Re: How to avoid port scanners
This has been brought up before, and leads to the problem of:
(1) hostile individual realizes he is firewalled automatically after SYN
scanning (which does not require a handshake and may be spoofed)
(2) attacker spoofs legit source IPs to get them firewalled (which might
block outgoing mail from being sent, depending on how it is implemented.)
Adam
On Thu, 17 Jan 2002, Vegard Engen wrote:
> Well. You *could* in theory, I guess, implement something that firewalled
> a specific host totally once you discovered that it was in the process of
> portscanning. This is not that straightforward, though, and not foolproof,
> but you might prevent some portscanning-attacks from discovering your services,
> and failing that due to race conditions (i.e. port 25 already having been
> tried before your system blocked the ip-address), maybe it would be blocked
> before it started hammering exploits against it.
[snip]
> --
> - Vegard Engen, member of the first RFC1149 implementation team.
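The two failure modes raised in this thread (a spoofed SYN burst getting a legitimate address blocked, and the race where a port is discovered before the block lands) are easy to see in a small simulation. The following is an added example, not code from either poster: it replays constructed connection events (documentation-range addresses, hypothetical hosts) through a naive "block after N distinct ports" policy and a hardened variant that counts only completed handshakes and exempts an allowlist of critical peers such as a mail relay.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One inbound TCP connection attempt as a sensor would log it."""
    src: str
    dport: int
    completed: bool  # True only when the three-way handshake finished


# Constructed sample traffic; the addresses are documentation ranges, not real hosts.
SCANNER = "198.51.100.7"      # hypothetical host doing a half-open (SYN) scan
MAIL_RELAY = "203.0.113.10"   # hypothetical upstream mail relay we must keep reachable
FULL_CONNECT = "192.0.2.5"    # hypothetical host scanning with full connects

EVENTS = (
    # Half-open scan: bare SYNs, never completes a handshake.
    [Event(SCANNER, p, False) for p in (21, 22, 23, 25, 80, 110, 143, 443)]
    # The relay's genuine mail delivery.
    + [Event(MAIL_RELAY, 25, True)]
    # A burst of SYNs whose source address was forged to look like the relay;
    # an off-path sender cannot complete the handshake, so completed stays False.
    + [Event(MAIL_RELAY, p, False) for p in range(8000, 8010)]
    # Full-connect scan: each handshake completes, so the source is genuine.
    + [Event(FULL_CONNECT, p, True) for p in (22, 80, 443, 3306, 8080, 8443)]
)


def naive_blocks(events, threshold=5):
    """Block a source once it has touched `threshold` distinct ports, counting
    every SYN. This is the policy the thread warns about: a forged SYN burst
    can get a legitimate address (here the mail relay) blocked."""
    ports = defaultdict(set)
    for ev in events:
        ports[ev.src].add(ev.dport)
    return {src for src, seen in ports.items() if len(seen) >= threshold}


def hardened_blocks(events, threshold=5, allowlist=frozenset()):
    """Count only completed handshakes (which an off-path spoofer cannot
    produce) and never block allowlisted peers. The trade-off: a pure SYN
    scan is no longer caught by this rule, so it needs other detection."""
    ports = defaultdict(set)
    for ev in events:
        if ev.completed and ev.src not in allowlist:
            ports[ev.src].add(ev.dport)
    return {src for src, seen in ports.items() if len(seen) >= threshold}


def ports_seen_before_block(events, src, threshold=5):
    """Ports the source probed before the naive policy would have triggered:
    the race condition from the thread (port 25 may already be known)."""
    seen = []
    for ev in events:
        if ev.src == src and ev.dport not in seen:
            seen.append(ev.dport)
            if len(seen) >= threshold:
                break
    return seen


if __name__ == "__main__":
    print("naive blocks:   ", sorted(naive_blocks(EVENTS)))
    print("hardened blocks:", sorted(hardened_blocks(EVENTS, allowlist={MAIL_RELAY})))
    print("probed before block:", ports_seen_before_block(EVENTS, SCANNER))
```

With a threshold of five ports, the naive policy blocks all three sources, including the mail relay whose address was only forged, while the hardened policy blocks just the full-connect scanner. The race remains in both: the half-open scanner has already probed port 25 by the time the fifth distinct port trips the rule, which is why reactive blocking can at best shorten, not prevent, service discovery.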