[tor-talk] Automatic vulnerability scanning of Tor Network?

Steven J. Murdoch tortalk+Steven.Murdoch at cl.cam.ac.uk
Wed Dec 21 23:32:35 UTC 2011


On Wed, Dec 21, 2011 at 02:14:50PM +0100, Fabio Pietrosanti (naif) wrote:
> If we would send "1 packet" every minute, it would take about 22hours to
> complete the scan, bypassing almost any portscan detection system.
> 
> That way it would still be possible to map the opened ports / service
> version, but without creating alarm or abuse complain.

I'm still highly unconvinced. If an institution has a policy that port scans are
suspicious and to be avoided, making the scans more stealthy could be
counterproductive. It might well make them harder to detect, but when they are
detected it will look even more suspicious. I'm also not convinced a slow port
scan will help much given that this is a common black-hat technique and thus the
sort of signature which will make it into an IDS.

Even if we could avoid detection, I don't see much of an advantage to a port
scan. Nowadays open ports are a very poor guide to actual system security. I'd
expect that practical security vulnerabilities will be the result of bad
passwords, old versions of daemons, insecure web applications, and so on; not
because someone has installed an inherently insecure daemon.

Steven.

-- 
http://www.cl.cam.ac.uk/users/sjm217/


More information about the tor-talk mailing list