On Tue, Aug 29, 2006 at 07:05:08PM +0200, [EMAIL PROTECTED] wrote:
> > On Tue, Aug 29, 2006 at 05:50:56PM +0200, [EMAIL PROTECTED]
> > wrote:
> >> block drop in log quick on $ext_if os NMAP overload <nmapscanners> flush
> >
> > This is a bad idea, because nmap scans can be trivially spoofed (nmap
> > provides a command line option to do this), resulting in a simple denial
> > of service attack.
> >
> > We have the overload table for tcp connections because the handshake
> > makes us reasonably confident that the packets are not spoofed.
> 
> If you're afraid of spoofing you maybe shouldn't use overload rules at all!
> In fact most ISPs in Europe do filter spoofed packets.
> You simply can't spoof...

Really? Not even from the same network?

That, and it's far too easy to bring down the whole network from a
compromised Windows box. Yes, in some cases, it might work - but the
risk is very great in comparison to the reward.

> But apart from this: What else should an "admin" do?
> I really mean it...
> 
> A normal overload-Example (I just used some common services):
> 
> pass in on $ext_if proto tcp to $web_server \
>      port 22 flags S/SA keep state \
>      (max-src-conn 10, max-src-conn-rate 3/10, overload <badssh> flush)
[and so on - J.]
> Well I guess we all do know what PF does here.
> But what if you wanna block hosts which do connect to all those services in
> a very short time period (like during a "normal" portscan (yes I know
> about -T1 in nmap..))
> 
> Should an admin then do this:
> 
> pass in on $ext_if proto tcp to $web_server \
>      port &ALL_SERVICES_HERE flags S/SA keep state \
>      (max-src-conn 3, max-src-conn-rate 10/10, overload <allports> flush)
> 
> With that limit a normal user may get caught by this rule even if he just
> visited the www and maybe fetched/sent a mail (some browsers do connect
> several times).
> But an nmap scan would get caught by this rule too (as far as nmap isn't
> in use with -T1 or maybe even with -T2).
> 
> So what other "solution" will solve the problem I'm trying to fix?!
> And in fact why should somebody else scan your servers except you...
> (even if it's not illegal)?!
> 
> Btw: It would be very useful to block hosts which used nmap!
> Think about controlled big LANs (like in universities where you can't watch
> EVERY computer and where students may boot a Linux live CD or whatever
> and try to do bad stuff... if nmap is just blocked they'll probably use
> something else after they noticed it).

There are other solutions; there are some portscan-detectors in ports.
However, most of us, myself included, take the position that making
scanning more difficult isn't worth the bother. And that such
block-scripts, while they *can* be done right, have a far too high risk
of self-DoS (which would really hurt) and are unlikely to significantly
delay skilled attackers (in other words, they don't really matter).

If you really want to do this on a big LAN, set up Snort (in a chroot or
systrace jail - Snort is not that secure). And have a chat with the
offenders.

However, I know that *I* did try to report spammers, portscanners, and
other attackers for a while; but it doesn't really help all that much,
and more importantly costs an enormous amount of time that is better
spent looking after whatever you're supposed to be looking after.

                Joachim
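As an added illustration (not code from this thread, from PF, or from any poster): a small Python model of the `max-src-conn-rate N/S, overload <table> flush` behaviour of the two rules quoted above, replayed over constructed traffic from two sources. It shows the point made in the thread: the per-port 3/10 rule on port 22 catches neither source, while the all-ports 10/10 rule puts both the scanner and an ordinary browsing-plus-mail session into the table.

```python
from collections import defaultdict, deque

class OverloadRule:
    """Simplified model of one PF rule carrying
    `max-src-conn-rate N/S, overload <table> flush` for a set of ports
    (ports=None means every port). Constructed illustration, not PF's code."""
    def __init__(self, ports, max_rate, window_secs):
        self.ports, self.max_rate, self.window = ports, max_rate, window_secs
        self.history = defaultdict(deque)   # src -> timestamps of new states
        self.table = set()                  # what ends up in <table>

    def new_state(self, t, src, port):
        """Feed one SYN that would create state; return True if it is allowed."""
        if self.ports is not None and port not in self.ports:
            return True                     # rule does not match this port
        if src in self.table:
            return False                    # assume a block rule consults <table>
        hist = self.history[src]
        hist.append(t)
        while hist and t - hist[0] >= self.window:
            hist.popleft()                  # keep only the last `window` seconds
        if len(hist) > self.max_rate:       # more than N new states within S seconds
            self.table.add(src)
            hist.clear()                    # `flush`: the source's states are killed
            return False
        return True

def run(rule, events):
    """Replay (time, src, dst_port) SYNs in time order; return the overload table."""
    for t, src, port in sorted(events):
        rule.new_state(t, src, port)
    return set(rule.table)

# Constructed traffic: a browser fetching a page over 8 parallel connections,
# a POP3/SMTP mail check, then a second page: 14 new states within 10 seconds.
USER = "198.51.100.7"
USER_SESSION = ([(i * 0.2, USER, 80) for i in range(8)]
                + [(4.0, USER, 110), (4.5, USER, 25)]
                + [(7.0 + i * 0.3, USER, 80) for i in range(4)])
# Constructed scan: one SYN to each of 20 common ports within two seconds.
SCANNER = "203.0.113.9"
SCAN = [(0.1 * i, SCANNER, p) for i, p in enumerate(
    [21, 22, 23, 25, 53, 80, 110, 111, 135, 139,
     143, 443, 445, 993, 995, 1433, 3306, 3389, 5432, 8080])]

def per_port_ssh():   # the thread's first rule: port 22 only, rate 3/10
    return run(OverloadRule({22}, 3, 10), USER_SESSION + SCAN)

def all_ports():      # the thread's second rule: every service, rate 10/10
    return run(OverloadRule(None, 10, 10), USER_SESSION + SCAN)

if __name__ == "__main__":
    print("badssh:", per_port_ssh())    # set()
    print("allports:", all_ports())     # {'198.51.100.7', '203.0.113.9'}
```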
