Penetration Testing mailing list archives
Request for discussion on defending against specific Nmap TCP syn and version scans.
From: "Smith, Chris" <Chris.Smith () nwdc net>
Date: Wed, 1 Mar 2006 09:53:22 -0800
Greetings list members,

I'd like to generate some discussion and ask the list for a few best practice ideas on how to best defend against and ultimately block TCP SYN (-sS) and version scans (-sV) against specific ports, in particular port 80. These targeted scans initiate a full TCP connection complete with 3-way handshake and thus are able to look like legitimate HTTP requests. Specifically I'm interested in ideas that talk about authoring a Snort rule of sorts that can log to the alerts file, or iptables rule tweaks that can block particular scan types while still allowing legitimate connections.

For example, let's assume an attacker uses the following scan against a listening Apache web server on the target IP:

nmap -sV -P0 -T4 -p 80 -vv X.X.X.X

It's probable that the scan results are being dumped out as XML which is then parsed by other scripts for the sole purpose of getting the target IP on a web app exploit attempt list of some type. As the scan is attempted against the target IP, Apache's access_log indicates the following:

24.21.193.231 - - [28/Feb/2006:04:50:33 -0800] "GET / HTTP/1.0" 200 2349

where 24.21.193.231 is most likely a compromised system being used for bulk scanning. Apache sends HTTP response 200 back, letting the attacker know of its presence. Based on observing future log file activity, it appears that this successful probe has automatically placed this box on an automated exploit attempts list, because multiple exploit attempts for the various IIS and PHP forum/bulletin apps are attempted and show up in Apache's access_log. Basically, attempts that utilize the latest round of vulnerability disclosures being submitted to BugTraq start showing up.

The logical conclusion that one might make would be that if this initial scan could be blocked, it could prevent a plethora of specific, targeted, future exploit attempts.
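Added example, not part of Chris's post or of any reply in the thread: a small Python script that looks for the artifact his log line shows. It assumes (from nmap's service-probe database as I know it, not from anything on this page) that nmap's -sV "GetRequest" probe is the bare request `GET / HTTP/1.0\r\n\r\n` with no Host, User-Agent or other headers, and that the access log is in Apache common or combined format. The function and variable names, and the sample log lines modelled on the one quoted above, are all constructed for this illustration.

```python
"""Flag requests shaped like nmap's -sV HTTP probe in an Apache access log.

Constructed example for the list discussion above; not code from the original
post. Assumption: nmap's version-detection GetRequest probe is the bare request
"GET / HTTP/1.0\r\n\r\n" (no Host, User-Agent or any other header).
"""
import re
from datetime import datetime, timedelta

# Apache common log format, optionally followed by the combined-format
# "referer" and "user-agent" fields (both missing in the post's log line).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Wire-level signature (assumed, see module docstring): request line followed
# directly by the empty line that ends the header block. A Snort content match
# on port 80 traffic to the server would key on exactly these bytes.
NMAP_GETREQUEST = b"GET / HTTP/1.0\r\n\r\n"


def looks_like_version_probe(raw_request: bytes) -> bool:
    """True if a raw HTTP request captured on the wire is the bare probe."""
    return raw_request == NMAP_GETREQUEST


def parse_line(line: str):
    """Parse one common- or combined-format line; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def is_probe_entry(entry: dict) -> bool:
    """Log-level heuristic: HTTP/1.0 GET for "/" and, when the log records
    them, no referer and no user-agent. A common-format log has neither header
    field, so there only the request line can be checked, which is why a
    monitoring client that also speaks HTTP/1.0 cannot be told apart there."""
    if entry["req"] != "GET / HTTP/1.0":
        return False
    if entry["ua"] is not None and entry["ua"] != "-":
        return False
    if entry["referer"] is not None and entry["referer"] != "-":
        return False
    return True


def flag_probes(lines, follow_up_window=timedelta(hours=24)):
    """Return {ip: {"probe_at": ts, "follow_ups": n}} for every source that
    sent a probe-shaped request, counting its later requests inside the
    window: the "probe first, exploit attempts later" pattern from the post."""
    entries = [e for e in map(parse_line, lines) if e]
    probes = {}
    for e in entries:  # first probe-shaped request per source
        if is_probe_entry(e) and e["ip"] not in probes:
            probes[e["ip"]] = {"probe_at": e["ts"], "follow_ups": 0}
    for e in entries:  # everything that source sent afterwards
        p = probes.get(e["ip"])
        if p and p["probe_at"] < e["ts"] <= p["probe_at"] + follow_up_window:
            p["follow_ups"] += 1
    return probes


# Constructed sample log (combined format) modelled on the line in the post.
SAMPLE_LOG = [
    '24.21.193.231 - - [28/Feb/2006:04:50:33 -0800] "GET / HTTP/1.0" 200 2349 "-" "-"',
    '24.21.193.231 - - [28/Feb/2006:05:12:07 -0800] "GET /phpBB2/viewtopic.php?t=1 HTTP/1.1" 404 288 "-" "-"',
    '24.21.193.231 - - [28/Feb/2006:05:12:09 -0800] "GET /iisadmin/default.htm HTTP/1.0" 404 301 "-" "-"',
    # legitimate HTTP/1.0 monitoring check: same request line, but it sends a User-Agent
    '192.0.2.10 - - [28/Feb/2006:06:00:00 -0800] "GET / HTTP/1.0" 200 2349 "-" "check_http/v1.4 (nagios-plugins 1.4)"',
    '192.0.2.11 - - [28/Feb/2006:06:01:00 -0800] "GET / HTTP/1.1" 200 2349 "http://example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in flag_probes(SAMPLE_LOG).items():
        print(f"{ip}: probe at {info['probe_at']}, {info['follow_ups']} follow-up request(s)")
```

Two design points. First, only the -sV probe leaves anything at the application layer; a plain -sS scan never sends data after the handshake, so neither Apache nor an HTTP content rule will ever see it, and at the packet level its SYN is indistinguishable from a browser's. Second, the header-less request line is a weak fingerprint on its own: the nagios line above shows why the User-Agent field matters, and that field is only present if the server logs the combined format.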
Current thread:
- Request for discussion on defending against specific Nmap TCP syn and version scans. Smith, Chris (Mar 01)
- Re: Request for discussion on defending against specific Nmap TCP syn and version scans. Martin Mačok (Mar 02)
- Bank pen test Noe Espinoza Mancillas (Mar 02)
- RE: Bank pen test Andy Meyers (Mar 03)
- RE: Bank pen test mystic33 (Mar 03)
- Re: Bank pen test Noe Espinoza Mancillas (Mar 03)
- Re: Bank pen test Rick Zhong (Mar 03)
- RE: Bank pen test Omar A. Herrera (Mar 04)
- <Possible follow-ups>
- Re: Request for discussion on defending against specific Nmap TCP syn and version scans. revnic (Mar 02)
(Thread continues...)