Security Basics mailing list archives
Re: Dealing with Scans (portscans, vulnerability, etc.)
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Tue, 24 Nov 2009 15:59:07 -0430
On Sunday 22 November 2009 01:35:02 Tony Raboza wrote:
> Hi, I'm tuning my IDS and I'm thinking of taking out the portscan/web vulnerability scan rules. Why? Because, yes - I know that somebody may be scanning my network - but, what can I do about it?
>
> 1. Block the IP? But, what if it's NAT - meaning only 1 workstation/user did the port scanning, I would be blocking all the possibly valid users behind that IP.
Indeed. That's right.
> 2. Report it to their ISP or to them? Then what?
Not all ISPs take action against their users doing port scanning. It depends on internal policy and local legislation.
> I want my IDS console not to be too cluttered, that's why I'm tuning it. If it's too cluttered - I might be missing out on the really important alerts. What about you? How do you deal with port/vulnerability scans?
First of all, we must secure our sites/servers enough to prevent attacks, even if the attacker knows every detail about our platform, including usernames, ports, OS, versions, hardware, and more. After that, we have two options to _delay_ scanning:

1- Restrict the scan: You can automatically block certain IPs using an IPS. It will delay, not prevent, the scanning. An attacker could use anti-IPS techniques to prevent detection and bypass the protection.

2- Confuse the attacker: You can automatically send crafted information to the scanning process and overload it with trash. I wrote an application to do that; I called it portjammer / synackflood. It is open source, and you can download it from: http://sourceforge.net/projects/synackflood/
> Is it illegal btw?
We need to understand that the Internet is not ruled by only one legislation. Every country has its own laws on that matter. And attackers are usually based in other countries. In my country (for example), we have a special law for internet crime; this law defines that any attacker can't be extradited based on foreign laws on that matter. And... scanning itself is not defined as an offense here. Add to this that many of these countries do not have the infrastructure to investigate cybercrime. And in addition, many attackers are using free wifi hotspots. What does this mean? We must protect our networks against attackers from around the world, not thinking that our local laws will protect us. Local laws are intended to prevent local crime, and these laws do not always work outside our country.
> Thanks. Best, Tony
-- 
Ing. Aaron G. Mizrachi P.
http://www.unmanarc.com
Mobil 1: + 58 416-6143543
BBPIN: 0x 247066C1
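The thread's two practical points (a cluttered console hides the important alerts; blocking a scanning IP may punish every user behind a NAT) can both be handled in the IDS tuning itself. The script below is an added example, not code from the original thread or from its author's synackflood project: it aggregates port-scan evidence from firewall log lines into one alert per source instead of one alert per probed port, and attaches a short, expiring block rather than a permanent one, so a shared NAT address is affected only briefly. The log lines, thresholds and the iptables-LOG-style format are constructed for this example.

```python
"""Added example (not from the original thread): one alert per scanning
source, with a short temporary block instead of a permanent one."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables (assumed values, not taken from the thread).
DISTINCT_PORT_THRESHOLD = 10        # distinct TCP ports from one source ...
WINDOW = timedelta(seconds=60)      # ... inside this sliding window = scan
TEMP_BLOCK = timedelta(minutes=10)  # short block: delays the scan, limits NAT collateral

# Constructed sample log, iptables LOG-target style (not from the page).
SAMPLE_LOG = """\
Nov 24 15:01:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Nov 24 15:01:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Nov 24 15:01:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Nov 24 15:01:03 fw kernel: IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
Nov 24 15:01:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Nov 24 15:01:04 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=53 SYN
Nov 24 15:01:04 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=80 SYN
Nov 24 15:01:05 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=110 SYN
Nov 24 15:01:05 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=135 SYN
Nov 24 15:01:06 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40009 DPT=139 SYN
Nov 24 15:01:06 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40010 DPT=143 SYN
Nov 24 15:01:07 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40011 DPT=443 SYN
Nov 24 15:01:07 fw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40012 DPT=445 SYN
Nov 24 15:01:09 fw kernel: IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80 SYN
Nov 24 15:02:00 fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=53 LEN=40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2009):
    """Parse one iptables-style log line; return None for lines that don't match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def detect_scans(lines):
    """Return {src: alert} for sources touching DISTINCT_PORT_THRESHOLD or more
    distinct TCP ports within WINDOW. One alert per source, not per port."""
    events = defaultdict(list)  # src -> [(timestamp, dst_port)]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "TCP":  # only TCP probes count for this check
            events[ev["src"]].append((ev["ts"], ev["dpt"]))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start so evs[start:end+1] spans at most WINDOW
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= DISTINCT_PORT_THRESHOLD:
                alerts[src] = {
                    "src": src,
                    "first_seen": evs[0][0],
                    "last_seen": evs[-1][0],
                    "distinct_ports": sorted({p for _, p in evs}),
                    # expiring block: a NAT gateway behind this IP is only briefly affected
                    "block_until": evs[-1][0] + TEMP_BLOCK,
                }
                break
    return alerts


def console_line(alert):
    """Single summarized console entry for one scanning source."""
    return (f"PORTSCAN src={alert['src']} distinct_ports={len(alert['distinct_ports'])} "
            f"window={alert['first_seen']:%H:%M:%S}-{alert['last_seen']:%H:%M:%S} "
            f"temp_block_until={alert['block_until']:%H:%M:%S}")


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG.splitlines()).values():
        print(console_line(alert))
```

On the sample, the twelve probes from 203.0.113.7 collapse into a single console line, while the two normal connections from 198.51.100.20 and the UDP DNS packet produce nothing; the block expiry carried in the alert is what a firewall rule should key on, so the block delays the scanner without permanently cutting off whoever else shares that address.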