Security Incidents mailing list archives

Re: @home: Is *anyone* really home there???


From: woods () MOST WEIRD COM (Greg A. Woods)
Date: Thu, 2 Mar 2000 16:34:30 -0500


[ On Thursday, March 2, 2000 at 10:15:57 (-0800), Jon Burdge wrote: ]
Subject: RE: @home: Is *anyone* really home there???

> "An errant packet or two" is all most people see of a sunrpc scan.  I've
> never had my sunrpc port connected to by a machine that was *not* hacked.

Indeed.  But unless that source machine is your own there's very little
you can do but to try and contact the owners of it, out-of-band of course.

My own experience with trying to contact such people has been generally
frustrating and fruitless.

> Therefore I consider a single connection important and go out of my way to
> notify the administrators of that machine.

Although I do consider it neighbourly to make such contact, I don't
see it as a necessary response.  The security of one's networks and
systems is one's own responsibility.  I would say that if you get
cracked then you should consider yourself extremely lucky if you get one
or two neighbourly notifications that might alert you to this fact.  You
should hope like hell you don't get a million such notifications though.

> If that's truly what you mean by 'an errant packet or two' I think you're
> missing something important.

In some cases even a single packet can directly match a known attack
signature.  While this is more difficult to prove in the case of a
portmapper dump request it is as someone else has already said almost
impossible for anyone outside of your own network to have any legitimate
reason to query your portmapper.

In general though I'm personally not too concerned with a few "random"
foreign portmapper dump requests to my own systems unless they form a
recurring (and thus annoying) pattern.

As a side note I should mention that I find it quite interesting that
it's almost never the case that all of my hosts receive portmap requests
from the same source.  Either such tools are randomising the source
address and using some other means of reply detection; or they are
distributing the scanning (and not all scanners are operating in sync
and thus the probes I see across my network are also randomly
distributed in time); or perhaps people don't actually scan entire
networks using this kind of test.

--
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
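The two points raised above, that a portmapper (sunrpc, port 111) query from outside one's own network has almost no legitimate explanation and that it becomes worth acting on when it forms a recurring pattern, can be turned into a small triage script. The following is an added example, not code from the thread or from any of its participants. It assumes iptables-style kernel LOG lines with SRC=/DST=/PROTO=/DPT= fields, a hypothetical local network of 192.0.2.0/24, and a constructed set of sample lines; the recurrence threshold of three hits is likewise an arbitrary choice.

```python
"""Flag portmapper (sunrpc, port 111) queries from outside the local network
and summarise whether any source forms a recurring pattern.

Added example for illustration only. The log lines below are constructed,
not taken from the thread. The iptables-style LOG format (SRC=/DST=/PROTO=/
DPT= fields) and the local network 192.0.2.0/24 are assumptions.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines; 192.0.2.0/24 is the hypothetical local network.
SAMPLE_LOG = """\
Mar  2 16:30:01 gw kernel: IN=eth0 SRC=192.0.2.10 DST=192.0.2.20 PROTO=TCP SPT=1023 DPT=111
Mar  2 16:31:15 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=4567 DPT=111
Mar  2 16:31:16 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.21 PROTO=UDP SPT=4567 DPT=111
Mar  2 16:32:40 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.22 PROTO=TCP SPT=40000 DPT=111
Mar  2 16:33:02 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.22 PROTO=TCP SPT=4568 DPT=111
Mar  2 16:33:30 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=40001 DPT=80
"""

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed local range
SUNRPC_PORT = 111
RECURRING_THRESHOLD = 3  # same source seen this many times counts as a pattern

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract src, dst, proto and destination port; None if not a LOG line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def is_local(addr):
    """True if the address falls inside one of our own networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def foreign_portmap_queries(log_text):
    """Return the parsed events that hit port 111 from a non-local source."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["dpt"] == SUNRPC_PORT and not is_local(ev["src"]):
            events.append(ev)
    return events


def summarise(events):
    """Per foreign source: hit count, distinct local hosts probed, recurring flag."""
    hits = Counter(ev["src"] for ev in events)
    hosts = defaultdict(set)
    for ev in events:
        hosts[ev["src"]].add(ev["dst"])
    return {
        src: {"hits": n, "hosts": len(hosts[src]), "recurring": n >= RECURRING_THRESHOLD}
        for src, n in hits.items()
    }


if __name__ == "__main__":
    for src, info in summarise(foreign_portmap_queries(SAMPLE_LOG)).items():
        tag = "RECURRING" if info["recurring"] else "single/occasional"
        print(f"{src}: {info['hits']} portmap probe(s) against "
              f"{info['hosts']} local host(s) [{tag}]")
```

On the constructed input the local-to-local query and the port 80 hit are ignored, 198.51.100.7 is reported as recurring (three probes across three hosts) and 203.0.113.9 as a single probe; the distinct-host count is there because, as noted further up the thread, a scanner that touches only one of your hosts looks different from one sweeping the whole range.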
