[Snort-users] blocking nmap -P0 attack

Frank Knobbe frank at ...9761...
Mon Jan 10 14:16:06 EST 2005


On Mon, 2005-01-10 at 17:05 -0500, Matt Kettler wrote:
> But in general, as long as you have a finite block duration, they can 
> always run their scans slower to get around it, but that's a bit of a very 
> slow guessing game if the time is large.

Agreed. However, have you ever run a pentest where you scan just one
port a day? ;)

>  Working around someone with a 1 
> week block duration is pretty much hopeless unless you use a distribution 
> of sources (i.e. a botnet)

One thing that a lot of folks seem to overlook is that distributed
scanning is a hard reality. So are the decoy scans, which are luckily
easy to detect (there is always that extra/duplicate packet from the
same IP, or the packet to a .0 that only comes from one IP while the
rest comes from 5 IPs, etc.)

Instead of a botnet, open proxy servers can be nicely used for
distributed/decoy/stealth scans. And there are still plenty of those
around :)

Cheers,
Frank
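As an added illustration of the two decoy-detection clues mentioned above (the extra/duplicate packet from one source, and the probe to a .0 address that only one of the apparent sources sends), here is a small Python script that is not part of the thread or of Snort. It runs the two heuristics over a constructed packet log of (source, destination, port) tuples and ranks the sources; all addresses are made up for the example and the heuristics are only the ones the post describes.

```python
"""Rank apparent scan sources to find the likely real origin of a decoy scan.

Heuristics taken from the mailing-list post:
  1. the real source tends to emit an extra/duplicate probe to the same
     destination host:port that the spoofed decoy addresses never repeat;
  2. a probe to a .0 (network) address arrives only from the real source,
     while ordinary destinations are probed by every apparent source.
"""
from collections import Counter, defaultdict

# Constructed sample log of (src_ip, dst_ip, dst_port).  Hypothetical data:
# only 10.0.0.5 is the real scanner, the other four sources are decoys.
SAMPLE_LOG = [
    ("198.51.100.7", "192.0.2.10", 22),
    ("203.0.113.3",  "192.0.2.10", 22),
    ("10.0.0.5",     "192.0.2.10", 22),
    ("192.0.2.99",   "192.0.2.10", 22),
    ("172.16.4.2",   "192.0.2.10", 22),
    ("10.0.0.5",     "192.0.2.10", 22),    # extra/duplicate probe from the real source
    ("198.51.100.7", "192.0.2.10", 443),
    ("203.0.113.3",  "192.0.2.10", 443),
    ("10.0.0.5",     "192.0.2.10", 443),
    ("192.0.2.99",   "192.0.2.10", 443),
    ("172.16.4.2",   "192.0.2.10", 443),
    ("10.0.0.5",     "192.0.2.0", 22),     # .0 address probed only by the real source
]


def duplicate_probe_sources(log):
    """Sources that sent the same (dst, dport) probe more than once.

    Returns {src: number of repeated probes}; decoys normally send each
    probe exactly once, so any source with repeats stands out.
    """
    seen = Counter(log)
    dups = Counter()
    for (src, _dst, _dport), n in seen.items():
        if n > 1:
            dups[src] += n - 1
    return dict(dups)


def lone_network_address_sources(log):
    """Sources that alone probed a .0 destination while the other
    destinations were probed by several sources.

    The ".0" test is the post's own clue, applied here as a plain string
    check on the last octet; it is a heuristic, not an address-validity rule.
    """
    sources_per_dst = defaultdict(set)
    for src, dst, _dport in log:
        sources_per_dst[dst].add(src)
    # how many distinct sources a normal (non-.0) destination sees
    typical = max(
        (len(s) for d, s in sources_per_dst.items() if not d.endswith(".0")),
        default=0,
    )
    flagged = set()
    for dst, srcs in sources_per_dst.items():
        if dst.endswith(".0") and len(srcs) == 1 and typical > 1:
            flagged |= srcs
    return flagged


def rank_sources(log):
    """Score every apparent source by both heuristics; the highest score is
    the most likely real origin.  Returns [(src, score), ...] sorted by
    descending score, then by address for a stable order."""
    scores = Counter()
    for src, _dst, _dport in log:
        scores[src] += 0                      # make every source appear
    for src, n in duplicate_probe_sources(log).items():
        scores[src] += n
    for src in lone_network_address_sources(log):
        scores[src] += 1
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for src, score in rank_sources(SAMPLE_LOG):
        print(f"{src:15} score={score}")
```

On real traffic the same two functions can be fed tuples pulled from Snort alert or pcap output; the scoring is deliberately simple so that a single duplicate or a single .0 probe is enough to separate the real source from the decoys, which is exactly the weakness the post points out.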
