ZDNet - Tech Update - "Security issues move Linksys routers off the short list"


Post by Jim Orfana » Sat, 10 Apr 2004 22:17:54


Just sharing...

http://www.yqcomputer.com/



--

To reply by e-mail, remove the "-nospam-" from the reply to address
 
 
 


Post by Lars M. Ha » Sat, 10 Apr 2004 23:31:59

On Fri, 9 Apr 2004 09:17:54 -0400, Jim Orfanakos spoketh



"David Berlind's Reality Check"?

Seriously, the one who needs a reality check may be David Berlind
himself. Complaining about port 113 being closed as opposed to stealth
while considering UPnP for firewall devices a good thing clearly
shows how David Berlind doesn't know enough about the topic at hand to
be considered an expert giving advice to others.



Lars M. Hansen
http://www.yqcomputer.com/
(replace 'badnews' with 'news' in e-mail address)

 
 
 


Post by Quaoa » Sun, 11 Apr 2004 00:23:18


http://www.yqcomputer.com/

If you have a quantitative viewpoint on the article, I for one will be
happy to read what you have to say.

Q
 
 
 


Post by Jbob » Sun, 11 Apr 2004 02:00:38

I thought the port 113 problem was mostly a mail problem and that is the
reason Linksys left it closed by default. I'm not a super techie and only
learn from what I read but this is the first I have heard of the IDENT
problem being an IRC issue. However I don't use IRC.
As far as Linksys having bad firmware releases, I hear the others might
actually be worse.
 
 
 


Post by Mr. Grinc » Sun, 11 Apr 2004 04:13:02

Lars M. Hansen < XXXX@XXXXX.COM > wrote in



I agree. He seems to be getting all e *** d about something he knows little
about. Complaining about using a port closed in one breath then suggesting
UPnP to be used the next.

Lots of people are using the Linksys routers and getting better than
average security compared to people who've got nothing. And I've seen just
as many Zone Alarm misconfigurations to know that it's not really any
"safer". I spent an entire weekend trying to remotely get my sister's
Zone Alarm config to work properly with VNC before we finally uninstalled
it. Not that I'm bashing a free product but seriously, they all have their
issues.

Anyone who is willing to spend the low price to put one of these cheap DSL
/ cable routers on in front of their PC is getting at least some basic
level of security that the majority of users out there simply don't have or
are not using (i.e. XP / 2003 internet security). I found it laughable that
the author suggests he'd be going with Netgear, as if their support is
somehow so much better. All the support in this price range leaves
something to be desired, but in my opinion these hardware devices require
less support than the comparable software solutions.
 
 
 


Post by Quaoa » Sun, 11 Apr 2004 04:44:33


http://www.yqcomputer.com/

Three ad hominem replies about why Berlind knows nothing, but nothing
quantitative about why he is incorrect. Suspect the posters themselves
know nothing.

Q
 
 
 


Post by Herb Kauhr » Sun, 11 Apr 2004 05:00:53

thanks for keeping count and adding nothing.

--
 
 
 


Post by Lars M. Ha » Sun, 11 Apr 2004 05:15:24

On Fri, 9 Apr 2004 09:23:18 -0600, Quaoar spoketh


David Berlind (DB) writes: "To the extent that national security relies
on the vitality of the economy, I consider the mDDoS a significant
threat to our national security."
http://techupdate.zdnet.com/techupdate/stories/main/defenses_against_MDDoS_attacks.html

Seriously? A script kiddie's ability to use two servers to knock out a
cheap NAT router is a threat to national security? Wouldn't such a
"mini-DDoS" attack on multiple servers be considered an actual DDoS
attack? And, just because two servers were used to knock out one
router, it's suddenly classified "mini"? Sounds like someone wants to
be another Steve Gibson and "invent" some totally nonsensical term for
something internet related in order to get their name written down in
the annals of the internet.

DB writes: "Firewall ports have three modes: open, closed, and stealth."
http://techupdate.zdnet.com/techupdate/stories/main/Linksys_routers_and_DDoS.html

Ports only have two states: Open or closed. "Stealth" is not a normal
state of any port, firewalled or not. "Stealth" is an open port that
doesn't send a RST after receiving a SYN. In Mr. Berlind's brush with
his "mDDoS", having port 113 being "stealth" rather than closed probably
wouldn't have made any difference, as I suspect the attacker really
didn't care if there were any ACKs or RSTs being returned (a simple SYN
flood).

DB writes: "The stealth mode hides a port's existence altogether (if all
ports are stealthed, the existence of the entire Internet connection is
basically hidden)"
http://techupdate.zdnet.com/techupdate/stories/main/Linksys_routers_and_DDoS.html

Actually, the complete lack of responses is a loud and clear "I'm here,
and I have a firewall dropping your packets" response. There's nothing
stealthy about that at all.

DB quotes Steve Gibson: "When a user connects to an IRC server, that
server turns around and makes an IDENT query back to the user's system."

"But that practice, which dates back to the early 90's, has long since
stopped."
http://techupdate.zdnet.com/techupdate/stories/main/Linksys_routers_and_DDoS.html

If that were only true. IRC is not the only service that uses IDENT.
Many SMTP servers still use IDENT, including those of several large
ISPs. Stealthing port 113 may cause significant delays when sending
e-mails, as the mail server has to wait for its IDENT connection to
time out rather than simply getting an "RST" from you.

Can't argue with Gibson's thoughts on UPnP, though. Hopefully, Mr.
Berlind will soon share that opinion as well.


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
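
Added example (not part of the thread or any poster's code): a TCP connect probe that separates the three behaviours discussed in the post above, namely SYN/ACK (open), RST (closed), and silence (the "stealth" case), and times each attempt. The function names and the loopback demo are constructed for illustration; pointing `probe()` at port 113 of your own router shows which behaviour it has, and a dropped SYN only returns after the full timeout, which is the delay an IDENT-querying mail server would wait out.

```python
import socket
import time


def probe(host, port, timeout=3.0):
    """One TCP connect attempt; returns (state, seconds_elapsed)."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        state = "open"              # SYN answered with SYN/ACK
    except ConnectionRefusedError:
        state = "closed"            # SYN answered with RST: fast, explicit "no"
    except socket.timeout:
        state = "no-response"       # SYN silently dropped ("stealth")
    except OSError as exc:
        state = "error: %s" % exc   # e.g. ICMP unreachable or no route
    finally:
        sock.close()
    return state, time.monotonic() - start


def loopback_demo():
    """Constructed offline check: one listening port, one bound-but-idle port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    idle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    idle.bind(("127.0.0.1", 0))     # bound, not listening: the kernel sends RST
    try:
        return {
            "open": probe("127.0.0.1", listener.getsockname()[1]),
            "closed": probe("127.0.0.1", idle.getsockname()[1]),
        }
    finally:
        listener.close()
        idle.close()


if __name__ == "__main__":
    for label, (state, secs) in loopback_demo().items():
        print(f"{label:7s} -> {state:12s} {secs:.3f}s")
```
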
 
 
 


Post by Ed Wurste » Sun, 11 Apr 2004 05:33:42


The article tries to explain and advise on too many issues. I couldn't get
past 3 or 4 paragraphs, and I'm a tech writer.

Myself, I downgraded to the next to last firmware, and have not had a
problem since then.

I'm not forwarding port 113 either.

Not that I'm extending an invitation or anything like that!

Ed
 
 
 


Post by Lars M. Ha » Sun, 11 Apr 2004 07:37:22

On Fri, 9 Apr 2004 13:44:33 -0600, Quaoar spoketh


Wrong #1: Ports have 3 states: open, closed, stealth.
Wrong #2: mini-DDoS is a "national security issue".
Wrong #3: UPnP is good.
Wrong #4: mini-DDoS.
Wrong #5: Stealth makes your computer "basically hidden".
Wrong #6: Stealth would have solved his "mDDoS" issue.

That pretty much sums up the quantitative part of his three articles
regarding this "mDDoS" that he's invented.

Now, maybe you can do a "quantitative" on why he's right...


Lars M. Hansen
http://www.yqcomputer.com/
(replace 'badnews' with 'news' in e-mail address)
 
 
 


Post by Daniel Mel » Sun, 11 Apr 2004 08:35:01

I couldn't agree more...

The rambling on and on about closed versus "stealth" on port 113 is almost
nonsense...
 
 
 


Post by Dan Cottle » Mon, 12 Apr 2004 03:50:11

In article < XXXX@XXXXX.COM >,



MANY irc servers require ident still, but as many don't. IOW, having
that port forwarded is nice - and permits you to dump the ~ off your id
in the ulist, but it's simply not a necessity.

- Dan.
--
- Psychoceramic Emeritus
- South Jersey, USA, Earth
 
 
 


Post by Steve » Tue, 13 Apr 2004 00:07:49

My D-Link DI-624 wireless router also closes port 113 rather than 'stealth'
the port as confirmed by Shields Up and Symantec port scans to my router.
Maybe this is a widespread 'problem'. Any others you know of that do this?
If so, Mr. Berlind should be notified so he can remove all of them from the
'short list'. I wonder who is on the short list? Microsoft OS products
certainly should have been removed from the short list long ago.