Penetration Testing mailing list archives
Re: Blocking Port scans
From: Chris Moody <chris () siliconhotrod com>
Date: Tue, 25 Oct 2005 13:24:13 -0700
The only way to effectively block SYN packets is to have Access-lists in place for all the hosts you are protecting. If you don't allow any traffic to a system, you stop the SYN.
Since a SYN flag is necessary to initiate a valid connection, there is no way to mitigate against a SYN connection attempt shy of strict filtering of who can contact what.
While an IPS inline could drop what it detects as a "scan", I'm personally not as comfortable relying on a signature based system as I am fine grained restricting traffic at layer3. If it's supposed to talk, it's allowed...everything else is dropped. I find that this rules out the vast majority of cases.
-Chris BSK wrote:
Hello Everyone, Just wanted some feedback from you people. I'm doing a Firewall Assessment for a CISCO PIX firewall. The firewall allows SYN, FIN, NULL and XMAS scans but blocks ACK scans (largely means its a stateful firewall). Now what do we do to block the scans that are allowed. I think it should be easy to block FIN, NULL and XMAS scans but how do we block or limit or workaround a SYN scan. 1 way that I think is probably blocking or limiting the packets from the source (using IDS/IPS) Looking ahead to some ideas, thoughts, hints. thns bshan___________________________________________________________ To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre. http://uk.security.yahoo.com------------------------------------------------------------------------------Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at:http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
------------------------------------------------------------------------------Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Blocking Port scans BSK (Oct 24)
- Re: Blocking Port scans Ivan . (Oct 24)
- Re: Blocking Port scans robert (Oct 24)
- Re: Blocking Port scans Justin (Oct 24)
- Re: Blocking Port scans Terry Vernon (Oct 24)
- Re: Blocking Port scans Chris Moody (Oct 25)
- Re: Blocking Port scans Georgi Alexandrov (Oct 26)
- <Possible follow-ups>
- RE: Blocking Port scans Josh Perrymon (Oct 24)
- RE: Blocking Port scans Geelen, Ruud (Oct 31)