Penetration Testing mailing list archives
Re: Blocking Port scans
From: Jason Thompson <securitux () gmail com>
Date: Wed, 2 Nov 2005 13:30:54 -0500
Agreed. It is easy to bypass firewall portscan protection and even IDS / IPS portscan protection with a tool such as Nmap... you will never see an intruder scan your network if he / she is even remotely competent at pre-attack probing. Don't bother blocking SYN scans, but monitor unusual traffic inside your network such as SYN-FYN scans or FIN scans (I personally have never seen a legitimate SF packet). If you want blocking of scans, look for an IPS but be warned... as others have mentioned you leave a possible DoS condition available for an attacker to exploit. IMO, scans are very low priority... its what comes afterwards that you need to be concerned about. Have an IPS monitor and log scans, then watch for any unusual activity from those machines following the scans. Let the firewall do what it does best: drop or accept traffic based on a strict security policy. -J On 10/31/05, Geelen, Ruud <ruud.geelen () logicacmg com> wrote:
Hi all, I agree with Georgi: it is not a function of a firewall to block / detect port scans. The PIX is designed to protect your network. So (D)DOS attacks would be blocked by your firewall if configured correctly amongst other things. (using the "static" commands) Scans are noticed but if legitimate not blocked. If you want to detect port scans you need IDS functionality, if you need to block it think about an IPS. Your PIX will not let you do this, the IDS it uses is much to weak to do so (version 6.3 and below), although since v7.x a lot has changed. And even there: if it is a very slow scan not many IDS/IPS will detect them. So forget about being able to block port scans on a firewall and think about IDS/IPS equipment. Cheers, Ruud CCIE #12793 security -----Original Message----- From: Georgi Alexandrov [mailto:georgi.alexandrov () gmail com] Sent: donderdag 27 oktober 2005 7:48 To: pen-test () securityfocus com Subject: Re: Blocking Port scans BSK wrote:Hello Everyone, Just wanted some feedback from you people. I'm doing a Firewall Assessment for a CISCO PIX firewall. The firewall allows SYN, FIN, NULL and XMAS scans but blocks ACK scans (largely means its a stateful firewall). Now what do we do to block the scans that are allowed. I think it should be easy to block FIN, NULL and XMAS scans but how do we block or limit or workaround a SYN scan. 1 way that I think is probably blocking or limiting the packets from the source (using IDS/IPS) Looking ahead to some ideas, thoughts, hints. thns bshanHello, I think that wasting your time searching for a (complex?) mechanism to block port scans is useless. If a person wants to know what services a host is running - he will find them ... one way or another. Nmap for example has alot of options that can make any port scan detecting system suffer: decoys, paranoid scanning option, etc .. etc. But maybe a person doesn't even need the internet to figure out the services - there are phones, not so knowledgable support personnel, etc. I would prefer researching and intergrating more serious and interesting security policies than wondering how to block port scans. Otherwise if you still insist on trying to detect port scans (and block them after that), you can try scanlogd by Solar Designer. Maybe i get the whole picture wrong and my opinion is useless, you will decide that ;-) regards, Georgi Alexandrov ------------------------------------------------------------------------ ------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ------------------------------------------------------------------------ ------- This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Re: RE: Blocking Port scans barcajax (Nov 01)
- <Possible follow-ups>
- Re: Blocking Port scans Jason Thompson (Nov 03)