Re: Block / Monitor PORTSCAN/QUESO/NMAP/ETC...

[Benjamin Smee <ben.smee () one net au>]

William Stearns wrote:
> Good day, Fabio,
>
> On Sat, 30 Oct 1999, Fabio da Silva Cunha wrote:
>
> > I need to monitor and if possible protect against this kind of attack
> > (PORTSCAN/QUESO/NMAP/ETC...)
> > anyone know how to do this?
>
>         You describe them as attacks.  Are they really?  In a sense, they
> can be used as information gathering tools ("Those systems are all running
> System 7 and I don't have any attacks against those...") which a cracker
> might use in the process of attacking a system.  As to whether they
> constitute attacks by themselves, that's debatable.
>
>         Queso (which identifies remote systems by looking at the response
> received by sending packets with different characteristics and tcp flags
> to an open port and comparing the responses to an internal table) needs to
> have an open port to talk to.  If you're dead set on not having someone be
> able to identify what OS you're running, don't run any open services.  If
> you need to run services, someone can use queso to see what os you're
> running.  Sorry.

Hello,

just a small pedantic correction but one that i feel is important at any
rate:) It IS possible to protect yourselves from these type of
"attacks" (personally i dont consider them attacks but thats another
point) by modifying your TCP/IP stack. Now I realise this is not for the
faint hearted but it can and does change your fingerprint for things
like nmap and queso. It is therefore possible to be running services
while still concealing your OS from remote identification.

regards,



-- 
Benjamin Smee
ben.smee () one net au or ben.smee () onetel com au
308440 () pager link com au
+61-2-95139346