Re: port scan to juniper fw



Hi,

what if i spoof my source address to any ip like root dns servers,
company's gateway router etc? Very dangerous options...

---
Huzeyfe ONAL
Ag Guvenligi Listesine uye oldunuz mu?
http://www.lifeoverip.net/netsec-listesi/

---


On Thu, Oct 22, 2009 at 8:27 PM, aditya mukadam
<aditya.mukadam@xxxxxxxxx> wrote:

Its good to know that the issue is resolved. However,please also note
the below default behavior of Juniper SSG for a port scan.

The security device internally logs the number of different ports
scanned from one remote source. Using the default settings, if a
remote host scans 10 ports in 0.005 seconds (5000 microseconds), the
device flags this as a port scan attack, and rejects all further
packets from the remote source for
the remainder of the specified timeout period. The device detects and drops the
tenth packet that meets the port scan attack criterion.

Thanks,
Aditya Govind Mukadam

On Wed, Oct 21, 2009 at 11:17 PM, raimarm@xxxxxxxxx
<raimarm@xxxxxxxxxxxxxx> wrote:
Hi All,

thank you very much for your answers and advices.
Deactivating the syn-proxy solved the issue.

Many Thanks
rm

2009/10/20 Paul Melson <pmelson@xxxxxxxxx>:
On Sun, Oct 18, 2009 at 8:15 AM, raimarm@xxxxxxxxx
<raimarm@xxxxxxxxxxxxxx> wrote:

Dear list,
I am performing a port scan to an IP address of juniper SSG firewall (6.2.r3).
When the port scan finishes the results show me a lot of open ports
although they are not open.
Further the results differ and the same scan shows different open
ports next time.
The tcpdump during the port scan shows me that the fw is answering
with a syn-ack after the third syn.
Why is this happening ? I would expect no answer or a rst packet.

This is the result of the Juniper firewall having SYN flood protection
mode being enabled.  This causes the firewall to begin responding to
SYN packets with SYN-ACK once the flood threshold is reached.  There
are two modes, syn-proxy and syn-cookie.  This is intended to protect
slow/unresponsive servers behind the firewall as well as the firewall
itself.  Y

https://support.neoteris.com/products/integrated/dos.pdf

ou can detect which is being used by capturing the traffic from your
portscan using tcpdump or Wireshark and examining the SYN+ACK packets
from the firewall.  If the ISNs are random, then the firewall is using
syn-proxy mode.  If the ISNs incrementally by port number (and then
again by time every 64s) then syn-cookie mode is enabled.  This might
be an interesting finding to share with your client.  Or not.  If they
are using syn-proxy mode, you can recommend that they use syn-cookie
mode since it's less CPU and memory intensive for the firewall.

For the purposes of your test, you could ask your client to disable
this feature temporarily while you scan, but advise them that it could
leave older, slower servers vulnerable to a DoS attack.  Or you could
simply ask them to share a copy of the firewall configuration in order
to speed up the pen-test.  If neither of these is an option, you could
try a FIN scan or a Version (-sV) scan to try and reduce the false
open port findings.  Either way, I would go back to the client and
communicate the issue you're having so that they understand the delay.
 Port scanning always sounds like the easiest part of a pen-test, but
often it's the hardest.

PaulM


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



Relevant Pages

  • Re: port scan to juniper fw
    ... If the packet with SRC-IP a.b.c.d ... enters firewall via interface 'X' and the route on the firewall for ... the below default behavior of Juniper SSG for a port scan. ... Information Assurance Certification Review ...
    (Pen-Test)
  • Re: keeping ports open
    ... If a port is open, it means that 1) a software or service is running on your ... and 2) you're not using a firewall or your firewall isn't ... Use firewall software and hardware and antivirus software that is ... Follow the instructions for hardening Windows and IIS at ...
    (microsoft.public.security)
  • Re: How to Maintain an IIS Server?
    ... > server running on a Windows 2000 server. ... before a firewall and antivirus have been installed]. ... open ports; however, this will not identify which program is using the port. ...
    (microsoft.public.inetserver.iis.security)
  • Re: CEICW fails at firewall config
    ... ISA Server prevents connection to a remote desktop when you connect through ... Remote Web Workplace on a Windows Small Business Server 2003-based computer ... Acceleration Server as a firewall. ... connection uses TCP port 4125. ...
    (microsoft.public.windows.server.sbs)
  • Re: [opensuse] Interactive Firewall Needed
    ... That situation is impossible in Linux, as the firewall can not track to ... not to outgoing packets, and there is no info to link this to whatever ... application might have opened that port for listening. ...
    (SuSE)