On Fri, 7 Dec 2001, Stuart wrote:

> We've run a pentest against a customer recently and found that the very act
> of port scanning their Raptor firewall (running on NT) crippled its ability
> to accept incoming connections for their web site. The firewall is a new
> high spec PIII and the leased line is a decent size. The nmap scans were
> standard timing (not T5 or anything daft) - once the scans were stopped,
> things burst back into life within about 10 minutes.

I experienced similar issues when scanning hosts behind a client's Watchguard firewall. I (together with some help from this list) put it down to built-in automatic IDS/blackholing of "naughty" hosts. I tried to get the client to disable the functionality, but either it isn't possible to disable completely, or...

I've never (knowingly) managed to break a Raptor FW in this way - usually all I see is the same open port profile for all hosts and looking to the world like some strange cross between NT and some flavour of UNIX. :)

> thanks
> Stuart
> IT Security Consultant, UK

Best Regards,
Alex.
--
Alex Butcher            Brainbench MVP for Internet Security: www.brainbench.com
Berkshire, UK           Is *your* company hiring UNIX/Security/Pen. testing folks?
PGP/GnuPG ID:0x271fd950 http://www.cocoa.demon.co.uk/cv/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 11:23:02 PST