On 3/2/11 2:04 PM, Mitar wrote:
Interesting. We were doing the very same thing (opening only ports 80 and 443 to check for certificates) just a few weeks ago over the whole IP space and got a few complaints: from ATT, usu.edu and usi.com.
Maybe the difference was in the speed of scanning? We randomized the order of scanning, but still some networks detected us as scanning their whole ranges.
Hi,
I am trying to create a low-responsibility Tor exit node that would allow the node to run without too much issue for the maintainer (few claims from operators).
I wrote something about it here: http://infosecurity.ch/20110124/my-tor-exit-node-experience-trying-to-filter...
I am now struggling to filter outgoing portscans, but I am not finding an effective way to do it without affecting good traffic.
P2P is out (OpenIPS), traffic to my originating country is out (iptables), I am testing removal of web attacks (through snort inline), but I am not able to remove outgoing portscans, which are now generating at least 1-2 claims per week.
My attempt so far has been done with:

######### ANTI PORTSCAN #####################
# Allow up to 3 pkts / second for a class C / 24 network: Block hard portscan
# iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -s 88.198.109.35/32 --syn -m hashlimit --hashlimit-upto 3/s --hashlimit-mode dstip --hashlimit-dstmask 24 --hashlimit-name everything_else_fast_scan -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -s 88.198.109.35/32 --syn -m hashlimit --hashlimit-upto 5/s --hashlimit-mode dstip --hashlimit-dstmask 16 --hashlimit-name everything_else_fast_scan_very_randomized -j ACCEPT

# Allow many connections (50/s) to the same IP (ex: facebook or google main site)
# iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -s 88.198.109.35/32 --syn -m hashlimit --hashlimit-upto 50/s --hashlimit-mode dstip --hashlimit-dstmask 32 --hashlimit-name everything-unique-ip -j ACCEPT

# Allow up to 5 pkts / minute for a class C / 24 network: Block slow and steady portscan
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -s 88.198.109.35/32 --syn -m hashlimit --hashlimit-upto 5/min --hashlimit-mode dstip --hashlimit-dstmask 24 --hashlimit-name everything_else_slow_scan -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -s 88.198.109.35/32 --syn -j LOG --log-prefix "Limit reached: "
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW -s 88.198.109.35/32 --syn -j REJECT --reject-with tcp-reset
Has anyone already tried, and been successful in, blocking outgoing portscans?
I know that my approach could be considered not good by some, but still I am carrying on an experiment to create:
- a long-lived Tor exit node
- a low-maintenance Tor exit node
- a Tor exit node that cannot be used for P2P, web attacks and portscans
- a Tor exit node that generates very few claims (that means more resiliency against the carrier/hosting disconnecting the server)

Cheers
-naif
http://infosecurity.ch
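To see why the hashlimit ruleset above trades off scan blocking against good traffic, here is an added simulation (not part of the thread, and not the poster's code) that models each `--hashlimit-mode dstip` ACCEPT rule as a token bucket per destination prefix, with the iptables default burst of 5, and runs constructed traffic through the chain: a 20-host sweep of one /24 and 12 connections to a single busy host. The destination addresses are RFC 5737 documentation ranges chosen for the example.

```python
"""Model of the exit node's OUTPUT chain: hashlimit ACCEPT rules, then LOG + REJECT."""
import ipaddress
from fractions import Fraction


class HashLimit:
    """One `-m hashlimit --hashlimit-mode dstip` ACCEPT rule as a token bucket per
    destination prefix: capacity --hashlimit-burst (iptables default 5), refilled at
    --hashlimit-upto. The rule matches, and spends a token, only while tokens remain."""

    def __init__(self, upto_per_sec, dstmask, burst=5):
        self.rate = Fraction(upto_per_sec)  # exact arithmetic avoids float boundary errors
        self.dstmask, self.burst = dstmask, burst
        self.buckets = {}  # prefix -> (tokens, last_seen_ts)

    def matches(self, ts, dst_ip):
        key = ipaddress.ip_network(f"{dst_ip}/{self.dstmask}", strict=False)
        tokens, last = self.buckets.get(key, (Fraction(self.burst), ts))
        tokens = min(Fraction(self.burst), tokens + (ts - last) * self.rate)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, ts)
            return True
        self.buckets[key] = (tokens, ts)  # over limit: nothing spent, packet falls through
        return False


def simulate(chain, syns):
    """First matching hashlimit rule ACCEPTs the SYN; anything left hits LOG + REJECT."""
    return ["ACCEPT" if any(rule.matches(ts, dst) for rule in chain) else "REJECT"
            for ts, dst in syns]


def active_chain():
    """Only the uncommented rule from the post: 5 new SYNs per minute per /24."""
    return [HashLimit(Fraction(5, 60), dstmask=24)]


def chain_with_per_ip_rule():
    """The commented-out 50/s per-/32 rule re-enabled in front of the /24 rule."""
    return [HashLimit(50, dstmask=32), HashLimit(Fraction(5, 60), dstmask=24)]


# Constructed traffic (RFC 5737 documentation addresses), one SYN per second.
SCAN = [(t, f"203.0.113.{t + 1}") for t in range(20)]   # 20 distinct hosts in one /24
BUSY_SITE = [(t, "198.51.100.7") for t in range(12)]    # 12 SYNs to one host

if __name__ == "__main__":
    for name, chain in (("/24 rule only", active_chain), ("with /32 rule", chain_with_per_ip_rule)):
        print(name, "scan accepted:", simulate(chain(), SCAN).count("ACCEPT"),
              "busy-site accepted:", simulate(chain(), BUSY_SITE).count("ACCEPT"))
```

With the /24 rule alone, the sweep gets 6 of 20 SYNs through but the busy site also loses 7 of 12, since both share one bucket; re-enabling the per-/32 rule fixes the busy site yet passes the whole sweep, because first-match ACCEPT rules let the most permissive bucket win and a one-SYN-per-host scan never exhausts a /32 bucket.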