Re: stoping net scans
On Sun, Apr 13, 2003 at 07:04:41PM -0500, José A. Guzmán wrote:
> Well, in theory (or in a very small and controlled network) I believe you are
> right, but in practice, with a campus network of thousands of boxes lying
> around, with students and faculty legitimately playing around with services on
> their linux-windows machines, and not being moderately paranoid (like myself),
> it does make some sense to have some security through obscurity and block scans.
In this kind of environment it is nearly impossible to reliable detect
scans.
> Plus, I belive there is an advantage in blocking detected scanners with an
> 'early rule' in iptables, saving the kernel the work of checking the packet with
> every rule until the default policy applies
Even a high bandwith scan is not able to saturate your network or cpu, so
there is realy no gain in dropping scan packages earyl. The only real gain
in early dropping is for DDOS attacks. But on the other hand, the DDOS might
have saturated your upstream link long before your packet filter is maxed
out, anyway.
> Althouhg there still lurks the issue raised by Bernd, the possibility of
> abusing the scan-stop mechanism to generate a DoS by forging IP addresses of
> well known sites.
And the additional problem: how to detect a port scan (without keeping too
much state).
Reading my snort port-scan log file, I know that a lot of fine tning is
needed to avoid most false-positives. In a big hetreogene network, it might
be nearly impossible.
Greetings
Bernd
PS: German campus networks have started to move from a accept-all to a
deny-all (white list) strategy on border routers, at least for priveledged
ports. The reason for this are the recent worms.
--
(OO) -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
Reply to: