Re: prevent respond to port scanner
From:
Date: 08/27/02
- Next message: TheMartian: "Re: prevent respond to port scanner"
- Previous message: Philipp Buehler: "Re: exploit found on my machine"
- In reply to: Tim Haynes: "Re: prevent respond to port scanner"
- Next in thread: : "Re: prevent respond to port scanner"
- Reply: : "Re: prevent respond to port scanner"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 27 Aug 2002 08:53:07 GMT
I cannot believe I just posted several times with the same typo:
type 5 should be type 3.
After a long battle with technology, "Tim Haynes" an earthling wrote:
> TheMartian <themartian@phreaker.net> writes:
>
>>> That's certainly different - I've not seen that sort of thing here.
>>
>> That's only one of the odd ones, the more common ones are, the ping of
>> death, DNS flood, SYN flood, and ARP attacks (interesting in a routed
>> environment!).
>
> Hmmmm. Strange. I don't get anything that bad on the colo swerver here,
> just the normal multiplicity of DNS and NNTP and other proxy scans,
> really. :)
>
>>>> Drop all ICMP except 5
>>>
>>> Wibble? I'd say that was a silly thing to do myself, unless you then
>>> have some `allow continuations & related packets' rule.
>>
>> I get asked this one all the time, this old article covers that one,
>> fairly well.
>>
>> http://www.networkmagazine.com/article/NMG20000829S0003
>
> The first page is fair enough and says nothing to support your approach
> and everything to support mine - filter your ICMP *properly*. If you
> know your network then you can say where all the various forms of ICMP
> should or shouldn't be seen (why should any packets come past a router
> to scan the internal network?), and can rate-limit things like
> parameter-problem etc.
>
>> Not being convinced, I did extensive testing a few years back when I
>> started blocking all but type 5, and found no problems if I was not
>> running any sort of server.
>
> Now there's a big `if'... Don't you find lack of 3/4 buggers-up large
> downloads, as well?
I know, brain now fixed: think type 3 allowed, nothing else allowed.
>
>>>> Drop all private subnets
>>>> Drop all source routed
>>>
>>> Those two are an optional extra, depending on how often you get hit
>>> with them - otherwise I'd let them fall through to a catch-all rule or
>>> sysctls for source-routed packets.
>>
>> Here I found these to be the most important rules. I get thousands of
>> log entries daily from 192.168.x.x and 10.x.x.x, my idiot ISP uses
>> 10.x.x.x for their internal mess, but I see no reason why they or
>> anyone else should try and connect to me on these addresses.
>
> These things are supposed to be restricted to "within the enterprise".
> As far as I'm concerned I'm not *in* my ISP's "enterprise" anyway, so I
> shouldn't be seeing this crap. Fortunately I don't :)
According to my ISP, they own me, and I have agreed to it.
To me, them trying to connect to me is attempted hacking or at the very
least an attack. And they will get hammered big time.
I can live with the usual open mail relay checks etc, but nothing more.
They scan the whole network twice a day.
>
> [snip]
>>> Again, I'd only push these to the top of the firewall rule-set if they
>>> needed handling more quickly than legitimate traffic; otherwise, let
>>> them fall foul of the great `catch-all' at the bottom.
>>
>> They do. The ordering of the rules is based on the most common attack
>> types. Which these days is excessive.
>
> Well that `profiled' approach is about the best idea IMO.
>
>> I run no servers at all, so dropping SYN is not an issue, same with the
>> ICMP.
>
> I'd just let stateful handling deal with it unless you want to log
> things as "christmas-tree" specifically, myself.
The router I use at home does not give many options. So I gave up and
wrote my own filters.
>
>> There was me thinking the RST/SYN stuff was a new one :-)
>
> Doesn't surprise me. I've had SYN+FIN scans for ages, and also some
> strange RSTs that were either reverse-scans or back-scatter.
It's the ever worsening arms race, firewall security vs low life.
>>> The worst thing on my cable connection is the ISP itself scanning for
>>> open relays, proxies and news servers... I decided that merited
>>> special handling of the `icmp admin-prohib' variety ;)
>>
>> Sounds like your ISP is like mine, totally clueless. Here they let you
>> run servers but screw you with data charges. There is no unmetered
>> broadband here, they honor you with 3GB/Month, then hit you with
>> AUD$0.18/MB after that.
>
> Erk. It's unmetered here AFAIK but no servers. Well, they don't complain
> as long as it's nothing serious, anyway :)
You have good internet, and we have untimed local phone calls.
Give me good internet any time.
>> I take it you are in the US?
>
> Good heavens no!
That makes two of us, relieved. I ran away from the UK a number of years
back :-)
> ~Tim
--
www.ozetechnology.com  AIM: OrigMartian
PGP key: www.ozetechnology.com/downloads/watsondk.pgp
Fingerprint: 57C83166BDC89F743D6760A32FA90C63FF2CA8C2
100% Microsoft Free. Unleash the power of the Penguin
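The thread argues about two inbound-filter styles: "drop all ICMP except type 3" versus filtering ICMP by type and rate-limiting the noisy ones, on top of dropping RFC 1918 sources and source-routed packets. The following is an added illustration, not part of this thread and not either poster's actual firewall configuration. It evaluates both policies against a constructed set of packet records (documentation addresses only), which makes it easy to see what each policy drops: the type-3-only policy discards time-exceeded replies to your own traceroutes, while both correctly refuse redirects (type 5) and the private-source and source-routed packets discussed above. The rate limit, the packet record format and the decision strings are all assumptions of this example.

```python
"""Evaluate inbound-filter policies against constructed packet records (added example)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Addresses that must never arrive from the Internet: RFC 1918 space plus loopback.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Policy A: "drop all ICMP except type 3", as in the thread after the 5 -> 3 correction.
ONLY_TYPE_3 = {3}

# Policy B: filter by type for a host that runs no servers.
#   0 echo-reply, 3 destination-unreachable (3/4 is fragmentation-needed, which
#   path MTU discovery depends on), 11 time-exceeded, 12 parameter-problem.
#   Type 5 (redirect) and type 8 (echo-request) are deliberately absent.
CLIENT_ICMP = {0, 3, 11, 12}

# Legitimate but only in small numbers: rate-limit per source (assumed threshold).
RATE_LIMITED = {12}
RATE_LIMIT_PER_SOURCE = 3


@dataclass
class Packet:
    src: str
    proto: str                      # "icmp" or "tcp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    source_routed: bool = False     # IP source-route option present


class InboundFilter:
    def __init__(self, allowed_icmp_types):
        self.allowed = set(allowed_icmp_types)
        self.per_source = Counter()

    def decide(self, pkt: Packet) -> str:
        src = ipaddress.ip_address(pkt.src)
        # Cheap, unconditional drops first (private sources, source routing),
        # then protocol-specific handling.
        if any(src in net for net in BOGON_SOURCES):
            return "drop:private-source"
        if pkt.source_routed:
            return "drop:source-routed"
        if pkt.proto == "icmp":
            if pkt.icmp_type not in self.allowed:
                return f"drop:icmp-type-{pkt.icmp_type}"
            if pkt.icmp_type in RATE_LIMITED:
                self.per_source[pkt.src] += 1
                if self.per_source[pkt.src] > RATE_LIMIT_PER_SOURCE:
                    return "drop:icmp-rate-limited"
        return "accept"


def run_policy(packets: List[Packet], allowed_icmp_types) -> List[str]:
    """Return one decision string per packet, in order."""
    f = InboundFilter(allowed_icmp_types)
    return [f.decide(p) for p in packets]


def summarize(decisions: List[str]) -> Dict[str, int]:
    return dict(Counter(decisions))


# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE = [
    Packet("203.0.113.1", "icmp", 3, 4),          # fragmentation-needed from a path router
    Packet("203.0.113.9", "icmp", 11, 0),         # time-exceeded answering our traceroute
    Packet("198.51.100.7", "icmp", 5, 1),         # redirect: never honour one from outside
    Packet("198.51.100.8", "icmp", 8, 0),         # echo-request to a host running no servers
    Packet("10.44.1.2", "tcp"),                   # RFC 1918 source leaking in from the ISP
    Packet("198.51.100.3", "tcp", source_routed=True),
] + [Packet("203.0.113.5", "icmp", 12, 0) for _ in range(5)]  # parameter-problem burst


if __name__ == "__main__":
    for name, policy in (("only-type-3", ONLY_TYPE_3), ("client-icmp", CLIENT_ICMP)):
        print(name, summarize(run_policy(SAMPLE, policy)))
```

Under the type-3-only policy only the fragmentation-needed message survives; under the per-type policy the traceroute reply and the first three parameter-problem messages are accepted and the rest of the burst is rate-limited, while the redirect, echo-request, private-source and source-routed packets are dropped by both.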