mailing list archives
Re: Intrusion detection question.
From: Tomi Ollila <Tomi.Ollila () sonera com>
Date: Mon, 21 Feb 2000 16:47:02 +0200 (EET)
Feb 12 19:35:58 +0100 2000 Michel Arboi <arboi () bigfoot com> wrote:
That is a fundamental question and I never found a clear answer.
RFC 793 does not explain how source ports numbers are allocated. It
just states that different programs on one machine should use
different port numbers.
AFAIK, Unix will never allocate the same TCP port numbers for client
programs connecting to different servers, althought it could perfectly
do it and comply to RFC 793.
As it is not in the norm, it should be a way to identify the OS,
unless everybody uses the same algorithm (first free port?)
Of course, the answer is quite simple for UDP, as it is not connected.
IMHO, this question is important for big sites : the number of
available "client ports" on the firewall (proxy or NAT) will limit the
number simultaneous connections from the internal network to wild wild
I made some investigation looking the Linux networking source code.
In Linux it looks like by default only ports 1024-4999 = 3795 simultaneous
connections (and TIME_WAITing) is possible. The Linux source code has a
comment that suggest changing this to the area 32768-61000 for high-usage
systems (using sysctl).
That made me wonder whether I'd move the IP masquerading area from 61000 -
(61000 + 4096) to either areas 1024 - something OR 32768 - 61000 -- in
former case I'd move the standard port allocation range to somewhere else
and just be careful not using anything.... hmm perhaps better using the
latter port range...
Anyway, What do you think. Any new problems coming to mind. Any better
ranges to suggest?
Main objectives are to extend the port range AND try to fool system
mailto:arboi () bigfoot com http://www.bigfoot.com/~arboi/
Re: Intrusion detection question. Michel Arboi (Feb 10)
Re: Intrusion detection question. Bart van Leeuwen (Feb 10)
- Re: Intrusion detection question., (continued)