Full Disclosure mailing list archives

Re: Hail list!


From: "Eliah Kagan" <degeneracypressure () gmail com>
Date: Thu, 7 Dec 2006 00:20:06 -0500

On 12/6/06, aNub15 wrote:
> 2. Looking for a low footprint windows firewall that's only supposed to do
> one thing. If someone hits port 110, block the IP for a week? (should take
> care of most portscanners (skiddies)). And no I'm not worried about blocking
> real users on the box.

Has it occurred to you that someone could send spoofed SYN packets
with port 110 as the destination, and any IP as the source? Maybe you
should worry about blocking real users after all. If there is an IP
range where you know you have no legitimate users, you should instead
block that IP range. Any IP range where you might have legitimate
users is a range that someone could deny access to easily. Except
actually it would be you denying access to them--a person attacking
you in that way would likely not even be legally responsible
(but I am not a lawyer).

Also, why would that prevent access by most people scanning your
ports? Suppose someone is scanning your entire subnet, for instance,
but only on port 22. Or someone could scan lots of ports on your box,
and notice that plenty were open until 110 was probed. This person
could then think one of three things:

(1) Hmm, I guess that's all the ports open on that box.
(2) Hmm, lots of ports open, and then I scan port 110, and the rest
are all closed/filtered. (This is especially likely if it is the
person's *second* scan.) There must be something nice and juicy on
that box. I will scan the rest of the ports from another IP and then
penetrate any service I can and find out why such a strange measure of
pseudo-security is in place.
(3) Hmm, I was reading Full Disclosure recently and somebody was
asking about how to blacklist IPs for a week that send traffic to port
110. I bet this is the box of the guy who wanted to know how to do it.
Let's find out why he wanted to do that...

www.supernoia.com

Script kiddies and anybody else who likes portscanning thank you for
the heads up. If you are going to implement this almost certainly bad
idea--and it is for that server--you may wish to at least make it a
different port.

-Eliah

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
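The spoofing problem Eliah raises, worked through as an added example (this is not code from the original thread or from either poster). It simulates the "anyone who hits port 110 gets banned for a week" trap two ways: banning on the first SYN, which trusts nothing but the forgeable source address, and banning only after the client completes the three-way handshake by acknowledging a random ISN the trap put in its SYN-ACK. A blind spoofer never receives that SYN-ACK, so it cannot forge a ban against someone else's address. The packets are constructed Python objects, not captured traffic; the addresses are RFC 5737 documentation ranges; the allowlist is this example's own assumption.

```python
"""Port-110 "ban for a week" trap, simulated two ways.

Added example for this thread, not code from the original post. Packets
are constructed Python objects, not captured traffic, and the addresses
come from the RFC 5737 documentation ranges. The trap port (110) and the
one-week ban are the thread's; the allowlist is this example's assumption.
"""
import random
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

TRAP_PORT = 110
BAN_SECONDS = 7 * 24 * 3600


@dataclass(frozen=True)
class Packet:
    src: str            # claimed source address; trivially forgeable
    dst_port: int
    flags: str          # "S" SYN, "SA" SYN-ACK, "A" ACK, "R" RST
    seq: int = 0
    ack: int = 0


class Trap:
    """Bans sources that touch TRAP_PORT.

    require_handshake=False bans on the first SYN, i.e. on nothing but the
    forgeable source address (the scheme asked about in the thread).
    require_handshake=True bans only when the client ACKs the random ISN we
    put in our SYN-ACK. A blind spoofer never sees that SYN-ACK (it goes to
    the forged address), so it cannot produce the right ACK number.
    """

    def __init__(self, require_handshake: bool, allow: Set[str] = frozenset()):
        self.require_handshake = require_handshake
        self.allow = set(allow)                 # never banned, e.g. admin hosts
        self.bans: Dict[str, float] = {}        # ip -> ban expiry time
        self.half_open: Dict[str, int] = {}     # ip -> ISN we sent it

    def is_banned(self, ip: str, now: float) -> bool:
        expiry = self.bans.get(ip)
        return expiry is not None and now < expiry

    def inbound(self, p: Packet, now: float) -> Optional[Packet]:
        """Process one inbound packet; return our reply to it, if any."""
        if p.dst_port != TRAP_PORT or p.src in self.allow:
            return None
        if p.flags == "S":
            if not self.require_handshake:
                self.bans[p.src] = now + BAN_SECONDS   # trusts the source field
                return None
            isn = random.getrandbits(32)
            self.half_open[p.src] = isn
            return Packet("server", 0, "SA", seq=isn, ack=(p.seq + 1) % 2**32)
        if p.flags == "A" and p.src in self.half_open:
            expected = (self.half_open.pop(p.src) + 1) % 2**32
            if p.ack == expected:               # handshake completed for real
                self.bans[p.src] = now + BAN_SECONDS
        elif p.flags == "R":
            self.half_open.pop(p.src, None)
        return None


def real_client_connects(trap: Trap, ip: str, now: float) -> None:
    """A host that really owns `ip` completes the three-way handshake."""
    client_isn = random.getrandbits(32)
    syn_ack = trap.inbound(Packet(ip, TRAP_PORT, "S", seq=client_isn), now)
    if syn_ack is not None:   # it received our SYN-ACK, so it can ACK our ISN
        trap.inbound(Packet(ip, TRAP_PORT, "A", seq=client_isn + 1,
                            ack=(syn_ack.seq + 1) % 2**32), now + 0.05)


def spoofed_syn(trap: Trap, forged_ip: str, now: float) -> None:
    """Attacker sends one SYN with a forged source. Our SYN-ACK goes to
    forged_ip, not to the attacker, so no valid ACK can follow."""
    trap.inbound(Packet(forged_ip, TRAP_PORT, "S", seq=random.getrandbits(32)), now)


def demo(require_handshake: bool) -> Tuple[bool, bool, bool]:
    """Run a constructed scenario; return (legit_banned, scanner_banned, admin_banned)."""
    legit, scanner, admin = "198.51.100.7", "203.0.113.9", "192.0.2.10"
    trap = Trap(require_handshake, allow={admin})
    spoofed_syn(trap, legit, 0.0)              # attacker forges the legit user's IP
    real_client_connects(trap, scanner, 1.0)   # full-connect scan / banner grab
    real_client_connects(trap, admin, 2.0)     # allowlisted host
    now = 3.0
    return (trap.is_banned(legit, now), trap.is_banned(scanner, now),
            trap.is_banned(admin, now))


if __name__ == "__main__":
    print("ban on SYN:        legit, scanner, admin banned =", demo(False))
    print("ban on handshake:  legit, scanner, admin banned =", demo(True))
```

With the SYN-triggered variant the forged SYN bans the legitimate user for a week and the attacker never appears in the ban list at all; with the handshake-gated variant the forged SYN only leaves a half-open entry and the legitimate user stays reachable. The trade-off is that a half-open scan (nmap's default SYN scan, for instance) never completes the handshake either, so the handshake-gated trap bans fewer scanners, and neither variant does anything about the information leak described in points (2) and (3) above. On a real firewall the equivalent distinction is matching on connection state (established) rather than on a bare SYN.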
