List: bugtraq
Subject: Re: BoS: IP Port Scan Detector.
From: Mike Neuman <mcn () EnGarde ! com>
Date: 1995-12-03 15:52:24
Three things:
>Darren Reed <avalon@coombs.anu.edu.au> wrote:
> It doesn't look for Stealth Scans by their signature (half-open connections
> and using ACKs, etc), but just registers all packets sent to a select
> number of ports. The higher the number of ports `hit' by a given host,
> the higher its score for probability of having done a port scan.
1) I haven't looked at the code, but it would seem a couple things were
significant in this approach:
- What happens if a firewall is blocking some of the "sensitive" ports?
(e.g. ports 1-100 but not 23 get scanned)
- Time would seem to be significant. (e.g. What if I scan a new port every 5
minutes (or whatever)) And if the timing is too small, a busy server
will most likely get flagged as being scanned.
2) You didn't mention if your half-open port scanner was available. I wrote
one a long time ago which is freely available. If anyone would like to grab a
copy of it, you can find it in the intrusion section of my home page. It only
runs under SunOS 4.x, but it's basically just a proof of concept. :-)
http://www.engarde.com/~mcn
3) Are firewall logging packages vulnerable to this? (i.e. Does the firewall
only log/alert on the existence of a fully established connection, or merely
on the first SYN?)
-Mike
mcn@EnGarde.com
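The two weaknesses raised in point 1 (a firewall hiding most of the watched ports, and a scan spread out over time) are easy to see against a small model of the scoring approach Darren described: count the distinct watched ports each source host hits inside a time window and flag the host once the count reaches a threshold. The script below is an added example written for this archive page, not Darren's detector nor Mike's scanner; the window, threshold, watched-port list and the packet records are all assumed and constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed detector parameters (not taken from the post): the time window over
# which distinct ports are counted per source host, and the count that flags it.
WINDOW_SECONDS = 60
PORT_THRESHOLD = 5
# The "select number of ports" the detector registers hits on (assumed list).
WATCHED_PORTS = frozenset(range(1, 101)) | {513, 514, 6000}


def score_hosts(packets, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD,
                watched=WATCHED_PORTS):
    """Score each source by the largest number of distinct watched ports it
    touched inside any `window`-second span.

    packets: iterable of (timestamp_seconds, src_ip, dst_port) records.
    Returns (scores, flagged): scores maps src -> peak distinct-port count,
    flagged is the set of sources whose peak reached `threshold`.
    """
    recent = defaultdict(deque)   # src -> (ts, port) hits still inside window
    scores = defaultdict(int)
    flagged = set()
    for ts, src, port in sorted(packets):
        if port not in watched:
            continue                        # unwatched ports never add score
        q = recent[src]
        q.append((ts, port))
        while ts - q[0][0] > window:        # expire hits older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        scores[src] = max(scores[src], distinct)
        if distinct >= threshold:
            flagged.add(src)
    return dict(scores), flagged


def through_firewall(packets, blocked):
    """Drop packets that a firewall in front of the detector would never deliver."""
    return [pkt for pkt in packets if pkt[2] not in blocked]


# Constructed sample traffic (not real captures):
FAST_SCAN = [(t, "10.0.0.1", 20 + t) for t in range(10)]        # 10 ports in 10 s
SLOW_SCAN = [(300 * i, "10.0.0.2", 20 + i) for i in range(10)]   # one new port every 5 min
BUSY_CLIENT = [(t, "10.0.0.3", 80) for t in range(50)]          # 50 hits, all on one port


def run_demo():
    """Score the sample traffic as seen directly, then as seen behind a firewall."""
    results = {}
    results["all"] = score_hosts(FAST_SCAN + SLOW_SCAN + BUSY_CLIENT)
    # Firewall passes only telnet (23) and http (80) out of the watched ports,
    # so the detector behind it sees a single port from the fast scan.
    blocked = WATCHED_PORTS - {23, 80}
    results["filtered"] = score_hosts(through_firewall(FAST_SCAN, blocked))
    return results


if __name__ == "__main__":
    for name, (scores, flagged) in run_demo().items():
        print(name, scores, "flagged:", sorted(flagged))
```

The fast scanner is flagged with a score of 10, while the slow scanner never has more than one hit inside the 60-second window and the busy client, despite 50 packets, only ever touches one port. Behind the firewall the same fast scan scores 1, which is the blind spot Mike's first bullet points at: the detector can only count ports whose packets actually reach it, so it should be placed (or fed logs) in front of the filter, or the firewall's own drop log should be scored the same way.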