[ale] Nmap + filtered ports
Jason Day
jasonday at worldnet.att.net
Fri Dec 16 14:15:43 EST 2005
On Thu, Dec 15, 2005 at 09:46:52PM -0500, Bob Toxen wrote:
> Second, generally it's best just to DROP all that you don't allow rather
> than trying to get "clever". You probably don't know enough about networking
> to outsmart nmap or other very clever scanners and thus just will "tip your
> hand".
I thought it was better to REJECT all that you don't allow, on the
grounds that that's the expected behavior for an unbound port.
In other words, if I REJECT packets to, say, port 25, then to an
attacker running a scan it looks like I don't have a daemon listening on
port 25. But if I DROP packets to port 25, then he knows I have some
kind of firewall in place, and might think I would make a more
interesting target.
Granted, if an attacker is specifically targeting my box, then it
doesn't really matter. But if he's running a general scan over a bunch
of IPs, then the IPs that DROP packets will stand out, because the scan
will come to a screeching halt while waiting for the connection attempts
to time out.
--
Jason Day
jasonday at worldnet dot att dot net
http://jasonday.home.att.net
"Of course I'm paranoid, everyone is trying to kill me."
-- Weyoun-6, Star Trek: Deep Space 9
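As an added illustration (not part of Jason's message or the list's code), a small Python model of how a SYN scanner such as nmap classifies each probe from the reply it gets, and how much longer a host that silently DROPs costs a sequential scan than one that answers. It also captures a caveat the thread does not mention: nmap reports an ICMP unreachable (what iptables REJECT sends by default) as "filtered", so only a TCP reset makes a blocked port look like an unbound one. The names `Reply`, `Host`, `classify_probe`, `scan_time` and the timing values are assumptions for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Reply(Enum):
    """What comes back to a single SYN probe (constructed model)."""
    SYN_ACK = "syn/ack"            # a daemon is listening
    RST = "rst"                    # no listener, or REJECT --reject-with tcp-reset
    ICMP_UNREACH = "icmp-unreach"  # iptables REJECT default (icmp-port-unreachable)
    NONE = "none"                  # DROP: silence until the probe times out


# How a SYN scan reports each reply. nmap treats ICMP unreachable errors as
# "filtered", so a default REJECT still reveals a firewall; only RST reads as "closed".
CLASSIFICATION = {
    Reply.SYN_ACK: "open",
    Reply.RST: "closed",
    Reply.ICMP_UNREACH: "filtered",
    Reply.NONE: "filtered",
}


@dataclass
class Host:
    """Constructed host: listening ports plus the firewall's answer for the rest."""
    listening: set
    policy: Reply


def probe(host: Host, port: int) -> Reply:
    return Reply.SYN_ACK if port in host.listening else host.policy


def classify_probe(host: Host, port: int) -> str:
    return CLASSIFICATION[probe(host, port)]


def scan_time(host: Host, ports, rtt=0.05, timeout=1.0) -> float:
    """Seconds a one-probe-at-a-time scan spends on `ports`: any reply costs one
    round trip, silence costs the full timeout (retransmits would add more)."""
    return sum(timeout if probe(host, p) is Reply.NONE else rtt for p in ports)


if __name__ == "__main__":
    ports = range(1, 1001)
    for name, policy in (("REJECT tcp-reset", Reply.RST),
                         ("REJECT default", Reply.ICMP_UNREACH),
                         ("DROP", Reply.NONE)):
        h = Host({22}, policy)
        print(f"{name:16s} port 25 -> {classify_probe(h, 25):8s} "
              f"scan of 1000 ports ~{scan_time(h, ports):.1f}s")
```

With these figures the REJECT hosts finish the 1000-port sweep in about 50 s while the DROP host takes about 999 s, which is the "screeching halt" that makes it stand out in a bulk scan.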