Re: Request for discussion on defending against specific Nmap TCP syn and version scans.

From: Martin Mačok (martin.macok@underground.cz)
Date: Thu Mar 02 2006 - 03:02:55 EST

• Next message: revnic@gmail.com: "Re: Request for discussion on defending against specific Nmap TCP syn and version scans."
• Previous message: Louis: "Confidential, fast & secure, drugs online. SAVE here."
• In reply to: Smith, Chris: "Request for discussion on defending against specific Nmap TCP syn and version scans."
• Next in thread: revnic@gmail.com: "Re: Request for discussion on defending against specific Nmap TCP syn and version scans."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Wed, Mar 01, 2006 at 09:53:22AM -0800, Smith, Chris wrote:

> IPTables rule tweaks that can block particular scan types while
> still allowing legitimate connections.

Nothing against hardening TCP/IP stack and filtering packets out
unless it violates RFCs ...

You could easily block Xmas, Null and this sort of scan probes but you
can't easily detect and block slow SYN or CONNECT probing...

> Nmap -sV -P0 -T4 -p 80 -vv X.X.X.X
>
> It's probable that the scan results are being dumped out as xml
> which is then parsed by other scripts for the sole purpose of
> getting the target IP on a web app exploit attempt list of some
> type.

How much probable? Nmap is not blackhat-only tool used with malicious
intentions ... it is simply tool to get usefull information about the
box, both of use for blackhats and whitehats...

> The logical conclusion that one might make would be, that if this
> initial scan could be blocked, it could prevent a plethora of
> specific, targeted, future exploit attempts.

I think "prevent" is a too much strong word here. I think it just
obfuscates the service a bit which may only have some rather small
effect on a statistical probability of a succesfull attack ...

Also remember that there are many type of attacks that do not precede
with info gathering/fingerprinting phase ... (fe. worms).

By the way, if you detect and block Nmap version scan by signatures
then nmap-service-probes file could always be changed to a different set
of probes or tweaked until you can't distinguish it from regular
traffic patterns... sound like a classic virus/antivirus race game...

Don't take me wrong. I'm definitely _not_ against IDS's ability to
detect Nmap/Nessus/Whatever activity and flagging it out an
interesting security-relevant event ... but I'm also not sure if this
discussion belongs to pen-test.

Martin Mačok
ICT Security Consultant

------------------------------------------------------------------------------
This List Sponsored by: Lancope

"Discover the Security Benefits of Cisco NetFlow"
Learn how Cisco NetFlow enables cost-effective security across distributed
enterprise networks. StealthWatch, the veteran Network Behavior Analysis (NBA)
and Response solution, leverages Cisco NetFlow to provide scalable,
internal network security.
Download FREE Whitepaper "Role of Network Behavior Analysis (NBA) and Response
Systems in the Enterprise."

http://www.lancope.com/resource/
------------------------------------------------------------------------------

• Next message: revnic@gmail.com: "Re: Request for discussion on defending against specific Nmap TCP syn and version scans."
• Previous message: Louis: "Confidential, fast & secure, drugs online. SAVE here."
• In reply to: Smith, Chris: "Request for discussion on defending against specific Nmap TCP syn and version scans."
• Next in thread: revnic@gmail.com: "Re: Request for discussion on defending against specific Nmap TCP syn and version scans."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:35 EDT