Security Basics mailing list archives

RE: Server blocks access of IP after nmap scan


From: Michael Sturtz <Michael.Sturtz () PACCAR com>
Date: Wed, 18 May 2011 12:41:27 -0700

Many firewalls and hosts do this based on heuristics, i.e. if you do a progressive port scan then the IPS system (host 
based or firewall based) detection determines that it is unusual or attack-like behavior, or if you attempt to open too 
many connections on too many ports at a time, or you send too many TCP SYN packets, etc.  These types of behavior are 
associated with either malware or hacking activity.  The reaction is usually to block the IP address or addresses the 
traffic is coming from.  Sometimes it is a permanent block until an admin clears the block; other times it is a 
temporary block for a specific length of time.

As to IP spoofing: while the source IP can be spoofed, it kind of breaks IP, because in order for a TCP/IP 
conversation to occur you need a source IP, a destination IP, a source port and a destination port.  If you lie about 
your source IP (in the IP header) then the return packets would never get to you.  The only way to circumvent this is 
to either use multiple zombie machines or proxy servers.  However, even then some intrusion detection systems can 
detect this and block the IP addresses.
Michael
________________________________________
From: listbounce () securityfocus com [listbounce () securityfocus com] On Behalf Of Littlefield, Tyler [tyler () 
tysdomain com]
Sent: Wednesday, May 18, 2011 11:35 AM
To: security-basics () securityfocus com
Subject: Re: Server blocks access of IP after nmap scan

hello:
I'm curious what prompted this? How did the firewall block ports from
being scanned by nmap?
Also:
Good security defense, except if you try to find a way to spoof the ip
=).

I'd think this was pretty easily solved? If you have two NIC cards at
least, you can limit everything for class_A/B/C to that specific
interface, drop everything on the external interface coming from class
a,b,c or loopback. But it'd still be possible I suppose to spoof an
address when you sent off a packet to get someone else blacklisted; how
do people work against that?

On 5/18/2011 12:22 PM, amon.amarth9 () gmail com wrote:
I solved the problem - I just used the nmap firewall/IDS/IPS evasion options and I specified fragmented packets, all 
together with a different scan method than the usual SYN scan. Anyway, the protection mechanism on the server is pretty 
good I think; even if you try to connect on some port that is not open it bans your IP address. Good security 
defense, except if you try to find a way to spoof the IP =).

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------




--

Take care,
Ty
my website:
http://tds-solutions.net
my blog:
http://tds-solutions.net/blog
skype: st8amnd127
My programs don't have bugs; they're randomly added features!
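
The heuristic described in this thread, as an added example that is not part of the original messages or of any particular firewall's code: a source that touches more than max_ports distinct ports within window seconds gets a temporary block that expires on its own. The class name, thresholds, sample events and the never_block allowlist (one way to keep a forged source address from locking out a critical host) are assumptions of the example.

```python
from collections import defaultdict, deque

# Constructed sample events: (time in seconds, source IP, destination port).
SAMPLE_EVENTS = (
    [(t, "203.0.113.7", p) for t, p in enumerate([21, 22, 23, 25, 80, 110, 443])]
    + [(70, "203.0.113.7", 80)]                       # same source after the ban expired
    + [(t, "198.51.100.20", 443) for t in (1, 2, 3)]  # ordinary client, one port
    + [(10 + i, "192.0.2.1", 1000 + i) for i in range(6)]  # allowlisted address
)

class ScanBlocker:
    """Temporary block for any source touching too many distinct ports in a window."""

    def __init__(self, max_ports=5, window=10.0, ban_seconds=60.0, never_block=()):
        self.max_ports = max_ports
        self.window = window
        self.ban_seconds = ban_seconds
        self.never_block = set(never_block)  # assumption: addresses exempt from bans
        self.recent = defaultdict(deque)     # source -> (time, port) inside the window
        self.banned_until = {}               # source -> time the block is lifted

    def is_blocked(self, src, now):
        return self.banned_until.get(src, float("-inf")) > now

    def observe(self, ts, src, port):
        """Return 'drop' (already blocked), 'ban' (block starts now) or 'allow'."""
        if self.is_blocked(src, ts):
            return "drop"
        seen = self.recent[src]
        seen.append((ts, port))
        while seen and seen[0][0] <= ts - self.window:  # forget attempts outside the window
            seen.popleft()
        distinct_ports = {p for _, p in seen}
        if len(distinct_ports) > self.max_ports and src not in self.never_block:
            self.banned_until[src] = ts + self.ban_seconds
            seen.clear()
            return "ban"
        return "allow"

def replay(events, **settings):
    """Feed events through a fresh ScanBlocker; return (decisions, blocker)."""
    blocker = ScanBlocker(**settings)
    decisions = [(src, blocker.observe(ts, src, port)) for ts, src, port in events]
    return decisions, blocker

if __name__ == "__main__":
    for src, verdict in replay(SAMPLE_EVENTS, never_block={"192.0.2.1"})[0]:
        print(src, verdict)
```

The block is keyed only on the claimed source address, which is why the blacklisting question raised above matters: without the allowlist, the six constructed packets claiming 192.0.2.1 are enough to get that address banned.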



