Penetration Testing mailing list archives

Re: Providers blocking portscans - bad news for pentest?


From: Christoph Puppe <puppe () hisolutions com>
Date: Thu, 07 Jul 2005 11:05:51 +0200

Maarten Hartsuijker wrote:

Hmmm, I hope your ISP is not setting a trend over here in NL. So far,
fortunately, I have not noticed any portscan blocking at my ISP. Using a
low-tech ISP appears to have its advantages as well ;-)

Personally, I still don't know if I consider blocking based on port
scans a good or a bad thing. For instance: what would happen if someone
decides to spoof the IPs of a couple of subnet-neighbours while
portscanning? Or the IPs of the DHCP/DNS servers (I hope these are
whitelisted)?

A provider that does not even block IP spoofing shouldn't venture into these
kinds of protective measures, sure thing.

Unsuspecting users get hacked in the thousands each day; my opinion is that
a provider should acknowledge this and take measures. The provider can do a
lot to protect its own customers and the internet as a whole:

oo prevent IP spoofing
oo block broadcasts
oo filter TCP (in and out) ports 7,13,19,25,135,139,445
oo have an SMTP relay for its customers, with rate limits
oo react fast to new threats, e.g. when a new worm is out -> filter the port

If you really want to do your customers a favor, you ask them for consent to
being protected by an IPS or offer this at a premium. Same goes for
malware protection with email relays and proxies.

Or kid-safe internet access, but that's a complicated topic for other lists ;)

-- 
Kind regards

Christoph Puppe
Security Consultant


We secure your business.(TM)
_______________________________________________________

HiSolutions AG     Phone:    +49 30 533289-0
Bouchéstrasse 12   Fax:      +49 30 533289-99
D-12435 Berlin     Internet: http://www.hisolutions.com
_______________________________________________________
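The provider-side measures Christoph lists above, sketched as an nftables ruleset for a customer-facing edge router. This is an added example, not code from the thread or from HiSolutions; the interface names, the 203.0.113.0/24 customer prefix and the relay address 198.51.100.25 are assumed (documentation addresses).

```nftables
# Added example, not from the thread. Assumptions: customers sit behind
# interface "cust0" and hold addresses in 203.0.113.0/24; the provider's
# rate-limited SMTP relay is 198.51.100.25 (constructed values).
define CUST_IF      = "cust0"
define CUST_NET     = 203.0.113.0/24
define SMTP_RELAY   = 198.51.100.25
# Port 25 is handled separately below (relay only). Reacting to a new worm
# means adding its port to this set and reloading the ruleset.
define LEGACY_PORTS = { 7, 13, 19, 135, 139, 445 }

table inet isp_edge {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # 1. Prevent IP spoofing: packets entering from the customer side
        #    must carry a source address from the customer prefix (BCP 38).
        iifname $CUST_IF ip saddr != $CUST_NET counter drop

        # 2. Block broadcasts: limited broadcast and the prefix's
        #    directed-broadcast address, in either direction.
        ip daddr { 255.255.255.255, 203.0.113.255 } counter drop

        # 3. Filter the worm-prone TCP ports; the forward chain sees both
        #    customer-to-internet and internet-to-customer traffic, so one
        #    dport rule covers "in and out".
        tcp dport $LEGACY_PORTS counter drop

        # 4. Outbound SMTP only through the provider relay, with a
        #    per-customer-address rate limit; any other port-25 traffic
        #    from or to the customer side is dropped.
        iifname $CUST_IF tcp dport 25 ip daddr $SMTP_RELAY \
            meter smtp_rate { ip saddr limit rate 30/minute } accept
        iifname $CUST_IF tcp dport 25 counter drop
        oifname $CUST_IF tcp dport 25 counter drop
    }
}
```

Load with `nft -f` and watch the `counter` values to see which measure is actually catching traffic before tightening further.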

