Sujet : Re: Chinese downloads overloading my website
De : blockedofcourse (at) *nospam* foo.invalid (Don Y)
Groupes : sci.electronics.designDate : 15. Mar 2024, 15:00:23
Autres entêtes
Organisation : A noiseless patient Spider
Message-ID : <ut1gpg$29itn$2@dont-email.me>
References : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
User-Agent : Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.2.2
On 3/15/2024 5:34 AM, Carlos E.R. wrote:
On 2024-03-15 12:33, Peter wrote:
>
Don Y <blockedofcourse@foo.invalid> wrote:
>
I operate a server in stealth mode; it won't show up on
network probes so robots/adversaries just skip over the
IP and move on to others. Folks who *should* be able to
access it know how to "get its attention".
What is "stealth mode", what do you do?
It's what you *don't* do that is important.
When you receive a packet, you extract all of the
information indicating sender, intended destination
port, payload, etc.
Then, DON'T acknowledge the packet. Pretend the network
cable is terminated in dead air.
The *determined* "caller" sends another packet, some time later
(with limits on how soon/late this can be).
Again, you extract the information in the packet -- and
ignore it.
Repeat this some number of times for a variety of
different ports, payloads -- all traced back to the
same sender.
Then, on the *important* packet that arrives, subsequently,
acknowledge it with the service that is desired.
If the sequence is botched at any time -- like a sender doing
a sequential port scan -- then you reset the DFA that is
tracking THAT sender's progress through the automaton.
Note that you can handle multiple clients attempting to
connect simultaneously -- "hiding" from each of them
until and unless they complete their required sequences.
Anyone with a packet sniffer can be thwarted by ensuring
that the sequence is related to source IP, time of day,
service desired, etc. (though security by obscurity)
Because you don't react to most (all?) packets, a systematic
probe of your IP will not turn up a "live machine" at your
end.
Once you actually acknowledge a packet, all of the
regular authentication/encryption/etc. mechanisms come
into play. You just don't want to reveal your presence
unless you are reasonably sure the client is someone
that you *want* to have access...
Port knocking ;)
I was thinking of using a high port. I do that.
But a port scanner can stumble on that. Or, it can be leaked
by a malevolent user.
The "knock sequence" can be customized per sender IP address,
per client identity, per service, etc. So, it's less vulnerable
than something (anything!) static.
Chinese downloads overloading my website
Re: Chinese downloads overloading my website
