Security Basics mailing list archives

Re: IDS which denies access after one "false" scanned port

From: Todd Haverkos <infosec () haverkos com>
Date: Wed, 21 Dec 2011 20:41:16 -0600



Martin T <m4rtntns () gmail com> writes:

I found a webserver, which serves webpage on TCP port 80, but in case
I try to connect to any other TCP port, my IP will be blocked for
10min. Example below:

[root@ ~]# ping -qc1 www.<domain>.com
PING www.<domain>.com (10.10.10.3): 56 data bytes

Hi Martin,

In the very unlikely case:
a) this is for a client and you have permission to do this
b) denial of service is in-scope for the engagement
c) you have unusually clean access to the internet that will pass
spoofed packets relatively intact
and
d) you're mildly insane and have no business sense

...you could send some packets to various ports spoofed pretending to
be from, oh... the 13 root DNS servers and see if they were bright
enough to whitelist those servers from this behavior. :-)

If they haven't, I think it's still possible they'd be in for some
rather unpleasant DNS resolution issues with this lockout behavior.

But it'd be a good idea to talk them through that attack scenario to
make sure they've thought about that. :-)

If you need to portscan something like this, nmap's idle scan can be
rather handy. Most of the work there is finding suitably quiet
zombies to leverage.

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase,
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

IDS which denies access after one "false" scanned port Martin T (Dec 21)
- Re: IDS which denies access after one "false" scanned port Samuel Lavitt (Dec 21)
- Re: IDS which denies access after one "false" scanned port Matthew Caron (Dec 21)
  - Re: IDS which denies access after one "false" scanned port Orlando Leon (Dec 21)
- Re: IDS which denies access after one "false" scanned port Todd Haverkos (Dec 22)
- Re: IDS which denies access after one "false" scanned port Brent Huston (Dec 22)