Full Disclosure mailing list archives
Re: Hail list!
From: "Eliah Kagan" <degeneracypressure () gmail com>
Date: Thu, 7 Dec 2006 00:20:06 -0500
On 12/6/06, aNub15 wrote:
> 2. Looking for a low footprint windows firewall that's only supposed to do one thing. If someone hits port 110, block the I.P for a week? (should take care of most portscanners (skiddies)). And no I'm not worried about blocking real users on the box.
Has it occurred to you that someone could send spoofed SYN packets with port 110 as the destination, and any IP as the source? Maybe you should worry about blocking real users after all. If there is an IP range where you know you have no legitimate users, you should instead block that IP range. Any IP range where you might have legitimate users is a range that someone could deny access to easily. Except actually it would be you denying access to them; a person attacking you in that way would likely not even be legally responsible (but I am not a lawyer).

Also, why would that prevent access by most people scanning your ports? Suppose someone is scanning your entire subnet, for instance, but only on port 22. Or someone could scan lots of ports on your box, and notice that plenty were open until 110 was probed. This person could then think one of three things:

(1) Hmm, I guess that's all the ports open on that box.

(2) Hmm, lots of ports open, and then I scan port 110, and the rest are all closed/filtered. (This is especially likely if it is the person's *second* scan.) There must be something nice and juicy on that box. I will scan the rest of the ports from another IP and then penetrate any service I can and find out why such a strange measure of pseudo-security is in place.

(3) Hmm, I was reading Full Disclosure recently and somebody was asking about how to blacklist IPs for a week that send traffic to port 110. I bet this is the box of the guy who wanted to know how to do it. Let's find out why he wanted to do that...
> www.supernoia.com
Script kiddies and anybody else who likes portscanning thank you for the heads up. If you are going to implement this almost certainly bad idea (and it is for that server) you may wish to at least make it a different port.

-Eliah

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
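The spoofed-SYN problem in the reply above, worked through as an added simulation. This is example code written for this page, not code from the post, its author, or any firewall product. It models the "any packet to port 110 bans the source for a week" rule and feeds it constructed traffic, including a single SYN whose source address is forged to be a legitimate user's. The hardened variant is an assumption of this example rather than something the post proposes: it bans only after a completed TCP handshake (a forged source never sees the SYN-ACK, so it cannot complete one) and never bans addresses inside an operator-supplied allowlist of ranges known to hold real users. All IP addresses are constructed documentation addresses.

```python
"""Simulate a 'touch port 110 and you are banned for a week' rule against spoofed SYNs.

Example code added to this archived post; the hardening in HandshakeBlocklist is
this example's own suggestion, not something the original reply recommends.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

WEEK = timedelta(days=7)
TRIGGER_PORT = 110


@dataclass(frozen=True)
class Packet:
    ts: datetime
    src: str                      # source IP as seen on the wire (may be forged)
    dst_port: int
    handshake_done: bool = False  # True only once the TCP 3-way handshake completed


class NaiveBlocklist:
    """The rule as asked for: any packet aimed at port 110 bans its source IP for a week."""

    def __init__(self):
        self.banned = {}  # ip -> expiry time

    def observe(self, pkt):
        if pkt.dst_port == TRIGGER_PORT:
            self.banned[pkt.src] = pkt.ts + WEEK

    def is_blocked(self, ip, now):
        exp = self.banned.get(ip)
        return exp is not None and now < exp


class HandshakeBlocklist(NaiveBlocklist):
    """Assumed hardening (not from the post): only a completed handshake triggers a ban,
    since a sender forging its source address never receives the SYN-ACK and so cannot
    finish the handshake; addresses in allowlisted ranges are never auto-banned."""

    def __init__(self, allow_ranges=()):
        super().__init__()
        self.allow = [ipaddress.ip_network(r) for r in allow_ranges]

    def observe(self, pkt):
        if pkt.dst_port != TRIGGER_PORT or not pkt.handshake_done:
            return
        if any(ipaddress.ip_address(pkt.src) in net for net in self.allow):
            return
        self.banned[pkt.src] = pkt.ts + WEEK


def run_scenario():
    """Replay constructed traffic through both policies and report who ends up blocked."""
    t0 = datetime(2006, 12, 7, 0, 20)
    legit_user = "203.0.113.5"    # constructed: a real user's address, inside the allowlist
    bystander = "192.0.2.77"      # constructed: an innocent third party, not allowlisted
    scanner = "198.51.100.20"     # constructed: scans port 22 only, never touches 110
    attacker = "198.51.100.9"     # constructed: really connects to port 110 from its own IP
    traffic = [
        # one forged SYN each, carrying someone else's source address
        Packet(t0, src=legit_user, dst_port=TRIGGER_PORT),
        Packet(t0, src=bystander, dst_port=TRIGGER_PORT),
        # subnet-wide scan of port 22 only: the port-110 trigger never fires
        Packet(t0 + timedelta(seconds=1), src=scanner, dst_port=22),
        # a genuine connection to port 110 that completes the handshake
        Packet(t0 + timedelta(seconds=2), src=attacker, dst_port=TRIGGER_PORT, handshake_done=True),
    ]
    naive = NaiveBlocklist()
    hardened = HandshakeBlocklist(allow_ranges=["203.0.113.0/24"])
    for pkt in traffic:
        naive.observe(pkt)
        hardened.observe(pkt)
    later = t0 + timedelta(days=3)  # the real user comes back three days later
    return {
        "naive_blocks_legit_user": naive.is_blocked(legit_user, later),
        "naive_blocks_bystander": naive.is_blocked(bystander, later),
        "naive_blocks_port22_scanner": naive.is_blocked(scanner, later),
        "hardened_blocks_legit_user": hardened.is_blocked(legit_user, later),
        "hardened_blocks_bystander": hardened.is_blocked(bystander, later),
        "hardened_blocks_attacker": hardened.is_blocked(attacker, later),
        "naive_ban_lifted_after_week": not naive.is_blocked(legit_user, t0 + WEEK),
    }


if __name__ == "__main__":
    for name, blocked in run_scenario().items():
        print(f"{name}: {blocked}")
```

Run as a script to see the outcome of each case; the naive rule bans both forged sources and lets the port-22-only scanner through, while the handshake-gated rule bans only the address that actually completed a connection to port 110.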
Current thread:
- Hail list! aNub15 (Dec 06)
- Re: Hail list! Eliah Kagan (Dec 06)
- Re: Hail list! pingywon (Dec 07)
- Re: Hail list! pingywon (Dec 07)
- Re: Hail list! Eliah Kagan (Dec 06)