Single Packet Authorization (Linux Journal)
Posted Mar 6, 2007 2:34 UTC (Tue) by tialaramex
Parent article: Single Packet Authorization (Linux Journal)
The main thing people seem to be looking for is a way to disadvantage bulk scanners. But that already exists, as a production system, in the form of IPv6. Bulk scanning IPv6 networks is not practical because of the much larger address space, so you can hide the entire machine, rather than just a service port, by simply neglecting to publicise its existence. With your SSH server using just one or two addresses in a LAN that has many billions of possible addresses, script kiddies simply can't find you. Once they start losing all the time, "find the SSH server" stops being a fun game and most script kiddies won't even bother trying any more.
Modern DNS servers no longer offer transfers to unknown third parties, so if you don't tell anyone that "panda.toys.example.com" is your IPv6 SSH server, there's no practical way for them to find out that it even exists, let alone that it's vulnerable to a brand new SSH vulnerability.
Of course this doesn't protect you against a sophisticated criminal, who might be shoulder-surfing your SSH server address at the same time he snoops on your passphrase and pickpockets your SecurID keyring. Resourceful attackers remain a significant threat, but eliminating the chaff we all deal with every day from script kiddies would even help to make the serious stuff more visible. If your IDS flagged one intrusion attempt per month you'd investigate, but on today's crowded IPv4 networks the IDS may be logging a hundred potentially serious incidents per hour, 24/7, until you switch it off altogether.
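To put numbers on the "script kiddies simply can't find you" argument in the comment above, here is a small added calculation (not part of the original comment or the Linux Journal article). It models a bulk scanner that sends uniformly random probes into an address block containing a few live hosts and reports the expected effort until the first hit, for an IPv4 /24 versus an IPv6 /64. The uniform-random scanner, the host count and the probe rate are constructed assumptions; real scanners exploit address structure and published records, so the IPv6 figure is an upper bound on their cost, not a guarantee.

```python
"""Expected effort for a random bulk scanner to find one of N live hosts
inside an address block.  Assumes each probe is an independent, uniformly
random address in the block (a simplifying assumption for illustration).
"""
from __future__ import annotations

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def block_size(address_bits: int, prefix_len: int) -> int:
    """Number of addresses in a block: 2^(address_bits - prefix_len)."""
    if not 0 <= prefix_len <= address_bits:
        raise ValueError("prefix length out of range for this address family")
    return 1 << (address_bits - prefix_len)


def expected_probes_to_hit(block: int, live_hosts: int) -> float:
    """Expected number of uniform random probes until one lands on a live host.

    Each probe hits with probability live_hosts / block, so the number of
    probes until the first hit is geometric with mean block / live_hosts.
    """
    if live_hosts <= 0 or live_hosts > block:
        raise ValueError("live_hosts must be between 1 and the block size")
    return block / live_hosts


def expected_years(block: int, live_hosts: int, probes_per_second: float) -> float:
    """Expected wall-clock years for a scanner at the given probe rate."""
    if probes_per_second <= 0:
        raise ValueError("probe rate must be positive")
    return expected_probes_to_hit(block, live_hosts) / probes_per_second / SECONDS_PER_YEAR


def compare(live_hosts: int = 2, probes_per_second: float = 1_000_000.0) -> dict:
    """Compare a /24 of IPv4 with a /64 of IPv6 for the same scanner.

    Defaults (constructed): two SSH hosts, as in the comment, and a fast
    scanner doing one million probes per second.
    """
    v4 = block_size(32, 24)
    v6 = block_size(128, 64)
    return {
        "ipv4_/24_seconds": expected_probes_to_hit(v4, live_hosts) / probes_per_second,
        "ipv6_/64_years": expected_years(v6, live_hosts, probes_per_second),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:,.6g}")
```

With the defaults the /24 falls in well under a millisecond, while the /64 takes on the order of hundreds of thousands of years at a million probes per second. That gap is the whole argument; the caveat is that the model only holds for addresses that are genuinely unguessable and unpublished, which is exactly the operational discipline the comment describes.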