
Re: 'mirror' with iptables



This is fairly strange, since scanning ports 20-25 + OS fingerprint should 
have generated something like... 20-25 messages. My IDS tends to accumulate 
that amount of scans/exploits/other crap in about 2-3 hours. Your firewall 
must be invisible or something because when I say IDS I mean it is installed 
on both my home system and my work system. In any case, I get 20-100 port 
scans about once in ~2-3 days. There are a lot of idiots out there, you know.
To protect from single port scans use LaBrea.

On Wednesday 14 November 2001 03:21 pm, Tim Haynes wrote:
> Dmitriy Kropivnitskiy <jeld@mindless.com> writes:
>
> [snip]
>
> > > how does this stop the scanner from identifying open ports?
> >
> > If you actually drop packets instead of rejecting them your port scanner
> > will slow down to a crawl, since it has to wait for timeout on every try.
>
> Bzzzzzzt.
>
> Push out loads of packets to many hosts at one port per host, and just sit
> back & wait for the responses; they'll tell you if they're listening.
> Absolutely *nobody* does multi-port per host sweeps these days - to the
> extent that I nmapped myself from ports 20-25 only, this morning, and it
> occupied the greater amount of the firewall log for the last 24hrs.
>
> ~Tim
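The two posters disagree about what a firewall log will actually show: many ports probed on one host (which the DROP-induced timeouts slow down) versus one port probed across many hosts. The script below is an added example, not code from this thread, and it classifies both shapes from iptables LOG-target lines. The log lines are constructed (addresses from the documentation ranges) and use only the standard LOG fields (SRC=, DST=, PROTO=, DPT=); the thresholds are assumptions to tune for your own traffic.

```python
"""Classify port-scan shapes in iptables LOG output.

A "vertical" scan is one source probing many destination ports on a
single host; a "horizontal" sweep is one source probing the same port
across many hosts.  Only the standard LOG-target fields are parsed, so
real /var/log/messages lines (with LEN=, TOS=, ID=, ... in between)
work as well as the constructed sample below.
"""
import re
from collections import defaultdict

# Constructed sample lines (not from the thread); one source walks ports 20-25
# on a single host, a second source hits port 22 on five hosts, a third makes
# a single ordinary connection attempt.
SAMPLE_LOG = """\
Nov 14 15:21:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=20 SYN
Nov 14 15:21:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41001 DPT=21 SYN
Nov 14 15:21:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41002 DPT=22 SYN
Nov 14 15:21:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41003 DPT=23 SYN
Nov 14 15:21:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41004 DPT=24 SYN
Nov 14 15:21:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41005 DPT=25 SYN
Nov 14 15:30:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5555 DPT=22 SYN
Nov 14 15:30:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.11 PROTO=TCP SPT=5555 DPT=22 SYN
Nov 14 15:30:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.12 PROTO=TCP SPT=5555 DPT=22 SYN
Nov 14 15:30:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.13 PROTO=TCP SPT=5555 DPT=22 SYN
Nov 14 15:30:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.14 PROTO=TCP SPT=5555 DPT=22 SYN
Nov 14 15:40:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=80 SYN
"""

# Standard iptables LOG fields; ".*?" tolerates the extra fields real logs carry.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def parse(log_text):
    """Return a list of (src, dst, proto, dport) tuples for lines that match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def classify(events, vertical_threshold=5, horizontal_threshold=4):
    """Flag vertical scans and horizontal sweeps.

    Thresholds are assumed values: a source touching at least
    `vertical_threshold` distinct ports on one host is a vertical scan; a
    source touching one port on at least `horizontal_threshold` distinct
    hosts is a horizontal sweep.
    """
    ports_per_target = defaultdict(set)  # (src, dst)  -> {dport, ...}
    hosts_per_port = defaultdict(set)    # (src, dport) -> {dst, ...}
    for src, dst, _proto, dport in events:
        ports_per_target[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)

    vertical = sorted(
        (src, dst, len(ports))
        for (src, dst), ports in ports_per_target.items()
        if len(ports) >= vertical_threshold
    )
    horizontal = sorted(
        (src, dport, len(hosts))
        for (src, dport), hosts in hosts_per_port.items()
        if len(hosts) >= horizontal_threshold
    )
    return {"vertical": vertical, "horizontal": horizontal}


if __name__ == "__main__":
    result = classify(parse(SAMPLE_LOG))
    for src, dst, n in result["vertical"]:
        print(f"vertical scan: {src} probed {n} ports on {dst}")
    for src, dport, n in result["horizontal"]:
        print(f"horizontal sweep: {src} probed port {dport} on {n} hosts")
```

On the sample the first source is reported as a six-port vertical scan of one host and the second as a five-host sweep of port 22, while the lone connection attempt is not flagged. The per-(source, port) view is what catches the sweep Tim describes, which a per-host port counter alone would miss; conversely, a sweep that rotates source addresses will evade both counters, so treat the output as a triage aid rather than a complete IDS.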


