Block port scans (e.g. nmap) at the ACL?

faika
Level 1

Hi,

Does anyone know how to block port scans (e.g. nmap) at the ACL? I've denied all ICMP at the core router. However, it still passes through with the command:

nmap -P0 (ip host)

Thanks,

Dicky Wong

3 Replies

Richard Burts
Hall of Fame

To deny ICMP is not going to stop port scans such as nmap because they do not use ICMP for much. They use TCP and UDP. They send packets to the range of TCP and UDP ports on the target and look for response TCP and UDP packets to determine what ports the target is listening on.

And trying to block the port scan with an ACL is likely to be counterproductive especially if the ACL does a deny any any because you will not only block the port scan but will deny legitimate users trying to use that service.

If you are really concerned about port scans the appropriate way to stop them is to have something that will observe traffic flowing through the network and will look for patterns of traffic from the same source to the same destination but using constantly different port numbers. Once you have identified the source of the scan then you can implement something (perhaps an ACL) that will deny the traffic from that specific source which would not impact legitimate users of the network. This is more the function of an IDS than it is of a router.

HTH

Rick
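The pattern Rick describes (one source hitting one destination on a constantly changing set of ports, then a deny aimed at that specific source rather than deny any any) can be turned into a small detector. The script below is an added example for this thread, not code from the original post or from Cisco: it parses log lines written in the IOS ACL-logging format (%SEC-6-IPACCESSLOGP with millisecond timestamps), keeps a sliding window of distinct ports per source/destination pair, and prints the per-host ACL entries for whatever crosses the threshold. All addresses, ports, times, the 60-second window, the 10-port threshold and the ACL number 101 are constructed assumptions for the example. Note also that nmap's -P0 (today spelled -Pn) skips the ICMP host-discovery probe entirely, which is why denying ICMP did not stop the scan in the question.

```python
import re
from collections import defaultdict, deque

# Pattern for IOS ACL-logging messages (%SEC-6-IPACCESSLOGP) written with
# "service timestamps log datetime msec"; only the fields we need are captured.
LOG_RE = re.compile(
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<ms>\d{3}).*?%SEC-6-IPACCESSLOGP: list \S+ "
    r"(?:permitted|denied) (?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


def _log_line(t, src, sport, dst, dport, proto="tcp"):
    """Build one constructed sample line in IOS ACL-log style (not a real capture)."""
    h, rem = divmod(int(t), 3600)
    m, s = divmod(rem, 60)
    return (f"*Mar  1 {h:02d}:{m:02d}:{s:02d}.000: %SEC-6-IPACCESSLOGP: list 101 permitted "
            f"{proto} {src}({sport}) -> {dst}({dport}), 1 packet")


# Constructed sample data: addresses, ports and times are made up for this example.
SAMPLE_LOG = (
    # a legitimate client: many connections, but only to ports 80 and 443
    [_log_line(100 + i, "10.1.1.20", 40000 + i, "192.168.10.5", 80) for i in range(15)]
    + [_log_line(120 + i, "10.1.1.20", 41000 + i, "192.168.10.5", 443) for i in range(5)]
    # an nmap-style sweep: a dozen distinct ports on one host within seconds
    + [_log_line(200 + i, "10.1.1.50", 50000 + i, "192.168.10.5", p)
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])]
    # a slow probe: five ports spread over ten minutes, never enough inside one window
    + [_log_line(300 + 120 * i, "10.1.1.77", 52000 + i, "192.168.10.5", p)
       for i, p in enumerate([22, 80, 443, 3389, 8080])]
)


def parse_line(line):
    """Return (seconds_since_midnight, src, dst, proto, dport), or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]) + int(m["ms"]) / 1000
    return t, m["src"], m["dst"], m["proto"], int(m["dport"])


def detect_scans(lines, window_s=60, port_threshold=10):
    """Flag (src, dst) pairs that touch port_threshold or more distinct
    (proto, port) targets within any sliding window of window_s seconds.
    Both thresholds are hypothetical tuning values, not from the thread."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (t, proto, dport)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t, src, dst, proto, dport = rec
        q = recent[(src, dst)]
        q.append((t, proto, dport))
        while q and t - q[0][0] > window_s:   # drop events that fell out of the window
            q.popleft()
        targets = sorted({(p, d) for _, p, d in q})
        if len(targets) >= port_threshold:
            flagged[(src, dst)] = targets
    return flagged


def acl_for_scanners(flagged, acl_number=101):
    """Emit a per-source deny (not 'deny any any') followed by the permit that
    keeps legitimate users working; acl_number is a hypothetical list number."""
    out = [f"access-list {acl_number} deny ip host {src} any log"
           for src in sorted({src for src, _ in flagged})]
    out.append(f"access-list {acl_number} permit ip any any")
    return out


if __name__ == "__main__":
    hits = detect_scans(SAMPLE_LOG)
    for (src, dst), targets in hits.items():
        print(f"scan from {src} to {dst}: {len(targets)} distinct targets")
    print("\n".join(acl_for_scanners(hits)))
```

On the sample data only 10.1.1.50 is flagged: the busy web client never exceeds two distinct ports, and the slow probe never accumulates enough ports inside one window, which is exactly the tradeoff a threshold-based detector makes (lower the window or threshold and slow scans show up, but so do more false positives). Two caveats for real use: IOS ACL logging is rate-limited and summarised rather than logging every packet, so NetFlow export or a dedicated IDS sensor is a better feed than syslog for this logic, and the generated deny should be installed as a temporary entry with an expiry rather than left in place indefinitely.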

jimwelsh
Level 1

If you want to accomplish this with a router, about the best you can do is to use Context-Based Access Control (CBAC). This can be used to have a "deny all" access list on the outside interface to start with, and then CBAC will open up only access to allow return traffic in response to connections initiated from the inside.

It's not a perfect solution, but should stop your nmap scans.

Also try to use the IDS feature available on the IOS. This will give you a syslog indication when nmap-type traffic is sent. Also enable inspection for TCP and define realistic max-incomplete and min-incomplete, and one-minute high and one-minute low, values. This will also throttle back traffic when a high number of incomplete connections are generated and also give you a syslog output.

Although this did not stop nmap scans, it did trigger some signatures and the TCP throttling also worked. This gave me an indication that something was wrong and I could find the source.