[plug] responding to portscans

Grahame Bowland grahame at azale.net
Sat Oct 5 22:41:20 WST 2002


On Saturday 05 October 2002 19:34, Simon Scott wrote:
> Hi all
>
> Has anyone investigated portsentry and its alternatives, and can give me any
> insight into which one would be the way to go? portsentry relies on csh,
> which struck me as so stupid I've gone off it :)
>
> I was almost going to write my own in perl but I've gotta stop reinventing
> the wheel :)

The trouble with portsentry is that people set up active responses from a 
single TCP 'SYN' packet. So someone portscans you and you filter them.

Why is this bad? Anyone can send a TCP 'SYN' with the IP source address of (for 
example) your ISP's router -- your default route. And then you will 
immediately lose connectivity when you filter your default route.

I guess the only way to safely do this is to have something running in iptables 
that redirects connections to all non-open TCP ports into a daemon process. 
This daemon can wait for a full TCP connection (with the triple handshake) to 
come up; assuming your ISN is secure, you'll be pretty sure the IP 
address is valid to take action against them.
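As an added illustration (not code from the post or from portsentry), here is a minimal daemon in the spirit of that suggestion: it only counts a source once accept() has returned, which the kernel does after the three-way handshake completed, so a forged source address can never register a hit. The iptables REDIRECT rule, the port 2002 and the threshold of 3 are assumptions.

```python
import socket
from collections import Counter

# Assumed (illustrative) rule steering connections to ports you do not serve
# into this daemon; 22 and 80 stand for whatever you really listen on:
#   iptables -t nat -A PREROUTING -p tcp -m multiport ! --dports 22,80 \
#            -j REDIRECT --to-ports 2002
LISTEN_PORT = 2002   # assumed; any free port works
THRESHOLD = 3        # completed handshakes before we consider filtering

hits = Counter()     # source IP -> number of fully established connections

def record_hit(src_ip):
    """Count one completed handshake from src_ip and return the new total."""
    hits[src_ip] += 1
    return hits[src_ip]

def should_act(src_ip, threshold=THRESHOLD):
    """Filter only after repeated completed handshakes, never on a bare SYN:
    a spoofed source (e.g. your default route) cannot finish the handshake,
    because it never sees the SYN-ACK carrying our ISN."""
    return hits[src_ip] >= threshold

def make_listener(host="0.0.0.0", port=LISTEN_PORT):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(16)
    return s

def accept_one(listener):
    """Accept a single connection and return the peer IP. accept() returns
    only after the handshake completed, so the address is one the remote
    end really controls; we close at once, having only wanted that proof."""
    conn, (src_ip, _src_port) = listener.accept()
    conn.close()
    record_hit(src_ip)
    return src_ip

def probe(host, port):
    """Helper for local testing: complete a handshake to host:port."""
    with socket.create_connection((host, port), timeout=5):
        return True

def serve_forever(listener):
    while True:
        src_ip = accept_one(listener)
        if should_act(src_ip):
            print(f"{src_ip}: {hits[src_ip]} completed connections, safe to filter")

if __name__ == "__main__":
    serve_forever(make_listener())
```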

Cheers
Grahame
