Security Basics mailing list archives

RE: Server blocks access of IP after nmap scan

From: "Rishi Narang" <exe.tmp () gmail com>
Date: Wed, 18 May 2011 22:52:36 +0530

Hello,

If that is a single IP, there is a possibility that there is a timing
problem. You can try using "--scan-delay" for your scans. Here is the
excerpt from the manual,

--scan-delay <time>; --max-scan-delay <time> (Adjust delay between probes)

This option causes Nmap to wait at least the given amount of time between
each probe it sends to a given host. This is particularly useful in the case
of rate limiting. Solaris machines (among many others) will usually respond
to UDP scan probe packets with only one ICMP message per second. Any more
than that sent by Nmap will be wasteful. A --scan-delay of 1s will keep Nmap
at that slow rate. Nmap tries to detect rate limiting and adjust the scan
delay accordingly, but it doesn't hurt to specify it explicitly if you
already know what rate works best.
When Nmap adjusts the scan delay upward to cope with rate limiting, the scan
slows down dramatically. The --max-scan-delay option specifies the largest
delay that Nmap will allow. A low --max-scan-delay can speed up Nmap, but it
is risky. Setting this value too low can lead to wasteful packet
retransmissions and possible missed ports when the target implements strict
rate limiting.
Another use of --scan-delay is to evade threshold based intrusion detection
and prevention systems (IDS/IPS).

More details - http://nmap.org/book/man-performance.html

--
Regards,
Rishi Narang, CEH
----------------------------------------------------------------------------
---------------------------------------------------------------
Twitter: @rnarang | Weblog: www.wtfuzz.com | Skype: rishi.narang | LinkedIn:
www.linkedin.com/in/rishinarang

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of amon.amarth9 () gmail com
Sent: Wednesday, May 18, 2011 10:07 PM
To: security-basics () securityfocus com
Subject: Server blocks access of IP after nmap scan

I am conducting this little security test on a specific web server owned by
a colleague of mine, saying it's pretty secured. So first I ran nmap but
after the nmap scan completes (and it says all ports filtered, which is
impossible), the web server became unresponsive. I called my friend in order
to explain him how accidentally I DoSed his server but he says it's all ok.
I check again - it's not responding. So I connect through a proxy and whoa -
it's alive, so i guess after the nmap scan the server somehow protected
itself by blocking access to the site for my ip. I would like to know what I
can do in this case, how I can successfully complete a nmap scan without
putting it 'down'. Any ideas please?

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we
examine the importance of Apache-SSL and who needs an SSL certificate.  We
look at how SSL works, how it benefits your company and how your customers
can tell if a site is secure. You will find out how to test, purchase,
install and use a thawte Digital Certificate on your Apache web server.
Throughout, best practices for set-up are highlighted to help you ensure
efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

Server blocks access of IP after nmap scan amon . amarth9 (May 18)
- Re: Server blocks access of IP after nmap scan Ken Fox (May 18)
  - Re: Server blocks access of IP after nmap scan Thomas Rozenbroek (May 18)
- Re: Server blocks access of IP after nmap scan pasquale imperato (May 18)
- Re: Server blocks access of IP after nmap scan anthony kasza (May 18)
- RE: Server blocks access of IP after nmap scan Dan Lynch (May 18)
  - Re: Server blocks access of IP after nmap scan Martin Schneider (May 18)
- Re: Server blocks access of IP after nmap scan Saif El Sherei (May 18)
- RE: Server blocks access of IP after nmap scan Rishi Narang (May 18)
- <Possible follow-ups>
- Re: RE: Server blocks access of IP after nmap scan amon . amarth9 (May 18)
  - Re: Server blocks access of IP after nmap scan Joseph Saselli (May 18)
- Re: Server blocks access of IP after nmap scan Luciano Mazzella (May 18)
- Re: RE: Server blocks access of IP after nmap scan phyco . rootelement (May 18)
- Re: RE: Server blocks access of IP after nmap scan TAS (May 18)
- Re: Server blocks access of IP after nmap scan amon . amarth9 (May 18)
  - Re: Server blocks access of IP after nmap scan Littlefield, Tyler (May 18)
    - Re: Server blocks access of IP after nmap scan Matthew Caron (May 18)
    - RE: Server blocks access of IP after nmap scan Michael Sturtz (May 18)
- Re: RE: Server blocks access of IP after nmap scan amon . amarth9 (May 18)

(Thread continues...)