BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] port-knocking

Subject: [Discuss] port-knocking
From: richard.pieri at gmail.com (Rich Pieri)
Date: Wed, 27 Mar 2013 21:16:14 -0400
In-reply-to: <515395FE.4060009@gmail.com>
References: <CADdmjq_jPJ8j6mJVzm2T8Tz6tZPF=cM5rPK7xZAA3gmwJTw-PQ@mail.gmail.com> <5150CE85.9010803@gmail.com> <CADdmjq-tn4x6tT+mRUxv_Km92sNrDsSce5UPX_aMSGieNDFzcQ@mail.gmail.com> <5151B65A.30107@blu.org> <6FE60F8A-B262-40D7-89A8-F2660C74CB66@gmail.com> <CADdmjq-2tr0SLuaOV3fc6S6GSQrdrZXfz2_5Sy8X8MgrgkCDXA@mail.gmail.com> <D1B1A95FBDCF7341AC8EB0A97FCCC4772C965B0C@SN2PRD0410MB372.namprd04.prod.outlook.com> <54DB539F0A2C293772BBDCF8@belldandy.lns.mit.edu> <20130327171346.GE20137@dragontoe.org> <51534868.9000703@horne.net> <54B8A71EBF5006965C91C9F0@belldandy.lns.mit.edu> <5153774D.3000706@gmail.com> <B43C041D2216AFE348340A80@[192.168.1.208]> <515395FE.4060009@gmail.com>

--On Wednesday, March 27, 2013 8:59 PM -0400 Tom Metro 
<tmetro+blu at gmail.com> wrote:

> Not merely workarounds...it's trivial to design a port knocking scheme
> that is resistant to DoS attacks.

Perhaps, but it isn't as easy to implement such a system such that use is 
transparent to users. That's not me saying that security is a tradeoff with 
usability. That's me saying that you're using the wrong tool.

> Of course any public facing server is subject to DoS attacks if the
> sender can overwhelm your inbound bandwidth.

That's orthogonal to the point: your port knocking "security" wall and my 
IP spoofing can subject you to DoS attacks with a handful of packets unless 
you implement workarounds for the lockout. If you have to work around a 
basic function of the security system just to make it usable then you're 
using the wrong tool for the job.

But I repeat myself.

-- 
Rich P.

References:
- [Discuss] DNS question about DNSENUM.PL
  - From: omegahalo at gmail.com (Chris O'Connell)
- [Discuss] DNS question about DNSENUM.PL
  - From: tmetro+blu at gmail.com (Tom Metro)
- [Discuss] DNS question about DNSENUM.PL
  - From: omegahalo at gmail.com (Chris O'Connell)
- [Discuss] DNS question about DNSENUM.PL
  - From: gaf at blu.org (Jerry Feldman)
- [Discuss] DNS question about DNSENUM.PL
  - From: abreauj at gmail.com (John Abreau)
- [Discuss] DNS question about DNSENUM.PL
  - From: omegahalo at gmail.com (Chris O'Connell)
- [Discuss] DNS question about DNSENUM.PL
  - From: blu at nedharvey.com (Edward Ned Harvey (blu))
- [Discuss] DNS question about DNSENUM.PL
  - From: richard.pieri at gmail.com (Rich Pieri)
- [Discuss] DNS question about DNSENUM.PL
  - From: invalid at pizzashack.org (Derek Martin)
- [Discuss] DNS question about DNSENUM.PL
  - From: bill at horne.net (Bill Horne)
- [Discuss] DNS question about DNSENUM.PL
  - From: richard.pieri at gmail.com (Rich Pieri)
- [Discuss] port-knocking
  - From: tmetro+blu at gmail.com (Tom Metro)
- [Discuss] port-knocking
  - From: richard.pieri at gmail.com (Rich Pieri)
- [Discuss] port-knocking
  - From: tmetro+blu at gmail.com (Tom Metro)

Prev by Date: [Discuss] Security through obscurity
Next by Date: [Discuss] pseudo-off-site backup
Previous by thread: [Discuss] port-knocking
Next by thread: [Discuss] DNS question about DNSENUM.PL
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org