Nmap Announce mailing list archives
Re: how to know scan is correct?
From: Bart van Leeuwen <bart () ixori demon nl>
Date: Fri, 11 Feb 2000 22:48:26 +0100
Justin wrote:
> On Thu, 10 Feb 2000, Bennett Todd wrote:
> > 2000-02-10-01:09:22 Justin:
> > > That's why you have an iptables/whatever module that listens looks for syns to non-open ports, logs once, then filters the offending ip/netmask for 30 minutes or a few days if you're particularly fascist.
> >
> > If you're going to do any such reactive firewall stuff as this, make very sure nobody knows you're doing it; if they know you're doing that, it's amazingly easy for them to cut you off from any or all of the internet. Lessee, how long would it take to send SYN packets to closed ports with source addrs forged from all the root nameservers.
>
> The people who need to block portscans because they're worried about being rooted need to upgrade their daemons. The people who think they need to block them are either people who are doing it for their personal systems, or people like the government who have this bizarre idea that having 50 gigs of logs each day somehow makes their systems more secure.
imho there are a few more things to this. My systems do some amount of logging which many people would find extreme, and which, as far as the logs from ipfilters go, is largely ignored but kept (yes, I even have backups of them). Does this make me more secure? Well, not really. It does however allow me to do 2 things:
1. do statistical analysis on all kinds of traffic (not just scans, they are just one of the kinds of 'traffic' that end up in such logs)
2. look back in time in case I find out something happened and want to know more.
> There is no good "security through obscurity" approach. Filtering with temporary firewall rules is not a security measure. It's a proof of concept kind of thing. You can generate fake replies on closed ports, but the people you don't want scanning you are just looking for specific daemons, and it doesn't matter to them that you have honeypots on all privileged closed ports. As was pointed out, syn scans leave a log trail, but spoofed syn floods are a good way to cover up real syn scans. Still, you could probably detect them. The NSA probably does a statistical analysis on source addresses every time they get flooded.
They are not the only ones who can afford the capacity to do that. Anyway, the point is not so much obscurity (as in preventing ports to show when someone does a full scan of a machine) but the simple fact that ip range scans for certain ports will not turn up a machine as one with a filtered port is more the issue. I don't think there are many good reasons to try to completely prevent a port scan, but there is a lot to say to make that many people don't even notice the box. Sure, it won't keep away those who simply and seriously want to break into your box, but it prevents quite a bit of annoying traffic and bandwidth consumption ;P

The fact that those who will no longer see the machine are not the ones to really worry about doesn't really mean that you shouldn't be keeping them away if possible with relatively easy measures if you don't want them there. And on another note, there is no reason to not want to limit a machine to only those forms of communications that it needs to have when you are sure you have the most recent (and personally audited ;-) versions of all software it runs.. just as having an ipfilter is not a reason to not ensure that the things you let people talk to are as secure as possible.

In short: additional measures can often lead to increased security; dismissing a measure because you think the ones you already took are perfect usually decreases security.

-- Bart van Leeuwen
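As an added illustration (not code from the thread or from any of its authors), here is a small Python model of the reactive blocker Justin describes, with the safeguard Bennett's objection calls for: addresses you cannot afford to lose (resolvers, upstream gateway) are logged but never auto-blocked, and the block table is capped so a forged flood cannot grow it without bound. All addresses, ports and the protected range are constructed placeholders (RFC 5737 documentation ranges).

```python
import ipaddress
from dataclasses import dataclass, field

OPEN_PORTS = {22, 80}                     # assumed: services this host really offers
BLOCK_SECONDS = 30 * 60                   # the "30 minutes" from the thread
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: our resolvers/gateway
MAX_BLOCKED = 100                         # cap: a spoofed flood cannot fill the table


@dataclass
class ReactiveBlocker:
    protect_infrastructure: bool = True
    blocked: dict = field(default_factory=dict)   # src -> expiry time (seconds)
    logged: set = field(default_factory=set)      # sources logged once already

    def _protected(self, src):
        return any(ipaddress.ip_address(src) in net for net in NEVER_BLOCK)

    def expire(self, now):
        for src in [s for s, exp in self.blocked.items() if exp <= now]:
            del self.blocked[src]

    def observe(self, now, src, dport, flags):
        """Handle one packet summary; return the action taken."""
        self.expire(now)
        if flags != "S" or dport in OPEN_PORTS:
            return "pass"                 # only SYNs to closed ports are interesting
        self.logged.add(src)              # log once per source, as the thread describes
        if self.protect_infrastructure and self._protected(src):
            return "log-only"             # a forged SYN must not cut us off from our own resolver
        if src in self.blocked:
            return "already-blocked"
        if len(self.blocked) >= MAX_BLOCKED:
            return "log-only"
        self.blocked[src] = now + BLOCK_SECONDS
        return "blocked"

    def is_blocked(self, src):
        return src in self.blocked


def demo(protect=True):
    """Replay constructed packets: a real scan plus a SYN forged from the resolver's address."""
    b = ReactiveBlocker(protect_infrastructure=protect)
    packets = [
        (0, "198.51.100.7", 23, "S"),     # scanner probing a closed port
        (1, "198.51.100.7", 80, "S"),     # same scanner, open port: nothing new
        (2, "192.0.2.53", 6000, "S"),     # forged source: our resolver
        (200, "203.0.113.9", 22, "S"),    # legitimate SSH client
    ]
    actions = [b.observe(*p) for p in packets]
    return actions, b.is_blocked("192.0.2.53"), b.is_blocked("198.51.100.7")
```

With `protect=False` the forged packet gets the resolver blocked, which is exactly the self-inflicted outage the thread warns about.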