On Wed, Dec 21, 2011 at 02:14:50PM +0100, Fabio Pietrosanti (naif) wrote:
> If we would send "1 packet" every minute, it would take about 22hours to
> complete the scan, bypassing almost any portscan detection system.
>
> That way it would still be possible to map the opened ports / service
> version, but without creating alarm or abuse complain.
I'm still highly unconvinced. If an institution has a policy that port scans are suspicious and to be avoided, making the scans more stealthy could be counterproductive. It might well make them harder to detect, but when they are detected it will look even more suspicious.

I'm also not convinced a slow port scan will help much given that this is a common black-hat technique and thus the sort of signature which will make it into an IDS.

Even if we could avoid detection, I don't see much of an advantage to a port scan. Nowadays open ports are a very poor guide to actual system security. I'd expect that practical security vulnerabilities will be the result of bad passwords, old versions of daemons, insecure web applications, and so on; not because someone has installed an inherently insecure daemon.

Steven.

--
http://www.cl.cam.ac.uk/users/sjm217/

tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
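As an added illustration of the detection point raised above (example code, not part of the thread or any IDS product): a long-window distinct-port counter that flags a one-probe-per-minute scan which a short-window rule would miss. The log line format, addresses and thresholds are constructed for this example.

```python
"""Long-window distinct-port detector for slow (low-rate) port scans.

Hypothetical example, not code from the tor-talk thread. Assumes a
connection log with constructed lines of the form
    <epoch_seconds> <src_ip> <dst_ip> <dst_port>
"""
from collections import defaultdict, deque


def parse_line(line):
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def detect_slow_scans(lines, window_s, threshold):
    """Return {src_ip: alert_time} for sources that touch more than
    `threshold` distinct (dst, dport) pairs inside any `window_s` window.
    Each source keeps a deque of (ts, dst, dport); events older than the
    window are expired from the left before distinct pairs are counted."""
    events = defaultdict(deque)
    alerts = {}
    for line in sorted(lines, key=lambda l: int(l.split()[0])):
        ts, src, dst, dport = parse_line(line)
        q = events[src]
        q.append((ts, dst, dport))
        while q and ts - q[0][0] > window_s:
            q.popleft()
        distinct = {(d, p) for _, d, p in q}
        if len(distinct) > threshold and src not in alerts:
            alerts[src] = ts  # first time the source crossed the threshold
    return alerts


def constructed_log():
    """Constructed sample: 203.0.113.7 probes one new port per minute for
    30 minutes; 198.51.100.2 is a normal client reusing ports 80 and 443."""
    base = 1324480000
    lines = []
    for i in range(30):
        lines.append(f"{base + 60 * i} 203.0.113.7 192.0.2.10 {1000 + i}")
    for i in range(30):
        lines.append(f"{base + 45 * i} 198.51.100.2 192.0.2.10 {443 if i % 2 else 80}")
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print(detect_slow_scans(log, window_s=60, threshold=20))        # {}
    print(detect_slow_scans(log, window_s=24 * 3600, threshold=20))  # scanner flagged
```

The 60-second rule sees at most two distinct ports per source at any time, while the 24-hour rule flags the scanner on its 21st probe; the cost of the long window is per-source state that grows with the number of active sources.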