Nmap Announce mailing list archives
Re: how to know scan is correct?
From: Justin <jguyett () andrew cmu edu>
Date: Fri, 11 Feb 2000 04:48:20 -0500 (EST)
On Thu, 10 Feb 2000, Bennett Todd wrote:
> 2000-02-10-01:09:22 Justin:
> > That's why you have an iptables/whatever module that listens for syns to non-open ports, logs once, then filters the offending ip/netmask for 30 minutes or a few days if you're particularly fascist.
>
> If you're going to do any such reactive firewall stuff as this, make very sure nobody knows you're doing it; if they know you're doing that, it's amazingly easy for them to cut you off from any or all of the internet. Lessee, how long would it take to send SYN packets to closed ports with source addrs forged from all the root nameservers.
The people who need to block portscans because they're worried about being rooted need to upgrade their daemons. The people who think they need to block them are either people who are doing it for their personal systems, or people like the government who have this bizarre idea that having 50 gigs of logs each day somehow makes their systems more secure.

Spoofed scan: first check to make sure no current connection exists from the source IP.

  [03:21:05.27] syn->300 (ignore next 2 packets)
  [03:21:06.27] syn->599 (reset timeout set to 2 seconds)
  [03:21:07.27] syn->22  (dropped)
  [03:21:08.28] syn->914 (reset timeout set to 2.02 seconds)
  [now Joe Employee tries to connect from home, and his IP is being used]
  [03:21:09.82] syn->23  (dropped)
  [03:21:10.49] syn->23  (is logged, and he gets fired for trying to telnet in)

Now this degenerates into trying to 1) anticipate people connecting and then flooding, or 2) flooding all the time. These are problems. If someone is that motivated to screw over your business or network, perhaps you should upgrade your daemons and just log "scans".

With a short timeout, I can't think how someone would guess this scheme was being used. The target network could just have heavy packet loss. On the bright side, if someone wants to DoS your network, this provides a method (provided they know what's going on) for them to do it without a flood, which means at least for all open connections and connections to addresses that aren't being spoofed, you have good connectivity.

There is no good "security through obscurity" approach. Filtering with temporary firewall rules is not a security measure. It's a proof-of-concept kind of thing. You can generate fake replies on closed ports, but the people you don't want scanning you are just looking for specific daemons, and it doesn't matter to them that you have honeypots on all privileged closed ports.

As was pointed out, syn scans leave a log trail, but spoofed syn floods are a good way to cover up real syn scans. Still, you could probably detect them. The NSA probably does a statistical analysis on source addresses every time they get flooded.

Justin
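The trace above and the spoofing problem Bennett raises can be run as a small model. The following is example code added to this archive page; it is not Justin's or Bennett's code and not a component of nmap or netfilter. Assumptions not stated in the thread: the host listens on ports 22, 23 and 80; the first closed-port SYN from a source only logs, the second starts a 2 s block, and each further offense after a block lapses lengthens the next block by 1% (which reproduces the 2.00 s and 2.02 s timeouts in the trace); addresses are constructed documentation addresses. The `spoof_block` function plays Bennett's attack: two forged SYNs per victim, and every victim is cut off for the timeout.

```python
"""Model of the reactive scan filter from the post, and its spoofing problem.

Constructed example; not code from the original message.
"""
from dataclasses import dataclass

# Assumptions (not stated in the post): the host listens on these ports, the
# first closed-port SYN only logs, the second starts a 2 s block, and each
# further offense after the block lapses lengthens it by 1% (2.00 -> 2.02 s).
OPEN_PORTS = {22, 23, 80}
BASE_TIMEOUT = 2.0
ESCALATION = 1.01


@dataclass
class SourceState:
    offenses: int = 0          # closed-port SYNs seen from this source
    blocked_until: float = 0.0


class ReactiveFilter:
    def __init__(self, open_ports=OPEN_PORTS, established=()):
        self.open_ports = set(open_ports)
        # Sources with a live connection are exempt: the post's first check.
        self.established = set(established)
        self.state = {}

    def handle_syn(self, ts, src, dport):
        """Decide what to do with one inbound SYN at time ts (seconds)."""
        if src in self.established:
            return "accept"
        st = self.state.setdefault(src, SourceState())
        if ts < st.blocked_until:
            return "drop"                 # inside the reset timeout
        if dport in self.open_ports:
            return "accept"               # real service; the daemon logs it
        st.offenses += 1
        if st.offenses == 1:
            return "log"                  # log once, do not block yet
        timeout = BASE_TIMEOUT * ESCALATION ** (st.offenses - 2)
        st.blocked_until = ts + timeout
        return f"block {timeout:.2f}s"


def run_trace(packets, established=()):
    """Feed (ts, src, dport) tuples through a fresh filter; return actions."""
    filt = ReactiveFilter(established=established)
    return [filt.handle_syn(ts, src, dport) for ts, src, dport in packets]


# Constructed trace mirroring the post. Joe's home address is 198.51.100.7;
# the attacker forges it on the first four SYNs, then Joe himself sends the
# last two. Times are seconds after 03:21:00.
JOE = "198.51.100.7"
JOE_TRACE = [
    (5.27, JOE, 300),    # spoofed
    (6.27, JOE, 599),    # spoofed
    (7.27, JOE, 22),     # spoofed
    (8.28, JOE, 914),    # spoofed
    (9.82, JOE, 23),     # Joe, really
    (10.49, JOE, 23),    # Joe, really
]


def spoof_block(victims, ts=0.0):
    """Bennett's attack: two forged closed-port SYNs per victim address.

    Returns the set of victims whose own SYN to an open port is dropped
    right after the burst.
    """
    filt = ReactiveFilter()
    for i, v in enumerate(victims):
        filt.handle_syn(ts + i * 0.001, v, 300)
        filt.handle_syn(ts + i * 0.001, v, 599)
    probe_ts = ts + len(victims) * 0.001
    return {v for v in victims if filt.handle_syn(probe_ts, v, 22) == "drop"}


if __name__ == "__main__":
    for (ts, src, dport), action in zip(JOE_TRACE, run_trace(JOE_TRACE)):
        print(f"[03:21:{ts:05.2f}] syn->{dport:<3} from {src}: {action}")
    decoys = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]   # constructed stand-ins
    print("blocked after spoof burst:", sorted(spoof_block(decoys)))
```

Running it reproduces the post's sequence (log, block 2.00 s, drop, block 2.02 s, drop, accept): Joe's first real SYN is lost to the block the forger earned for him, and his second gets through only because the timeout is short. Passing `established={JOE}` makes every packet accept, which is the exemption the post puts first. The short timeout limits the damage of a spoofed burst, but `spoof_block` shows that an attacker who knows the scheme can still keep any chosen set of addresses off the host for as long as he keeps sending two packets per address per timeout.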
Current thread:
- Re: how to know scan is correct? Marcy Abene (Feb 09)
- Re: how to know scan is correct? Justin (Feb 09)
- Re: how to know scan is correct? Bennett Todd (Feb 10)
- Re: how to know scan is correct? Justin (Feb 11)
- Re: how to know scan is correct? Bart van Leeuwen (Feb 11)
- Re: how to know scan is correct? Mikael Olsson (Feb 11)
- Re: how to know scan is correct? Bennett Todd (Feb 10)
- Re: how to know scan is correct? Bart van Leeuwen (Feb 10)
- Re: how to know scan is correct? Eric Hankins (Feb 11)
- Re: how to know scan is correct? Justin (Feb 09)
- Re: how to know scan is correct? $eeweed (Feb 10)
- Re: how to know scan is correct? Enrico Demarin (Feb 11)