[22] in Intrusion Detection Systems
Re: port scanners/ICMP port unreachable
daemon@ATHENA.MIT.EDU (Greg Brennan)
Thu Mar 30 22:16:55 1995
From: Greg Brennan <brenngp@onto.network.com>
To: "'ids@uow.edu.au'" <ids@uow.edu.au>
Date: Thu, 30 Mar 95 12:58:00 CST
Reply-To: ids@uow.edu.au
=Date: March 28, 1995 03:43PM
=
=> > I was figuring I could sniff the packets leaving my
=> > network and look for ICMP port unreachables since it would be
=> > a dead giveaway that someone was trying to light up the TCP ports
=> > of one of our computers.
=>
=> Why not simply use a 'sane' implementation of ICMP class filtering,
=> such as offered in cisco IOS 10.3, to simply block specific classes
=> of ICMP traffic?
=Maybe I am missing something, but I think the suggestion here is to watch for
=ICMP packets as an indication that port scanning was taking place, not to
=prevent it. This is IDS after all, not FIREWALLS 8-). Blocking ICMP packets
=wouldn't do anything towards this aim. Now, blocking the traffic while
=logging the traffic might do the trick.
Packet Control Facility (PCF) from Network Systems will accomplish this with the
appropriate filter. Under PCF, every filter has 3 elements: Pattern, Action, and
Disposition. In the "Pattern" phase, you tell the router to look for the
appropriate ICMP message (or any other identifiable bit in the header). In the
"Action" portion, the filter can be easily customized to carry out logging (to
a host) and alarm notification (amongst other things). Then the "Disposition"
element establishes whether to pass or fail the packet. This gives you the
ability to just count the packets you are looking for, or to block them as well.
BTW, this works equally well between any two network segments, not just
between your network and the internet. This provides for enterprise level
notification capabilities and does not impose performance penalties on the
router (a benefit of the base hardware/software architecture).
Greg Brennan
Network Systems Corporation
Mississauga, Canada Ph. (905) 629-0440 greg.brennan@network.com
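As an added example, not part of the post above and not Network Systems' PCF, here is the same idea done in software: watch the packets leaving the local network, pick out ICMP "port unreachable" messages (type 3, code 3), and flag a remote host that is eliciting them for many distinct ports from one local machine. The packets, the local prefix 192.0.2.0/24, the addresses and the threshold of 10 distinct ports are all constructed here for illustration. One caveat the example builds in: a host answers a UDP probe to a closed port with ICMP port unreachable, whereas a closed TCP port answers with a TCP RST, so this particular signal catches UDP port scans; a TCP-scan detector would count RSTs instead.

```python
"""Toy detector for outbound ICMP port-unreachables as a UDP port-scan signal.

Example code added for illustration; it is not the list post's or PCF's code.
All packets below are constructed in memory, so it runs offline.
"""
import ipaddress
import struct
from collections import defaultdict

ICMP_PROTO = 1
UDP_PROTO = 17
ICMP_DEST_UNREACH = 3      # ICMP type: destination unreachable
ICMP_PORT_UNREACH = 3      # ICMP code: port unreachable


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options); checksum left zero, sample only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp_probe(src, dst, sport, dport):
    """An empty UDP datagram, as a scanner would send to test one port."""
    return build_ipv4(src, dst, UDP_PROTO, struct.pack("!HHHH", sport, dport, 8, 0))


def build_port_unreach(probe):
    """ICMP port unreachable a host sends back for a UDP probe to a closed port.
    Per RFC 792 it quotes the probe's IP header plus the first 8 payload bytes."""
    ihl = (probe[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, 0) + probe[:ihl + 8]
    replier = str(ipaddress.IPv4Address(probe[16:20]))   # probed host
    prober = str(ipaddress.IPv4Address(probe[12:16]))    # scanner
    return build_ipv4(replier, prober, ICMP_PROTO, icmp)


def parse_port_unreach(pkt):
    """Return (sender, receiver, probed_port) for an ICMP port unreachable that
    quotes a UDP datagram; None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != ICMP_PROTO:
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 8 + 20 or icmp[0] != ICMP_DEST_UNREACH or icmp[1] != ICMP_PORT_UNREACH:
        return None
    inner = icmp[8:]                      # quoted original IP header + 8 bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != UDP_PROTO or len(inner) < inner_ihl + 4:
        return None
    _sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), dport)


def detect_udp_scans(packets, local_net, threshold=10):
    """Count distinct probed ports per (local host, remote host) over outbound
    port-unreachables; return the pairs at or above the threshold."""
    net = ipaddress.IPv4Network(local_net)
    ports = defaultdict(set)
    for pkt in packets:
        parsed = parse_port_unreach(pkt)
        if parsed is None:
            continue
        src, dst, dport = parsed
        # only unreachables leaving our network count as a scan signal
        if ipaddress.IPv4Address(src) in net and ipaddress.IPv4Address(dst) not in net:
            ports[(src, dst)].add(dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


def constructed_sample():
    """Constructed traffic: one outside host sweeps 40 closed UDP ports on a
    local machine, plus one stray unreachable that should not be flagged."""
    pkts = []
    for port in range(1, 41):
        probe = build_udp_probe("198.51.100.7", "192.0.2.10", 40000 + port, port)
        pkts.append(probe)                       # inbound probe, ignored by the detector
        pkts.append(build_port_unreach(probe))   # our host's reply, what we watch for
    stray = build_udp_probe("203.0.113.5", "192.0.2.20", 53, 3456)  # late DNS reply
    pkts.append(build_port_unreach(stray))
    return pkts


if __name__ == "__main__":
    for (local, remote), probed in detect_udp_scans(constructed_sample(), "192.0.2.0/24").items():
        print(f"{remote} probed {len(probed)} closed UDP ports on {local}: {probed[:5]}...")
```

Keying the count on distinct probed ports rather than raw message count keeps a single retransmitted datagram from tripping the alarm, and restricting the direction to local source, remote destination is what makes this the "sniff what leaves my network" approach from the thread rather than a general ICMP counter. Hosts that rate-limit their ICMP error generation will under-report, so the threshold has to be set with that in mind.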