Re: Block / Monitor PORTSCAN/QUESO/NMAP/ETC...

[William Stearns <wstearns () pobox com>]

Good day, Fabio,

On Sat, 30 Oct 1999, Fabio da Silva Cunha wrote:

> I need to monitor and if possible protect against this kind of attack
> (PORTSCAN/QUESO/NMAP/ETC...)
> anyone know how to do this?

        You describe them as attacks.  Are they really?  In a sense, they
can be used as information gathering tools ("Those systems are all running
System 7 and I don't have any attacks against those...") which a cracker
might use in the process of attacking a system.  As to whether they
constitute attacks by themselves, that's debatable.

        Queso (which identifies remote systems by looking at the response
received by sending packets with different characteristics and tcp flags 
to an open port and comparing the responses to an internal table) needs to
have an open port to talk to.  If you're dead set on not having someone be
able to identify what OS you're running, don't run any open services.  If
you need to run services, someone can use queso to see what os you're
running.  Sorry.

        Port Scan detectors exists, such as Psionic PortSentry at
http://www.psionic.com/abacus/portsentry/ .  Try searching
http://freshmeat.net or one of the security tools sites for others.
        "How do I protect against this kind of attack?" is a tough
question.  Are you looking to completely block someone from being able to
know what ports you have open on hosts behind your firewall?  Set up a
block for all packets destined to those addresses and put in network level
or application level proxies on the firewall for all services.
        Do you want to stop people from being able to see what ports are
open on the firewall itself?  Don't make any services available on the
firewall itself; shut down basically everything not absolutely essential
for firewalling on the box.  While it doesn't hold true for every firewall
setup, I'd say a starting point is that no services should be made
available to the real world.
        You can also make the job of a portmapper harder by blocking
certain outgoing icmp messages.  Try stopping the following from going
_out_ of your network:

ping-reply              #blocks pings from the outside world
network-unreachable
host-unreachable
protocol-unreachable
port-unreachable        #makes port scanner's job more difficult
time-exceeded           #blocks traceroute

        The problem is that in addition to being abusable by people who
might port scan your network, the different icmp protocols are also used
in general communication, for example, to indicate back to a telnet client
that www.whitehouse.gov doesn't _run_ a telnet daemon.
        Do _not_ simply block all outgoing icmp; "Fragementation needed
and DF set" for example is terribly important in path mtu discovery;
blocking it may make it impossible for some remote hosts to communicate
with your network.
        The firewall builder script I've written (Mason - see .sig) has
two macros to implement a "blackhole" mode that block the above and a few
others.  The goal is to make it difficult for anyone to detect that your
systems exist if they're not connecting to an open service they should be
able to see.  One Mason user reports it does a pretty good job of blocking
port scans, but that may not hold for every network setup.
        I'd start with Psionic's tool first, though.
        Cheers,
        - Bill

---------------------------------------------------------------------------
        "The idea that Bill Gates has appeared like a knight in shining
armour to lead all customers out of a mire of technological chaos neatly
ignores the fact that it was he who, by peddling second-rate technology,
led them into it in the first place."
        - Douglas Adams, on Windows '95.
(Courtesy of David Rysdam <drysdam () az com>)
--------------------------------------------------------------------------
William Stearns (wstearns () pobox com).  Mason, Buildkernel, named2hosts, 
and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns/
--------------------------------------------------------------------------