Re: Blocking Port scans

From: Georgi Alexandrov (georgi.alexandrov_at_gmail.com)
Date: 10/27/05

    Date: Thu, 27 Oct 2005 08:47:52 +0300
    To: pen-test@securityfocus.com
    
    

    BSK wrote:

    >Hello Everyone,
    >
    >Just wanted some feedback from you people. I'm doing a
    >Firewall Assessment for a CISCO PIX firewall. The
    >firewall allows SYN, FIN, NULL and XMAS scans but
    >blocks ACK scans (largely means it's a stateful
    >firewall).
    >
    >Now what do we do to block the scans that are allowed.
    >I think it should be easy to block FIN, NULL and XMAS
    >scans but how do we block or limit or workaround a SYN
    >scan. 1 way that I think is probably blocking or
    >limiting the packets from the source (using IDS/IPS)
    >
    >Looking ahead to some ideas, thoughts, hints.
    >
    >thns bshan
    >
    >
    >
    Hello,

    I think that wasting your time searching for a (complex?) mechanism to
    block port scans is useless. If a person wants to know what services a
    host is running - he will find them ... one way or another.

    Nmap for example has a lot of options that can make any port scan
    detecting system suffer: decoys, paranoid scanning option, etc., etc.
    But maybe a person doesn't even need the internet to figure out the
    services - there are phones, not so knowledgeable support personnel, etc.

    I would prefer researching and integrating more serious and interesting
    security policies than wondering how to block port scans.

    Otherwise if you still insist on trying to detect port scans (and block
    them after that), you can try scanlogd by Solar Designer.

    Maybe I get the whole picture wrong and my opinion is useless, you will
    decide that ;-)

    regards,
    Georgi Alexandrov
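
As an added illustration (not part of the original post and not scanlogd's code), the sketch below shows why the two cases in the question differ for a detector: FIN, NULL and XMAS probes can be flagged from a single packet's flags, while a SYN scan can only be inferred from how many distinct ports one source touches in a short time. The function names, the threshold of 7 ports and the 3-second gap are assumptions chosen for the example.

```python
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_probe(flags):
    """Name the scan type for a TCP flag byte, or None for ordinary traffic."""
    flags &= 0x3F
    if flags == 0:
        return "NULL"
    if flags == FIN:                 # a normal close carries FIN together with ACK
        return "FIN"
    if flags == FIN | PSH | URG:
        return "XMAS"
    if flags == SYN:                 # also how every legitimate connection starts
        return "SYN"
    return None

def detect_scans(packets, port_threshold=7, max_gap=3.0):
    """packets: (timestamp, src, dst_port, flags) tuples in time order.
    Both thresholds are assumed values. Returns {src: set of scan types}."""
    alerts = defaultdict(set)
    recent = {}                      # src -> (time of last SYN, distinct ports seen)
    for ts, src, dport, flags in packets:
        kind = classify_probe(flags)
        if kind is None:
            continue
        if kind != "SYN":            # never valid on its own: flag on the first packet
            alerts[src].add(kind)
            continue
        last, ports = recent.get(src, (ts, set()))
        if ts - last > max_gap:      # quiet period: start counting again
            ports = set()
        ports.add(dport)
        recent[src] = (ts, ports)
        if len(ports) >= port_threshold:
            alerts[src].add("SYN")
    return dict(alerts)

# Constructed sample traffic (documentation address ranges), sorted by timestamp.
SAMPLE = sorted(
    [(0.1 * i, "192.0.2.10", p, SYN) for i, p in enumerate([21, 22, 23, 25, 80, 110, 443])]
    + [(1.0, "198.51.100.5", 80, SYN), (6.0, "198.51.100.5", 443, SYN),
       (6.5, "198.51.100.5", 443, FIN | ACK), (12.0, "198.51.100.5", 80, SYN)]
    + [(2.0, "203.0.113.7", 22, FIN), (2.1, "203.0.113.7", 23, 0),
       (2.2, "203.0.113.7", 25, FIN | PSH | URG)]
)

if __name__ == "__main__":
    for src, kinds in sorted(detect_scans(SAMPLE).items()):
        print(src, sorted(kinds))
```

The SYN branch depends entirely on probe timing and on a single source address, so its thresholds trade false positives against missed detections, which is the weakness of scan detection that the reply above points to.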


