Penetration Testing mailing list archives
RE: Providers blocking portscans - bad news for pentest?
From: "Drage, Nick" <nick.drage () eds com>
Date: Tue, 5 Jul 2005 12:27:02 +0100
Can you find out the specific tool they are using? My guess is they are looking at "X" number of port attempts in "Y" amount of time. If so, something like: nmap -T sneaky ... should do the trick. I would expect that the threshold cannot be all that low, otherwise it would false positive on busy name and mail servers.
I wouldn't have thought so, you could probably exclude UDP scans with a source port of 53 and SYN/ACKs with a source port of 25 and still provide an effective filtering service. Actually, maybe the OP could try different flags in their scans and see how they get on...
And what if providers start filtering TCP/IP traffic? Then portscans will become very unreliable.

Some already do. Many still block TCP/1433 & UDP/1434 due to the large number of infected Slammer systems that have yet to be cleaned. Some even block TCP/25, Echo-requests, inbound TCP/80 to non-hosted Web servers, etc. It's all a matter of the provider's policy.
Seconded, in the UK it was quite difficult to find an ISP that didn't filter... Force9/PlusNet and Demon don't at the moment. Does this mean that while the rest of the world will be taking advantage of 21st Century working methods we'll still be travelling just to plug into switch ports?

--
Nick Drage
EDS UK Penetration Testing Team
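
The threshold heuristic guessed at in the message above ("X" port attempts in "Y" amount of time), together with the two exclusions the reply proposes, sketched as detection logic. This is an added example, not part of the original post or any provider's filter; the threshold values, the packet-record fields and the sample traffic are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed values for the post's "X" ports in "Y" seconds; not any provider's settings.
MAX_PORTS, WINDOW = 10, 5.0

def is_excluded(p):
    """Exclusions proposed in the post: DNS replies and SMTP SYN/ACKs."""
    if p["proto"] == "udp" and p["sport"] == 53:
        return True
    return p["proto"] == "tcp" and p["sport"] == 25 and p["flags"] == "SA"

def detect_scanners(packets, max_ports=MAX_PORTS, window=WINDOW, exclude=True):
    """Return sources that hit more than max_ports distinct (dst, dport)
    targets inside any window-second span."""
    recent = defaultdict(deque)          # src -> (timestamp, target) pairs
    flagged = set()
    for p in sorted(packets, key=lambda p: p["ts"]):
        if exclude and is_excluded(p):
            continue
        q = recent[p["src"]]
        q.append((p["ts"], (p["dst"], p["dport"])))
        while p["ts"] - q[0][0] > window:    # expire entries older than the window
            q.popleft()
        if len({target for _, target in q}) > max_ports:
            flagged.add(p["src"])
    return flagged

def build_sample():
    """Constructed traffic (documentation addresses), not a real capture."""
    def pkt(ts, src, proto, sport, dport, flags=""):
        return {"ts": ts, "src": src, "dst": "192.0.2.10", "proto": proto,
                "sport": sport, "dport": dport, "flags": flags}
    pkts = []
    for i in range(20):
        ts = i * 0.1
        pkts.append(pkt(ts, "198.51.100.7", "tcp", 40000, 1 + i, "S"))      # SYN sweep
        pkts.append(pkt(ts, "203.0.113.53", "udp", 53, 50000 + i))          # DNS replies
        pkts.append(pkt(ts, "203.0.113.25", "tcp", 25, 51000 + i, "SA"))    # SMTP SYN/ACKs
    for i, port in enumerate((25, 80, 443)):
        pkts.append(pkt(i, "198.51.100.20", "tcp", 41000 + i, port, "S"))   # ordinary client
    return pkts

if __name__ == "__main__":
    sample = build_sample()
    print("with exclusions:   ", sorted(detect_scanners(sample)))
    print("without exclusions:", sorted(detect_scanners(sample, exclude=False)))
```

Without the exclusions, the constructed name server and mail server cross the same threshold as the SYN sweep, which is the false-positive concern raised in the quoted message.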