Home page logo
/

basics logo Security Basics mailing list archives

Re: Dealing with Scans (portscans, vulnerability, etc.)
From: aditya mukadam <aditya.mukadam () gmail com>
Date: Fri, 27 Nov 2009 08:26:19 +0530

I agree with Jon K.

1) Ideally, your IDS shouldn't be seeing port scan from internet.
Either your Border router or Firewall should block this traffic.
2) Do not ignore scans. You need to know the threats your
network/resource is up against. It could be a start to a potential
attack.
3) It is recommended that you report this to the ISP, irrespective of
the fact it takes action or not.

Thanks,
Aditya Govind Mukadam
http://in.linkedin.com/in/adityamukadam

On Fri, Nov 27, 2009 at 1:56 AM, Holger Reichert
<holger.reichert () holysword de> wrote:

Hi,
just one hint regarding the topic of reporting this to a contact of the
company of where the attacking IP address is located.
In my times of defence system administration I decided to report major scans
to companies within my own country, which were the origin of attacks like
this. They were always very grateful, as they had not detected yet, that
they were hacked and their system used for scannings.

Kind regards
Holger Reichert
Holysword GbR
Information Security Consulting
Germany

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Aarón Mizrachi
Sent: Dienstag, 24. November 2009 21:29
To: security-basics () securityfocus com
Cc: Tony Raboza
Subject: Re: Dealing with Scans (portscans, vulnerability, etc.)

On Sunday 22 November 2009 01:35:02 Tony Raboza wrote:
Hi,

I'm tuning my IDS and I'm thinking of taking out the portscan/web
vulnerability scan rules.  Why?  Because, yes - I know that somebody
may be scanning my network - but, what can I do about it?

1.  Block the IP? But, what if its NAT - meaning only 1
workstation/user did the port scanning, I would be blocking all the
possibly valid users behind that IP.
Indeed. That's right.

2.  Report it to their ISP or to them?  Then what?

Not all ISP's take actions against it users doing port scanning. Depends on
internal policy and local legislation.

I want my IDS console not to be too cluttered that's why I'm tuning
it.  If its too cluttered - I might be missing out the really
important alerts.

What about you?  How do you deal with port/vulnerability scans?
First of all, we must secure enough our sites/servers to prevent attacks,
even if the attacker know every detail about our platform, including
usernames, ports, OS, versions, hardware, and more.

After that, we have two options to _delay_ scanning:

1- Restrict the scan: You can automatically block certain IP using IPS.  It
will delay, not prevent the scanning. An attacker could use anti-ips
techniques to prevent detection and surpass the protection.

2- Confuse the attacker: You can automatically send crafted information to
the scanning process and overload him with trash.

I wrote an application to do that, i called it portjammer / synackflood. Is
opensource, and you can download it from:

http://sourceforge.net/projects/synackflood/

Is it
illegal btw?

We need to understand that Internet is not ruled by only one legislation.
Every country have their own laws on that matter. And attackers, usually are
based in other countries.

In my country (by example), we have a special law for internet crime,  this
law defines that any attacker can't  be extradited based on foreign laws on
that matter. And... scanning itself is not defined as a offense here.

Add it to this that many of these countries do not have infrastructure to
investigate cybercrime. And in addition, many attackers are using the free
wifi hotspots.

What means?

We must protect our networks against attackers around the world. Not
thinking that our local laws will protect us. Local laws are intended to
prevent local crime, and these laws do not always work out of our country.



Thanks.


Best,
Tony

----------------------------------------------------------------------
-- Securing Apache Web Server with thawte Digital Certificate In this
guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company
and  how your customers can tell if a site is secure. You will find
out how to  test, purchase, install and use a thawte Digital
Certificate on your  Apache web server. Throughout, best practices for
set-up are highlighted  to help you ensure efficient ongoing
management of your encryption keys  and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be4
42f72
7d1

----------------------------------------------------------------------
--


--
Ing. Aaron G. Mizrachi P.

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
BBPIN: 0x 247066C1


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault