Firewall Wizards mailing list archives
Re: Block / Monitor PORTSCAN/QUESO/NMAP/ETC...
From: William Stearns <wstearns () pobox com>
Date: Mon, 1 Nov 1999 00:57:06 -0500 (EST)
Good day, Fabio, On Sat, 30 Oct 1999, Fabio da Silva Cunha wrote:
I need to monitor and if possible protect against this kind of attack (PORTSCAN/QUESO/NMAP/ETC...) anyone know how to do this?
You describe them as attacks. Are they really? In a sense, they can be used as information gathering tools ("Those systems are all running System 7 and I don't have any attacks against those...") which a cracker might use in the process of attacking a system. As to whether they constitute attacks by themselves, that's debatable. Queso (which identifies remote systems by looking at the response received by sending packets with different characteristics and tcp flags to an open port and comparing the responses to an internal table) needs to have an open port to talk to. If you're dead set on not having someone be able to identify what OS you're running, don't run any open services. If you need to run services, someone can use queso to see what os you're running. Sorry. Port Scan detectors exists, such as Psionic PortSentry at http://www.psionic.com/abacus/portsentry/ . Try searching http://freshmeat.net or one of the security tools sites for others. "How do I protect against this kind of attack?" is a tough question. Are you looking to completely block someone from being able to know what ports you have open on hosts behind your firewall? Set up a block for all packets destined to those addresses and put in network level or application level proxies on the firewall for all services. Do you want to stop people from being able to see what ports are open on the firewall itself? Don't make any services available on the firewall itself; shut down basically everything not absolutely essential for firewalling on the box. While it doesn't hold true for every firewall setup, I'd say a starting point is that no services should be made available to the real world. You can also make the job of a portmapper harder by blocking certain outgoing icmp messages. Try stopping the following from going _out_ of your network: ping-reply #blocks pings from the outside world network-unreachable host-unreachable protocol-unreachable port-unreachable #makes port scanner's job more difficult time-exceeded #blocks traceroute The problem is that in addition to being abusable by people who might port scan your network, the different icmp protocols are also used in general communication, for example, to indicate back to a telnet client that www.whitehouse.gov doesn't _run_ a telnet daemon. Do _not_ simply block all outgoing icmp; "Fragementation needed and DF set" for example is terribly important in path mtu discovery; blocking it may make it impossible for some remote hosts to communicate with your network. The firewall builder script I've written (Mason - see .sig) has two macros to implement a "blackhole" mode that block the above and a few others. The goal is to make it difficult for anyone to detect that your systems exist if they're not connecting to an open service they should be able to see. One Mason user reports it does a pretty good job of blocking port scans, but that may not hold for every network setup. I'd start with Psionic's tool first, though. Cheers, - Bill --------------------------------------------------------------------------- "The idea that Bill Gates has appeared like a knight in shining armour to lead all customers out of a mire of technological chaos neatly ignores the fact that it was he who, by peddling second-rate technology, led them into it in the first place." - Douglas Adams, on Windows '95. (Courtesy of David Rysdam <drysdam () az com>) -------------------------------------------------------------------------- William Stearns (wstearns () pobox com). Mason, Buildkernel, named2hosts, and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns/ --------------------------------------------------------------------------
Current thread:
- Re: Block / Monitor PORTSCAN/QUESO/NMAP/ETC... William Stearns (Nov 01)
- Re: Block / Monitor PORTSCAN/QUESO/NMAP/ETC... Benjamin Smee (Nov 04)
- <Possible follow-ups>
- RE: Block / Monitor PORTSCAN/QUESO/NMAP/ETC... jussi . jaakonaho (Nov 05)