Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Blocking Port scans

from [robert] Network Security [Permanent Link]
Subject: Re: Blocking Port scans
Date: Mon, 24 Oct 2005 11:11:40 -0700 
BSK(bishan4u@yahoo.co.uk)@Mon, Oct 24, 2005 at 12:34:30PM +0100:

Just wanted some feedback from you people. I'm doing a
Firewall Assessment for a CISCO PIX firewall. The
firewall allows SYN, FIN, NULL and XMAS scans but
blocks ACK scans (largely means its a stateful
firewall).

Now what do we do to block the scans that are allowed.
I think it should be easy to block FIN, NULL and XMAS
scans but how do we block or limit or workaround a SYN
scan. 1 way that I think is probably blocking or
limiting  the packets from the source (using IDS/IPS)


You most likely don't really want to.  Scans that are not part of a
stateful connection can have their source IP easily spoofed.  If you
start blocking IP's based on the appearance of bad traffic that can be
spoofed, you'll open yourself up for some pretty impressive targeted DoS
situations.

When you auto-block based on perceived "badness", you're allowing that
bad person to write your rules.  Basically, when you allow a "bad"
person to start writing your firewall rules for you, you've taken a big
step in the wrong direction.

Furthermore, I would say that there is an incorrect assumption that
trying to block port scans increases your security.  Unfortunately, if
the resource is still available, you've not increased your security in
any measurable way.  You've only added an additional set of DoS
conditions.

As a security tester you have a finite amount of resources (IP's to come
from, bandwidth, computers, etc), and a limited amount of time (1-4
weeks, etc).  It should be assumed that an attacker has an unlimited
amount of resources (He's attacking you, surely he's compromised other
machines too).  Even if he did port scan, he could break it into small
enough chunks from throw away IP's.

If it's a targeted exploit payload for a specific host/service, you
won't see a port scan coming before the exploit payload.

Robert

-- 
Robert E. Lee
CIO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert@dyadsecurity.com
M - (949) 394-2033

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Scanning Class A network, Justin
Next by Date:  Re: Blocking Port scans, Justin
Previous by Thread:  Re: Blocking Port scans, Ivan .
Next by Thread:  Re: Blocking Port scans, Justin
Indexes:  [Date] [Thread] [Top] [All Lists]