[Info-vax] Kernel Transplantation
Mark Berryman
mark at theberrymans.com
Wed Jan 24 10:36:03 EST 2024

On 1/24/24 6:11 AM, Simon Clubley wrote:
> On 2024-01-23, Arne Vajhøj <arne at vajhoej.dk> wrote:
>> On 1/22/2024 2:40 PM, Mark Berryman wrote:
>>> I ran a VMS host fully exposed to the Internet with DECnet phase V on it
>>> for years without issue. It was a honeypot so it wanted to see as many
>>> attack attempts as possible. It was running WASD instead of Apache so
>>> none of the attacks on the web port succeeded and none of the attacks on
>>> the ports used by DECnet ever caused an issue.
>>
>> I was not even aware that DECnet used ports.
>>
>
> They are called objects, but they are really numbered ports, just like
> TCP/IP. However, I suspect Mark is talking about the TCP/IP ports used
> as a transport for DECnet packets, in the same way as SSH can be used
> to transport X11 traffic.
>
>> And how did DECnet traffic come in via the internet?
>>
>
> I suspect the implementation Mark is using encapsulates the DECnet
> traffic in a little custom TCP/IP-based protocol, which is then routed
> over one or more TCP/IP ports to its destination before the encapsulation
> is reversed and the DECnet packets delivered to the target DECnet stack.
>
> That means the attacks would be limited to malformed TCP/IP packets
> unless the attacker was also running a DECnet stack and the same TCP/IP
> DECnet encapsulation protocol.

No, as I mentioned in a previous message, it was DECnet Phase V, which
supports DECnet over IP. An attacker would not need to be running
DECnet. The attacks simply tried to attack the ports used by DECnet
Phase V. And, as I mentioned, none of those attack attempts caused an
issue for the DECnet stack.

Mark Berryman