Penetration Testing mailing list archives

RE: Providers blocking portscans - bad news for pentest?


From: "Drage, Nick" <nick.drage () eds com>
Date: Tue, 5 Jul 2005 12:27:02 +0100

> Can you find out the specific tool they are using? My guess is
> they are looking at "X" number of port attempts in "Y" amount
> of time. If so something like:
> nmap -T sneaky ...
>
> should do the trick. I would expect that the threshold can not
> be all that low, otherwise it would false positive on busy
> name and mail servers.

I wouldn't have thought so, you could probably exclude UDP scans with a
source port of 53 and SYN/ACKs with a source port of 25 and still
provide an effective filtering service.

Actually, maybe the OP could try different flags in their scans and see
how they get on...

> And what if providers start filtering TCP/IP traffic. Then portscans
> will become very unreliable.
>
> Some already do. Many still block TCP/1433 & UDP/1434 due to
> the large number of infected Slammer systems that have yet to
> be cleaned. Some even block TCP/25, Echo-requests, inbound
> TCP/80 to non-hosted Web servers, etc. It's all a matter of the
> provider's policy.

Seconded, in the UK it was quite difficult to find an ISP that didn't
filter... Force9/PlusNet and Demon don't at the moment.

Does this mean that while the rest of the world will be taking advantage
of 21st Century working methods we'll still be travelling just to plug
into switch ports?

-- 
Nick Drage
EDS UK Penetration Testing Team
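The threshold detector the thread speculates about ("X" port attempts in "Y" seconds) and the exclusions Nick proposes for busy name and mail servers (UDP source port 53, SYN/ACK from source port 25) can be sketched in a few lines. The following is an added example written for this archive page, not code from the thread or from any provider's product; the flow records, IP addresses, threshold and window are constructed values.

```python
from collections import defaultdict, deque

# Constructed sample flow records (not from the thread):
# (timestamp_s, proto, src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE_FLOWS = (
    # 10.0.0.9 probes 12 distinct ports on one host within 12 seconds
    [(t, "tcp", "10.0.0.9", 40000 + t, "192.0.2.10", 20 + t, "S") for t in range(12)]
    # a busy name server answering many clients from UDP/53
    + [(t, "udp", "203.0.113.53", 53, "192.0.2.%d" % (20 + t), 1024 + 7 * t, "") for t in range(30)]
    # a busy mail server completing handshakes from TCP/25 (SYN/ACK replies)
    + [(t, "tcp", "198.51.100.25", 25, "192.0.2.%d" % (40 + t), 50000 + t, "SA") for t in range(30)]
    # an ordinary client touching two services on one host
    + [(1, "tcp", "10.0.0.7", 51000, "192.0.2.10", 80, "S"),
       (2, "tcp", "10.0.0.7", 51001, "192.0.2.10", 443, "S")]
)


def is_server_reply(flow):
    """True for traffic that looks like a busy server answering its clients."""
    _, proto, _, sport, _, _, flags = flow
    if proto == "udp" and sport == 53:                  # DNS answers from a name server
        return True
    if proto == "tcp" and sport == 25 and flags == "SA":  # SMTP server's SYN/ACK
        return True
    return False


def detect_scanners(flows, threshold=10, window_s=10, exclude_replies=True):
    """Return source IPs that touched >= threshold distinct dst ports inside window_s.

    With exclude_replies=False the name and mail servers above trip the threshold
    too, which is the false-positive problem the thread points at.
    """
    recent = defaultdict(deque)  # src_ip -> deque of (ts, dst_port), oldest first
    flagged = set()
    for flow in sorted(flows, key=lambda f: f[0]):
        if exclude_replies and is_server_reply(flow):
            continue
        ts, _, src, _, _, dport, _ = flow
        q = recent[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > window_s:  # drop events older than the window
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            flagged.add(src)
    return flagged
```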
