[Snort-users] blocking nmap -P0 attack
mkettler at ...4108...
Mon Jan 10 14:43:08 EST 2005
At 05:14 PM 1/10/2005, Frank Knobbe wrote:
>On Mon, 2005-01-10 at 17:05 -0500, Matt Kettler wrote:
> > But in general, as long as you have a finite block duration, they can
> > always run their scans slower to get around it, but that's a bit of a very
> > slow guessing game if the time is large.
>Agreed. However, have you ever run a pentest where you scan just one
>port a day? ;)
No, but if your attacker is scanning most of the internet the slow-scan
approach works very well. Scanning 100,000 hosts in a slow-parallel scan over
a month is not much different than scanning 100,000 hosts using a
fast-sequential scan over a month. However, at the recipient's end the
traffic profile is much different.
It also depends on your threat level, how much your attacker knows about
you (you're posting on the snort-users list mentioning snortsam, it's
pretty easy for an attacker to google that up), and what scale of operation
they are on.
>One thing that a lot of folks seem to overlook is that distributed
>scanning is a hard reality.
Is it? What about DScan? It's a very widely available tool for this very
Given that virus writers have taken to dropping backdoors, the creation of
a botnet itself is quite simple, just buy one from a virus writer, or write
your own virus and collect thousands.
Sorry guys, but distributed attacks are here, now, and very common. Take a
look at your mailserver logs for Rumpelstiltskin attacks some time.
>Instead of a bot net, open proxy servers can be nicely used for
>distributed/decoy/stealth scans. And there are still plenty of those
True, but it's hard to get 10,000 open proxies. 10,000 Windows machines
that got infected by a mail virus are much easier to come by.
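The trade-off argued in this message (a finite block duration can always be outwaited by a slower scan, and a botnet sidesteps per-source blocking entirely) as a small simulation added here; it is not code from the original post, from Snort or from snortsam. The detector policy (block a source for an hour once it touches 5 distinct ports within 60 seconds), the addresses, and the 100-port target list are all assumptions chosen for illustration.

```python
"""Simulate a per-source port-scan blocker with a finite block duration and
probe it with four scanning strategies. Constructed example; the policy and
addresses are assumptions, not snortsam's real defaults."""
from collections import defaultdict


class ScanBlocker:
    """Block a source for block_duration seconds once it has touched
    threshold distinct ports within any window-second interval."""

    def __init__(self, threshold, window, block_duration):
        self.threshold = threshold
        self.window = window
        self.block_duration = block_duration
        self._hits = defaultdict(list)   # src -> [(time, port), ...]
        self._blocked_until = {}         # src -> time the block expires
        self.blocks = 0                  # number of blocks issued so far

    def observe(self, t, src, port):
        """Return True if the probe at time t reaches the host (so the scanner
        learns whether the port is open), False if the block dropped it."""
        if self._blocked_until.get(src, 0.0) > t:
            return False
        # Keep only this source's hits that are still inside the window.
        hits = [(ts, p) for ts, p in self._hits[src] if t - ts <= self.window]
        hits.append((t, port))
        self._hits[src] = hits
        if len({p for _, p in hits}) >= self.threshold:
            # The triggering packet has already passed (the IDS alerts after
            # seeing it); the block takes effect from now on.
            self._blocked_until[src] = t + self.block_duration
            self._hits[src] = []
            self.blocks += 1
        return True


def run_scan(blocker, sources, ports, interval):
    """Probe each port exactly once, interval seconds apart, rotating the
    source address through sources. Returns (ports answered, elapsed seconds,
    blocks issued)."""
    answered = 0
    t = 0.0
    for i, port in enumerate(ports):
        src = sources[i % len(sources)]
        if blocker.observe(t, src, port):
            answered += 1
        t += interval
    return answered, t - interval, blocker.blocks


PORTS = list(range(1, 101))                                   # constructed target
POLICY = dict(threshold=5, window=60.0, block_duration=3600.0)  # assumed policy


def scenarios():
    """Run the four strategies against a fresh blocker each; return a dict of
    (answered, elapsed, blocks) per strategy."""
    results = {}
    # 1. Naive fast scan from one address: tripped after 5 ports, rest dropped.
    results["fast"] = run_scan(ScanBlocker(**POLICY), ["10.0.0.1"], PORTS, 0.01)
    # 2. One probe every 10 s: still 5 ports inside a 60 s window, so blocked
    #    for an hour while the remaining probes go nowhere.
    results["too_fast"] = run_scan(ScanBlocker(**POLICY), ["10.0.0.1"], PORTS, 10.0)
    # 3. One probe every 20 s: never more than 4 ports per window, never blocked,
    #    full result in 33 minutes. Slower scan, same answer.
    results["slow"] = run_scan(ScanBlocker(**POLICY), ["10.0.0.1"], PORTS, 20.0)
    # 4. Distributed: 100 assumed bot addresses, one probe each, as fast as you
    #    like. Per-source counting never sees a scan at all.
    bots = [f"192.0.2.{i}" for i in range(1, 101)]
    results["distributed"] = run_scan(ScanBlocker(**POLICY), bots, PORTS, 0.01)
    return results


if __name__ == "__main__":
    for name, (answered, elapsed, blocks) in scenarios().items():
        print(f"{name:12s} answered={answered:3d}/{len(PORTS)} "
              f"elapsed={elapsed:8.2f}s blocks={blocks}")
```

The interval that keeps the single-source scan unblocked is dictated by the window and threshold (here just over window/(threshold-1), i.e. 15 s), which the scanner can find by watching when responses stop; raising the block duration only lengthens the guessing game, it does not end it, and the distributed case is immune to the block duration altogether.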