According to Solar Designer (1999), it is not a good idea to block access from an IP address based on port scan detection. A port scan can easily be spoofed by generating 1000 requests to a target with 999 spoofed source addresses and only one real one. This type of attack makes it impossible to detect the real attacker's IP address.
Blocking every source address in the scan would use a lot of system resources. In the example above the firewall would have to create 1000 additional ACLs to block all the addresses. This policy can overwhelm and crash the firewall.
The author also points out that attempts to connect back to the source address might initiate reconnaissance against legitimate users.
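As an added illustration (not code from the original post or from Solar Designer's paper), the following Python simulation contrasts a naive scan-triggered ban with a policy that counts only sources which completed a TCP handshake, something a spoofed address cannot do, and caps the size of the ban table. The event layout, threshold values and addresses are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEvent:
    """One sensor observation: a source address probing some number of ports."""
    src: str            # source address as seen on the wire (may be spoofed)
    completed: bool     # True only if the TCP three-way handshake completed
    ports_touched: int  # distinct ports probed in this observation


def naive_ban_policy(events, threshold=5):
    """Ban every source that probed >= threshold ports, trusting the source field."""
    hits = Counter()
    for e in events:
        hits[e.src] += e.ports_touched
    return {src for src, n in hits.items() if n >= threshold}


def handshake_gated_policy(events, threshold=5, max_bans=100):
    """Count only sources that completed a handshake (a spoofed address never
    sees the SYN-ACK, so it cannot), and cap the ban table so the firewall
    never has to hold thousands of ACLs."""
    hits = Counter()
    for e in events:
        if e.completed:
            hits[e.src] += e.ports_touched
    worst_first = [src for src, n in hits.most_common() if n >= threshold]
    return set(worst_first[:max_bans])


def build_sample_events(spoofed=999):
    """Constructed sample reproducing the post's scenario: one real scanner that
    completes its connections, plus `spoofed` decoy sources that only ever
    appear as unanswered (half-open) SYNs. Addresses are from reserved ranges."""
    real = "203.0.113.7"                      # constructed "real" scanner
    events = [ScanEvent(real, True, 20)]
    for i in range(spoofed):
        decoy = f"10.0.{i // 256}.{i % 256}"  # constructed spoofed source
        events.append(ScanEvent(decoy, False, 20))
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    print("naive policy bans:", len(naive_ban_policy(evs)), "addresses")
    print("handshake-gated policy bans:", sorted(handshake_gated_policy(evs)))
```

Run stand-alone it shows the naive policy creating 1000 ban entries while the gated policy bans only the one address that actually completed connections; a source that never completes a handshake is not auto-banned at all, which is the post's recommendation.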
Banning IP addresses based on port scan detection
Posted: 22nd July 2009 by as in Computer Security, Intrusion Detection, Intrusion Detection Tools