Re: Stopping portscanning

[Max Lopez <mlopez () itesm mx>]

Ok.. actually we have a NAT, but as we are not using "Cisco Overload" nat , so  
every host has a "public" address (although this public address changes from 
time to time), not as a traditional "proxy" in wich all internal IP address 
goes to the Internet as just one IP referenced by the port number.

In this case every host has a nat translation that last for 10 minutes, and as 
long as the host has traffic the translation time extends, so a port scanning 
to an active nat translation is succesfull since the nat is mantained by the 
scanning itself.

Well, seems like we need a Stateful inspection system, but as we have about 
20,000 hosts this gets dificult to deploy.

Thanks a lot.




On Friday 07 March 2003 11:59 am, twig les wrote:
> Stateful inspection/NAT at the border works well, although not
> always feasible.  We also end almost all of our Cisco acls with
> a "deny ip any any log" and that helps too.  I don't see Snort
> doing this very well, especially because of the high rate of
> false positives in this area.
>
> --- Max Lopez <mlopez () itesm mx> wrote:
> > Hi:
> >
> > I am using Snort to detect Kazaa and Gnutella trafic, and to
> > send a TCP Reset
> > to both IPs when the Snort detects the traffic, we have been
> > able to lower
> > the traffic in our "Internet 2" serial (E3-34mbps) from
> > 10-12mbps to 1-2
> > mbps.
> >
> > Now I am seeing a lot of portscans, so I am looking for some
> > way to stop that
> > portscanning, I am not sure if there is some way to send
> > TCP_RESETs or
> > HOST_UNREACHABLE icmp's.. do you have any way of stopping
> > those scans??
> >
> > Thanks a lot.
> >
> > --
> >
> > Max Lopez
> > Departamento de Redes Corporativo
> > ITESM Sistema
> > Tel. (81) 8358-2000  ext. 4136
> > Fax. (81) 8328-4208
> > Monterrey Mexico.
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: Etnus, makers of TotalView,
> > The debugger
> > for complex code. Debugging C/C++ programs can leave you
> > feeling lost and
> > disoriented. TotalView can help you find your way. Available
> > on major UNIX
> > and Linux platforms. Try it free. www.etnus.com
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> =====
> -----------------------------------------------------------
> Know yourself and know your enemy and you will never fear defeat.
> -----------------------------------------------------------
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Tax Center - forms, calculators, tips, more
> http://taxes.yahoo.com/

-- 

Max Lopez
Departamento de Redes Corporativo
ITESM Sistema
Tel. (81) 8358-2000  ext. 4136
Fax. (81) 8328-4208
Monterrey Mexico.


-------------------------------------------------------
This SF.net email is sponsored by: Etnus, makers of TotalView, The debugger 
for complex code. Debugging C/C++ programs can leave you feeling lost and 
disoriented. TotalView can help you find your way. Available on major UNIX 
and Linux platforms. Try it free. www.etnus.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users