by Lars M. Ha » Sun, 11 Apr 2004 05:15:24
On Fri, 9 Apr 2004 09:23:18 -0600, Quaoar spoketh
David Berlind (DB) writes: "To the extent that national security relies
on the vitality of the economy, I consider the mDDoS a significant
threat to our national security."
http://techupdate.zdnet.com/techupdate/stories/main/defenses_against_MDDoS_attacks.html
Seriously? A script kiddie's ability to use two servers to knock out a
cheap NAT router is a threat to national security? Wouldn't such a
"mini-DDoS" attack on multiple servers be considered an actual DDoS
attack? And, just because two servers were used to knock out one
router, it's suddenly classified "mini"? Sounds like someone wants to
be another Steve Gibson and "invent" some totally nonsensical term for
something internet related in order to get their name written down in
the annals of the internet.
DB writes: "Firewall ports have three modes: open, closed, and stealth."
http://techupdate.zdnet.com/techupdate/stories/main/Linksys_routers_and_DDoS.html
Ports only have two states: Open or closed. "Stealth" is not a normal
state of any port, firewalled or not. "Stealth" is an open port that
doesn't send a RST after receiving a SYN. In Mr. Berlind's brush with
his "mDDoS", having port 113 being "stealth" rather than closed probably
wouldn't have made any difference, as I suspect the attacker really
didn't care if there was any ACKs or RSTs being returned (a simple SYN
flood).
DB writes: "The stealth mode hides a port's existence altogether (if all
ports are stealthed, the existence of the entire Internet connection is
basically hidden)"
http://techupdate.zdnet.com/techupdate/stories/main/Linksys_routers_and_DDoS.html
Actually, the complete lack of responses is a loud and clear "I'm here,
and I have a firewall dropping your packets" response. There's nothing
stealthy about that at all.
DB quotes Steve Gibson: "When a user connects to an IRC server, that
server turns around and makes an IDENT query back to the user's system."
"But that practice, which dates back to the early 90's, has long since
stopped."
http://techupdate.zdnet.com/techupdate/stories/main/Linksys_routers_and_DDoS.html
If that were only true. IRC is not the only service that uses IDENT.
Many SMTP servers still use IDENT, including those of several large
ISPs. Stealthing port 113 may cause significant delays when sending
e-mails, as the mail server has to wait for its IDENT connection to
time out rather than simply getting an "RST" from you.
Can't argue with Gibson's thoughts on UPnP, though. Hopefully, Mr.
Berlind will soon share that opinion as well.
Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
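Following up on the IDENT point in the post above, here is an added example that is not part of Lars's post or of Berlind's articles: a small Python RFC 1413 client that shows the three things a querying mail server can actually see when it connects to port 113 (an answer, an immediate RST, or silence until its own timeout expires), and why a bounded timeout is the querier's only defence against a "stealthed" peer. The loopback responder, the userid "lars" and the port numbers in it are constructed for the demonstration; nothing here talks to a real host.

```python
"""Added example, not from the original post: what a host that queries
IDENT (RFC 1413) on port 113 actually observes, and why a bounded timeout
matters.  The responder is a constructed loopback stand-in; the userid
"lars" and all port numbers below are made up for the demonstration."""
import socket
import threading
import time

IDENT_PORT = 113  # the real service port; the demo binds ephemeral ports instead


def parse_ident_reply(raw):
    """Parse an RFC 1413 reply line.

    '6191, 23 : USERID : UNIX : stjohns'  -> 'stjohns'
    '6191, 23 : ERROR : NO-USER'          -> None
    The userid is everything after the third colon, so ids containing ':'
    survive; the opsys field may carry a charset ('UNIX,US-ASCII').
    """
    text = raw.decode("ascii", errors="replace").strip()
    parts = [p.strip() for p in text.split(":", 3)]
    if len(parts) != 4 or parts[1] != "USERID":
        return None
    return parts[3]


def ident_query(host, ident_port, server_port, client_port, timeout=2.0):
    """Ask `host` who owns its end of the TCP connection <server_port, client_port>.

    Returns (outcome, userid, elapsed_seconds).  The querier can only see:
      "answered"  -- a service replied (userid is None for an ERROR reply)
      "refused"   -- a TCP RST came straight back: the port is closed
      "timed_out" -- nothing came back within `timeout`: the SYN was dropped
                     ("stealthed") or the peer accepted and never answered
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.sendall(f"{server_port}, {client_port}\r\n".encode("ascii"))
            data = b""
            while not data.endswith(b"\r\n") and len(data) < 1000:
                chunk = s.recv(1000)
                if not chunk:
                    break
                data += chunk
    except ConnectionRefusedError:
        return "refused", None, time.monotonic() - start
    except (socket.timeout, TimeoutError):
        return "timed_out", None, time.monotonic() - start
    return "answered", parse_ident_reply(data), time.monotonic() - start


def start_responder(userid, silent=False):
    """Constructed one-shot IDENT responder on loopback; returns its port.

    With silent=True it accepts the connection and reads the query but never
    replies, so the querier has to wait out its own timeout (the same delay a
    firewall that drops port 113 imposes, minus the handshake).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            query = conn.recv(1000).decode("ascii", errors="replace")
            if silent:
                conn.recv(1000)  # returns only once the client gives up and closes
                return
            sport, cport = (int(x) for x in query.split(","))
            reply = f"{sport}, {cport} : USERID : UNIX : {userid}\r\n"
            conn.sendall(reply.encode("ascii"))

    threading.Thread(target=run, daemon=True).start()
    return port


def demo(timeout=0.5):
    """Exercise the three outcomes over loopback; returns {case: result}."""
    results = {}
    results["open"] = ident_query("127.0.0.1", start_responder("lars"), 25, 40001, timeout)
    # A closed port: bind to get a free ephemeral number, release it, then query it.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    free_port = probe.getsockname()[1]
    probe.close()
    results["closed"] = ident_query("127.0.0.1", free_port, 25, 40002, timeout)
    results["stealth"] = ident_query(
        "127.0.0.1", start_responder("lars", silent=True), 25, 40003, timeout)
    return results


if __name__ == "__main__":
    for name, (outcome, userid, elapsed) in demo().items():
        print(f"{name:8s} -> {outcome:10s} userid={userid!r} after {elapsed:.3f}s")
```

Run it and the "closed" case comes back in well under a millisecond because the RST arrives immediately, while the "stealth" case costs the full timeout every time; a mail server doing this for every inbound connection, with the multi-second timeouts typical of MTAs, is exactly the delay Lars describes. Note that the querier cannot distinguish a dropped SYN from a peer that completes the handshake and stays silent: both are just "no answer", which is why the client bounds the wait itself instead of relying on the remote side to say anything.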