From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Thu Dec 07 2006 - 04:04:35 ART
"Network Mapping" is a very generic concept, and one cannot combat
all the recon types with a single solution.
The precise answer depends highly on the kind of "mapping attack" (though
it's not an "attack", actually). This could be a ping sweep, a single host
port map, port scanning of multiple hosts, etc. Port scanning techniques
are numerous - from a simple connect scan to a sophisticated Idle Scan.
The most common way to overcome the recon attacks is to limit "information
leakage" as much as possible. This means: filter all unnecessary traffic,
shut down all unneeded services, and limit the information responses, e.g.
turn off "icmp unreachables" etc. In essence, the network should "blackhole"
all the attempts to probe the unused hosts/ports, slowing down the scan
attempts.
A tool specifically used to combat the port scanning is IDS. It uses some
heuristics to recognize port scanning activity, and block its source. However,
there exist numerous ways to counter-combat such heuristics ;)
Additionally, IDS may recognize some "advanced" scanning techniques, like
TCP null/fin/xmas/fragmented scans (even IOS IDS can do that).
HTH
2006/12/6, Lab Rat #109385382 < techlist01@gmail.com>:
>
> Is this the only resource for understanding how to respond to network
> attacks on routers:
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/scfoverv.htm#wp1001106
>
> I'm specifically looking for the Cisco best practice for protecting against
> "network mapping" attempts on something such as a perimeter router, but the
> above link doesn't really talk about it directly.
>
> Please let me know.
>
> Thanks,
>
> Ed
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
--
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
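The reply above mentions that an IDS recognizes port scanning activity from heuristics. As an added illustration (this is not code from the thread, from Cisco, or from any IDS product), the script below runs a simple sliding-window heuristic over a handful of constructed ACL deny log lines modelled on the IOS `%SEC-6-IPACCESSLOGP` format: one source hitting many ports on one host within a short window is flagged as a vertical scan, and one source hitting the same port across many hosts is flagged as a horizontal sweep. The log lines, hostnames, addresses, ACL name and thresholds are all invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the IOS ACL logging message format.
# Addresses come from the documentation ranges; none of this is a real log.
SAMPLE_LOG = """\
Dec  7 04:01:01 edge-rtr: %SEC-6-IPACCESSLOGP: list EDGE_IN denied tcp 203.0.113.9(40001) -> 198.51.100.10(21), 1 packet
Dec  7 04:01:02 edge-rtr: %SEC-6-IPACCESSLOGP: list EDGE_IN denied tcp 203.0.113.9(40002) -> 198.51.100.10(22), 1 packet
Dec  7 04:01:02 edge-rtr: %SEC-6-IPACCESSLOGP: list EDGE_IN denied tcp 203.0.113.9(40003) -> 198.51.100.10(23), 1 packet
Dec  7 04:01:03 edge-rtr: %SEC-6-IPACCESSLOGP: list EDGE_IN denied tcp 203.0.113.9(40004) -> 198.51.100.10(25), 1 packet
Dec  7 04:01:03 edge-rtr: %SEC-6-IPACCESSLOGP: list EDGE_IN denied tcp 203.0.113.9(40005) -> 198.51.100.10(80), 1 packet
Dec  7 04:01:10 edge-rtr: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
Dec  7 04:02:00 edge-rtr: %SEC-6-IPACCESSLOGP: list EDGE_IN denied tcp 203.0.113.50(51000) -> 198.51.100.1(22), 1 packet
Dec  7 04:02:01 edge-rtr: %SEC-6-IPACCESSLOGP: list EDGE_IN denied tcp 203.0.113.50(51001) -> 198.51.100.2(22), 1 packet
Dec  7 04:02:01 edge-rtr: %SEC-6-IPACCESSLOGP: list EDGE_IN denied tcp 203.0.113.50(51002) -> 198.51.100.3(22), 1 packet
Dec  7 04:02:02 edge-rtr: %SEC-6-IPACCESSLOGP: list EDGE_IN denied tcp 203.0.113.50(51003) -> 198.51.100.4(22), 1 packet
Dec  7 04:03:00 edge-rtr: %SEC-6-IPACCESSLOGP: list EDGE_IN denied tcp 192.0.2.7(33000) -> 198.51.100.10(443), 1 packet
Dec  7 04:03:05 edge-rtr: %SEC-6-IPACCESSLOGP: list EDGE_IN denied tcp 203.0.113.77(6000) -> 198.51.100.10(80), 1 packet
Dec  7 04:05:30 edge-rtr: %SEC-6-IPACCESSLOGP: list EDGE_IN denied tcp 203.0.113.77(6001) -> 198.51.100.10(443), 1 packet
"""

TIME_RE = re.compile(r"(\d\d):(\d\d):(\d\d)")
DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Hypothetical tuning knobs; a real IDS would expose its own thresholds.
WINDOW_SECONDS = 60        # how far back a source's denies are remembered
VERTICAL_THRESHOLD = 5     # distinct ports on one host within the window
HORIZONTAL_THRESHOLD = 4   # distinct hosts on one port within the window


def parse_line(line):
    """Return a deny event dict, or None for lines that are not ACL denies."""
    t = TIME_RE.search(line)
    d = DENY_RE.search(line)
    if not t or not d:
        return None
    h, m, s = (int(x) for x in t.groups())
    return {"ts": h * 3600 + m * 60 + s, "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]), "proto": d["proto"]}


def detect_scans(lines):
    """Sliding-window heuristic: flag vertical scans and horizontal sweeps per source."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    history = defaultdict(list)   # src -> deny events still inside the window
    flagged = set()               # (src, kind, target) already reported
    alerts = []
    for e in events:
        hist = history[e["src"]]
        hist.append(e)
        # Forget denies older than the window so slow, spread-out probes do not pile up.
        while hist and hist[0]["ts"] < e["ts"] - WINDOW_SECONDS:
            hist.pop(0)
        ports_per_host = defaultdict(set)
        hosts_per_port = defaultdict(set)
        for h in hist:
            ports_per_host[h["dst"]].add(h["dport"])
            hosts_per_port[h["dport"]].add(h["dst"])
        for dst, ports in ports_per_host.items():
            key = (e["src"], "vertical", dst)
            if len(ports) >= VERTICAL_THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append({"src": e["src"], "kind": "vertical",
                               "target": dst, "count": len(ports), "ts": e["ts"]})
        for port, hosts in hosts_per_port.items():
            key = (e["src"], "horizontal", port)
            if len(hosts) >= HORIZONTAL_THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append({"src": e["src"], "kind": "horizontal",
                               "target": port, "count": len(hosts), "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"{a['src']}: {a['kind']} scan, target={a['target']}, count={a['count']}")
```

The single deny from 192.0.2.7 and the two denies from 203.0.113.77 spaced more than a minute apart never cross a threshold, which is the point of the window: the heuristic only fires on bursts, and, as the reply notes, a scanner that spreads probes over time or across sources can slip under it.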
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART