Nmap Announce mailing list archives
Re: Scanning hosts connecting to a linuxbox.
From: Max Vision <vision () whitehats com>
Date: Sun, 14 Feb 1999 18:11:42 -0800 (PST)
On Sun, 14 Feb 1999, Simple Nomad wrote:
Is everyone this paranoid? That they reverse scan?
I am surprised at the views taken by the "general public". See the hacker vigilante polls on cnn lately? People think it's ok to strike back! But what are their criteria? Do they have a clue? There are very few cases where a connection to one's site can be authenticated to be from the apparent source. The vast majority of traffic that sysadmin are "responsive" to can be easily forged, and possibly used to frame someone. (Starting wars is *easy* and some people think it's fun. Blackhats exist.) Of the public remote Denial Of Service attacks that I am aware, more than 9 out of 10 of them are either ICMP or UDP, and almost all are one-off, fire and forget. Most DOS scripts have command line options for the source IP. Portscanning has come of age and now decoy storm methods such as sl0wscan and nmap -D have joined the ranks of ftp bounce and other proxy-based scans. With 100 source IP's how smart does one's IDS-Return-Fire system sound? Let alone reverse scanning... Limiting your concern to TCP (full handshake) "attacks" is a start, but let's say you are upset about someone checking for CGI bugs on your webserver. Consider that the source address could have been a proxy, any number of text-pushing-holes such as FTP bouncing, or even sequenced (check your boxes for susceptibility). Also the method described of limiting reverse scans to once-per-IP doesn't cut it. What about the fellow that decides to send you tickle-packets from say, everywhere. Great you've just scanned the entire internet "but it was only once per host...." Be careful with automated systems! Max
Current thread:
- Scanning hosts connecting to a linuxbox. Mike A. Harris (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Rasmus Andersson (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Simple Nomad (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Lance Spitzner (Feb 14)
- Re: Scanning hosts connecting to a linuxbox. Simple Nomad (Feb 14)
- Re: Scanning hosts connecting to a linuxbox. Max Vision (Feb 14)
- Re: Scanning hosts connecting to a linuxbox. ace24 (Feb 15)
- Re: Scanning hosts connecting to a linuxbox. Simple Nomad (Feb 15)
- Re: Scanning hosts connecting to a linuxbox. Lance Spitzner (Feb 14)
- RE: Scanning hosts connecting to a linuxbox. Dragos Ruiu (Feb 13)
- <Possible follow-ups>
- RE: Scanning hosts connecting to a linuxbox. Brown, Mark (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Chris St. Clair (Feb 15)
- Re: Scanning hosts connecting to a linuxbox. Bryan Seitz (Feb 15)