Re: stoping net scans

To: Michael Bergbauer <michael@noname.franken.de>
Cc: debian-firewall@lists.debian.org
Subject: Re: stoping net scans
From: José A. Guzmán <jose@iteso.mx>
Date: Sun, 13 Apr 2003 19:04:41 -0500
Message-id: <[🔎] 1050278681.3e99fb1981b2e@correo.iteso.mx>
In-reply-to: <[🔎] 20030413221852.GI6438@noname.franken.de>
References: <[🔎] 1050166210.3e9843c2cf485@correo.iteso.mx> <[🔎] 20030413221852.GI6438@noname.franken.de>

Mensaje citado por Michael Bergbauer <michael@noname.franken.de>:

> On Sat Apr 12, 2003 at 11:5010AM -0500, José A. Guzmán wrote:
> > 
> >  Is there a tool (log monitoring or otherwise) that effectively blocks
> incoming
> > port scans (maybe interacting with iptables)?.
> > 
> >  What are you guys using to block incoming port scans?
> 
> Why do you want to block them? Get a secure configuration of you 
> publicly reachable boxes and be happy with it.
> 
> Blocking port scans is something compared to preventing people passing 
> by your house because you're afraid of thieves looking around for 
> vulnerabilties.
> 

  Well, in theory (or in a very small and controlled network) I believe you are
right, but in practice, with a campus network of thousands of boxes lying
around, with students and faculty legitimately playing around with services on
their linux-windows machines, and not being moderately paranoid (like myself),
it does make some sense to have some security through obscurity and block scans.

 Plus, I belive there is an advantage in blocking detected scanners with an
'early rule' in iptables, saving the kernel the work of checking the packet with
every rule until the default policy applies, (multiply N times for each scanned
ip, times N ports, times N scanners), for a class B network it does add a bit to
the cpu of the firewall router.

 Blocking port scans, following your metaphor, would be like having a policeman
in your neigborhood, detaining graffitiers or bell ringers and allowing only
apparently-well-behaved citizens.

 Althouhg there still lurks the issue raised by Bernd, the possibility of
abusing the scan-stop mechanism to generate a DoS by forging IP addresses of
well known sites.

  Is this a common or a growing practice?   Is it that easy to spoof well known
sites?

> 
> -- 
> Michael Bergbauer <michael@noname.franken.de>
> use your idle CPU cycles - See http://www.distributed.net for details.
> Visit our mud Geas at geas.franken.de Port 3333
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> 
> 

José

-------------

"We will kill them all........most of them."

---

Reply to:

Follow-Ups:
- Re: stoping net scans
  - From: Bernd Eckenfels <lists@lina.inka.de>

References:
- stoping net scans
  - From: José A. Guzmán <jose@iteso.mx>
- Re: stoping net scans
  - From: Michael Bergbauer <michael@noname.franken.de>

Prev by Date: IPtables or shorewall
Next by Date: Re: stoping net scans
Previous by thread: Re: stoping net scans
Next by thread: Re: stoping net scans
Index(es):
- Date
- Thread