Re: Providers blocking portscans - bad news for pentest?

From: Chris Brenton (cbrenton@chrisbrenton.org)
Date: Mon Jul 04 2005 - 22:43:54 EDT


On Mon, 2005-07-04 at 17:13, Petr.Kazil@eap.nl wrote:
>
> However they have recently installed a system that will automatically block
> anyone doing a portscan. They mention a system of "aggregated firewalls"
> that behaves like a "bot".

Can you find out the specific tool they are using? My guess is they are
looking at "X" number of port attempts in "Y" amount of time. If so
something like:
nmap -T sneaky ...

should do the trick. I would expect that the threshold can not be all
that low, otherwise it would false positive on busy name and mail
servers.

> And what if providers start filtering TCP/IP traffic. Then portscans will
> become very unreliable.

Some already do. Many still block TCP/1433 & UDP/1434 due to the large
number of infected Slammer systems that have yet to be cleaned. Some
even block TCP/25, Echo-requests, inbound TCP/80 to non-hosted Web
servers, etc. It's all a matter of the provider's policy.

HTH,
Chris
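
Added example, not part of the message above and not any provider's actual tool: a sketch of the "X port attempts in Y time" threshold the reply guesses at, run over constructed events. It shows why a low raw-attempt threshold false-positives on a busy mail relay, and what counting distinct ports per destination over a longer window flags instead. The function name, thresholds and addresses are assumptions.

```python
from collections import defaultdict, deque

def flag_sources(events, threshold, window_s, distinct_ports=True):
    """Return {src: first_flag_time} for sources exceeding threshold in window_s.

    events: (timestamp_s, src, dst, dst_port) tuples sorted by timestamp.
    distinct_ports=False counts raw attempts per source ("X attempts in Y s").
    distinct_ports=True counts distinct ports per (src, dst) pair.
    """
    recent = defaultdict(deque)   # key -> sliding window of (ts, port)
    flagged = {}
    for ts, src, dst, port in events:
        key = (src, dst) if distinct_ports else src
        q = recent[key]
        q.append((ts, port))
        while ts - q[0][0] > window_s:   # expire entries older than the window
            q.popleft()
        count = len({p for _, p in q}) if distinct_ports else len(q)
        if count > threshold:
            flagged.setdefault(src, ts)
    return flagged

def sample_events():
    """Constructed traffic using documentation addresses, not captured data."""
    ev = []
    # Busy mail relay: 60 deliveries in 30 s, all to TCP/25 on different hosts.
    for i in range(60):
        ev.append((i * 0.5, "192.0.2.25", f"198.51.100.{i + 1}", 25))
    # Fast sweep: 40 different ports on one host within 4 s.
    for i in range(40):
        ev.append((i * 0.1, "203.0.113.7", "198.51.100.200", 1 + i))
    # Low-rate source: 40 different ports on one host, one every 20 s.
    for i in range(40):
        ev.append((i * 20.0, "203.0.113.9", "198.51.100.201", 1 + i))
    return sorted(ev)

if __name__ == "__main__":
    ev = sample_events()
    print("raw attempts, 10 s:  ", sorted(flag_sources(ev, 15, 10, False)))
    print("distinct ports, 10 s:", sorted(flag_sources(ev, 15, 10)))
    print("distinct ports, 1 h: ", sorted(flag_sources(ev, 15, 3600)))
```

The raw-attempt counter flags the mail relay along with the sweep; the distinct-port counter drops the relay, and only the longer window also catches the low-rate source.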


