Hi All,

Still no connection from my work computer to my host home computer. Am I missing some setting on my host computer that could be blocking this specific IP address? Or would the problem more likely be on the viewer computer?

Thanks,
Lee

On 6/2/05, Scott C. Best <[EMAIL PROTECTED]> wrote:
>
> Wez:
> I agree that exponential back-off for failed authentication
> attempts is a good way to prevent dictionary attacks from being
> viable. Here's my concern: your software's blacklisting isn't
> actually "tripped" by failed authentication attempts -- it's tripped
> by *any connection at all*. That's not the best solution, IMO,
> for two reasons:
>
> 1. It makes things trickier for (ahem) ISV's who write 3rd
>    party tools that, say, auto-detect VNC Servers on a LAN.
>    Of course, I understand that making their lives easier is
>    pretty low on your list of concerns, but it's worth a
>    mention.
>
> 2. It overly exposes VNC to DoS attacks. With nmap running on
>    a PC with access to raw sockets, I could:
>
>    % nmap -sT -p 5900 my.lan.ip.address/24 -S ip.address.to.block
>    % <repeat once a minute>
>
>    This will transmit spoofed packets to all RealVNC servers on
>    the LAN, effectively blacklisting any IP address I choose.
>
> I'm hopeful for those 2 reasons, you'll at least consider
> modifying the blacklist "trip" mechanism in your future releases,
> so that it activates *after* multiple password attempts have
> actually failed. That's much more resilient to spoofed connections,
> as it actually requires a real protocol exchange.
>
> cheers,
> Scott
>
> > The blacklisting algorithm uses exponential back-off, so it really
> > *does* prevent dictionary attacks from being viable.
> >
> > As regards the possibility of DoS attacks - yes, they are possible but
> > the DoS attack you describe prevents anyone on the attacking host from
> > accessing it, while a dictionary attack would actually grant the
> > attacker access to that server, which is clearly worse!
> <snip>
> _______________________________________________
> VNC-List mailing list
> [email protected]
> To remove yourself from the list visit:
> http://www.realvnc.com/mailman/listinfo/vnc-list
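
The trip mechanism proposed in the quoted message, sketched as an added example (not RealVNC's code and not written by anyone in this thread): a per-address blacklist with exponential back-off that counts only failed authentications from a completed exchange, so a bare connection never changes its state. The class and function names, the threshold and the delay values are assumptions.

```python
# Added illustration, not RealVNC code. Names and default values are assumptions.
from dataclasses import dataclass


@dataclass
class Entry:
    failures: int = 0           # consecutive failed authentications
    blocked_until: float = 0.0  # attempts before this time are refused


class AuthBackoff:
    """Per-address blacklist tripped by failed logins, never by bare connections."""

    def __init__(self, threshold=5, base_delay=10.0, max_delay=3600.0):
        self.threshold = threshold    # failures tolerated before the first lockout
        self.base_delay = base_delay  # first lockout, in seconds
        self.max_delay = max_delay    # cap so the delay cannot grow without bound
        self.entries = {}

    def on_connect(self, ip, now):
        """May this address proceed to authentication? Read-only: a connection
        that never completes the exchange leaves no state behind."""
        entry = self.entries.get(ip)
        return entry is None or now >= entry.blocked_until

    def on_auth_result(self, ip, ok, now):
        """Record a completed challenge/response; return the lockout applied."""
        if ok:
            self.entries.pop(ip, None)  # success clears the history
            return 0.0
        entry = self.entries.setdefault(ip, Entry())
        entry.failures += 1
        if entry.failures < self.threshold:
            return 0.0
        # Each failure past the threshold doubles the lockout, up to the cap.
        delay = min(self.base_delay * 2 ** (entry.failures - self.threshold),
                    self.max_delay)
        entry.blocked_until = now + delay
        return delay


def replay(guard, events):
    """Feed constructed (time, ip, kind) events; return admit/lockout results."""
    out = []
    for now, ip, kind in events:
        if kind == "connect":
            out.append(guard.on_connect(ip, now))
        else:
            out.append(guard.on_auth_result(ip, kind == "ok", now))
    return out
```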
