Penetration Testing mailing list archives
Re: Blocking Port scans
From: robert () dyadsecurity com
Date: Mon, 24 Oct 2005 11:11:40 -0700
BSK(bishan4u () yahoo co uk)@Mon, Oct 24, 2005 at 12:34:30PM +0100:
Just wanted some feedback from you people. I'm doing a Firewall Assessment for a CISCO PIX firewall. The firewall allows SYN, FIN, NULL and XMAS scans but blocks ACK scans (largely means its a stateful firewall). Now what do we do to block the scans that are allowed. I think it should be easy to block FIN, NULL and XMAS scans but how do we block or limit or workaround a SYN scan. 1 way that I think is probably blocking or limiting the packets from the source (using IDS/IPS)
You most likely don't really want to. Scans that are not part of a stateful connection can have their source IP easily spoofed. If you start blocking IP's based on the appearance of bad traffic that can be spoofed, you'll open yourself up for some pretty impressive targeted DoS situations. When you auto-block based on perceived "badness", you're allowing that bad person to write your rules. Basically, when you allow a "bad" person to start writing your firewall rules for you, you've taken a big step in the wrong direction. Furthermore, I would say that there is an incorrect assumption that trying to block port scans increases your security. Unfortunately, if the resource is still available, you've not increased your security in any measurable way. You've only added an additional set of DoS conditions. As a security tester you have a finite amount of resources (IP's to come from, bandwidth, computers, etc), and a limited amount of time (1-4 weeks, etc). It should be assumed that an attacker has an unlimited amount of resources (He's attacking you, surely he's compromised other machines too). Even if he did port scan, he could break it into small enough chunks from throw away IP's. If it's a targeted exploit payload for a specific host/service, you won't see a port scan coming before the exploit payload. Robert -- Robert E. Lee CIO, Dyad Security, Inc. W - http://www.dyadsecurity.com E - robert () dyadsecurity com M - (949) 394-2033 ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Blocking Port scans BSK (Oct 24)
- Re: Blocking Port scans Ivan . (Oct 24)
- Re: Blocking Port scans robert (Oct 24)
- Re: Blocking Port scans Justin (Oct 24)
- Re: Blocking Port scans Terry Vernon (Oct 24)
- Re: Blocking Port scans Chris Moody (Oct 25)
- Re: Blocking Port scans Georgi Alexandrov (Oct 26)
- <Possible follow-ups>
- RE: Blocking Port scans Josh Perrymon (Oct 24)
- RE: Blocking Port scans Geelen, Ruud (Oct 31)