From: Smith, Chris (Chris.Smith@nwdc.net)
Date: Wed Mar 01 2006 - 12:53:22 EST
Greetings list members,
I'd like to generate some discussion and ask the list for a few best
practice ideas on how to best defend against and ultimately block TCP
syn (-sS) and version scans (-sV) against specific ports, in particular
port 80. These targeted scans initiate a full TCP connection complete
with 3 way handshake and thus are able to look like legitimate http
requests. Specifically I'm interested in ideas that talk about
authoring a snort rule of sorts that can log to the alerts file, or
IPTables rule tweaks that can block particular scan types while still
allowing legitimate connections. For example lets assume an attacker
uses the following
scan against a listening apache web server on the target IP.
Nmap -sV -P0 -T4 -p 80 -vv X.X.X.X
It's probable that the scan results are being dumped out as xml which is
then parsed by other scripts for the sole purpose of getting the target
IP on a web app exploit attempt list of some type.
As the scan is attempted against the target IP, Apache's access_log
indicates the following:
24.21.193.231 - - [28/Feb/2006:04:50:33 -0800] "GET / HTTP/1.0" 200 2349
Where 24.21.193.231 is most likely a compromised system being used for
bulk scanning. Apache sends http response 200 back letting the attacker
know of it's presence. based on observing future log file activity, it
appears that this successful probe has automatically placed this box on
an automated exploit attempts list, because multiple exploit attempts
for the various IIS, and PHP forum /bulletin apps are attempted and show
up in apache's access_log. Basically attempts that utilize the latest
round of vulnerability disclosures being submitted to BugTraq start
showing up.
The logical conclusion that one might make would be, that if this
initial scan could be blocked, it could prevent a plethora of specific,
targeted, future exploit attempts.
------------------------------------------------------------------------------
This List Sponsored by: Lancope
"Discover the Security Benefits of Cisco NetFlow"
Learn how Cisco NetFlow enables cost-effective security across distributed
enterprise networks. StealthWatch, the veteran Network Behavior Analysis (NBA)
and Response solution, leverages Cisco NetFlow to provide scalable,
internal network security.
Download FREE Whitepaper "Role of Network Behavior Analysis (NBA) and Response
Systems in the Enterprise."
http://www.lancope.com/resource/
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:35 EDT