Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Don Y
Newsgroups: sci.electronics.design
Subject: Re: Chinese downloads overloading my website
Date: Fri, 15 Mar 2024 13:05:45 -0700
Organization: A noiseless patient Spider
Lines: 50
Message-ID:
References:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 15 Mar 2024 20:05:56 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="c86af28dc75bef790d14c8cfb4054056"; logging-data="2582182"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18sTtZFQhOfqaXqNC32T2X1"
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.2.2
Cancel-Lock: sha1:608SLeYwqhKKB8Ref49d7S95ntg=
Content-Language: en-US
In-Reply-To:
Bytes: 3523

On 3/15/2024 8:56 AM, Peter wrote:
>
> Don Y wrote:
>
>> Then, DON'T acknowledge the packet.  Pretend the network
>> cable is terminated in dead air.
>
> Can you actually do that, with a standard server?  Normally every
> TCP/IP packet is acked.

This is deep in the system.  You have to rewrite your stack.
*You* have to handle raw packets instead of letting services (or the
"super server") handle them for you.  [And, you can't have an active
proxy upstream that blindly intercepts them]

The server effectively does a passive open and waits for packets
ON *ANY* PORT.  You obviously have to hide ALL ports, as a potential
client could poke ANY port, notice a response, then assume you are
*deliberately* hiding OTHER ports that don't reply!  If you reply
ANYWHERE, then the "adversary" knows that you aren't just a
"dangling wire"!

Think of an old-fashioned RdTd serial port (no handshaking lines that
you can examine as "active").  You can listen to the incoming character
stream without ever responding to it -- even allowing your driver to
lose characters to overrun/parity/framing/etc. errors.
Only when you see something that you recognize do you "react".

[This is the easy way to hide an "internal" 3-pin serial port (that you
likely have for diagnostics in a product) from folks who like looking
for shells, etc. on such things!]

Of course, if something (adversary or sniffer) sees that reaction, then
the secret is out.  So, you don't want to abuse this access mechanism.
It's like tunneling under some existing protocol; it works only as long
as folks don't *notice* it!

> UDP isn't, which is why port knocking works so well.

Anything that can be routed can be used.  You can knock on UDP/x, then
UDP/y, then... before trying to open a particular UDP/TCP connection.

The point is to just LOOK at incoming packets and not blindly act on
them -- even if that action is to block the connection.
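The "look, don't answer" behaviour and the UDP/x, UDP/y, ... knock sequence described in the post above, as an added example that is not Don Y's code and not from any thread participant. The monitor consumes a packet trace and returns only "accept" or "drop" per packet; it never returns "reject", because a rejected packet is answered with a RST or ICMP unreachable, which is exactly the reaction that gives the host away. The knock ports, the protected port, the time windows and the addresses in the constructed trace are all hypothetical values chosen for the example. Capturing the raw packets (pcap/AF_PACKET) and configuring the host firewall to DROP rather than REJECT everything else are left to the deployment; this block only models the decision.

```python
"""Passive port-knock monitor (added example, hypothetical ports and addresses).

The monitor only looks at traffic and never sends anything. Its one "reaction"
is that, after the full knock sequence from a source, that source may reach
the protected port for a short time. Everything else is silently dropped.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

PortKey = Tuple[str, int]  # (protocol, destination port)

# Deliberately non-monotonic: a linear scan in either direction hits the
# knock ports in the wrong order and can never complete the sequence.
KNOCK_SEQUENCE: Tuple[PortKey, ...] = (("udp", 40003), ("udp", 40001), ("udp", 40002))
PROTECTED_PORT: PortKey = ("tcp", 22)
KNOCK_WINDOW_S = 10.0   # the whole sequence must arrive within this window
OPEN_FOR_S = 30.0       # how long a successful knocker may reach PROTECTED_PORT


@dataclass(frozen=True)
class Packet:
    ts: float    # arrival time in seconds (constructed, not a real capture)
    src: str     # source address
    proto: str   # "udp" or "tcp"
    dport: int   # destination port


@dataclass
class _Progress:
    count: int      # knocks matched so far
    started: float  # time of the first matched knock


class KnockMonitor:
    def __init__(self, sequence: Sequence[PortKey] = KNOCK_SEQUENCE,
                 protected: PortKey = PROTECTED_PORT,
                 window: float = KNOCK_WINDOW_S, open_for: float = OPEN_FOR_S):
        self.sequence = tuple(sequence)
        self.knock_ports = frozenset(self.sequence)
        self.protected = protected
        self.window = window
        self.open_for = open_for
        self._progress: Dict[str, _Progress] = {}
        self._open_until: Dict[str, float] = {}

    def _observe_knock(self, pkt: Packet) -> None:
        """Advance, reset or expire pkt.src's position in the knock sequence."""
        key = (pkt.proto, pkt.dport)
        if key not in self.knock_ports:
            return                      # unrelated traffic: state untouched, no reply
        st = self._progress.get(pkt.src)
        if st is not None and pkt.ts - st.started > self.window:
            del self._progress[pkt.src]  # too slow: forget the partial sequence
            st = None
        expected = self.sequence[st.count] if st else self.sequence[0]
        if key != expected:
            # Wrong knock (out of order, or a scanner). Discard the progress;
            # if this packet happens to be the first knock, start over from it.
            self._progress.pop(pkt.src, None)
            if key == self.sequence[0]:
                self._progress[pkt.src] = _Progress(count=1, started=pkt.ts)
            return
        if st is None:
            st = self._progress[pkt.src] = _Progress(count=0, started=pkt.ts)
        st.count += 1
        if st.count == len(self.sequence):
            del self._progress[pkt.src]
            self._open_until[pkt.src] = pkt.ts + self.open_for

    def is_open(self, src: str, ts: float) -> bool:
        """True while src's window to the protected port is still open."""
        until = self._open_until.get(src)
        if until is None:
            return False
        if ts > until:
            del self._open_until[src]
            return False
        return True

    def decide(self, pkt: Packet) -> str:
        """Return "accept" or "drop". Never "reject": the knocks themselves and
        every probe from an unknown source get no answer at all."""
        self._observe_knock(pkt)
        if (pkt.proto, pkt.dport) == self.protected and self.is_open(pkt.src, pkt.ts):
            return "accept"
        return "drop"


def run_trace(packets: Sequence[Packet]) -> List[str]:
    """Feed a trace through a fresh monitor and return one decision per packet."""
    mon = KnockMonitor()
    return [mon.decide(p) for p in packets]


if __name__ == "__main__":
    # Constructed trace: a legitimate knocker, then a linear scan from someone
    # else who tries the protected port afterwards.
    trace = [
        Packet(0.0, "198.51.100.7", "udp", 40003),
        Packet(0.5, "198.51.100.7", "udp", 40001),
        Packet(1.0, "198.51.100.7", "udp", 40002),
        Packet(1.5, "198.51.100.7", "tcp", 22),   # accept
        Packet(2.0, "203.0.113.9", "udp", 40001),
        Packet(2.1, "203.0.113.9", "udp", 40002),
        Packet(2.2, "203.0.113.9", "udp", 40003),
        Packet(2.3, "203.0.113.9", "tcp", 22),    # drop
    ]
    for p, d in zip(trace, run_trace(trace)):
        print(f"{p.ts:5.1f} {p.src:14} {p.proto}/{p.dport:<5} -> {d}")
```

Two design points matter for the "dangling wire" property the post is after. First, the knock packets themselves produce "drop", not an acknowledgement: the only observable effect of a correct sequence is that a later connection to the protected port goes through. Second, the sequence is not ascending, and a hit on a knock port out of order throws the progress away, so a sequential port sweep cannot complete it by accident; only a sender who already knows the order gets a reaction, which is the "secret is out once someone sees it" caveat in the post.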