[Info-vax] Kernel Transplantation
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Wed Jan 24 08:11:21 EST 2024
On 2024-01-23, Arne Vajhøj <arne at vajhoej.dk> wrote:
> On 1/22/2024 2:40 PM, Mark Berryman wrote:
>> I ran a VMS host fully exposed to the Internet with DECnet phase V on it
>> for years without issue. It was a honeypot so it wanted to see as many
>> attack attempts as possible. It was running WASD instead of Apache so
>> none of the attacks on the web port succeeded and none of the attacks on
>> the ports used by DECnet ever caused an issue.
>
> I was not even aware that DECnet used ports.
>
They are called objects, but they are really numbered ports, just like
TCP/IP. However, I suspect Mark is talking about the TCP/IP ports used
as a transport for DECnet packets, in the same way as SSH can be used
to transport X11 traffic.
> And how did DECnet traffic come in via the internet?
>
I suspect the implementation Mark is using encapsulates the DECnet
traffic in a little custom TCP/IP-based protocol, which is then routed
over one or more TCP/IP ports to its destination before the encapsulation
is reversed and the DECnet packets delivered to the target DECnet stack.
That means the attacks would be limited to malformed TCP/IP packets
unless the attacker was also running a DECnet stack and the same TCP/IP
DECnet encapsulation protocol.
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
More information about the Info-vax
mailing list