How to defend Nmap
Page 1 of 3 123 LastLast
Results 1 to 10 of 28

Thread: How to defend Nmap

  1. #1
    Junior Member
    Join Date
    Jun 2005
    Posts
    1

    How to defend Nmap

    Hi,
    I know that Nmap is a scan software. It is useful for administrators to monitor networks. But on the other side, for an intrunder can also uses this software to scan my network and servers. How to defend this on network devices, include routers and switches.

  2. #2
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    The best to defend against it (in the way you described) would be to have a hardware firewall between your internet connection and your routers/switches/computers. Ideally, the firewall would not respond at all to the scans so that the attacker would have no clue that your computer was there.

    - Xierox
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  3. #3
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    The information you are looking for simply cannot be answered in a single post, or a single thread. People spend entire careers learning what you are asking. There is no one simple method to defend agains a scan. You are also assuming that a scan is indeed a threat.

    But to give you an idea of where to look, I would suggest reading up on common methods used in IDS systems and firewalls. Antionline has a number of excellent tutorials on IDS systems, packet sniffing and port scanning, and firewalls.

    Once you have a better understanding of how nmap scanning works, you will have a better idea of how to defend against it

    But, the short answer is that port scanning can be defended against with proper firewalls and IDS systems.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  4. #4
    Member
    Join Date
    Feb 2002
    Posts
    99
    IMO the most relevant solution to your problem would be something called a tarpit.

    In a nutshell:

    Its software designed to keep port scanners 'tied up'. It accomplishes this by tricking the computer initiating the scan into thinking the TCP connection is open, when in reality, its only half open, and thus has to time out.

    The name of hte software I'm refering to is <a href="http://www.hackbusters.net/">LaBrea</a>.

    Once you get the theory down behind it, there are more than a few ways to implement it.

    Hope this helps!

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Jonesy: While the initiating computer might be dumb enough to be messed up by LaBrea it's operator, if he knows what he is doing, will certainly conclude that all is not well. The resulting information gleaned would be:-

    "The admin of this network is, quite probably, security aware......."

    That's a very useful piece of information to have at hand if you are trying to break in and thus, in some ways, you just helped the attacker. I am a big fan of "looking stupid", (please direct all comments to 127.0.0.1. Thank you ). If my network appears to be bristling with self defense mechanisms then the attacker automatically goes into "stealth mode" making my life more difficult. If he's allowed to scan for a while, then probe a bit without going to hardcore "steath" then he rings my alarm bells - but he doesn't know it. From that point on I have a much better chance of successfully preventing him from completing his attack.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Obviously you can't stop people port scanning your network. What you can do, is ensure that they don't find anything open that you are not officially aware of.

    You can do this by having a proper management system for your firewall, i.e. All open ports / services are catalogued by your network administrator and their purpose is known.

    When something isn't required any more, it can then be shut down at the network level.

    Clearly allowing people detect open services which are designed to be open to the world anyway (for example, your mail server, web server, DNS etc), is not a security risk.

    Having things open that you didn't intend to, IS.

    Of course you can detect port scans using an IDS, but to be quite honest, there is very little point. Almost all of them are carried out by automated programs which have no "kiddie" holding the wheel (as you might other wise imagine, some teenager in a bedroom looking at nmap logs, but it's not true).

    These automated programs are usually worms or other malware, and have no kiddie anywhere near them, in fact they're more likely to be controlled by some criminal gang looking for hosts exploit for use in DDoS, Phishing, etc. The scans will almost certainly be coming from already "owned" machines.

    Slarty

  7. #7
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,252
    /Tiger opens big can of worms

    I am a big fan of "looking stupid", (please direct all comments to 127.0.0.1. Thank you ). If my network appears to be bristling with self defense mechanisms then the attacker automatically goes into "stealth mode" making my life more difficult. If he's allowed to scan for a while, then probe a bit without going to hardcore "steath" then he rings my alarm bells - but he doesn't know it. From that point on I have a much better chance of successfully preventing him from completing his attack.

    The approach of leaving one or two avenues of attack open should only be used in an environment that is ripe for attack - Financial institutions etc. I have three small networks, no ecommerce, voip or wireless. The only thing worth stealing here is bandwidth. Of course perimeter seeding is a concern; however, in the event of compromised router/switch, I'll still see the loss of bandwidth.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Er... I don't leave avenues open for attack.... But I don't make it obvious that I am watching either. All my monitoring systems are passive and "stealthed". You won't receive anything from my network that you wouldn't expect until I decide to show you that I'm there - then you'll really know it unless you are a dumbass - every alarm bell of yours should ring quite nicely and you'll know I have been and am watching your activity.

    Slarty is bang on with this:-

    What you can do, is ensure that they don't find anything open that you are not officially aware of.
    Though I would add "and are absolutely necessary for the purpose of the network". That allows for honeypots for example in a research environment but not necessarily in a corporate environment.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  9. #9
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,252
    Ok, I think I understand what you're saying. If I scan your network I'll see lot's lf well known ports [closed] and what not, instead of no ports at all?
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    No.... You'll see lots of ports "filtered". There's a firewall there but it will only allow access to the services my network _needs_ to function. So you will find several "open" ports, no closed ports and a gazillion "filtered" ports. Information gleaned:-

    1. There is a firewall.
    2. The network has probably been audited and checked for unecessary ports.
    3. You may or may not have _accurate_ information regarding my services and OS's....

    Outside that you know nothing more. You sure don't know for sure that I have already begun tracking your activity in voluminous logs, but I have.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •