Re: Request for discussion on defending against specific Nmap TCP syn and version scans.

From: Martin Mačok (martin.macok@underground.cz)
Date: Sat Mar 04 2006 - 03:32:22 EST


On Thu, Mar 02, 2006 at 04:46:25PM -0800, Aaron wrote:

> There may also be some interest in looking up tarpitting. It does
> not stop scanning but may be used in conjunction with changing the
> OS fingerprint to slow a scan

May not work for long because there is a pending patch (from me) for
detecting tarpitted ports in Nmap:

http://Xtrmntr.org/ORBman/tmp/nmap/nmap-3.95-detect_TARPIT.patch

(applies to all current releases)

P.S. If you know about different tarpit methods that do not get
detected with the patch above, please let me know...

Martin Mačok
ICT Security Consultant




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:36 EDT