Penetration Testing mailing list archives

Re: Providers blocking portscans - bad news for pentest?


From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Mon, 04 Jul 2005 22:43:54 -0400

On Mon, 2005-07-04 at 17:13, Petr.Kazil () eap nl wrote:

However they have recently installed a system that will automatically block 
anyone doing a portscan. They mention a system of "aggregated firewalls" 
that behaves like a "bot".

Can you find out the specific tool they are using? My guess is they are
looking at "X" number of port attempts in "Y" amount of time. If so
something like:
nmap -T sneaky ...

should do the trick. I would expect that the threshold can not be all
that low, otherwise it would false positive on busy name and mail
servers.

And what if providers start filtering TCP/IP traffic. Then portscans will 
become very unreliable.

Some already do. Many still block TCP/1433 & UDP/1434 due to the large
number of infected Slammer systems that have yet to be cleaned. Some
even block TCP/25, Echo-requests, inbound TCP/80 to non-hosted Web
servers, etc. It's all a matter of the provider's policy. 

HTH,
Chris
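
The kind of threshold detection guessed at in the message above ("X" port attempts in "Y" amount of time), as an added example that is not part of the original post and not the provider's actual system. It shows why a low threshold false-positives on a busy name server; all addresses, thresholds and the `trusted_sources` parameter are constructed assumptions.

```python
from collections import defaultdict, deque

def detect_scanners(events, max_targets, window, trusted_sources=frozenset()):
    """Return source IPs that touched more than max_targets distinct
    (dst_ip, dst_port) pairs within any `window`-second span.

    events: (timestamp_s, src_ip, src_port, dst_ip, dst_port), sorted by time.
    trusted_sources: hypothetical allowlist of known busy servers.
    """
    recent = defaultdict(deque)  # src_ip -> deque of (ts, (dst_ip, dst_port))
    flagged = set()
    for ts, src, _sport, dst, dport in events:
        if src in trusted_sources:
            continue
        q = recent[src]
        q.append((ts, (dst, dport)))
        # Drop observations that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({target for _, target in q}) > max_targets:
            flagged.add(src)
    return flagged

def sample_events():
    """Constructed traffic as seen at the border of 192.0.2.10."""
    ev = []
    # A source probing 30 consecutive ports in about three seconds.
    for i in range(30):
        ev.append((i * 0.1, "198.51.100.7", 40000, "192.0.2.10", 1 + i))
    # A busy DNS server answering queries: replies leave port 53 and land on
    # many different ephemeral ports, which looks like a scan to a counter.
    for i in range(40):
        ev.append((i * 0.1, "203.0.113.53", 53, "192.0.2.10", 32768 + i * 7))
    # An ordinary client using three services.
    for i, port in enumerate((25, 80, 443)):
        ev.append((float(i), "198.51.100.20", 50000 + i, "192.0.2.10", port))
    return sorted(ev)

if __name__ == "__main__":
    ev = sample_events()
    print("threshold 20:", sorted(detect_scanners(ev, 20, 10)))
    print("threshold 2: ", sorted(detect_scanners(ev, 2, 10)))
    print("allowlisted: ", sorted(detect_scanners(ev, 20, 10, {"203.0.113.53"})))
```
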


