Re: Blocking Port scans
robert_at_dyadsecurity.com
Date: 10/24/05
- Previous message: Justin: "Re: Scanning Class A network"
- In reply to: BSK: "Blocking Port scans"
- Next in thread: Justin: "Re: Blocking Port scans"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 24 Oct 2005 11:11:40 -0700 To: pen-test@securityfocus.com
BSK(bishan4u@yahoo.co.uk)@Mon, Oct 24, 2005 at 12:34:30PM +0100:
> Just wanted some feedback from you people. I'm doing a
> Firewall Assessment for a CISCO PIX firewall. The
> firewall allows SYN, FIN, NULL and XMAS scans but
> blocks ACK scans (largely means its a stateful
> firewall).
>
> Now what do we do to block the scans that are allowed.
> I think it should be easy to block FIN, NULL and XMAS
> scans but how do we block or limit or workaround a SYN
> scan. 1 way that I think is probably blocking or
> limiting the packets from the source (using IDS/IPS)
You most likely don't really want to. Scans that are not part of a
stateful connection can have their source IP easily spoofed. If you
start blocking IP's based on the appearance of bad traffic that can be
spoofed, you'll open yourself up for some pretty impressive targeted DoS
situations.
When you auto-block based on perceived "badness", you're allowing that
bad person to write your rules. Basically, when you allow a "bad"
person to start writing your firewall rules for you, you've taken a big
step in the wrong direction.
Furthermore, I would say that there is an incorrect assumption that
trying to block port scans increases your security. Unfortunately, if
the resource is still available, you've not increased your security in
any measurable way. You've only added an additional set of DoS
conditions.
As a security tester you have a finite amount of resources (IP's to come
from, bandwidth, computers, etc), and a limited amount of time (1-4
weeks, etc). It should be assumed that an attacker has an unlimited
amount of resources (He's attacking you, surely he's compromised other
machines too). Even if he did port scan, he could break it into small
enough chunks from throw away IP's.
If it's a targeted exploit payload for a specific host/service, you
won't see a port scan coming before the exploit payload.
Robert
-- Robert E. Lee CIO, Dyad Security, Inc. W - http://www.dyadsecurity.com E - robert@dyadsecurity.com M - (949) 394-2033 ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
- Previous message: Justin: "Re: Scanning Class A network"
- In reply to: BSK: "Blocking Port scans"
- Next in thread: Justin: "Re: Blocking Port scans"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
