Security Incidents mailing list archives

Re: Annoy Those Sub7 Scanners.


From: Computer Vegetable <CompuVeg () COLUMBUS RR COM>
Date: Thu, 31 Aug 2000 08:22:33 -0400

I've noticed something in my firewall logs 99% of the time when I get an
obviously spoofed scan.  (i.e., connection request from 10.x.x.x or
192.168.x.x, or the other range of non-internettable addresses)  I almost
always get a second scan attempt within milliseconds of the first connection
request.

I've assumed that this is someone spoofing their IP address in a very sloppy
manner.  Or perhaps the ISP sees the spoofer and sends identifying packets
alongside the spoofed packets.

Are either of these theories right?

Thanks--

----------------------------------------------------------------------------
- David Sentelle

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Talisker
Sent: Wednesday, August 30, 2000 6:11 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Annoy Those Sub7 Scanners.


First post was rejected  :o(
Tamer version

As someone once told me, they are merely flies bouncing off a fly screen.
They aren't going to get a connection, in most cases I suspect they are
young kids who have installed a (free)  personal firewall and are wondering
what all these 27274 connection attempts are, a little research reveals an
easy to use tool and hey-presto you are being scanned.  SubSeven Servers
don't appear to be widespread so they will give up after a few days.

Retaliation will merely generate a challenge, and as it's school holidays
at the moment, they probably have a lot more free time on their hands.

Cautionary Note.  Make sure that you are not vulnerable, scan your own
addresses from time to time, keep your virus signatures bang up to date, and
concentrate on the more elaborate/unknown connection attempts.

By all means retain yo[just got a sub7 scan :o)]ur logs and if a particular
source becomes a nuisance report them.


just my 2 cents

Andy

www.networkintrusion.co.uk Listing all known commercial IDS
                    '''
                 (0 0)
  ----oOO----(_)----------
  | The geek shall        |
  |  Inherit the earth     |
  -----------------oOO----
               |__|__|
                  || ||
              ooO Ooo


The opinions contained within this transmission are entirely my own, and do
not necessarily reflect those of my employer.
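
The log pattern described in the reply at the top of this message (a connection request from a 10.x.x.x, 192.168.x.x or other private-range source, followed within milliseconds by a second attempt) can be pulled out of a firewall log mechanically. The sketch below is an added example, not part of the original posts; it only surfaces candidate pairs for review and does not show that the second address belongs to the scanner. The log layout, function names, 100 ms window and sample lines are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# RFC 1918 ranges: the "non-internettable" sources described in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log; "timestamp source dest_port" layout is an assumption.
# Port 27274 is the one quoted in the thread; routable sources below are
# documentation ranges, not real hosts.
SAMPLE_LOG = """\
2000-08-31T08:20:01.120 10.44.3.9 27274
2000-08-31T08:20:01.135 203.0.113.77 27274
2000-08-31T08:21:10.500 192.168.7.20 27274
2000-08-31T08:21:10.512 198.51.100.5 27274
2000-08-31T08:25:00.000 172.16.1.1 27274
2000-08-31T08:25:09.000 203.0.113.77 27274
2000-08-31T08:30:00.000 198.51.100.23 80
"""

def is_rfc1918(addr):
    """True if addr falls in one of the three private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse(log_text):
    """Yield (timestamp, source, dest_port) for each three-field line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield datetime.fromisoformat(parts[0]), parts[1], int(parts[2])

def paired_scans(log_text, window_ms=100):
    """Pair each private-source attempt with the first routable-source
    attempt to the same port that follows within window_ms."""
    events = sorted(parse(log_text), key=lambda e: e[0])
    pairs = []
    for i, (ts, src, port) in enumerate(events):
        if not is_rfc1918(src):
            continue
        for ts2, src2, port2 in events[i + 1:]:
            gap_ms = (ts2 - ts) / timedelta(milliseconds=1)
            if gap_ms > window_ms:
                break  # events are time-sorted, nothing later can match
            if port2 == port and not is_rfc1918(src2):
                pairs.append((src, src2, port, gap_ms))
                break
    return pairs

if __name__ == "__main__":
    for pair in paired_scans(SAMPLE_LOG):
        print(pair)
```

A routable address that keeps turning up as the follow-up across many pairs is the kind of recurring source worth keeping logs on.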

