> --On 26 June 2005 15:27 +0200, [EMAIL PROTECTED] wrote:
>
>> Is there any spamtrap-like Mechanism for the pf?
>> E.g. more skilled "badguys" don't use `nmap -sS &target`.
>> Such guys will limit their scans to just a few ports (3-6).
>
> Since this type of scan typically won't complete a 3-way handshake,
> there's not really any chance to tell a spoofed source address from a
> real one...

What about 3-way handshake scans?
As I said, such guys scan just a few ports so as not to get noticed by an IDS (and an IDS would "mostly" notice SYN scans but not full 3-way scans if just 3 ports, e.g., were scanned).

e.g.
nmap -sT -sV -P0 -sV -p21,22,80
would be such a case, or
nmap -sT -sV -P0 -sV -p21,22

So if I know that I don't run an FTPd, the src IP would get blocked and the scan for other ports would fail.

Kind regards,
Sebastian
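
The trap-port idea from the message above, as an added example that is not part of the original thread and is not pf syntax: it replays constructed streams of completed TCP connections and shows that a source is only cut off from ports it probes after touching the trap port. The port sets, function names and addresses are assumptions made for the illustration.

```python
# Added example: trap-port blocking over a constructed stream of completed
# TCP connections (src, dst_port). All names here are hypothetical.
TRAP_PORTS = {21}        # assumption: no FTPd runs on this host
OPEN_PORTS = {22, 80}    # assumption: the real services on this host


def run_trap(events, trap_ports=TRAP_PORTS, open_ports=OPEN_PORTS):
    """Return (blocked, exposed): the set of blocked sources, and a map of
    each source to the real services it reached before being blocked."""
    blocked = set()
    exposed = {}
    for src, port in events:
        if src in blocked:
            continue                  # already in the block table: dropped
        if port in trap_ports:
            blocked.add(src)          # touching an unused port is the signal
            continue
        if port in open_ports:
            exposed.setdefault(src, []).append(port)
    return blocked, exposed


# Constructed sample events, using documentation addresses (RFC 5737).
SCAN_TRAP_FIRST = [("192.0.2.10", 21), ("192.0.2.10", 22), ("192.0.2.10", 80)]
SCAN_TRAP_LAST = [("198.51.100.7", 22), ("198.51.100.7", 80), ("198.51.100.7", 21)]
LEGIT_CLIENT = [("203.0.113.5", 80), ("203.0.113.5", 22)]


def demo():
    return run_trap(SCAN_TRAP_FIRST + SCAN_TRAP_LAST + LEGIT_CLIENT)


if __name__ == "__main__":
    blocked, exposed = demo()
    print("blocked sources:", sorted(blocked))
    print("services reached before any block:", exposed)
```

Both scanning sources end up blocked, but the one that probed port 21 last had already reached 22 and 80, so the block only helps against later connections from it.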