Nmap Announce mailing list archives

Re: Scanning hosts connecting to a linuxbox.


From: Max Vision <vision () whitehats com>
Date: Sun, 14 Feb 1999 18:11:42 -0800 (PST)

On Sun, 14 Feb 1999, Simple Nomad wrote:
> Is everyone this paranoid? That they reverse scan?


  I am surprised at the views taken by the "general public".  See the
hacker vigilante polls on cnn lately?  People think it's ok to strike
back!  But what are their criteria?  Do they have a clue?
  There are very few cases where a connection to one's site can be
authenticated to be from the apparent source.  The vast majority of
traffic that sysadmins are "responsive" to can be easily forged, and
possibly used to frame someone.  (Starting wars is *easy* and some people
think it's fun.  Blackhats exist.)
  Of the public remote Denial Of Service attacks that I am aware of, more
than 9 out of 10 of them are either ICMP or UDP, and almost all are
one-off, fire and forget.  Most DOS scripts have command line options for
the source IP.
  Portscanning has come of age and now decoy storm methods such as
sl0wscan and nmap -D have joined the ranks of ftp bounce and other
proxy-based scans.  With 100 source IPs how smart does one's
IDS-Return-Fire system sound?  Let alone reverse scanning...

  Limiting your concern to TCP (full handshake) "attacks" is a start, but
let's say you are upset about someone checking for CGI bugs on your
webserver.  Consider that the source address could have been a proxy, any
number of text-pushing-holes such as FTP bouncing, or even sequenced
(check your boxes for susceptibility).

  Also the method described of limiting reverse scans to once-per-IP
doesn't cut it.  What about the fellow that decides to send you
tickle-packets from, say, everywhere.  Great, you've just scanned the
entire internet "but it was only once per host...."

Be careful with automated systems!
Max

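The point about once-per-IP limiting can be made concrete with a small simulation. The following is an added example and not part of the original post or of any nmap code: it models an automated "return-fire" responder fed trigger packets whose source addresses are chosen by the sender (forged UDP/ICMP, or decoys), and counts how many third-party hosts each trigger policy would end up scanning. The policy names, the `Trigger` type and the address ranges are assumptions constructed for the illustration; nothing is sent on the wire.

```python
"""Added example (not from the original mailing-list post): how many third
parties does an automated reverse-scan responder hit under different trigger
policies when the trigger packets carry sender-chosen source addresses?
Everything here is constructed in memory; no packets are sent."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Trigger:
    src: str    # claimed source address of the packet that tripped the IDS
    kind: str   # "udp", "icmp", "tcp-syn" (all forgeable) or "tcp-established"


def spoofed_flood(network, kind):
    """Constructed input: one trigger packet per address in `network`, each
    with a forged source. A UDP, ICMP or lone SYN packet needs no reply to
    land, so the sender can put any address it likes in the source field."""
    return [Trigger(str(ip), kind) for ip in ipaddress.ip_network(network).hosts()]


def responder_once_per_ip(triggers):
    """The policy the post criticises: scan each claimed source at most once.
    Per-host volume is bounded, but the number of hosts is whatever the
    sender decides to claim. Returns the set of hosts that would be scanned."""
    return {t.src for t in triggers}


def responder_established_only(triggers):
    """React only to sources that completed a TCP handshake. Much harder to
    forge blindly, but a proxy or FTP-bounce host still appears as the
    source, so this narrows the victim set rather than removing it."""
    return {t.src for t in triggers if t.kind == "tcp-established"}


def responder_established_with_budget(triggers, max_targets):
    """Established-only plus a hard cap on distinct targets per run: someone
    who triggers from "everywhere" can at worst exhaust the budget."""
    targets = set()
    for t in triggers:
        if t.kind != "tcp-established" or t.src in targets:
            continue
        if len(targets) >= max_targets:
            break
        targets.add(t.src)
    return targets


def compare(triggers, max_targets=5):
    """Number of third-party hosts each policy would actively scan."""
    return {
        "once_per_ip": len(responder_once_per_ip(triggers)),
        "established_only": len(responder_established_only(triggers)),
        "established_with_budget": len(
            responder_established_with_budget(triggers, max_targets)),
    }


if __name__ == "__main__":
    # Constructed scenario: a /16 worth of forged UDP triggers plus three
    # genuine TCP connections from two hosts (e.g. CGI probing via a proxy).
    stream = spoofed_flood("10.0.0.0/16", "udp") + [
        Trigger("203.0.113.7", "tcp-established"),
        Trigger("203.0.113.7", "tcp-established"),
        Trigger("203.0.113.9", "tcp-established"),
    ]
    print(compare(stream))
```

Run as written, the once-per-IP policy would scan every address in the forged /16 plus the two real hosts, while the handshake-gated policies touch only the two hosts that actually connected, and the budget keeps that figure bounded no matter how many connections arrive.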