
Re: grouped tcp flags



[list added again, I think this is public interest and should be archived]
On 01/04/2003, HKSPKS@aol.com <HKSPKS@aol.com> wrote To pb@openbsd.de:
> I just wanted to drop all nmap and/or other harmful packets... I found half 
> of this list of flags @ nmap's forums by a guy saying which to block to stop 
> nmap, the other half I found on a sans.org site... I'll try to dig up a link 
> if you want it.  Which flags do you recommend blocking?
First off:
nmap is dumb
Furthermore, *most* people using nmap are completely clueless about
what is happening - and to make it worse: nmap interprets packets
coming back (or not) in a very "special" way. Let's say, it tries
to think for the user.
After all they see an output of closed/open/filtered ports which
is *way often* not even *close* to reality.
Please think it through .. all this 'hiding' is totally silly and useless.
Think about it: they get a response (or not) which is interpreted as
XYZ/tcp  filtered
Now what? Can they do something harmful w/ FUP on port XYZ there?
Can they even create a *valid* connection to there for carrying 
payload UP THE STACK WHERE IT WOULD HURT?
Geeez..
If you don't want port XYZ being reached. Block it. Completely. No
matter what fuxxored flag ever is set. Period.
//pb