Re: Blocking Port scans

From: Georgi Alexandrov (georgi.alexandrov@gmail.com)
Date: Thu Oct 27 2005 - 01:47:52 EDT

• Next message: Brian Loe: "RE: Scanning Class A network"
• Previous message: arif.jatmoko@sea.ccamatil.com: "Re: Backdoor:Win32/Hackdef.E"
• In reply to: BSK: "Blocking Port scans"
• Next in thread: Geelen, Ruud: "RE: Blocking Port scans"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

BSK wrote:

>Hello Everyone,
>
>Just wanted some feedback from you people. I'm doing a
>Firewall Assessment for a CISCO PIX firewall. The
>firewall allows SYN, FIN, NULL and XMAS scans but
>blocks ACK scans (largely means its a stateful
>firewall).
>
>Now what do we do to block the scans that are allowed.
>I think it should be easy to block FIN, NULL and XMAS
>scans but how do we block or limit or workaround a SYN
>scan. 1 way that I think is probably blocking or
>limiting the packets from the source (using IDS/IPS)
>
>Looking ahead to some ideas, thoughts, hints.
>
>thns bshan
>
>
>
Hello,

I think that wasting your time searching for a (complex?) mechanism to
block port scans is useless.
If a person wants to know what services a host is running - he will find
them ... one way or another.

Nmap for example has alot of options that can make any port scan
detecting system suffer: decoys,
paranoid scanning option, etc .. etc. But maybe a person doesn't even
need the internet to figure out
the services - there are phones, not so knowledgable support personnel, etc.

I would prefer researching and intergrating more serious and interesting
security policies
than wondering how to block port scans.

Otherwise if you still insist on trying to detect port scans (and block
them after that),
you can try scanlogd by Solar Designer.

Maybe i get the whole picture wrong and my opinion is useless, you will
decide that ;-)

regards,
Georgi Alexandrov

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

• Next message: Brian Loe: "RE: Scanning Class A network"
• Previous message: arif.jatmoko@sea.ccamatil.com: "Re: Backdoor:Win32/Hackdef.E"
• In reply to: BSK: "Blocking Port scans"
• Next in thread: Geelen, Ruud: "RE: Blocking Port scans"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:06 EDT