Firewall Wizards mailing list archives
RE: source port specific port scan
From: "robert_david_graham" <robert_david_graham () yahoo com>
Date: Mon, 15 Oct 2001 12:29:00 -0700
Spoofing of the source port is common in both scanners and exploit scripts. The two most popular source ports are 53 (dns) and 20 (ftp-data). Tools like "ADMfzap" and "firewalk" take advantage of this directly, but other scanners often include configuring the source port as an option. A number of exploit scripts use these as source ports by default.

The reason, of course, is that a lot of legitimate incoming DNS requests and responses come from port 53, and a lot of legitimate incoming FTP data connections come from port 20. If I remember correctly, last year at BlackHat, some people pointed out that some versions of Checkpoint make it really easy for admins to make a mistake and trust anything from port 53 (dns).

Actually, I am surprised how little hackers are taking advantage of this. This is still a wide-open hole throughout the Internet.

As for your case, yes, somebody could spoof an ACK scan from port 25. It's not a huge hole; I doubt that no one (except the extremely paranoid) would worry about it, especially since you are blocking incoming SYNs/no-ACK from port 25 (aren't you?).
-----Original Message-----
From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com] On Behalf Of Rich Wilson
Sent: Friday, October 12, 2001 2:34 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] source port specific port scan

Does anyone know of a port scanner that allows you to specify the source port? I'm trying to test a filter that allows outbound only SMTP. My worry is that it is not stateful, and that an attacker using a source port of 25 can bypass the filter.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
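The difference between the filters discussed in this exchange, as an added example that is not part of the original posts: a toy model of a port-only stateless rule, a stateless rule that also requires ACK on inbound packets from port 25, and a stateful rule, each evaluated against the same packets. All addresses, ports and names are constructed for illustration.

```python
# Added example: toy packet-filter model. Addresses, ports and names are constructed.
from collections import namedtuple

Pkt = namedtuple("Pkt", "direction src sport dst dport flags")
INSIDE, OUTSIDE = "10.0.0.5", "203.0.113.9"  # constructed sample hosts

def stateless_port_only(p):
    """Weak rule: any inbound packet with source port 25 is trusted."""
    if p.direction == "out":
        return p.dport == 25
    return p.sport == 25

def stateless_ack_required(p):
    """Inbound from port 25 must carry ACK, so a bare SYN is dropped."""
    if p.direction == "out":
        return p.dport == 25
    return p.sport == 25 and "A" in p.flags

class StatefulFilter:
    """Inbound is allowed only as the reverse of a tracked outbound SMTP flow.
    Simplification: tracks the 4-tuple only, not TCP sequence or state."""
    def __init__(self):
        self.flows = set()

    def allow(self, p):
        if p.direction == "out":
            if p.dport != 25:
                return False
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.flows

def evaluate():
    """Return {packet: (port_only, ack_required, stateful)} verdicts."""
    outbound = Pkt("out", INSIDE, 40000, OUTSIDE, 25, "S")
    inbound = [
        ("reply", Pkt("in", OUTSIDE, 25, INSIDE, 40000, "SA")),  # real SMTP reply
        ("bare_syn", Pkt("in", OUTSIDE, 25, INSIDE, 22, "S")),   # new connection
        ("stray_ack", Pkt("in", OUTSIDE, 25, INSIDE, 22, "A")),  # no matching flow
    ]
    stateful = StatefulFilter()
    stateful.allow(outbound)  # the inside host opens an SMTP connection
    return {name: (stateless_port_only(p), stateless_ack_required(p),
                   stateful.allow(p)) for name, p in inbound}

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:10s} port_only={verdicts[0]} ack_req={verdicts[1]} stateful={verdicts[2]}")
```

Only the stateful rule rejects the unsolicited ACK; the ACK-required rule stops new inbound connections but still passes packets that merely have ACK set.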