[ale] Nmap + filtered ports

Christopher Fowler cfowler at outpostsentinel.com
Fri Dec 16 14:23:58 EST 2005


This is why I use REJECT.  I want the scan to see an unbound port.  A
DROP will simply make me stand out in the crowd.


On Fri, 2005-12-16 at 14:15, Jason Day wrote:
> On Thu, Dec 15, 2005 at 09:46:52PM -0500, Bob Toxen wrote:
> > Second, generally it's best just to DROP all that you don't allow rather
> > than trying to get "clever".  You probably don't know enough about networking
> > to outsmart nmap or other very clever scanners and thus just will "tip your
> > hand".
> 
> I thought it was better to REJECT all that you don't allow, on the
> grounds that that's the expected behavior for an unbound port.
> 
> In other words, if I REJECT packets to, say, port 25, then to an
> attacker running a scan it looks like I don't have a daemon listening on
> port 25.  But if I DROP packets to port 25, then he knows I have some
> kind of firewall in place, and might think I would make a more
> interesting target.
> 
> Granted, if an attacker is specifically targeting my box, then it
> doesn't really matter.  But if he's running a general scan over a bunch
> of IPs, then the IPs that DROP packets will stand out, because the scan
> will come to a screeching halt while waiting for the connection attempts
> to time out.

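The thread turns on what a SYN scanner infers from each kind of reply and how long an unanswered probe costs it. Below is an added illustration (not code from the list or from nmap) that models both: the state a scanner reports and the time it burns per port under REJECT-with-reset, REJECT-with-ICMP and DROP. Timeouts, retry counts and RTT are constructed assumptions; the ICMP case follows nmap's documented SYN-scan rule that ICMP unreachable errors are reported as filtered, which is the iptables REJECT default unless `--reject-with tcp-reset` is used.

```python
"""Model of how a SYN scanner classifies a port from the reply it gets,
and how much wall-clock time each reply type costs the scanner.
Timeout, retry and RTT values are constructed assumptions, not nmap's
exact defaults."""
from enum import Enum


class Reply(Enum):
    SYN_ACK = "syn/ack"            # a daemon completed the handshake
    RST = "rst"                    # kernel refusal, or REJECT --reject-with tcp-reset
    ICMP_UNREACH = "icmp-unreach"  # iptables REJECT default: icmp-port-unreachable
    NONE = "none"                  # DROP: packet silently discarded


PROBE_TIMEOUT_S = 1.0   # assumption: seconds waited before a probe is given up
MAX_RETRIES = 2         # assumption: retransmissions for an unanswered probe
IMMEDIATE_RTT_S = 0.05  # assumption: round trip for a reply that comes back at once


def classify(reply: Reply) -> str:
    """Port state a SYN scanner reports for each reply type."""
    if reply is Reply.SYN_ACK:
        return "open"
    if reply is Reply.RST:
        return "closed"   # indistinguishable from an unbound port
    # ICMP unreachable and silence both mean "something is in the way"
    return "filtered"


def probe_cost(reply: Reply) -> float:
    """Seconds the scanner spends on one port before moving on."""
    if reply is Reply.NONE:
        # no answer: the scanner retransmits and waits out every timeout
        return PROBE_TIMEOUT_S * (1 + MAX_RETRIES)
    return IMMEDIATE_RTT_S


# Constructed host profiles: the reply each firewall policy produces
HOST_POLICIES = {
    "reject-tcp-reset": Reply.RST,
    "reject-icmp-default": Reply.ICMP_UNREACH,
    "drop": Reply.NONE,
}


def scan_host(policy: str, ports: int = 100) -> tuple[str, float]:
    """Return (reported state, total seconds) for a host whose disallowed
    ports all follow `policy`, probed one port at a time with no parallelism."""
    reply = HOST_POLICIES[policy]
    return classify(reply), probe_cost(reply) * ports
```

Running `scan_host` over the three profiles shows the point both posters make: only the reset variant looks like an unbound port, and the DROP host takes two orders of magnitude longer to scan.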