Snort mailing list archives
Re: blocking nmap -P0 attack
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 10 Jan 2005 17:40:10 -0500
At 05:14 PM 1/10/2005, Frank Knobbe wrote:
> On Mon, 2005-01-10 at 17:05 -0500, Matt Kettler wrote:
> > But in general, as long as you have a finite block duration, they can
> > always run their scans slower to get around it, but that's a bit of a very
> > slow guessing game if the time is large.
>
> Agreed. However, have you ever run a pentest where you scan just one port a day? ;)
No, but if your attacker is scanning most of the internet the slow-scan approach works very well. Scanning 100,000 hosts in a slow-parallel scan over a month is not much different than scanning 100,000 hosts using a fast-sequential scan over a month. However, at the recipient's end the traffic profile is much different.
It also depends on your threat level, how much your attacker knows about you (you're posting on the snort-users list mentioning snortsam, it's pretty easy for an attacker to google that up), and what scale of operation they are on.
> One thing that a lot of folks seem to overlook is that distributed scanning is a hard reality.
Is it? What about DScan? It's a very widely available tool for this very purpose.
http://www.packetstormsecurity.org/distributed/

Given that virus writers have taken to dropping backdoors, the creation of a botnet itself is quite simple: just buy one from a virus writer, or write your own virus and collect thousands.
Sorry guys, but distributed attacks are here, now, and very common. Take a look at your mailserver logs for rumplestiltskin attacks some time.
> Instead of a bot net, open proxy servers can be nicely used for distributed/decoy/stealth scans. And there are still plenty of those around :)
True, but it's hard to get 10,000 open proxies. 10,000 windows machines that got infected by a mail virus are much easier to come by.
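The two evasions argued over in this thread (run the scan slower than the trigger window, or spread it over many sources) can be seen directly in a small model. The following is an added illustration, not code from the thread and not Snort's or SnortSam's own logic: a threshold blocker that blocks a source for a fixed duration once it touches 5 distinct ports within 60 seconds (these numbers are assumed for the example, not SnortSam defaults), run over three constructed scans of the same 100 ports. As with a passive IDS, the probe that trips the threshold has already reached the host; only later probes from that source are dropped.

```python
"""Model of a finite-duration scan blocker versus fast, slow and distributed scans.

Added example; the blocker parameters and the scan traffic below are constructed
for illustration and are not SnortSam defaults or captured traffic.
"""
from collections import defaultdict, deque


class ScanBlocker:
    """Block a source for `block_duration` seconds once it has probed
    `threshold` distinct destination ports within a sliding `window`."""

    def __init__(self, threshold=5, window=60.0, block_duration=600.0):
        self.threshold = threshold
        self.window = window
        self.block_duration = block_duration
        self.hits = defaultdict(deque)  # src -> deque of (timestamp, dport)
        self.block_until = {}           # src -> time at which the block expires

    def observe(self, t, src, dport):
        """Process one probe; return 'blocked' if it is dropped, else 'passed'."""
        if self.block_until.get(src, -1.0) > t:
            return "blocked"
        q = self.hits[src]
        q.append((t, dport))
        # Forget probes that have fallen out of the sliding window.
        while q and q[0][0] < t - self.window:
            q.popleft()
        if len({p for _, p in q}) >= self.threshold:
            # Passive detection: this probe already went through; block what follows.
            self.block_until[src] = t + self.block_duration
            q.clear()
        return "passed"


def run_scan(blocker, probes):
    """Feed (t, src, dport) probes to the blocker; return the set of ports that got through."""
    seen = set()
    for t, src, dport in probes:
        if blocker.observe(t, src, dport) == "passed":
            seen.add(dport)
    return seen


def fast_scan(ports, src="10.0.0.1", interval=0.1):
    """One source, ten probes per second (constructed traffic)."""
    return [(i * interval, src, p) for i, p in enumerate(ports)]


def slow_scan(ports, src="10.0.0.1", interval=20.0):
    """One source, one probe every 20 s: at most 4 ports fall in any 60 s window."""
    return [(i * interval, src, p) for i, p in enumerate(ports)]


def distributed_scan(ports, interval=0.1):
    """A different (constructed) source address for every port, bot-net style."""
    return [(i * interval, f"192.0.2.{i + 1}", p) for i, p in enumerate(ports)]


def compare(ports=range(1, 101)):
    """Return how many of the target ports each scan style managed to probe."""
    scans = {
        "fast": fast_scan(list(ports)),
        "slow": slow_scan(list(ports)),
        "distributed": distributed_scan(list(ports)),
    }
    return {name: len(run_scan(ScanBlocker(), probes)) for name, probes in scans.items()}


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name:12s} scan: {count} of 100 ports reached the host")
```

The fast scan loses all but the first five ports to the block; the slow scan never accumulates enough hits inside one window and finishes untouched, just more slowly; the distributed scan finishes at full speed because no single source ever crosses the threshold. Raising the block duration changes nothing for the last two cases, which is the point Matt makes above.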