Re: how to know scan is correct?
From: Bart van Leeuwen <bart () ixori demon nl>
Date: Fri, 11 Feb 2000 22:48:26 +0100
On Thu, 10 Feb 2000, Bennett Todd wrote:
> > That's why you have an iptables/whatever module that listens for
> > syns to non-open ports, logs once, then filters the offending
> > ip/netmask for 30 minutes or a few days if you're particularly
> If you're going to do any such reactive firewall stuff as this, make
> very sure nobody knows you're doing it; if they know you're doing
> that, it's amazingly easy for them to cut you off from any or all of
> the internet. Lessee, how long would it take to send SYN packets to
> closed ports with source addrs forged from all the root nameservers.
> The people who need to block portscans because they're worried about being
> rooted need to upgrade their daemons. The people who think they need to
> block them are either people who are doing it for their personal systems,
> or people like the government who have this bizarre idea that having 50
> gigs of logs each day somehow makes their systems more secure.
imho there are a few more things to this.
My systems do some amount of logging which many people would find
extreme, and which, as far as the logs from ipfilters go, is largely
ignored but kept (yes, I even have backups of them). Does this make me
more secure? Well, not really. It does however allow me to do 2 things:
1. do statistical analysis on all kinds of traffic (not just scans, they
are just one of the kinds of 'traffic' that end up in such logs)
2. Look back in time in case I find out something happened and want to
> There is no good "security through obscurity" approach. Filtering with
> temporary firewall rules is not a security measure. It's a proof of
> concept kind of thing. You can generate fake replies on closed ports, but
> the people you don't want scanning you are just looking for specific
> daemons, and it doesn't matter to them that you have honeypots on all
> privileged closed ports. As was pointed out, syn scans leave a log trail,
> but spoofed syn floods are a good way to cover up real syn scans. Still,
> you could probably detect them. The NSA probably does a statistical
> analysis on source addresses every time they get flooded.
They are not the only ones who can afford the capacity to do that.
Anyway, the point is not so much obscurity (as in preventing ports from
showing when someone does a full scan of a machine); the simple fact
that ip range scans for certain ports will not turn up a machine with a
filtered port is more the issue. I don't think there are many good
reasons to try to completely prevent a port scan, but there is a lot to
say for making sure that many people don't even notice the box. Sure, it
won't keep away those who simply and seriously want to break into your
box, but it prevents quite a bit of annoying traffic and bandwidth
consumption ;P The fact that those who will no longer see the machine
are not the ones to really worry about doesn't really mean that you
shouldn't be keeping them away if possible with relatively easy measures
if you don't want them there.
And on another note, there is no reason to not want to limit a machine
to only those forms of communications that it needs to have when you are
sure you have the most recent (and personally audited ;-) versions of
all software it runs, just as having an ipfilter is not a reason to not
ensure that the things you let people talk to are as secure as possible.
In short: additional measures can often lead to increased security;
dismissing a measure because you think the ones you already took are
perfect usually decreases security.
Bart van Leeuwen
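As an added illustration, not code from the thread or from any of its participants, the following Python model shows the "listen for SYNs to closed ports, log once, then filter the source for 30 minutes" mechanism quoted above together with the safeguard that the forged-source objection calls for: sources the host depends on (resolver, gateway, management net) are logged but never filtered, and a source has to hit several distinct closed ports inside a short window before a rule is generated. It also does the kind of per-port statistics the reply describes as a use for kept logs. The log line format, the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses, the thresholds and the function names are all constructed assumptions; none of it is ipfilter or iptables syntax.

```python
"""Reactive closed-port SYN blocker with a never-block list (added example)."""
from collections import defaultdict
import ipaddress

BLOCK_SECONDS = 30 * 60    # "filters the offending ip ... for 30 minutes"
PORT_THRESHOLD = 5         # distinct closed ports from one source before filtering
WINDOW_SECONDS = 60        # events older than this no longer count toward the threshold

# Addresses this host must always be able to reach. A SYN carrying one of them as a
# forged source must never turn into a filter rule, or the box cuts itself off.
# Constructed placeholders from documentation ranges, not real infrastructure.
NEVER_BLOCK = [
    ipaddress.ip_network("192.0.2.53/32"),     # placeholder: our recursive resolver
    ipaddress.ip_network("192.0.2.1/32"),      # placeholder: default gateway
    ipaddress.ip_network("198.51.100.0/24"),   # placeholder: management network
]

# Constructed log lines in an assumed format: "<epoch> SYN <src> -> <dport> CLOSED".
SAMPLE_LOG = """\
1000000000 SYN 203.0.113.7 -> 21 CLOSED
1000000001 SYN 203.0.113.7 -> 22 CLOSED
1000000002 SYN 203.0.113.7 -> 23 CLOSED
1000000003 SYN 203.0.113.7 -> 25 CLOSED
1000000004 SYN 203.0.113.7 -> 110 CLOSED
1000000005 SYN 203.0.113.9 -> 23 CLOSED
1000000006 SYN 192.0.2.53 -> 21 CLOSED
1000000006 SYN 192.0.2.53 -> 22 CLOSED
1000000006 SYN 192.0.2.53 -> 23 CLOSED
1000000006 SYN 192.0.2.53 -> 25 CLOSED
1000000006 SYN 192.0.2.53 -> 80 CLOSED
999999000 SYN 203.0.113.11 -> 80 CLOSED
garbage line here
""".splitlines()


def parse_line(line):
    """Parse one log line into (timestamp, source_ip, dst_port); None if it is not a record."""
    parts = line.split()
    if len(parts) != 6 or parts[1] != "SYN" or parts[3] != "->" or parts[5] != "CLOSED":
        return None
    try:
        return int(parts[0]), ipaddress.ip_address(parts[2]), int(parts[4])
    except ValueError:
        return None


def is_protected(ip):
    """True if the address lies in a network we must never filter."""
    return any(ip in net for net in NEVER_BLOCK)


def evaluate(lines, now):
    """Decide which sources to filter.

    Returns (blocks, protected_hits, per_source_ports):
      blocks           {src: expiry_epoch} for sources that crossed the threshold
      protected_hits   set of sources that crossed it but are on NEVER_BLOCK (log only)
      per_source_ports {src: sorted distinct closed ports seen inside the window}
    """
    ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, port = rec
        if now - ts > WINDOW_SECONDS:
            continue                        # stale event, outside the sliding window
        ports[str(ip)].add(port)
    blocks, protected = {}, set()
    for src, seen in ports.items():
        if len(seen) < PORT_THRESHOLD:
            continue                        # a stray SYN or two is not a scan
        if is_protected(ipaddress.ip_address(src)):
            protected.add(src)              # keep the log entry, never the rule
        else:
            blocks[src] = now + BLOCK_SECONDS
    return blocks, protected, {src: sorted(seen) for src, seen in ports.items()}


def port_popularity(per_source_ports):
    """How many distinct sources probed each closed port (range-scan statistics)."""
    counts = defaultdict(int)
    for seen in per_source_ports.values():
        for port in seen:
            counts[port] += 1
    return dict(counts)


if __name__ == "__main__":
    blocks, protected, per_src = evaluate(SAMPLE_LOG, now=1000000010)
    print("filter rules:", blocks)
    print("threshold hit but protected:", protected)
    print("sources per closed port:", port_popularity(per_src))
```

Run as a script, the model filters 203.0.113.7, leaves the single-SYN source 203.0.113.9 alone, drops the stale 203.0.113.11 record, and reports 192.0.2.53 as a threshold hit without ever generating a rule for it, which is the behaviour a reactive blocker needs if it is not to become a denial-of-service lever against its own host.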