Penetration Testing mailing list archives

Re: Blocking Port scans

From: Georgi Alexandrov <georgi.alexandrov () gmail com>
Date: Thu, 27 Oct 2005 08:47:52 +0300

BSK wrote:

Hello Everyone,

Just wanted some feedback from you people. I'm doing a
Firewall Assessment for a CISCO PIX firewall. The
firewall allows SYN, FIN, NULL and XMAS scans but
blocks ACK scans (largely means its a stateful
firewall).

Now what do we do to block the scans that are allowed.
I think it should be easy to block FIN, NULL and XMAS
scans but how do we block or limit or workaround a SYN
scan. 1 way that I think is probably blocking or
limiting  the packets from the source (using IDS/IPS)

Looking ahead to some ideas, thoughts, hints.

thns bshan

Hello,

I think that wasting your time searching for a (complex?) mechanism toblock port scans is useless.If a person wants to know what services a host is running - he will findthem ... one way or another.

Nmap for example has alot of options that can make any port scandetecting system suffer: decoys,paranoid scanning option, etc .. etc. But maybe a person doesn't evenneed the internet to figure out

the services - there are phones, not so knowledgable support personnel, etc.

I would prefer researching and intergrating more serious and interestingsecurity policies

than wondering how to block port scans.

Otherwise if you still insist on trying to detect port scans (and blockthem after that),

you can try scanlogd by Solar Designer.

Maybe i get the whole picture wrong and my opinion is useless, you willdecide that ;-)



regards,
Georgi Alexandrov

------------------------------------------------------------------------------

Audit your website security with Acunetix Web Vulnerability Scanner:Hackers are concentrating their efforts on attacking applications on yourwebsite. Up to 75% of cyber attacks are launched on shopping carts, forms,login pages, dynamic content etc. Firewalls, SSL and locked-down servers arefutile against web application hacking. Check your website for vulnerabilitiesto SQL injection, Cross site scripting and other web attacks before hackers do!Download Trial at:


http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Current thread:

Blocking Port scans BSK (Oct 24)
- Re: Blocking Port scans Ivan . (Oct 24)
- Re: Blocking Port scans robert (Oct 24)
- Re: Blocking Port scans Justin (Oct 24)
- Re: Blocking Port scans Terry Vernon (Oct 24)
- Re: Blocking Port scans Chris Moody (Oct 25)
- Re: Blocking Port scans Georgi Alexandrov (Oct 26)
- <Possible follow-ups>
- RE: Blocking Port scans Josh Perrymon (Oct 24)
- RE: Blocking Port scans Geelen, Ruud (Oct 31)