Evan Martin (evan) wrote in evan_tech,

hax0rs / knock

Today Matt, annoyed at our latent connection, was looking at a tcpdump and shouted down the hall, "Are you on IRC?"
I looked at his screen and pointed out those packets were coming from his computer. Whoops. Turns out he'd forwarded a port through the NAT to his desktop, his desktop had had a "test" account from way back, and some IRC kids from Italy (?) had figured this out. Double whoops. At least the DoS mystery is solved.

I stuck my Ruby NAT-PMP library into version control to check in a simple program for ssh "knocking". The idea is that you send a UDP packet to a special port to get the real ssh forwarded port open. So now there are no "open" ports, in that you don't get any response to your UDP "knock". It's easy to imagine more complicated variations on this (like sending a pre-password "open sesame" bit in the UDP packet so that an attacker couldn't just spray UDP at the machine and then port-scan TCP), but that's expecting a lot out of people.

Does anyone know how to get netcat to send a UDP packet and quit? The "-z" option sends two for some reason, while "echo foo | nc ..." has to be Ctrl-C'd to quit.
Tags: project
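
The "open sesame" variation mentioned in the post, as an added example that is not part of the original post or of the author's NAT-PMP library. It goes one step past a fixed pre-password: the knock carries a timestamp and an HMAC over it, so a knock captured off the wire cannot be replayed later. The payload layout, the names `build_knock` and `KnockVerifier`, and the shared secret are assumptions; opening the forwarded port after a successful check is left to the caller.

```ruby
require 'openssl'

# Hypothetical knock payload (not from the original post):
# 8-byte big-endian Unix timestamp followed by HMAC-SHA256(secret, timestamp).
KNOCK_LEN = 8 + 32

# Client side: build the bytes to put in the UDP datagram.
def build_knock(secret, now = Time.now.to_i)
  ts = [now].pack('Q>')
  ts + OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), secret, ts)
end

# Server side: decide whether a received datagram should open the port.
class KnockVerifier
  def initialize(secret, window: 30)
    @secret = secret
    @window = window # seconds of clock skew / delay tolerated
    @seen = {}       # tag => timestamp, to reject replays inside the window
  end

  # Returns true only for a fresh, authentic, not-yet-seen knock.
  def accept?(payload, now = Time.now.to_i)
    return false unless payload.is_a?(String) && payload.bytesize == KNOCK_LEN
    data = payload.b
    ts_bytes = data.byteslice(0, 8)
    tag = data.byteslice(8, 32)
    ts = ts_bytes.unpack1('Q>')
    return false if (now - ts).abs > @window # stale or far-future knock

    expected = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), @secret, ts_bytes)
    return false unless constant_time_equal?(expected, tag)

    # Entries older than the window would fail the freshness check anyway.
    @seen.delete_if { |_, seen_ts| (now - seen_ts).abs > @window }
    return false if @seen.key?(tag) # same knock sent twice: replay
    @seen[tag] = ts
    true
  end

  private

  # Compare without stopping at the first differing byte.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

A listener would call `accept?` on each datagram received on the knock port and request the ssh port mapping only when it returns true; random UDP sprayed at the port fails the length or HMAC check and changes nothing.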
