[ale] Nmap + filtered ports

Jason Day jasonday at worldnet.att.net
Fri Dec 16 14:15:43 EST 2005


On Thu, Dec 15, 2005 at 09:46:52PM -0500, Bob Toxen wrote:
> Second, generally it's best just to DROP all that you don't allow rather
> than trying to get "clever".  You probably don't know enough about networking
> to outsmart nmap or other very clever scanners and thus just will "tip your
> hand".

I thought it was better to REJECT all that you don't allow, on the
grounds that that's the expected behavior for an unbound port.

In other words, if I REJECT packets to, say, port 25, then to an
attacker running a scan it looks like I don't have a daemon listening on
port 25.  But if I DROP packets to port 25, then he knows I have some
kind of firewall in place, and might think I would make a more
interesting target.

Granted, if an attacker is specifically targeting my box, then it
doesn't really matter.  But if he's running a general scan over a bunch
of IPs, then the IPs that DROP packets will stand out, because the scan
will come to a screeching halt while waiting for the connection attempts
to time out.

-- 
Jason Day                                       jasonday at
http://jasonday.home.att.net                    worldnet dot att dot net
 
"Of course I'm paranoid, everyone is trying to kill me."
    -- Weyoun-6, Star Trek: Deep Space 9
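As an added example, not part of the thread: a small Python model of how an nmap-style SYN scan classifies a port under each firewall policy (listening, unbound, REJECT with tcp-reset, REJECT with the default ICMP port-unreachable, DROP) and how much time the silent DROP ports cost the scan; the policy names, the timeout value and the two sample hosts are constructed.

```python
from dataclasses import dataclass

# Assumed per-probe wait before the scanner gives up on a silent port.
PROBE_TIMEOUT = 1.0

@dataclass(frozen=True)
class Port:
    number: int
    policy: str   # "listen", "unbound", "reject-reset", "reject-icmp" or "drop"

def host_reply(policy: str):
    """Simplified: what a host returns to a TCP SYN under each firewall policy."""
    if policy == "listen":
        return "SYN-ACK"               # a daemon is bound to the port
    if policy in ("unbound", "reject-reset"):
        return "RST"                   # no listener, or REJECT --reject-with tcp-reset
    if policy == "reject-icmp":
        return "ICMP-PORT-UNREACH"     # iptables' default REJECT for TCP
    if policy == "drop":
        return None                    # DROP: no reply at all
    raise ValueError(f"unknown policy {policy!r}")

def classify(reply):
    """Scanner-side rule as nmap's SYN scan applies it: (state, seconds spent waiting)."""
    if reply == "SYN-ACK":
        return "open", 0.0
    if reply == "RST":
        return "closed", 0.0
    if reply == "ICMP-PORT-UNREACH":
        return "filtered", 0.0         # nmap reports an ICMP unreachable as filtered, not closed
    return "filtered", PROBE_TIMEOUT   # silence is also filtered, but only after the timeout

def scan(ports):
    """Return {port: state} plus the total seconds the scan spent waiting on silent ports."""
    states, waited = {}, 0.0
    for p in ports:
        state, delay = classify(host_reply(p.policy))
        states[p.number] = state
        waited += delay
    return states, waited

# Constructed sample: two hosts blocking the same ports, one with DROP, one with REJECT (tcp-reset).
DROP_HOST = [Port(22, "listen"), Port(25, "drop"), Port(80, "drop"), Port(443, "drop")]
REJECT_HOST = [Port(22, "listen"), Port(25, "reject-reset"),
               Port(80, "reject-reset"), Port(443, "reject-reset")]

if __name__ == "__main__":
    for name, host in (("DROP", DROP_HOST), ("REJECT", REJECT_HOST)):
        states, waited = scan(host)
        print(name, states, f"waited {waited:.1f}s")
```

Only the tcp-reset form of REJECT makes a blocked TCP port indistinguishable from an unbound one to a SYN scan; the default ICMP reject is still reported as filtered.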