Re: Port Scanning.

robert_at_dyadsecurity.com
Date: 12/22/04


Date: Wed, 22 Dec 2004 12:17:01 -0800
To: DWreck <dwr3ckmailbox-pentest@yahoo.com>

DWreck(dwr3ckmailbox-pentest@yahoo.com)@Wed, Dec 22, 2004 at 08:29:08AM
> Most IPS admins do not block port scans. The data is fed to a SIM to
> keep a "low priority" eye on who may or may not be profiling you.
>
> Most people using IPS's have them tuned to block nachi type protocol
> anomalies etc.

Sure .. but TCP SYN port scanning was just one example. Any UDP/ICMP
(connectionless) or TCP non-established connection based triggers can be
spoofed with unicornscan as well. The only thing that isn't currently
easy to do is TCP full connection payload injection from spoofed IPs.
We're working on a way to do that though :).

Robert

-- 
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert@dyadsecurity.com
M - (949) 394-2033
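
What the message above implies for automated blocking, as an added example that is not part of the original post: a source address is only proven when the final ACK of a TCP handshake acknowledges the server's initial sequence number, so alerts from bare SYNs, UDP or ICMP stay log-only. The record fields, function names and sample traffic are constructed for illustration, and the check assumes the server's ISNs are unpredictable.

```python
from collections import namedtuple

# Field names are assumptions for this example, not any IPS product's schema.
Pkt = namedtuple("Pkt", "src sport dst dport proto flags seq ack")
Alert = namedtuple("Alert", "src sport dst dport proto signature")

def nxt(n):
    return (n + 1) & 0xFFFFFFFF  # TCP sequence numbers wrap at 2**32

def established_flows(packets):
    """Flows whose final ACK acknowledged the server's ISN, which a blind spoofer never sees."""
    pending, done = {}, set()  # pending: flow -> [client ISN, server ISN or None]
    for p in packets:
        if p.proto != "tcp":
            continue
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            pending[fwd] = [p.seq, None]
        elif p.flags == "SA" and rev in pending and p.ack == nxt(pending[rev][0]):
            pending[rev][1] = p.seq
        elif p.flags == "A" and fwd in pending and pending[fwd][1] is not None:
            if p.ack == nxt(pending[fwd][1]):
                done.add(fwd)
    return done

def triage(alerts, packets):
    """Mark an alert block-eligible only when its source address was proven by a handshake."""
    flows = established_flows(packets)
    result = []
    for a in alerts:
        proven = a.proto == "tcp" and (a.src, a.sport, a.dst, a.dport) in flows
        result.append((a.signature, a.src, "block-eligible" if proven else "log-only"))
    return result

# Constructed sample traffic (documentation address ranges); the server is 192.0.2.10.
SAMPLE_PACKETS = [
    Pkt("198.51.100.7", 40001, "192.0.2.10", 22, "tcp", "S", 100, 0),      # bare SYN probe
    Pkt("203.0.113.9", 5353, "192.0.2.10", 161, "udp", "", 0, 0),          # connectionless
    Pkt("192.0.2.44", 51000, "192.0.2.10", 80, "tcp", "S", 7000, 0),
    Pkt("192.0.2.10", 80, "192.0.2.44", 51000, "tcp", "SA", 9000, 7001),
    Pkt("192.0.2.44", 51000, "192.0.2.10", 80, "tcp", "A", 7001, 9001),    # real handshake
    Pkt("198.51.100.20", 52000, "192.0.2.10", 80, "tcp", "S", 5000, 0),
    Pkt("192.0.2.10", 80, "198.51.100.20", 52000, "tcp", "SA", 4242, 5001),
    Pkt("198.51.100.20", 52000, "192.0.2.10", 80, "tcp", "A", 5001, 1234), # guessed ack
]
SAMPLE_ALERTS = [
    Alert("198.51.100.7", 40001, "192.0.2.10", 22, "tcp", "syn-scan"),
    Alert("203.0.113.9", 5353, "192.0.2.10", 161, "udp", "udp-anomaly"),
    Alert("192.0.2.44", 51000, "192.0.2.10", 80, "tcp", "http-payload"),
    Alert("198.51.100.20", 52000, "192.0.2.10", 80, "tcp", "http-payload"),
]
```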

