Security Basics mailing list archives

Re: Dealing with Scans (portscans, vulnerability, etc.)


From: Aarón Mizrachi <unmanarc () gmail com>
Date: Tue, 24 Nov 2009 15:59:07 -0430

On Sunday 22 November 2009 01:35:02 Tony Raboza wrote:
> Hi,
>
> I'm tuning my IDS and I'm thinking of taking out the portscan/web
> vulnerability scan rules.  Why?  Because, yes - I know that somebody
> may be scanning my network - but, what can I do about it?
>
> 1.  Block the IP? But, what if it's NAT - meaning only 1
> workstation/user did the port scanning, I would be blocking all the
> possibly valid users behind that IP.

Indeed. That's right.

> 2.  Report it to their ISP or to them?  Then what?

Not all ISPs take action against their users doing port scanning. It depends on 
internal policy and local legislation.

> I want my IDS console not to be too cluttered that's why I'm tuning
> it.  If it's too cluttered - I might be missing out the really
> important alerts.
>
> What about you?  How do you deal with port/vulnerability scans?

First of all, we must secure our sites/servers well enough to withstand attacks 
even if the attacker knows every detail about our platform: usernames, ports, 
OS, versions, hardware, and more.

After that, we have two options to _delay_ scanning:

1- Restrict the scan: You can automatically block certain IPs using an IPS. It 
will delay, not prevent, the scanning. An attacker could use anti-IPS 
techniques to avoid detection and bypass the protection.

2- Confuse the attacker: You can automatically send crafted information to the 
scanning process and overload it with trash.

I wrote an application to do that; I called it portjammer / synackflood. It is 
open source, and you can download it from:

http://sourceforge.net/projects/synackflood/

> Is it illegal btw?

We need to understand that the Internet is not ruled by only one legislation. 
Every country has its own laws on that matter. And attackers are usually 
based in other countries.

In my country (for example), we have a special law for Internet crime; this 
law defines that an attacker can't be extradited based on foreign laws on 
that matter. And... scanning itself is not defined as an offense here.

Add to this that many of these countries do not have the infrastructure to 
investigate cybercrime. And in addition, many attackers are using free wifi 
hotspots.

What does this mean?

We must protect our networks against attackers around the world, not thinking 
that our local laws will protect us. Local laws are intended to prevent local 
crime, and these laws do not always work outside of our country.



> Thanks.
>
> Best,
> Tony



-- 
Ing. Aaron G. Mizrachi P.    

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
BBPIN: 0x 247066C1
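As an added illustration of the two options in the reply above (restrict the scan with an IPS, or confuse the scanner with fake SYN/ACKs), here is a small Python toy model of a SYN scan against a host. It is example code written for this archive page, not code from the original post and not the synackflood project's own code; the hosts, the IPS threshold, the port set and the addresses (taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are all constructed for the demo.

```python
# Added example for this thread (not the synackflood code): a toy model of a
# SYN scan against a host that (1) blocks a source with an IPS after a burst of
# probes to closed ports, or (2) "jams" by answering every SYN with SYN/ACK.
# Hosts, thresholds, ports and addresses are constructed for the demo.
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Host:
    """Target. open_ports: real listeners. block_after: IPS threshold, i.e. SYNs
    to closed ports from one source before that source is dropped (None = no IPS).
    jam: reply SYN/ACK on every port, open or not."""
    open_ports: set
    block_after: Optional[int] = None
    jam: bool = False
    closed_hits: Counter = field(default_factory=Counter)
    blocked: set = field(default_factory=set)

    def on_syn(self, src: str, port: int) -> Optional[str]:
        """Reply to a bare SYN from `src`: 'SYN/ACK', 'RST', or None (dropped)."""
        if src in self.blocked:
            return None
        if port in self.open_ports:
            return "SYN/ACK"
        self.closed_hits[src] += 1
        if self.block_after is not None and self.closed_hits[src] >= self.block_after:
            self.blocked.add(src)          # IPS reaction: drop this source from now on
        return "SYN/ACK" if self.jam else "RST"

    def on_connect(self, src: str, port: int) -> bool:
        """Full handshake followed by a data read. A jammed closed port gave a
        SYN/ACK, but nothing listens there, so the connection goes nowhere."""
        if self.on_syn(src, port) != "SYN/ACK":
            return False
        return port in self.open_ports


def _spread(ports, sources):
    """Pair each port with a source address, round-robin over `sources`."""
    for i, port in enumerate(ports):
        yield sources[i % len(sources)], port


def syn_scan(host: Host, ports, sources=("203.0.113.10",)) -> list:
    """Half-open scan: a port is 'open' if the SYN draws a SYN/ACK. Passing many
    `sources` models the anti-IPS trick of spreading probes over decoy addresses."""
    return sorted({p for src, p in _spread(ports, sources)
                   if host.on_syn(src, p) == "SYN/ACK"})


def connect_scan(host: Host, ports, sources=("203.0.113.10",)) -> list:
    """Full-connect scan: a port counts only if the handshake completes and a
    service is really there. Costs a connection attempt (and a timeout) per fake port."""
    return sorted({p for src, p in _spread(ports, sources)
                   if host.on_connect(src, p)})


if __name__ == "__main__":
    PORTS = range(1, 1025)
    REAL = {22, 80, 443}
    decoys = tuple(f"198.51.100.{i}" for i in range(1, 101))
    print("no defence:      ", syn_scan(Host(REAL), PORTS))
    print("IPS, one source: ", syn_scan(Host(REAL, block_after=20), PORTS))
    print("IPS, 100 decoys: ", syn_scan(Host(REAL, block_after=20), PORTS, decoys))
    print("jammed, SYN scan:", len(syn_scan(Host(REAL, jam=True), PORTS)), "ports look open")
    print("jammed, connect: ", connect_scan(Host(REAL, jam=True), PORTS))
```

With a single source and a threshold of 20 probes to closed ports, the IPS drops the scanner before it reaches port 22 and the half-open scan finds nothing; spread over 100 decoy addresses, no source crosses the threshold and the same scan finds all three real listeners. Against the jammed host every one of the 1024 ports looks open to a half-open scan, but a scanner that completes the handshake still recovers exactly the real listeners, paying a connection attempt and a timeout for each fake port. Both defences raise the attacker's cost and slow the scan; neither hides the real services from a determined scanner, which is the "delay, not prevent" point made above.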


