On a typical system, when a client tries to connect to a closed port, most Unixes send a TCP reset back to the client.
It would be represented by the following:
A pcap dump would show the following:
Notice those RST+ACKs being sent back to the client? That is what generates the immediate "Unable to connect to remote host" message.
This is a tell-tale sign that the port is closed. But we have a way to mask this giveaway: the TCP blackhole sysctl.
Take this display:
The "Trying..." continues until the application quits or times out, and no resets are ever sent back to the client from the server it was trying to reach.
So how do you accomplish the above?
Easy.
We enable the TCP blackhole (net.inet.tcp.blackhole) using system controls (sysctl), modifying the running kernel on the fly.
This is how we hide our closed ports from outside onlookers :)
Setting the value to 2 drops all packets sent to a closed port, so the client never receives a reset.
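The steps above, worked through as an added example that is not code from the original post: a small POSIX sh script for a FreeBSD host that sets net.inet.tcp.blackhole on the fly, persists it in /etc/sysctl.conf so it survives a reboot, reads the live value back, and classifies a tcpdump line so you can confirm whether RST+ACK replies are still leaving the box. The tcpdump sample line and the sysctl.conf path are constructed or assumed for the example; the sysctl name and its value 2 semantics are FreeBSD's own.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes FreeBSD's
# net.inet.tcp.blackhole sysctl; the conf file path is a parameter.

# Pull the value out of FreeBSD "sysctl key" output,
# e.g. "net.inet.tcp.blackhole: 2" -> "2".
blackhole_value_from_output() {
    printf '%s\n' "$1" | sed -n 's/^net\.inet\.tcp\.blackhole: *\([0-9]*\).*/\1/p'
}

# Does a tcpdump line show a RST+ACK reply (flags "[R.]")?
# Seeing these from the server means the port is still advertising itself as closed.
is_reset_reply() {
    printf '%s\n' "$1" | grep -q 'Flags \[R\.\]'
}

# Set KEY=VALUE in a sysctl.conf-style file: replace an existing line, else append.
# Pure POSIX sh, so it is what persists the setting across reboots.
set_sysctl_conf() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    [ -f "$file" ] || : > "$file"
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are regex metachars
    if grep -q "^${esc}=" "$file"; then
        sed "s/^${esc}=.*/${key}=${value}/" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Apply on the running kernel and persist. Needs root on FreeBSD.
enable_tcp_blackhole() {
    sysctl net.inet.tcp.blackhole=2 &&
    set_sysctl_conf /etc/sysctl.conf net.inet.tcp.blackhole 2
}

# Read the live value back; exit 0 only when closed ports are fully silent (2).
check_tcp_blackhole() {
    out=$(sysctl net.inet.tcp.blackhole 2>/dev/null) || return 2
    v=$(blackhole_value_from_output "$out")
    [ "$v" = "2" ]
}

# Usage: ./blackhole.sh apply   (only acts when explicitly asked)
if [ "${1:-}" = "apply" ]; then
    enable_tcp_blackhole && check_tcp_blackhole && echo "closed TCP ports are now silent"
fi
```

After applying, repeat the telnet test from the client and run tcpdump on the server: with the value at 2 you should see only the incoming SYNs and no `Flags [R.]` replies. Value 1 (not used in the post) drops only SYNs to closed ports, so other stray segments would still draw a reset; 2 is the setting that makes the port truly silent.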
Ken Felix
Freelance Network/Security Engineer
kfelix -a-t socpuppets -d-o-t- com
^ ^
= ( * @ ) =
o
/ \
nice