Security Basics mailing list archives

RE: Dealing with Scans (portscans, vulnerability, etc.)


From: "Holger Reichert" <holger.reichert () holysword de>
Date: Thu, 26 Nov 2009 21:26:05 +0100

Hi,
just one hint regarding the topic of reporting this to a contact at the
company where the attacking IP address is located.
In my time as a defence system administrator, I decided to report major scans
to companies within my own country which were the origin of attacks like
this. They were always very grateful, as they had not yet detected that
they had been hacked and their systems used for scanning.

Kind regards
Holger Reichert
Holysword GbR
Information Security Consulting
Germany

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Aarón Mizrachi
Sent: Tuesday, 24 November 2009 21:29
To: security-basics () securityfocus com
Cc: Tony Raboza
Subject: Re: Dealing with Scans (portscans, vulnerability, etc.)

On Sunday 22 November 2009 01:35:02 Tony Raboza wrote:
> Hi,
>
> I'm tuning my IDS and I'm thinking of taking out the portscan/web
> vulnerability scan rules.  Why?  Because, yes - I know that somebody
> may be scanning my network - but, what can I do about it?
>
> 1.  Block the IP? But, what if it's NAT - meaning only 1
> workstation/user did the port scanning, I would be blocking all the
> possibly valid users behind that IP.
Indeed. That's right.

> 2.  Report it to their ISP or to them?  Then what?

Not all ISPs take action against their users doing port scanning. It depends on
internal policy and local legislation.

> I want my IDS console not to be too cluttered; that's why I'm tuning
> it.  If it's too cluttered - I might be missing out on the really
> important alerts.
>
> What about you?  How do you deal with port/vulnerability scans?
First of all, we must secure our sites/servers well enough to prevent attacks,
even if the attacker knows every detail about our platform, including
usernames, ports, OS, versions, hardware, and more.

After that, we have two options to _delay_ scanning:

1- Restrict the scan: You can automatically block certain IPs using an IPS. It
will delay, not prevent, the scanning. An attacker could use anti-IPS
techniques to avoid detection and bypass the protection.

2- Confuse the attacker: You can automatically send crafted information to
the scanning process and overload it with trash.

I wrote an application to do that; I called it portjammer / synackflood. It is
open source, and you can download it from:

http://sourceforge.net/projects/synackflood/

> Is it illegal btw?

We need to understand that the Internet is not ruled by only one legislation.
Every country has its own laws on that matter. And attackers are usually
based in other countries.

In my country (for example), we have a special law for internet crime; this
law defines that an attacker can't be extradited based on foreign laws on
that matter. And... scanning itself is not defined as an offense here.

Add to this that many of these countries do not have the infrastructure to
investigate cybercrime. And in addition, many attackers are using free
wifi hotspots.

What does this mean?

We must protect our networks against attackers around the world, not
thinking that our local laws will protect us. Local laws are intended to
prevent local crime, and these laws do not always work outside our country.



> Thanks.
>
> Best,
> Tony

> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL
> certificate.  We look at how SSL works, how it benefits your company
> and how your customers can tell if a site is secure. You will find
> out how to test, purchase, install and use a thawte Digital
> Certificate on your Apache web server. Throughout, best practices for
> set-up are highlighted to help you ensure efficient ongoing
> management of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------


-- 
Ing. Aaron G. Mizrachi P.    

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
BBPIN: 0x 247066C1
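An added example, written for this archive page and not taken from the thread or from the synackflood project: a minimal sliding-window port-scan detector of the kind an IDS/IPS would run for the "restrict the scan" option above, built so that it also answers Tony's NAT concern. It reads constructed firewall-style log lines (the log format, the addresses and the thresholds are assumptions made for the example), flags a source that touches many distinct destination ports within a short window, raises one alert per burst rather than one per packet, and issues only a short-lived block so that legitimate users behind a shared NAT address are not locked out indefinitely. A host that repeatedly hits the same two ports is not flagged, which is the kind of traffic the console should stay quiet about.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

# Constructed log format for this example (not any real product's format):
#   "<epoch-seconds> <src_ip> -> <dst_ip>:<dst_port> <tcp-flags>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5}) (?P<flags>\S+)$"
)

# Constructed sample: 203.0.113.10 sweeps many ports within a few seconds,
# 192.0.2.7 is an ordinary web user touching only ports 80 and 443.
SAMPLE_LOG = """\
1259000000 203.0.113.10 -> 198.51.100.5:21 SYN
1259000001 203.0.113.10 -> 198.51.100.5:22 SYN
1259000002 192.0.2.7 -> 198.51.100.5:80 SYN
1259000002 203.0.113.10 -> 198.51.100.5:23 SYN
1259000003 203.0.113.10 -> 198.51.100.5:25 SYN
1259000004 203.0.113.10 -> 198.51.100.5:53 SYN
1259000005 192.0.2.7 -> 198.51.100.5:443 SYN
1259000005 203.0.113.10 -> 198.51.100.5:80 SYN
1259000006 203.0.113.10 -> 198.51.100.5:110 SYN
1259000007 203.0.113.10 -> 198.51.100.5:135 SYN
1259000008 203.0.113.10 -> 198.51.100.5:139 SYN
1259000009 203.0.113.10 -> 198.51.100.5:443 SYN
1259000010 203.0.113.10 -> 198.51.100.5:445 SYN
1259000011 203.0.113.10 -> 198.51.100.5:3389 SYN
1259000030 192.0.2.7 -> 198.51.100.5:80 SYN
1259000031 192.0.2.7 -> 198.51.100.5:443 SYN
1259000400 203.0.113.10 -> 198.51.100.5:8080 SYN
"""


@dataclass(frozen=True)
class ScanRule:
    window_seconds: int = 60   # look-back window per source address (assumed value)
    port_threshold: int = 10   # distinct destination ports that count as a scan (assumed)
    block_seconds: int = 300   # keep automatic blocks short: the source may be a NAT gateway


@dataclass(frozen=True)
class Event:
    ts: int
    src: str
    dst: str
    port: int


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into time-ordered events."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append(Event(int(m["ts"]), m["src"], m["dst"], int(m["port"])))
    return sorted(events, key=lambda e: e.ts)


def is_blocked(blocks: Dict[str, int], src: str, ts: int) -> bool:
    """True while the temporary block for src is still in force at time ts."""
    return src in blocks and ts < blocks[src]


def detect_scans(events: List[Event], rule: ScanRule):
    """Return (alerts, blocks): alerts is a list of (ts, src, distinct_ports),
    one per scan burst; blocks maps src -> expiry timestamp of its block."""
    history: Dict[str, Deque[Tuple[int, int]]] = defaultdict(deque)
    blocks: Dict[str, int] = {}
    alerts: List[Tuple[int, str, int]] = []
    for ev in events:
        q = history[ev.src]
        q.append((ev.ts, ev.port))
        # Drop hits that have fallen out of the look-back window.
        while q and q[0][0] < ev.ts - rule.window_seconds:
            q.popleft()
        if is_blocked(blocks, ev.src, ev.ts):
            continue  # already blocked: do not clutter the console with repeats
        distinct_ports = {port for _, port in q}
        if len(distinct_ports) >= rule.port_threshold:
            alerts.append((ev.ts, ev.src, len(distinct_ports)))
            blocks[ev.src] = ev.ts + rule.block_seconds
            q.clear()  # count afresh once the block has expired
    return alerts, blocks


def run_example(rule: ScanRule = ScanRule()):
    return detect_scans(parse_log(SAMPLE_LOG), rule)


if __name__ == "__main__":
    found, active = run_example()
    for ts, src, n in found:
        print(f"{ts}: portscan from {src} ({n} distinct ports), blocked until {active[src]}")
    print("192.0.2.7 ever blocked?", "192.0.2.7" in active)
```

With the constructed input the scanner is reported once, at the tenth distinct port, and is quiet again after the 300-second block lapses, while the web user never appears in the alerts. In production the window, threshold and block duration are the knobs that trade alert volume against collateral damage to shared addresses; lengthening the block is what turns a nuisance scanner into a self-inflicted outage for everyone behind the same NAT.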
