Home page logo
/

basics logo Security Basics mailing list archives

Re: Dealing with Scans (portscans, vulnerability, etc.)
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Tue, 24 Nov 2009 15:59:07 -0430

On Sunday 22 November 2009 01:35:02 Tony Raboza wrote:
Hi,

I'm tuning my IDS and I'm thinking of taking out the portscan/web
vulnerability scan rules.  Why?  Because, yes - I know that somebody
may be scanning my network - but, what can I do about it?

1.  Block the IP? But, what if its NAT - meaning only 1
workstation/user did the port scanning, I would be blocking all the
possibly valid users behind that IP.
Indeed. That's right.

2.  Report it to their ISP or to them?  Then what?

Not all ISP's take actions against it users doing port scanning. Depends on 
internal policy and local legislation.

I want my IDS console not to be too cluttered that's why I'm tuning
it.  If its too cluttered - I might be missing out the really
important alerts.

What about you?  How do you deal with port/vulnerability scans?  
First of all, we must secure enough our sites/servers to prevent attacks, even 
if the attacker know every detail about our platform, including usernames, 
ports, OS, versions, hardware, and more.

After that, we have two options to _delay_ scanning:

1- Restrict the scan: You can automatically block certain IP using IPS.  It 
will delay, not prevent the scanning. An attacker could use anti-ips 
techniques to prevent detection and surpass the protection.

2- Confuse the attacker: You can automatically send crafted information to the 
scanning process and overload him with trash. 

I wrote an application to do that, i called it portjammer / synackflood. Is 
opensource, and you can download it from:

http://sourceforge.net/projects/synackflood/

Is it
illegal btw?

We need to understand that Internet is not ruled by only one legislation. 
Every country have their own laws on that matter. And attackers, usually are 
based in other countries.

In my country (by example), we have a special law for internet crime,  this 
law defines that any attacker can't  be extradited based on foreign laws on 
that matter. And... scanning itself is not defined as a offense here.

Add it to this that many of these countries do not have infrastructure to 
investigate cybercrime. And in addition, many attackers are using the free wifi 
hotspots.

What means? 

We must protect our networks against attackers around the world. Not thinking 
that our local laws will protect us. Local laws are intended to prevent local 
crime, and these laws do not always work out of our country. 



Thanks.


Best,
Tony

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
 certificate.  We look at how SSL works, how it benefits your company and
 how your customers can tell if a site is secure. You will find out how to
 test, purchase, install and use a thawte Digital Certificate on your
 Apache web server. Throughout, best practices for set-up are highlighted
 to help you ensure efficient ongoing management of your encryption keys
 and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f72
7d1
 ------------------------------------------------------------------------


-- 
Ing. Aaron G. Mizrachi P.    

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
BBPIN: 0x 247066C1

Attachment: signature.asc
Description: This is a digitally signed message part.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]