Threat of the Month: Portscanning

February 28, 2007

- What is it?

Techniques have recently been developed for turning a user's web browser into a portscanning engine, which can be used by an attacker to remotely enumerate servers and services on the internal network, bypassing the firewall.

- How does it work?

An attacker sets up a website and entices corporate users to visit it. The site's HTML causes the browser to send probes to common internal network IP address ranges, then reports the results of the probes back to the attacker's web server. In this way, the browser becomes a proxy into the network.

- Should I be worried?

Enumerating services in itself is not an attack, but can be a precursor to one. An attack using the browser as a proxy might be more likely to work if the servers on the internal network have not been given the same priority for software vulnerability patching as external servers.

- How can I prevent it?

When patching software vulnerabilities on internal servers, give consideration to how the services might be accessed by workstations that also have internet access. Firewall user workstations from internal server networks and only permit access to those services specifically required. Deploy portscanning/intrusion prevention on all network segments, whether they are internet-connected or not.
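As an added illustration (not from the original article), the following Python detector shows what the recommended monitoring of internal segments can look like: it reads constructed firewall log lines and flags a workstation that touches many distinct internal host/port pairs in a short window, which is how a browser-driven sweep from the user LAN shows up. The log format, field names, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not real data): one workstation,
# 10.1.5.23, probes several internal hosts/ports within two seconds;
# 10.1.5.40 shows ordinary traffic to two services.
SAMPLE_LOG = """\
2007-02-28T10:00:01 src=10.1.5.23 dst=10.1.10.5 dport=80 action=allow
2007-02-28T10:00:01 src=10.1.5.23 dst=10.1.10.5 dport=8080 action=allow
2007-02-28T10:00:02 src=10.1.5.23 dst=10.1.10.6 dport=80 action=deny
2007-02-28T10:00:02 src=10.1.5.23 dst=10.1.10.7 dport=443 action=deny
2007-02-28T10:00:03 src=10.1.5.23 dst=10.1.10.8 dport=22 action=deny
2007-02-28T10:00:03 src=10.1.5.23 dst=10.1.10.9 dport=3306 action=deny
2007-02-28T10:00:05 src=10.1.5.40 dst=10.1.10.5 dport=80 action=allow
2007-02-28T10:00:09 src=10.1.5.40 dst=10.1.10.20 dport=445 action=allow
"""

def parse_line(line):
    """Parse one 'timestamp key=value ...' log line (assumed format)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts_str), "src": kv["src"],
            "dst": kv["dst"], "dport": int(kv["dport"]), "action": kv["action"]}

def find_sweepers(log_text, window=timedelta(seconds=10), threshold=5):
    """Return {src: set of (dst, dport)} for every source that reached at
    least `threshold` distinct host/port pairs inside any `window`-long span.
    Denied connections count too: a sweep is visible in the attempts alone."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            events[rec["src"]].append(rec)
    alerts = {}
    for src, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits within `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            targets = {(r["dst"], r["dport"]) for r in recs[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = targets  # keep the largest set seen so far
    return alerts

if __name__ == "__main__":
    for src, targets in find_sweepers(SAMPLE_LOG).items():
        print(f"possible sweep from {src}: {len(targets)} host/port pairs")
```

Tune the window and threshold to the segment's normal traffic; an alert from a workstation subnet toward the server network is the case the article's firewalling advice is meant to contain.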
