Discussion:
Port scan detection with pf
Holger Burde
2002-11-30 17:45:35 UTC
Hi;

I found that iptables has (via patch-o-matic) an option to build a portscan detection module (psd) which blocks scanning hosts (nmap etc.) for some time and efficiently makes auto-scanning sort of impossible.
Is this also possible with OpenBSD pf, or is it planned to add this feature? (From man, FAQ, Google etc. it seems not.)
PS The Watchguard firewalls also have such a feature, which is turned on by default.

PS2 I want this on a firewall, so using some IDS does not work since the packets are dropped before the IDS would see them ...

hb
Ryan McBride
2002-11-30 17:51:47 UTC
Post by Holger Burde
PS2 I want this on a firewall so using some IDS does not work since
the packets are dropped before the IDS would see them ...
Actually, I believe that you could use snort on the pflog interface.

-Ryan
Gordon Grieder
2002-11-30 17:55:44 UTC
Robert Waldner
2002-11-30 17:59:57 UTC
Post by Gordon Grieder
Remember that nmap can use forged IPs as a source so an attacker would be
able to spoof the IP of (for example) one of your important customer's mail
server during an nmap and your firewall would then happily prevent
legitimate mail from reaching the inside.
DoS is the main problem with every auto-reacting filter.

cheers,
&rw
--
-- The People don't rule, the Sheeple do.
-- - Richard Forno
Holger Burde
2002-11-30 19:29:38 UTC
hi;

Yep - I know - that's the main problem (spoofing/DoS) with dynamic rules. But I think it's worth the risk
if config options are flexible enough (time hosts are blocked, threshold (#ports / time), forwarding of alerts,
# of scanning attempts etc.). 'Information gathering' would be rather difficult/frustrating and (I think/hope?)
most attackers will simply give up and select a new target. Nothing is for free ...


hb

Generic Player
2002-11-30 23:15:05 UTC
Post by Holger Burde
hi;
Yep - I know - that's the main problem (spoofing/DoS) with dynamic
rules. But I think it's worth the risk if config options are flexible
enough (time hosts are blocked, threshold (#ports / time), forwarding
of alerts, # of scanning attempts etc.). 'Information gathering' would
be rather difficult/frustrating and (I think/hope?) most attackers
will simply give up and select a new target. Nothing is for free ...
Worth the risk why? You aren't gaining anything by doing this, what
exactly could be making it worth the risk? You are opening up your
machine to a trivial DoS attack, and in return, gaining nothing. Good
plan. A portscan isn't an attack, and they don't hurt. And if your
firewall is blocking it anyways, why do you care?

Adam

Theo de Raadt
2002-11-30 18:17:10 UTC
Fundamentally, you do not want to do that.

Please tell me what host it is that you are protecting, and I'll show
you why, by spoofing a very small stream of packets from your favorite
hosts.
Mike Frantzen
2002-11-30 22:26:38 UTC
Post by Holger Burde
I found that iptables has (via patch-o-matic) a option to build a
Portscan detection Module (psd) which blocks scanning hosts (nmap
etc.) for some time and efficiently makes auto-scanning sort of
impossible.
Blech. It is a nightmare doing portscan detection in-kernel. You have
to track states _far_ too long after they've expired. It ends up
consuming tons of memory which we just can't afford to dedicate to it
in-kernel.

You'd be better off writing something to monitor pflog0 to watch for
blocked packets and blocking those hosts. You'd be on your own as to
whitelisting valid hosts. I haven't seen anything that can set up a
good whitelist without tens of hours of manual work and I haven't met a
good FW admin yet who wasn't also a damn lazy bastard (me included).

.mike
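As an added illustration of the userland approach Mike describes (monitor the pflog interface, count blocked packets per source, keep a whitelist), here is a small detector that is not part of this thread and not an OpenBSD tool. It reads lines loosely modelled on `tcpdump -n -e -ttt -i pflog0` output (the exact line format, the rule numbering and the sample addresses are constructed for the example; the regex would need adjusting to the real output of a given tcpdump/pf version), and flags a source only when it hits a configurable number of distinct blocked destination ports within a sliding time window. Whitelisted networks are never flagged, which is the only defence the thread offers against the spoofed-source problem Gordon, Robert and Theo raise: the output is best treated as an alert for a human rather than as an automatic block.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One blocked inbound packet per line. Format assumed for this example,
# modelled on tcpdump's pflog decoding; adjust the pattern to real output.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\.\d+ rule \S+ block in on \S+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample log (not real traffic), already in time order:
#  - 203.0.113.7  sweeps six ports in two seconds      -> should be flagged
#  - 203.0.113.99 retries a single port                 -> not a scan
#  - 203.0.113.50 hits three ports, then three more five
#    minutes later                                      -> never 5 in one window
#  - 192.0.2.25   (whitelisted "customer mail server") sweeps six ports,
#    the spoofed-source case from the thread            -> skipped by whitelist
SAMPLE_PFLOG = """\
Nov 30 17:45:01.000001 rule 3/0(match): block in on fxp0: 203.0.113.7.40001 > 198.51.100.10.21: S 1:1(0) win 1024
Nov 30 17:45:01.200001 rule 3/0(match): block in on fxp0: 203.0.113.7.40002 > 198.51.100.10.22: S 1:1(0) win 1024
Nov 30 17:45:01.400001 rule 3/0(match): block in on fxp0: 203.0.113.7.40003 > 198.51.100.10.23: S 1:1(0) win 1024
Nov 30 17:45:01.600001 rule 3/0(match): block in on fxp0: 203.0.113.7.40004 > 198.51.100.10.25: S 1:1(0) win 1024
Nov 30 17:45:01.800001 rule 3/0(match): block in on fxp0: 203.0.113.7.40005 > 198.51.100.10.80: S 1:1(0) win 1024
Nov 30 17:45:02.000001 rule 3/0(match): block in on fxp0: 203.0.113.7.40006 > 198.51.100.10.443: S 1:1(0) win 1024
Nov 30 17:45:05.000001 rule 3/0(match): block in on fxp0: 203.0.113.99.51000 > 198.51.100.10.22: S 1:1(0) win 5840
Nov 30 17:45:06.000001 rule 3/0(match): block in on fxp0: 203.0.113.99.51000 > 198.51.100.10.22: S 1:1(0) win 5840
Nov 30 17:45:07.000001 rule 3/0(match): block in on fxp0: 203.0.113.99.51000 > 198.51.100.10.22: S 1:1(0) win 5840
Nov 30 17:45:10.000001 rule 3/0(match): block in on fxp0: 203.0.113.50.33001 > 198.51.100.10.21: S 1:1(0) win 1024
Nov 30 17:45:11.000001 rule 3/0(match): block in on fxp0: 203.0.113.50.33002 > 198.51.100.10.22: S 1:1(0) win 1024
Nov 30 17:45:12.000001 rule 3/0(match): block in on fxp0: 203.0.113.50.33003 > 198.51.100.10.23: S 1:1(0) win 1024
Nov 30 17:45:20.000001 rule 3/0(match): block in on fxp0: 192.0.2.25.60001 > 198.51.100.10.21: S 1:1(0) win 1024
Nov 30 17:45:21.000001 rule 3/0(match): block in on fxp0: 192.0.2.25.60002 > 198.51.100.10.22: S 1:1(0) win 1024
Nov 30 17:45:22.000001 rule 3/0(match): block in on fxp0: 192.0.2.25.60003 > 198.51.100.10.23: S 1:1(0) win 1024
Nov 30 17:45:23.000001 rule 3/0(match): block in on fxp0: 192.0.2.25.60004 > 198.51.100.10.25: S 1:1(0) win 1024
Nov 30 17:45:24.000001 rule 3/0(match): block in on fxp0: 192.0.2.25.60005 > 198.51.100.10.80: S 1:1(0) win 1024
Nov 30 17:45:25.000001 rule 3/0(match): block in on fxp0: 192.0.2.25.60006 > 198.51.100.10.443: S 1:1(0) win 1024
Nov 30 17:50:00.000001 rule 3/0(match): block in on fxp0: 203.0.113.50.33004 > 198.51.100.10.25: S 1:1(0) win 1024
Nov 30 17:50:01.000001 rule 3/0(match): block in on fxp0: 203.0.113.50.33005 > 198.51.100.10.80: S 1:1(0) win 1024
Nov 30 17:50:02.000001 rule 3/0(match): block in on fxp0: 203.0.113.50.33006 > 198.51.100.10.443: S 1:1(0) win 1024
"""

# Hosts/networks that must never be flagged, however their packets look
# (constructed values: a partner's mail server and our own address space).
WHITELIST = ["192.0.2.25/32", "198.51.100.0/24"]


def parse_pflog(text):
    """Yield (timestamp, src, dport) for every blocked inbound packet line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # outbound, malformed or otherwise uninteresting lines
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("src"), int(m.group("dport"))


def find_scanners(text, whitelist, distinct_ports=5, window=timedelta(seconds=60)):
    """Return {src: sorted list of ports} for every non-whitelisted source that
    was blocked on at least `distinct_ports` different destination ports
    within any `window`-long span. Lines are assumed to be in time order."""
    nets = [ipaddress.ip_network(n) for n in whitelist]
    recent = defaultdict(list)  # src -> [(ts, dport), ...] inside the window
    flagged = {}
    for ts, src, dport in parse_pflog(text):
        if any(ipaddress.ip_address(src) in n for n in nets):
            continue  # never act on whitelisted sources, spoofed or not
        events = recent[src]
        events.append((ts, dport))
        while events and ts - events[0][0] > window:
            events.pop(0)  # expire events that fell out of the window
        ports = {p for _, p in events}
        if len(ports) >= distinct_ports:
            flagged[src] = sorted(ports)
    return flagged


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_PFLOG, WHITELIST).items():
        print(f"ALERT {src} probed blocked ports {ports}")
```

In practice the script would read a live `tcpdump -n -e -ttt -i pflog0` pipe instead of the embedded sample, and what happens with the result is the policy decision the thread argues about: logging and alerting is safe, while feeding the addresses into a blocking rule inherits the spoofing/DoS exposure unless the whitelist covers every host you cannot afford to lose.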