Nmap Announce mailing list archives
RE: Detected NMAP scan
From: wanb0y <wanb0y () earthlink net>
Date: Wed, 6 Jan 1999 19:46:45 -0600
I agree with David here. This is a big discussion in the IDS world, to use active or passive responses. DOS is one consideration but there are more... What if you use active defense, and it rings all your bells and whistles on one box or segment, only to disguise the real target? DOS is really a lame hack; it's the handprint you leave with the active intrusion response that tips your hand, and makes your other tools less useful.

wanb0y

----------
From: David G. Andersen
Sent: Wednesday, January 06, 1999 3:39 PM
To: joff () newmonics com
Cc: Frank W. Keeney; 'nmap-hackers () insecure org'
Subject: RE: Detected NMAP scan

Would it perhaps be impolite to suggest that if you detect a SYN port scan, and start refusing all connections from that IP, your tool opens up a beautiful DOS attack against the host system? Since there's no three-way handshake to verify that the remote computer really is who they say they are, you can shut down connectivity to just about anyone with a few forged SYNs.

I think there are a few other problems with your patch. The relatively small number of IP addresses means that I could still scan your host if it started exhibiting this behavior - I'd simply need to scan it with 64 other addresses as well. Nmap already has this mode to disguise itself. The logging would be nice, but you'd still have to track down 65 source addresses. The former problem, obviously, is a bit more pertinent.

-Dave

Lo and Behold, joff () newmonics com said:

I've written a small (~30-line) patch to the Linux 2.0 kernel that detects and masq's all scans (stealth, half-open, etc.) and blocks them in mid scan so the attacker does not see any ports open. Take a look: http://www.geek-girl.com/bugtraq/1998_3/0008.html.

//Jesse Off

On Wed, 6 Jan 1999, Frank W. Keeney wrote:

I get scanned at least ten times a week! With the 1.x versions of nmap, Linux ipfwadm successfully logged all stealth scans in my lab.

----------
From: Lamont Granquist [SMTP:lamontg () raven genome washington edu]
Sent: Wednesday, January 06, 1999 12:40 PM
To: nmap-hackers () insecure org
Subject: Detected NMAP scan

So, on Jan 3rd a machine that I admin got scanned, and with the ipfw.c hack that I posted previously, I recorded the following packets, suggesting that it was someone with nmap2. I thought I'd post it here as a sighting of nmap "in the wild":

Jan 3 04:16:14 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62233 192.168.0.1:80
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62234 192.168.0.1:80
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62235 192.168.0.1:80

I've also identified people doing SYN scans of port 635, which is where mountd often/normally resides on a Linux system.

--
Dave Andersen
work: danderse () cs utah edu
me: angio () pobox com
University of Utah http://www.angio.net/
Computer Science - Flux Research Group
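As an added example (not code from anyone in this thread), here is a report-only scan detector over the ipfw.c "IP fw-in deny" log format Lamont quotes: it groups denied packets by source, flags sources that probe several distinct TCP ports, and deliberately only alerts instead of blocking, for the forged-SYN reason Dave gives. The log lines are constructed in that format; 148.81.145.199 is the source from the post, 10.9.8.7 is a made-up second host.

```python
import re
from collections import defaultdict

# Constructed sample in the ipfw.c "IP fw-in deny" format quoted in the thread;
# 148.81.145.199 is the scanner from the post, 10.9.8.7 is a made-up second host.
SAMPLE_LOG = """\
Jan 3 04:16:14 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62233 192.168.0.1:80
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62234 192.168.0.1:80
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62235 192.168.0.1:635
Jan 3 04:16:16 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62236 192.168.0.1:111
Jan 3 04:16:16 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 10.9.8.7:40001 192.168.0.1:22
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ kernel: IP fw-in deny \S+ "
                     r"(?P<proto>TCP|ICMP/\d+) (?P<src>\S+) (?P<dst>\S+)$")

def parse_line(line):
    """Parse one deny line into (proto, src_ip, dst_port); dst_port is None for ICMP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, src, dst = m.group("proto", "src", "dst")
    if proto == "TCP":                      # TCP entries carry ip:port on both sides
        return proto, src.rsplit(":", 1)[0], int(dst.rsplit(":", 1)[1])
    return proto, src, None                 # ICMP/<type> entries have no ports

def summarize(log_text):
    """Per source: distinct TCP destination ports seen and number of ICMP echo probes."""
    stats = defaultdict(lambda: {"tcp_ports": set(), "icmp": 0})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        proto, src, dport = rec
        if proto == "TCP":
            stats[src]["tcp_ports"].add(dport)
        else:
            stats[src]["icmp"] += 1
    return stats

def scan_alerts(log_text, port_threshold=3):
    """Sources probing >= port_threshold distinct TCP ports, as (src, sorted ports).
    Deliberately report-only: a denied SYN never proves the source address is real,
    so feeding this straight into a block list is the DoS the thread warns about."""
    return sorted((src, sorted(s["tcp_ports"]))
                  for src, s in summarize(log_text).items()
                  if len(s["tcp_ports"]) >= port_threshold)

if __name__ == "__main__":
    for src, ports in scan_alerts(SAMPLE_LOG):
        print(f"possible port scan from {src}: ports {ports}")
```

Dave's decoy point applies directly: with 64 decoy addresses the alert list grows to 65 entries, which is why the output is an investigation queue rather than a firewall rule.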