Security Incidents mailing list archives
Re: Attack attempts from 195.86.128.45
From: Fred van Engen <fred.van.engen () xbn nl>
Date: Tue, 13 May 2003 23:34:52 +0200
Hi, On Tue, May 13, 2003 at 10:12:53AM +0200, Rune Kristian Viken wrote:
This, quite frankly, is blatant abuse of other people's bandwidth. If I read your post correctly, you're scanning _all ports_, 10.000 ports at a time. 60 bytes goes to the SYN, 60 bytes to the SYN/ACK, 52 more bytes to the ACK. Then the actual data needed to be sent to determine wheter it is a socksproxy, wingate or whatever ... I'll guesstimate at least 100bytes more in each direction, plus the FIN/ACK packets, which means another 52 bytes in each direction. This means something in the range of 260bytes incoming per port. 260 * 10.000 = 260.000 bytes per 'increment' of your scan, per IP.
For closed ports, that will be just an incoming SYN and an outgoing RST. Most ports are closed, so the average amount of data sent will be a SYN and RST only. That's 60 incoming bytes, or even less if I'm correct.
Now, I used to have a 33k6bps always-on connection, with a /27 IP-range. This means your abusive scanning would waste 32*260.000 = 8.3MB for every
They scan only IP addresses that sent them mail, which is none of your addresses if you use your ISP's mail server, or just one if you use your own.
'increment' of your scan. If I still had that 33k6 connection, I would get 3.5kb/s incoming .. amounting to you wasting 40 minutes of my total bandwidth for every increment of your self-rightous scanning.
That would be 1*60*10.000 bytes over your 3.5KB dial-up line, which probably even used data compression and TCP header compression. That is well below 20 seconds for the 10.000 port scan. And then you're assuming a connection that is not very likely for people running a mailserver without smarthost.
This pain is not acceptable. Your scanning is quite frankly worse than most spammers - for a lot of people. The argument for running blocklist is that spammers waste bandwidth. You waste FAR more bandwidth for a lot of people. This is a thypical example of the 'cure' *killing* the patient instead of helping.
Bandwidth is not the only problem. Annoyed people is another good argument. Regards, Fred. -- Fred van Engen XB Networks B.V. email: fred.van.engen () xbn nl Televisieweg 2 tel: +31 36 5462400 1322 AC Almere fax: +31 36 5462424 The Netherlands ---------------------------------------------------------------------------- *** Wireless LAN Policies for Security & Management - NEW White Paper *** Just like wired networks, wireless LANs require network security policies that are enforced to protect WLANs from known vulnerabilities and threats. Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs. To get your FREE white paper visit us at: http://www.securityfocus.com/AirDefense-incidents ----------------------------------------------------------------------------
Current thread:
- Attack attempts from 195.86.128.45 Christian Stigen Larsen (May 06)
- <Possible follow-ups>
- Re: Attack attempts from 195.86.128.45 KoRe MeLtDoWn (May 06)
- Re: Attack attempts from 195.86.128.45 Jacco Tunnissen (May 07)
- Re: Attack attempts from 195.86.128.45 abuse (May 07)
- Re: Attack attempts from 195.86.128.45 Rune Kristian Viken (May 13)
- Re: Attack attempts from 195.86.128.45 Fred van Engen (May 13)
- Re: Attack attempts from 195.86.128.45 Jacco Tunnissen (May 07)
- Re: Attack attempts from 195.86.128.45 Valdis . Kletnieks (May 08)
- Re: Re: Attack attempts from 195.86.128.45 Benjamin Krueger (May 08)