Slashdot Mirror


Protecting Servers From Nmap's Idlescan?

Istealmymusic asks: "Now that Nmap 3.00's idlescan technique is fully documented, thousands of vulnerable NT and Linux hosts on the Internet are being exploited to perform stealthy port-scanning. My employer's Linux cluster was a victim of these attacks; apparently it has been used to perform hundreds of port scans on DDN machines. Needless to say we were contacted by the sysadmin and forced to blacklist the cracker. However, our Linux cluster is still vulnerable to the idlescan exploit from other attackers, and I believe our company has a false sense of security. OpenBSD is the only OS I know of which randomizes the IPID sequence, therefore making it invulnerable to the idlescan, but we have neither the time nor urge to migrate to OpenBSD. How can one secure their Linux or NT TCP/IP stack from malicious idlescanning?"

4 of 37 comments

  1. no need to migrate by norwoodites · · Score: 4, Insightful

    Just put a machine right after the router that is incoming and put OpenBSD on it and turn on bridging and "scrub all on $ext" and you have a great firewall that is transparent to the inside and to the outside.

  2. Linux is secure by tswinzig · · Score: 5, Insightful

    The person posting asks how you can protect Linux computers from malicious idlescanning, since OpenBSD is the only OS he knows of that doesn't use sequential IPID.

    However, the document he linked to (!) clearly states, "The latest versions of Linux, Solaris, and OpenBSD are immune as zombies..."

    Of course, you can't keep Linux from being scanned by a zombie, but that has nothing to do with the IPID sequencing. You need some sort of firewall that doesn't respond to SYN requests on closed ports.

    --

    "And like that ... he's gone."
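
The comment above turns on what an idle scan actually measures: the zombie's IP ID counter, not anything about the scanned target. The following is an added example, not code from the thread or from Nmap, that models a zombie with either a sequential or a randomised IP ID and shows why only the sequential one leaks the target's port state, plus a classifier for a captured IP ID sequence (the kind you would collect from your own host with a few SYN/ACK probes) to tell whether it is usable as a zombie. The class and function names, the start value, and the `max_step` tolerance of 10 for "incremental" are this example's own assumptions, not Nmap's exact thresholds.

```python
"""Idle-scan mechanics and an IP ID predictability check (added example, not from the thread or Nmap)."""
import random
from enum import Enum


class IpIdClass(Enum):
    ALL_ZEROS = "all zeros (unusable as zombie)"
    CONSTANT = "constant (unusable as zombie)"
    INCREMENTAL = "incremental (usable as zombie)"
    BROKEN_LE = "broken little-endian incremental (usable as zombie)"
    RANDOM_POSITIVE = "random positive increments (unusable as zombie)"
    RANDOM = "random (unusable as zombie)"


def _byteswap16(value):
    return ((value & 0xFF) << 8) | (value >> 8)


def _is_incremental(ids, max_step=10):
    # Differences are taken modulo 2^16 so a counter wrapping 65535 -> 0 still counts as a step of 1.
    # max_step=10 (an assumption here) tolerates a little background traffic from the host.
    diffs = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    return all(1 <= d <= max_step for d in diffs)


def classify_ipids(ids):
    """Classify an observed sequence of 16-bit IP ID values from one host."""
    if len(ids) < 2 or any(not 0 <= i <= 0xFFFF for i in ids):
        raise ValueError("need at least two IP IDs in range 0..65535")
    if all(i == 0 for i in ids):
        return IpIdClass.ALL_ZEROS
    if len(set(ids)) == 1:
        return IpIdClass.CONSTANT
    if _is_incremental(ids):
        return IpIdClass.INCREMENTAL
    if _is_incremental([_byteswap16(i) for i in ids]):  # counter sent with bytes swapped
        return IpIdClass.BROKEN_LE
    if all(b > a for a, b in zip(ids, ids[1:])):
        return IpIdClass.RANDOM_POSITIVE
    return IpIdClass.RANDOM


class Zombie:
    """Model of a host's IP ID counter; every packet it sends consumes one ID."""

    def __init__(self, sequential=True, start=1000, seed=0):
        self.sequential = sequential
        self._id = start & 0xFFFF
        self._rng = random.Random(seed)  # stands in for an OS that randomises IP IDs

    def send_packet(self):
        if self.sequential:
            self._id = (self._id + 1) & 0xFFFF
            return self._id
        return self._rng.randrange(0, 0x10000)

    def probe(self):
        # Attacker sends an unsolicited SYN/ACK; the zombie answers with a RST whose IP ID we read.
        return self.send_packet()

    def receive_from_target(self, segment):
        # A SYN/ACK for a connection it never opened makes the zombie send a RST (one more ID);
        # a RST from the target (closed port) or silence (filtered) makes it send nothing.
        if segment == "SYN/ACK":
            self.send_packet()


def target_response(port_open):
    return "SYN/ACK" if port_open else "RST"


def idle_scan(zombie, port_open, background_packets=0):
    """Infer a target port's state purely from the zombie's IP ID before and after a spoofed SYN."""
    before = zombie.probe()
    zombie.receive_from_target(target_response(port_open))  # target replies to the spoofed source
    for _ in range(background_packets):  # unrelated traffic the zombie sends meanwhile
        zombie.send_packet()
    after = zombie.probe()
    delta = (after - before) & 0xFFFF
    if delta == 1:
        return "closed|filtered"
    if delta == 2:
        return "open"
    return "unknown"  # busy zombie or randomised IP ID: no inference possible


if __name__ == "__main__":
    for sequential in (True, False):
        z = Zombie(sequential=sequential)
        print("sequential" if sequential else "random", "zombie:",
              idle_scan(z, port_open=True), "/", idle_scan(z, port_open=False))
    # Constructed sample sequences, as one might capture from a host under test:
    for sample in ([1000, 1001, 1002, 1003], [65534, 65535, 0, 1], [0, 0, 0, 0],
                   [0x0101, 0x0201, 0x0301, 0x0401], [12034, 561, 44001, 9, 65000]):
        print(sample, "->", classify_ipids(sample).value)
```

Two things the model makes visible: a filtered port and a closed port look identical to the attacker (the zombie sends nothing either way, so the counter moves by one), and a zombie that is busy with its own traffic breaks the 1-versus-2 reading even when its counter is sequential. Nmap reports the real-host equivalent of `classify_ipids` in the "IP ID Sequence Generation" line of `nmap -O`, and `nmap -sI <zombie> <target>` is the live version of `idle_scan`.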

  3. Bad wording by ActiveSX · · Score: 4, Insightful

    from the obtaining-extra-security dept.

    A misnomer. You can't obtain security, you can only remove insecurities.

  4. Re:My humble opinion... by Rick+the+Red · · Score: 3, Insightful

    Or, just get a humble P90 box with two network cards and make an OpenBSD firewall. Just use it to pass all traffic through. You need few if any rules, you won't need NAT, or dhcpd or bind or anything. Just a small IPID randomizer between your current setup and the big, bad internet. If you can put it in or take it out without affecting anything, then it's configured correctly. Test it with Nmap to prove it works, then relax.

    No -- I mean DON'T relax, you should keep up with the latest threats and remain vigilant. But you can stop worrying about Idlescan.

    --
    If all this should have a reason, we would be the last to know.