On 04/04/2000 at 20:46:56 EST, James Proffer <[EMAIL PROTECTED]>
wrote:
> A rejected packet tells the sender there is an actual machine at the IP
> address.  A dropped packet gives no feedback at all.  The target machine
> behaves as if it were powered off or disconnected from the network.

There are a number of ways that a connection attempt can be refused, but
assuming the target machine exists, the most common are:

1. Reaches target, but is rejected because it's not listening on that port.
ICMP 3,3 - Port unreachable.

2. Doesn't reach target, is rejected by a router/firewall.  ICMP 3,13 -
Administratively prohibited.

3. Is silently dropped.

With 1, you know you found the target, but (temporarily at least) the wrong
port.

With 2, you only know that a firewall blocked you.  You don't know if the
target exists or whether it's listening.

With 3, I'd have to reach the same conclusion as 2.  It normally wouldn't
occur unless someone is trying to be obscure (yes, I know you can set up
some firewalls to act this way) or its ICMP response is not making it back
to you.

The only advantage I see with 3 is that you make the scanner wait longer to
find out the disposition of the port it was scanning.  With 1 and 2, he
gets an immediate signal to give up on that port and go on.  When no
response is returned, he has to wait a few seconds to see if it's just slow
in coming back.

Tony Rall


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
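A small worked example, added by the editor and not part of Tony's post or the original thread: it classifies a refused probe into the three cases above from constructed ICMP messages (the RFC 5737 documentation addresses and the port numbers are made up; nothing touches the network), and adds the check a practitioner would want on case 1: a 3/3 only confirms the target if the ICMP actually came from the host whose header it quotes, since a firewall can send "port unreachable" on the target's behalf (Linux iptables REJECT does exactly that by default). The last function shows the timing point made about case 3: a sequential scan's wall time is dominated by the probes that got no answer.

```python
"""Classify a refused probe into the three cases from the post:
ICMP 3/3 (port unreachable), ICMP 3/13 (administratively prohibited),
or no answer at all. Added example; packets are constructed, no network I/O."""
import socket
import struct
from typing import Optional

ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3        # case 1: target reached, nothing listening
CODE_ADMIN_PROHIBITED = 13   # case 2: a router/firewall refused it
IP_FMT = "!BBHHHBBH4s4s"     # 20-byte IPv4 header without options


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_unreachable(code: int, probe_src: str, probe_dst: str,
                      sport: int, dport: int) -> bytes:
    """Constructed sample reply: ICMP Destination Unreachable quoting the
    IPv4 header and first 8 bytes (here a UDP header) of the probe that
    triggered it, as RFC 792 requires."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    fields = [0x45, 0, 20 + len(udp), 0x1234, 0, 64, socket.IPPROTO_UDP, 0,
              socket.inet_aton(probe_src), socket.inet_aton(probe_dst)]
    fields[7] = inet_checksum(struct.pack(IP_FMT, *fields))
    body = struct.pack(IP_FMT, *fields) + udp
    csum = inet_checksum(struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + body)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + body


def classify(icmp_reply: Optional[bytes], from_ip: Optional[str]) -> dict:
    """Map (reply bytes or None, IP that sent the reply) to a port state.

    target_confirmed is True only for a 3/3 that really came from the
    probed host: a firewall can send 3/3 on the target's behalf, and then
    the quoted destination and the ICMP source will not match."""
    if icmp_reply is None:
        return {"state": "filtered", "answered": False, "target_confirmed": False,
                "reason": "no response: silent drop, or the ICMP never got back"}
    if len(icmp_reply) < 8 + 20 + 8:
        raise ValueError("truncated ICMP message")
    if inet_checksum(icmp_reply) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code = icmp_reply[0], icmp_reply[1]
    if itype != ICMP_DEST_UNREACH:
        return {"state": "unknown", "answered": True, "target_confirmed": False,
                "reason": f"ICMP type {itype} code {code}"}
    quoted_ip = icmp_reply[8:28]
    ihl = (quoted_ip[0] & 0x0F) * 4                 # header length in bytes
    quoted_dst = socket.inet_ntoa(quoted_ip[16:20])  # host the probe was sent to
    _sport, dport = struct.unpack("!HH", icmp_reply[8 + ihl:8 + ihl + 4])
    result = {"answered": True, "host": quoted_dst, "port": dport,
              "target_confirmed": False}
    if code == CODE_PORT_UNREACH:
        result.update(state="closed", reason="ICMP 3/3 port unreachable",
                      target_confirmed=(from_ip == quoted_dst))
    elif code == CODE_ADMIN_PROHIBITED:
        result.update(state="filtered", reason="ICMP 3/13 administratively prohibited")
    else:
        result.update(state="filtered", reason=f"ICMP 3/{code} destination unreachable")
    return result


def scan_wall_time(results: list, timeout_s: float, rtt_s: float) -> float:
    """Sequential-scan cost of the three behaviours: an answered probe costs
    about one round trip, a silent one costs the scanner's whole timeout."""
    return sum(rtt_s if r["answered"] else timeout_s for r in results)


if __name__ == "__main__":
    scanner, target, fw = "198.51.100.7", "192.0.2.10", "203.0.113.1"  # RFC 5737 addresses
    outcomes = [
        classify(build_unreachable(CODE_PORT_UNREACH, scanner, target, 40000, 53), target),
        classify(build_unreachable(CODE_ADMIN_PROHIBITED, scanner, target, 40000, 161), fw),
        classify(None, None),
    ]
    for o in outcomes:
        print(o["state"], "-", o["reason"], "- target confirmed:", o["target_confirmed"])
    print("sequential scan time (s):", scan_wall_time(outcomes, timeout_s=3.0, rtt_s=0.05))
```

Run it as a script to print the three outcomes. The `target_confirmed` flag is what separates a genuine case 1 from a reject rule on an intermediate firewall that forges the same 3/3, and the timing function is why a DROP policy costs a scanner its full per-port timeout where REJECT hands it an immediate answer.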