Firewall Wizards mailing list archives

Response to door knocking


From: Robert Graham <robert_david_graham () yahoo com>
Date: Thu, 28 Jan 1999 22:25:03 -0800 (PST)

---"Paul D. Robertson" <proberts () clark net> wrote:
I don't know anyone who doesn't have difficulty deciding how to react to
door-knocking.  Well, besides whoever that was who used to automatically
e-mail zone contacts for any connect attempt, and I think they had problems
with the results of their decision.

What are some legitimate responses to door knocking? Sending out
automated e-mail seems to be a pathological response given the
likelihood that IP addresses can be spoofed. How about these ideas:

1. nbstat (NetBIOS node status request).
2. identd protocol
3. GET / HTTP/1.0
4. OS fingerprint (à la nmap or queso)
5. link speed identification

Let's take the extreme case where we've detected an intruder over a
TCP connection whereby we know the TCP sequence number hasn't been
spoofed (i.e. those operating systems with patches against spoofing).
Thus, we are pretty sure about the source of the attack. First, we
send a simple NetBIOS node status request (UDP port 137) to the
offending machine to potentially gather that user's login information.

In the most extreme case, we do an OS fingerprint scheme like nmap or
queso that sends a series of strange TCP packets/options/flags to the
intruder in order to "fingerprint" the operating system. For example,
we can likely tell whether they are using Windows or Linux or Mac or
Solaris etc, even if no ports are open. Likewise, by sending varying
size ping packets at the target, we can get a good fingerprint of their
link speed (assuming our link is faster than their link). In essence,
I can likely gather the user name, machine type, and operating system.

Of course, this won't be effective against real hackers but would
gather a lot of evidence against script kiddies (which are more
numerous).

If you don't care about evidence and simply want to scare them off,
you can use the SMB messenger service or rwall to pop up a message on
their screen. Again, this assumes either NetBIOS or Sun RPC enabled
respectively. Such a message would simply say "You are
cybertrespassing and probably breaking several laws for which we will
prosecute".

Assuming that you take care of the obvious pathological cases (be
careful about false positives, IP spoofing, and throttling the rate at
which you send such messages, etc.), are there any problems with this
scheme?

Rob.
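The message above describes sending a NetBIOS node status request to UDP port 137 to learn the remote user's login name. The following block, an added example that is not code from the original post or from any tool it names, shows what the reply (RFC 1002 section 4.2.18) actually carries and how to read it as evidence. It only parses bytes: the reply is constructed inline with made-up names and a made-up MAC address, and nothing is sent on the wire. Because the probed host controls every byte of the answer, the parser checks lengths before trusting them.

```python
"""Decode a NetBIOS node status (NBSTAT) reply, RFC 1002 section 4.2.18.

Added example, not code from the original post. The reply below is
constructed here with made-up names and a made-up MAC; nothing is sent.
"""
import struct
from dataclasses import dataclass

NBSTAT_TYPE = 0x0021     # RR type for node status
FLAG_GROUP = 0x8000      # NAME_FLAGS: group (vs unique) name
FLAG_ACTIVE = 0x0400     # NAME_FLAGS: name is active


@dataclass(frozen=True)
class NbName:
    name: str
    suffix: int      # service byte: 00 workstation, 03 messenger, 20 server, 1E browser
    flags: int

    @property
    def group(self) -> bool:
        return bool(self.flags & FLAG_GROUP)


def encode_wildcard_name() -> bytes:
    """First-level encode '*' padded with NULs: the name every NBSTAT query asks for."""
    raw = b"*" + b"\x00" * 15
    out = bytearray()
    for b in raw:
        out += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([32]) + bytes(out) + b"\x00"   # label length, 32 chars, terminator


def build_sample_reply(txid: int = 0x1234) -> bytes:
    """Constructed reply: a workstation in WORKGROUP with user JSMITH logged in."""
    entries = [
        (b"WKSTN01", 0x00, FLAG_ACTIVE),                 # workstation service (host name)
        (b"WORKGROUP", 0x00, FLAG_GROUP | FLAG_ACTIVE),  # domain / workgroup
        (b"WKSTN01", 0x03, FLAG_ACTIVE),                 # messenger service: computer
        (b"WKSTN01", 0x20, FLAG_ACTIVE),                 # file server service
        (b"WORKGROUP", 0x1E, FLAG_GROUP | FLAG_ACTIVE),  # browser elections
        (b"JSMITH", 0x03, FLAG_ACTIVE),                  # messenger service: logged-in user
    ]
    rdata = bytes([len(entries)])
    for name, suffix, flags in entries:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    rdata += bytes.fromhex("001122334455") + b"\x00" * 40  # UNIT_ID (made-up MAC) + zeroed stats
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response flag, one answer RR
    rr = encode_wildcard_name() + struct.pack(">HHIH", NBSTAT_TYPE, 1, 0, len(rdata))
    return header + rr + rdata


def parse_node_status(pkt: bytes) -> tuple:
    """Return (names, mac) from an NBSTAT reply; raise ValueError on malformed input."""
    if len(pkt) < 12:
        raise ValueError("short header")
    _txid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a response with an answer")
    off = 12
    while True:                       # skip the RR_NAME labels
        if off >= len(pkt):
            raise ValueError("truncated name")
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        off += ln
    if off + 10 > len(pkt):
        raise ValueError("truncated RR fields")
    rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
    off += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError(f"unexpected RR type {rtype:#06x}")
    if rdlen < 1 or off + rdlen > len(pkt):
        raise ValueError("RDLENGTH exceeds packet")
    num = pkt[off]
    off += 1
    if 1 + num * 18 + 6 > rdlen:      # name table plus UNIT_ID must fit in RDATA
        raise ValueError("name table exceeds RDATA")
    names = []
    for _ in range(num):
        raw = pkt[off:off + 18]
        off += 18
        names.append(NbName(raw[:15].rstrip(b" ").decode("ascii", "replace"),
                            raw[15], int.from_bytes(raw[16:18], "big")))
    mac = ":".join(f"{b:02x}" for b in pkt[off:off + 6])
    return names, mac


def summarize(names: list) -> dict:
    """Pick out the host, workgroup and logged-in users from the name table."""
    host = next((n.name for n in names if n.suffix == 0x00 and not n.group), None)
    workgroup = next((n.name for n in names if n.suffix == 0x00 and n.group), None)
    # A unique <03> name other than the host name is the messenger entry for a user.
    users = [n.name for n in names if n.suffix == 0x03 and not n.group and n.name != host]
    return {"host": host, "workgroup": workgroup, "users": users}


if __name__ == "__main__":
    names, mac = parse_node_status(build_sample_reply())
    for n in names:
        print(f"{n.name:<15} <{n.suffix:02X}> {'GROUP' if n.group else 'UNIQUE'}")
    print("MAC", mac, summarize(names))
```

The <03> suffix is what makes the user name visible: the messenger service registers one entry for the computer and one for each logged-in user, so any unique <03> entry that is not the host name is a user. The MAC address in the UNIT_ID field is the other piece of evidence worth keeping, since it survives a change of IP address.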


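The closing paragraph lists the cases any automated response has to handle first: false positives, IP spoofing, and rate throttling. The block below, an added example rather than anything from the original post, turns those three caveats into a small decision function. It acts only on a source that completed a TCP three-way handshake (which on hosts with unpredictable initial sequence numbers is hard to forge), ignores an allowlist of networks that would otherwise produce false positives, and throttles responses both per source and overall. The `ProbeEvent` and `ResponsePolicy` names, the thresholds, and the sample events (RFC 5737 documentation addresses) are all assumptions made for the example.

```python
"""Gate automated responses to port probes ("door knocking").

Added example, not part of the original post. It encodes the three
caveats the message closes with: only act on a source that completed
a TCP handshake, skip allowlisted networks, and throttle responses per
source and overall. All addresses and events are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ProbeEvent:
    src: str          # source address as seen by the sensor
    dst_port: int
    proto: str        # "tcp" or "udp"
    handshake: bool   # True only if the TCP three-way handshake completed
    ts: float         # seconds, monotonic within one run


@dataclass
class ResponsePolicy:
    allow_nets: list                    # never respond to these (own scanners, partners)
    per_src_interval: float = 3600.0    # at most one response per source per hour
    global_per_minute: int = 10         # ceiling on responses sent to anyone
    _last_sent: dict = field(default_factory=dict, init=False)
    _sent_times: list = field(default_factory=list, init=False)

    def decide(self, ev: ProbeEvent) -> tuple:
        """Return (action, reason); action is 'respond', 'log' or 'ignore'."""
        # A bare SYN or any UDP datagram can carry a forged source: log only.
        if ev.proto != "tcp" or not ev.handshake:
            return "log", "source unverified: no completed TCP handshake"
        addr = ip_address(ev.src)
        for net in self.allow_nets:
            if addr in net:
                return "ignore", f"allowlisted by {net}"
        last = self._last_sent.get(ev.src)
        if last is not None and ev.ts - last < self.per_src_interval:
            return "log", "per-source throttle"
        # Keep only the last 60 s of sends, then apply the global ceiling.
        self._sent_times = [t for t in self._sent_times if ev.ts - t < 60.0]
        if len(self._sent_times) >= self.global_per_minute:
            return "log", "global throttle"
        self._last_sent[ev.src] = ev.ts
        self._sent_times.append(ev.ts)
        return "respond", "verified source within rate limits"


def default_policy(**overrides) -> ResponsePolicy:
    """Policy with a constructed allowlist for the local 10/8 range."""
    return ResponsePolicy(allow_nets=[ip_network("10.0.0.0/8")], **overrides)


def sample_events() -> list:
    """Constructed probe log using RFC 5737 documentation addresses."""
    return [
        ProbeEvent("203.0.113.5", 137, "udp", False, 100.0),   # UDP: unverifiable
        ProbeEvent("203.0.113.5", 23, "tcp", True, 101.0),     # full connect
        ProbeEvent("203.0.113.5", 80, "tcp", True, 102.0),     # same source, 1 s later
        ProbeEvent("192.0.2.9", 22, "tcp", False, 103.0),      # SYN only
        ProbeEvent("198.51.100.7", 23, "tcp", True, 104.0),    # new verified source
        ProbeEvent("10.0.0.3", 139, "tcp", True, 105.0),       # our own scanner
    ]


def run_policy(policy: ResponsePolicy, events: list) -> list:
    """Apply the policy in order and return the action taken for each event."""
    return [policy.decide(ev)[0] for ev in events]


if __name__ == "__main__":
    pol = default_policy()
    for ev in sample_events():
        action, why = pol.decide(ev)
        print(f"{ev.src:>14} {ev.proto}/{ev.dst_port:<4} -> {action:8} ({why})")
```

Only two of the six sample events would trigger a response; the UDP and SYN-only probes are logged because their source cannot be trusted, the repeat from the same address is held by the per-source timer, and the internal scanner is ignored outright. The global per-minute ceiling is what keeps a spoofed or distributed burst from turning the responder into a nuisance to third parties.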
