Intrusion Prevention and Active Response: Deploying Network and Host IPS

PortSentry was developed to detect and respond to port scans against a host. Because a port scan is often the first step of an attack, PortSentry watches the TCP and UDP ports on a system and reacts as soon as a scan is identified. It can detect several types of scans, including stealth scans. PortSentry offers three active response choices:
Inserts a null route into the host's routing table. The route covers the scanner's address and points at a non-existent gateway, so any reply the host would send back to the scanner is silently discarded (the scanner's own packets still arrive; what it loses is the answers). The disadvantage of this response is that every blocked address adds another entry to the routing table, which consumes memory. If the attacker sends the scan with random, spoofed source addresses, the table grows without bound and the response itself becomes a DoS condition on the host.
Inserts a firewall rule to block traffic from the scanning IP address. PortSentry supports ipfw, ipfilter, ipfwadm, ipchains, and iptables. When it detects a scan, PortSentry adds the appropriate rule to the firewall to block the scanning host's address. Once again, this can be turned into a DoS condition for the host or network: an attacker who sends the scan with the spoofed source address of a legitimate host (a gateway, DNS server, or administrator's workstation) causes that host to be blocked and its connections to fail.
Adds a TCP wrapper rule for the attacking IP address to the /etc/hosts.deny file. This prevents the attacker from connecting to the target host's wrapped services (only services that consult TCP wrappers honour the entry). Although this is a weaker protection mechanism, it alleviates the potential DoS conditions of the other...
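The three responses above, and the spoofed-source DoS they invite, can be worked through in a small response wrapper. The script below is an added example and is not PortSentry's own code; it is the kind of helper a host-based IPS can hand an attacker's address to (PortSentry's sample configuration, as I recall it, exposes this through a KILL_RUN_CMD option with a $TARGET$ placeholder, which is an assumption here). It emits the same three kinds of command the text describes (a reject route, an iptables DROP rule, or a hosts.deny entry), but it refuses to act on malformed input, on addresses listed in an ignore file, and once a cap on the number of blocked addresses is reached, which is the practical defence against a scanner that spoofs sources to fill the table or to get a trusted host blocked. File paths and the cap are assumed values; DRY_RUN=1 prints the command instead of executing it.

```shell
#!/bin/sh
# ps-respond: added example of an active-response wrapper (not PortSentry's code).
# Usage: ps-respond MODE ADDR   where MODE is route | firewall | wrappers
IGNORE_LIST="${IGNORE_LIST:-/etc/portsentry/portsentry.ignore}"  # assumed path
BLOCK_STATE="${BLOCK_STATE:-/var/run/ps-blocked}"                 # assumed path
MAX_BLOCKS="${MAX_BLOCKS:-200}"   # assumed cap on active blocks (anti-DoS)
DRY_RUN="${DRY_RUN:-0}"           # 1 = print the command instead of running it

# valid_ipv4 ADDR: accept only a dotted quad with octets 0-255, so a crafted
# "address" can never be spliced into a route/iptables/hosts.deny command.
valid_ipv4() {
    v_rest=$1; v_n=0
    while [ -n "$v_rest" ]; do
        v_oct=${v_rest%%.*}
        case $v_oct in ''|*[!0-9]*) return 1 ;; esac
        [ "$v_oct" -le 255 ] 2>/dev/null || return 1
        v_n=$((v_n + 1))
        [ "$v_rest" = "$v_oct" ] && break      # last octet consumed
        v_rest=${v_rest#*.}
        [ -z "$v_rest" ] && return 1           # trailing dot
    done
    [ "$v_n" -eq 4 ]
}

# ignored ADDR: hosts that must never be blocked (gateway, DNS, admin hosts),
# one exact address per line. This is what stops a spoofed scan from getting
# a trusted host cut off.
ignored() {
    [ -r "$IGNORE_LIST" ] && grep -qxF "$1" "$IGNORE_LIST"
}

# block_count: number of addresses already blocked by this wrapper.
block_count() {
    if [ -f "$BLOCK_STATE" ]; then grep -c . "$BLOCK_STATE" || :; else echo 0; fi
}

# response_cmd MODE ADDR: the shell command for the chosen response. Shapes
# follow what PortSentry's Linux sample config uses for KILL_ROUTE and
# KILL_HOSTS_DENY (assumed from memory of that config).
response_cmd() {
    case $1 in
        route)    echo "route add -host $2 reject" ;;             # replies to $2 are discarded
        firewall) echo "iptables -I INPUT -s $2 -j DROP" ;;        # inbound from $2 dropped
        wrappers) echo "echo 'ALL: $2' >> /etc/hosts.deny" ;;      # tcpd-wrapped services only
        *)        echo "unknown response mode: $1" >&2; return 1 ;;
    esac
}

# respond MODE ADDR: decide and act. Returns 0 when a block was issued (or the
# address was already blocked), 1 when the request was refused.
respond() {
    mode=$1; addr=$2
    valid_ipv4 "$addr" || { echo "refuse: malformed address '$addr'" >&2; return 1; }
    if ignored "$addr"; then echo "refuse: $addr is on the ignore list" >&2; return 1; fi
    if [ -f "$BLOCK_STATE" ] && grep -qxF "$addr" "$BLOCK_STATE"; then
        echo "skip: $addr already blocked" >&2; return 0
    fi
    if [ "$(block_count)" -ge "$MAX_BLOCKS" ]; then
        echo "refuse: $MAX_BLOCKS blocks active; suspect spoofed-source flood, not adding $addr" >&2
        return 1
    fi
    cmd=$(response_cmd "$mode" "$addr") || return 1
    if [ "$DRY_RUN" = 1 ]; then
        echo "$cmd"
    else
        sh -c "$cmd" || return 1
    fi
    echo "$addr" >> "$BLOCK_STATE"
}

# Stand-alone invocation: ps-respond MODE ADDR (skipped when sourced/tested).
if [ $# -eq 2 ]; then
    respond "$1" "$2"
fi
```

Wired in as a command PortSentry runs on detection, the wrapper keeps the response choice from the text but bounds its cost: with the cap reached, a flood of random spoofed sources fills a fixed-size block list rather than the routing table or firewall, and a spoofed scan from the gateway's address is refused instead of isolating the host. The cap should be sized to the host and reviewed, since a full list also means later genuine scanners go unblocked.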