Snort mailing list archives
Re: blocking nmap -P0 attack
From: Frank Knobbe <frank () knobbe us>
Date: Mon, 10 Jan 2005 16:14:59 -0600
On Mon, 2005-01-10 at 17:05 -0500, Matt Kettler wrote:
> But in general, as long as you have a finite block duration, they can always run their scans slower to get around it, but that's a bit of a very slow guessing game if the time is large.
Agreed. However, have you ever run a pentest where you scan just one port a day? ;)
> Working around someone with a 1 week block duration is pretty much hopeless unless you use a distribution of sources (i.e. a botnet)
One thing that a lot of folks seem to overlook is that distributed scanning is a hard reality. So are the decoy scans, which are luckily easy to detect (there is always that extra/duplicate packet from the same IP, or the packet to a .0 that only comes from one IP while the rest comes from 5 IPs, etc.). Instead of a botnet, open proxy servers can be nicely used for distributed/decoy/stealth scans. And there are still plenty of those around :)

Cheers,
Frank
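The two tells Frank describes (the duplicate packet from the real host, and the probe of the .0 address that only one source sends), as an added example that is not from this thread or from Snort: a small check over constructed probe records that names the source behind a decoy scan. All addresses, ports and the helper that builds the sample are made up for the demonstration.

```python
from collections import Counter, defaultdict

def build_scan_events(real_src, decoys, targets, leak=True):
    """Construct (src, dst, dport) probe records as a sensor would log them.

    Every source, real or decoy, probes every target. With leak=True the
    real host adds the two tells from the thread: a duplicate probe to one
    target and a probe of the network's .0 address that no decoy sends.
    """
    events = [(src, dst, dport) for src in [real_src, *decoys]
              for dst, dport in targets]
    if leak:
        events.append((real_src, *targets[0]))       # duplicate packet
        events.append((real_src, "192.0.2.0", 22))  # lone probe of .0
    return events

def decoy_scan_suspects(events):
    """Map each source to the reasons it looks like the real scanner."""
    reasons = defaultdict(list)
    # Tell 1: the same (src, dst, dport) probe seen more than once.
    for (src, dst, dport), n in Counter(events).items():
        if n > 1:
            reasons[src].append(f"duplicate probe of {dst}:{dport} (x{n})")
    # Tell 2: a target that only one source probes while others are
    # probed by the whole decoy set.
    srcs_per_target = defaultdict(set)
    for src, dst, dport in events:
        srcs_per_target[(dst, dport)].add(src)
    if len({src for src, _, _ in events}) > 1:
        for (dst, dport), srcs in srcs_per_target.items():
            if len(srcs) == 1:
                (src,) = srcs
                reasons[src].append(f"only source probing {dst}:{dport}")
    return dict(reasons)

# Constructed sample: one real scanner hiding among four decoy addresses.
REAL = "10.0.0.5"
DECOYS = ["10.0.0.7", "10.0.0.21", "10.0.0.33", "10.0.0.90"]
TARGETS = [("192.0.2.10", 22), ("192.0.2.10", 80), ("192.0.2.11", 22)]
SAMPLE_EVENTS = build_scan_events(REAL, DECOYS, TARGETS)

if __name__ == "__main__":
    for src, why in decoy_scan_suspects(SAMPLE_EVENTS).items():
        print(src, "->", "; ".join(why))
```

Feeding the same function a clean set of records (leak=False) returns nothing, which is the point: without one of these slips the decoys are indistinguishable from the real source on the wire.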