
Re: How to avoid port scanners



On 01/17/2002 09:38:01 AM Adam William Lydick wrote:

>> This has been brought up before, and leads to the problem of:
>>
>> (1) hostile individual realizes he is firewalled automatically after SYN
>> scanning (which does not require a handshake and may be spoofed)
>> (2) attacker spoofs legit source IPs to get them firewalled (which might
>> block outgoing mail from being sent, depending on how it is
>> implemented.)

(3) Distributed scan system where each compromised "attacking" system
probes exactly one probe once.  When an individual attacker is firewalled,
the next attacker begins.

I've not seen an automated system like that, but it's not rare at all for a
fully manual system.  Somebody's got ten cracked systems, they've got ten
tries to break into a new box, one attempt from each.

Blocking a single /32 per attack only stops the lamest skript kiddies, who
are precisely the most harmless of the skript kiddies.

Not much gain, for too much pain.
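
An added illustration, not part of the original message, of point (3): a per-source threshold of the kind that drives per-/32 blocking, next to a per-destination aggregation that only alerts. The event tuples, addresses, thresholds and function names are constructed for this example.

```python
from collections import defaultdict

# Constructed sample events: (timestamp_seconds, source_ip, dest_ip, dest_port).
# 198.51.100.7 is a classic single-source scan of 192.0.2.10;
# each 203.0.113.x source sends exactly one probe to 192.0.2.20.
EVENTS = (
    [(i, "198.51.100.7", "192.0.2.10", p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110])]
    + [(100 + i * 5, f"203.0.113.{i + 1}", "192.0.2.20", p)
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080])]
)

def per_source_blocks(events, threshold=5):
    """Per-/32 rule: flag a source once it has probed `threshold` distinct
    (destination, port) pairs."""
    seen = defaultdict(set)
    for _, src, dst, port in events:
        seen[src].add((dst, port))
    return {src for src, pairs in seen.items() if len(pairs) >= threshold}

def per_target_alerts(events, threshold=5, window=120):
    """Aggregate by destination: flag a host probed on `threshold` distinct
    ports within `window` seconds, whatever the number of sources.
    Returns {dest_ip: distinct source count in the triggering window}."""
    by_dst = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_dst[dst].append((ts, src, port))
    alerts = {}
    for dst, hits in by_dst.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= `window` seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            win = hits[start:end + 1]
            if len({port for _, _, port in win}) >= threshold:
                alerts[dst] = len({src for _, src, _ in win})
                break
    return alerts

if __name__ == "__main__":
    print("per-source flags:", per_source_blocks(EVENTS))
    print("per-target alerts:", per_target_alerts(EVENTS))
```

A source count above one in the per-target result marks a sweep that no single /32 block would have stopped.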


