYN flag clear, and use
some other bit instead.
To really block something you need an application proxy... and then there
are always ways to subvert those. Elimination of covert channels is one of
the hardest problems. In any case, no sane provider will restrict traffic
only to applications which can be served by its proxies.
Going further, the growing awareness of the importance of security will
cause more and more legitimate apps to create totally indiscriminate
encrypted traffic... and it is a good idea to routinely encrypt all
traffic, to avoid revealing importance of particular communications.
Leaving identity of applications (different port #s) in the clear is also
a bad idea, security-wise.