[Snort-users] blocking nmap -P0 attack
frank at ...9761...
Mon Jan 10 14:16:06 EST 2005
On Mon, 2005-01-10 at 17:05 -0500, Matt Kettler wrote:
> But in general, as long as you have a finite block duration, they can
> always run their scans slower to get around it, but that's a bit of a very
> slow guessing game if the time is large.
Agreed. However, have you ever run a pentest where you scan just one
port a day? ;)
> Working around someone with a 1
> week block duration is pretty much hopeless unless you use a distribution
> of sources (ie: a botnet)
One thing that a lot of folks seem to overlook is that distributed
scanning is a hard reality. So are decoy scans, which are luckily
easy to detect (there is always that extra/duplicate packet from the
same IP, or the packet to a .0 that only comes from one IP while the
rest comes from 5 IPs, etc.).
Instead of a bot net, open proxy servers can be nicely used for
distributed/decoy/stealth scans. And there are still plenty of those
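The decoy-scan tell described in the message above (the one extra or duplicate packet from the real host, or a probe to a .0 address that none of the decoy addresses send) can be turned into a triage script over a flow log. The following is an added example, not code from the original post or from Snort: it assumes a log of (src, dst, dport) tuples, clusters the sources that all emitted the same probe set, and reports the cluster member whose traffic deviates from that shared set. The packet list, addresses and the `min_sources` threshold are constructed for the example.

```python
"""Decoy-scan triage: pick out the real source behind an nmap -D style scan.

Heuristic (from the list discussion): every decoy address replays the same
probe list, while the genuine host leaks a duplicate packet or probes a
target (e.g. the network's .0 address) that none of the decoys touch.
"""
from collections import Counter, defaultdict

# Constructed sample flow log as (src, dst, dport); not real capture data.
DECOYS = ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"]
REAL = "198.51.100.7"
CORE_PROBES = [("10.0.0.5", 22), ("10.0.0.5", 80), ("10.0.0.6", 22), ("10.0.0.6", 80)]

SAMPLE_PACKETS = [(src, dst, port) for src in DECOYS + [REAL] for dst, port in CORE_PROBES]
SAMPLE_PACKETS.append((REAL, "10.0.0.5", 22))          # duplicate probe from the real host
SAMPLE_PACKETS.append((REAL, "10.0.0.0", 22))          # .0 probe only the real host sends
SAMPLE_PACKETS.append(("192.0.2.9", "10.0.0.5", 443))  # unrelated background traffic


def probes_per_source(packets):
    """Map each source address to a Counter of the (dst, dport) probes it sent."""
    by_src = defaultdict(Counter)
    for src, dst, dport in packets:
        by_src[src][(dst, dport)] += 1
    return by_src


def core_probe_set(by_src, min_sources=3):
    """Probes emitted by at least min_sources distinct sources.

    A decoy scan replays the same probe list from every spoofed address, so the
    probes shared across sources form the 'core' every cluster member sent.
    min_sources is an assumed threshold chosen for this example."""
    sources_per_probe = defaultdict(set)
    for src, counts in by_src.items():
        for probe in counts:
            sources_per_probe[probe].add(src)
    return {p for p, srcs in sources_per_probe.items() if len(srcs) >= min_sources}


def decoy_cluster(by_src, core):
    """Sources that sent every core probe: the real host plus its decoys."""
    if not core:
        return set()
    return {src for src, counts in by_src.items() if core <= set(counts)}


def find_real_source(packets, min_sources=3):
    """Return {src: {"duplicates": n, "extra_probes": [...]}} for the cluster
    members whose traffic deviates from the shared decoy probe set."""
    by_src = probes_per_source(packets)
    core = core_probe_set(by_src, min_sources)
    findings = {}
    for src in sorted(decoy_cluster(by_src, core)):
        counts = by_src[src]
        # A decoy only ever sends each core probe once; count the surplus.
        duplicates = sum(n - 1 for p, n in counts.items() if p in core and n > 1)
        # Targets the decoys never touched (the ".0 packet" in the post).
        extras = sorted(p for p in counts if p not in core)
        if duplicates or extras:
            findings[src] = {"duplicates": duplicates, "extra_probes": extras}
    return findings


if __name__ == "__main__":
    for src, info in find_real_source(SAMPLE_PACKETS).items():
        print(f"{src}: {info['duplicates']} duplicate probe(s), extra targets {info['extra_probes']}")
```

On the sample log only the real host is reported; the four decoy addresses send exactly the shared probe set and drop out. The threshold and the "one extra packet" assumption are heuristics: a scanner that retransmits from every address, or that keeps the real host's probe list identical to the decoys', will not be separated this way.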