
Re: How to avoid port scanners



This has been brought up before, and leads to the problem of:

(1) hostile individual realizes he is firewalled automatically after SYN
scanning (which does not require a handshake and may be spoofed)
(2) attacker spoofs legit source IPs to get them firewalled (which might
block outgoing mail from being sent, depending on how it is implemented.)

Adam

On Thu, 17 Jan 2002, Vegard Engen wrote:

> Well. You *could* in theory, I guess, implement something that firewalled
> a specific host totally once you discovered that it was in the process of
> portscanning. This is not that straightforward, though, and not foolproof,
> but you might prevent some portscanning-attacks from discovering your services,
> and failing that due to race conditions (i.e. port 25 already having been
> tried before your system blocked the ip-address), maybe it would be blocked
> before it started hammering exploits against it.

[snip]

> --
> - Vegard Engen, member of the first RFC1149 implementation team.
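
An added example, not part of either poster's message: a small simulation of the auto-blocking idea discussed above, showing how a blocker that counts bare SYNs ends up firewalling a legitimate mail relay whose address was forged, next to a variant that only counts sources that completed the handshake and never blocks allowlisted peers. The addresses, the five-port threshold and the function names are constructed assumptions.

```python
from collections import defaultdict

MAIL_RELAY = "192.0.2.25"   # constructed: a legitimate peer we must keep reaching
SCANNER = "198.51.100.7"    # constructed: a host that really connects to many ports

# Constructed events: (claimed source IP, destination port, handshake completed?)
EVENTS = (
    [(MAIL_RELAY, port, False) for port in (21, 22, 23, 80, 110)]  # forged SYNs
    + [(SCANNER, port, True) for port in (21, 22, 23, 25, 80)]
    + [(MAIL_RELAY, 25, True)]                                     # real mail
)


def blocked_sources(events, threshold=5, verified_only=False, allowlist=()):
    """Return the set of source IPs an auto-blocker would firewall.

    A source is blocked once it has touched `threshold` distinct ports.
    With verified_only=True, only connections that completed the handshake
    count, because a bare SYN proves nothing about who sent it.
    """
    ports = defaultdict(set)
    blocked = set()
    for src, port, handshake_done in events:
        if verified_only and not handshake_done:
            continue
        ports[src].add(port)
        if len(ports[src]) >= threshold and src not in allowlist:
            blocked.add(src)
    return blocked


def naive():
    """Blocker that trusts the source address of every SYN it sees."""
    return blocked_sources(EVENTS)


def guarded():
    """Blocker that needs a completed handshake and honours an allowlist."""
    return blocked_sources(EVENTS, verified_only=True, allowlist={MAIL_RELAY})


if __name__ == "__main__":
    print("naive  :", sorted(naive()))
    print("guarded:", sorted(guarded()))
```

The guarded variant gives up automatic reaction to pure SYN scans, since those never complete a handshake; that is the price of not letting forged packets choose who gets blocked.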


