Penetration Testing mailing list archives
Re: Blocking Port scans
From: Justin <justinvinn () gmail com>
Date: Mon, 24 Oct 2005 14:10:42 -0400
BSK, Its kind of hard to block SYN scans as to maintain functionality, the server has to respond to a SYN with a SYN/ACK. Of course, if there is no server behind the router, you could just have it drop the SYNs (in nmap terms filter the ports). There are several other approaches to this problem (such as John Ericson's shroud2.sh script), that take different views. You could also jack the scan rate limiting way up, so the scan would take forever and a day to complete. While this wouldn't stop a dedicated attacker, it could discourage a script kiddie who'd get bored of watching nmap shoot new ETC values to STDOUT. Course, I'm not an admin and have never had hands on expirence with building a Cisco PIX firewall. So, my advice may be dead wrong... peace, --Justin On 10/24/05, BSK <bishan4u () yahoo co uk> wrote:
Hello Everyone, Just wanted some feedback from you people. I'm doing a Firewall Assessment for a CISCO PIX firewall. The firewall allows SYN, FIN, NULL and XMAS scans but blocks ACK scans (largely means its a stateful firewall). Now what do we do to block the scans that are allowed. I think it should be easy to block FIN, NULL and XMAS scans but how do we block or limit or workaround a SYN scan. 1 way that I think is probably blocking or limiting the packets from the source (using IDS/IPS) Looking ahead to some ideas, thoughts, hints. thns bshan ___________________________________________________________ To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre. http://uk.security.yahoo.com ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Blocking Port scans BSK (Oct 24)
- Re: Blocking Port scans Ivan . (Oct 24)
- Re: Blocking Port scans robert (Oct 24)
- Re: Blocking Port scans Justin (Oct 24)
- Re: Blocking Port scans Terry Vernon (Oct 24)
- Re: Blocking Port scans Chris Moody (Oct 25)
- Re: Blocking Port scans Georgi Alexandrov (Oct 26)
- <Possible follow-ups>
- RE: Blocking Port scans Josh Perrymon (Oct 24)
- RE: Blocking Port scans Geelen, Ruud (Oct 31)