[Snort-users] blocking nmap -P0 attack

Matt Kettler mkettler at ...4108...
Mon Jan 10 14:43:08 EST 2005

At 05:14 PM 1/10/2005, Frank Knobbe wrote:
>On Mon, 2005-01-10 at 17:05 -0500, Matt Kettler wrote:
> > But in general, as long as you have a finite block duration, they can
> > always run their scans slower to get around it, but that's a bit of a very
> > slow guessing game if the time is large.
>Agreed. However, have you ever run a pentest where you scan just one
>port a day? ;)

No, but if your attacker is scanning most of the internet the slow-scan 
approach works very well. Scanning 100,000 hosts in slow-parallel scan over 
a month is not much different than scanning 100,000 hosts using a 
fast-sequential scan over a month. However, at the recipient's end the 
traffic profile is much different.

It also depends on your threat level, how much your attacker knows about 
you (you're posting on the snort-users list mentioning snortsam, it's 
pretty easy for an attacker to google that up), and what scale of operation 
they are on.

>One thing that a lot of folks seem to overlook is that distributed
>scanning is a hard reality.

Is it? What about DScan? It's a very widely available tool for this very 


Given that virus writers have taken to dropping backdoors, the creation of 
a botnet itself is quite simple, just buy one from a virus writer, or write 
your own virus and collect thousands.

Sorry guys, but distributed attacks are here, now, and very common. Take a 
look at your mailserver logs for rumplestiltskin attacks some time.

>Instead of a bot net, open proxy servers can be nicely used for
>distributed/decoy/stealth scans. And there are still plenty of those
>around :)

True, but it's hard to get 10,000 open proxies. 10,000 Windows machines 
that got infected by a mail virus are much easier to come by.
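
The following is an added example, not part of the original post or of Snort/SnortSam: a defender-side sketch of how the slow and distributed scans discussed in this thread look at the recipient's end under different correlation windows. The event tuples, addresses (documentation ranges), thresholds and function names are all constructed assumptions.

```python
from collections import defaultdict, deque

DAY = 86400  # seconds

def by_source(src, dst, port):
    """Correlate per scanning host: count distinct (dst, port) it touched."""
    return src, (dst, port)

def by_target(src, dst, port):
    """Correlate per protected host: count distinct ports probed by anyone."""
    return dst, port

def flag(events, window, threshold, group):
    """Return group keys that hit >= threshold distinct items inside any
    sliding window of `window` seconds. events: (ts, src, dst, port)."""
    history = defaultdict(deque)
    flagged = set()
    for ts, src, dst, port in sorted(events):
        key, item = group(src, dst, port)
        hist = history[key]
        hist.append((ts, item))
        while hist[0][0] <= ts - window:   # expire probes older than the window
            hist.popleft()
        if len({i for _, i in hist}) >= threshold:
            flagged.add(key)
    return flagged

# Constructed sample traffic (not real data):
PORTS = range(1, 21)
EVENTS = (
    # fast sequential scan: one port per second from a single source
    [(p, "198.51.100.7", "192.0.2.10", p) for p in PORTS]
    # slow scan: one port per day from a single source
    + [(p * DAY, "198.51.100.8", "192.0.2.10", p) for p in PORTS]
    # distributed scan: 20 sources, one probe each, one per hour
    + [(p * 3600, f"203.0.113.{p}", "192.0.2.11", p) for p in PORTS]
)

if __name__ == "__main__":
    print("60s, per source :", sorted(flag(EVENTS, 60, 10, by_source)))
    print("30d, per source :", sorted(flag(EVENTS, 30 * DAY, 10, by_source)))
    print("30d, per target :", sorted(flag(EVENTS, 30 * DAY, 10, by_target)))
```

The longer window and the per-target grouping both cost more state per tracked key, which is the practical limit on how far the window can be stretched.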
