Security Incidents mailing list archives

Re: Annoy Those Sub7 Scanners.


From: H Carvey <keydet89 () YAHOO COM>
Date: Sun, 27 Aug 2000 13:10:44 -0700

Once a week? Hmm..

Yeah.  By then the scroll bar on my EventLog window is
getting pretty small.

If it's over a few minutes later, and the source was a dialup, you
almost certainly just nmap'ed the wrong user, who may or may not
retaliate with complaints or worse.

As a security consultant, I am well aware of
this...the whole issue of even attempting to identify
the true source of an attack (even before the DDoS
attacks in Feb) is one that is best described as a
well-beaten dead horse (although admittedly some just
don't seem to get it).

My nmapNT response is a hard-coded stealth scan of
specific ports...so there is no issue of overwhelming
bandwidth, even for the occasional dialup user.  I
make no attempts to query further (with that
particular script, anyway), even when I find an open
portmapper or NetBIOS session port.  So all in all,
the script that retrieves source IP addresses from my
snort alerts is fairly harmless.

Retaliation?  Not that I'm too concerned...I am aware
of how my box is configured, and monitor its health
and welfare pretty religiously.  Most of the scans
seem to be from folks who have Win9x boxen, with the
occasional scan from a Linux box, owned and operated
by one who undoubtedly is unfamiliar with the phrase
"recompile your kernel", or what the /etc/inetd.conf
file does...


