Re: Defeating NMAP Null scans (and Nessus scans).


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 23 Jun 2005, Jan Engelhardt wrote:


turns on those detections and rejections within the kernel, as well as
perhaps adding a rule or two to DROP INVALID packets they should be
covered, should they not? And thus with far less resource overhead as
extensive rules in their ruleset?

That depends on what you want.

What we want is for the firewall to be immune to invalid packets generated by
these kinds of scans, yes?  to not give out port information when hits with

I do not give out port information. At least, I do not give correct port
information, which is just as much gain.

REJECT is the kind way to end a connection and does not slow an automated
scanner one bit, while a DROP lets that attack tool keep the socket open on

Read closely. It uses -m random to switch between REJECT/DROP.
Try that ruleset and then nmap yourself with "nmap -r localhost -p 1-2500".
Count the time, and compare to a pure DROP based approach.
 (iptables -F; iptables -P INPUT DROP; nothing more)

its end and tries to wait for feedback from the other end, and thus slows or

Surprisingly no. The REJECT/DROP mix confuses nmap more than a plain DROP. See
above.


Interesting this use of random. I'll have to play with it when I get that rare bit of spare time for testing and fooling about with things not in prod or requiring immediate attention to fix! Which tend to be even more rare these days in our understaffed env. But, your reports of this random further confusing the scanner and slowing it down are extremely interesting...


Thanks,

Ron DuFresne
- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCvCP6st+vzJSwZikRAm5lAKC0NUYKngyDpRzPcdbli2+F17xmIgCgvm5J
6Ck0P7LOcsqflFJllb5e1vU=
=Gzgq
-----END PGP SIGNATURE-----
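
The ruleset discussed in the thread is not reproduced on this page. The following is an added example, not code from either poster, of a REJECT/DROP mix for a lab host. It assumes a current iptables, where the old `-m random` match is replaced by `-m statistic --mode random`; the function name `build_ruleset` and the 0.5 default are assumptions of this example.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that answers a random
# share of unsolicited TCP packets with a RST and silently drops the rest.
# Assumption: "-m statistic --mode random" stands in for the older
# "-m random" match mentioned in the thread.

# build_ruleset [PROBABILITY]
#   PROBABILITY: fraction of packets to REJECT (0..1, default 0.5).
#   Prints the ruleset on stdout; returns 1 on an invalid probability.
build_ruleset() {
    prob="${1:-0.5}"

    # Accept only plain decimal numbers such as 0, 0.25 or 1.
    case "$prob" in
        ''|.|*[!0-9.]*|*.*.*)
            echo "probability must be a number between 0 and 1" >&2
            return 1 ;;
    esac
    awk -v p="$prob" 'BEGIN { exit !(p >= 0 && p <= 1) }' || {
        echo "probability must be a number between 0 and 1" >&2
        return 1
    }

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m statistic --mode random --probability $prob -j REJECT --reject-with tcp-reset
COMMIT
EOF
    # Packets not matched by the random REJECT fall through to the
    # INPUT policy (DROP), which produces the mixed responses.
}

# Syntax-check without loading (needs root):
#   build_ruleset 0.5 | iptables-restore --test
```

Rules that accept wanted services belong before the random REJECT line. The loopback interface is deliberately not exempted here so that the localhost timing comparison described in the message exercises the rules.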

