Home page logo
/

basics logo Security Basics mailing list archives

Re: IDS which denies access after one "false" scanned port
From: Samuel Lavitt <samuel.lavitt () tectia com>
Date: Wed, 21 Dec 2011 18:44:18 +0200

I encountered a system like this before, it was an IDS setup by some
consultants from IBM for a project I audited, as part of one of their
outsourced websphere systems.  I do not know the actual IDS, but it 
made the audit damn difficult, as it was also prone to locking me out
whenever I caused too many server errors (where too many was something
~50 HTTP 400s or 500s in a 15m period).  Burp's automated intruder,
directory scans, etc. were all worthless as a result.

Did manage some success using purely manual testing, mostly simple XSS
attacks though, worked well on the language selection ;)

On 12/21/2011 02:20 PM, Martin T wrote:
I found a webserver, which serves webpage on TCP port 80, but in case
I try to connect to any other TCP port, my IP will be blocked for
10min. Example below:

[root@ ~]# ping -qc1 www.<domain>.com
PING www.<domain>.com (10.10.10.3): 56 data bytes

--- www.<domain>.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.793/1.793/1.793/0.000 ms
[root@ ~]# telnet www.<domain>.com 80
Trying 10.10.10.3...
Connected to www.<domain>.com.
Escape character is '^]'.
Connection closed by foreign host.
[root@ ~]# telnet www.<domain>.com 37219
Trying 10.10.10.3...
^C
[root@ ~]# telnet www.<domain>.com 80
Trying 10.10.10.3...
^C
[root@ ~]# ping -qc1 www.<domain>.com
PING www.<domain>.com (10.10.10.3): 56 data bytes

--- www.<domain>.com ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
[root@ ~]#


Anyone seen such behavior before? Is it somehow possible to
detect/guess, which IDS this might be? Any other suggestions how to
find out more information about this IDS and server behind it?


regards,
martin

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


Attachment: signature.asc
Description: OpenPGP digital signature


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]