Nmap Announce mailing list archives
RE: Scanning hosts connecting to a linuxbox.
From: "Brown, Mark" <mbrown () visa com>
Date: Fri, 12 Feb 1999 11:35:00 -0800
You've opened the eternal can-of-worms :) I've been fooling around with attacker profiling (reactively gathering data through nmap, systat, netstat, traceroute, whois@arin, etc.) and found a number of problems with the concept in my toying:

1. You open yourself up to denial of service attacks. Let's say I flood your machine with tons of "scans" with spoofed source IPs. Your machine thrashes itself trying to profile all of these "attackers." If I slip a real scan in with all of the spoofed ones, it becomes lost in the noise.

2. You (bad guy) and I (good guy) both run profiling -- You scan me, I scan you back, you scan me back-back, I scan you back-back-back, etc. Both machines go nuts looping.

3. By profiling an attacker, you immediately tip your hand. There's a lot more information to be gathered by sitting quietly and observing someone who doesn't know they're being watched.

I've cooked up some half-brained solutions to these problems:

To prevent flooding, I take no immediate action. I use Abacus Sentry to monitor common ports that I don't use (IMAP, finger, lpd, etc.). When a scan takes place, Abacus does its normal logging to syslog and also writes the IP to a file instead of immediately kicking off the profiling scripts. Naturally, this all takes place in its own partition. At a reasonable interval, say one minute, that log file of IPs is rotated out, normalized (removing duplicate entries) and a sanity (flood) check is performed. If we logged, for example, 300 new IPs in a minute something is obviously wrong... probably a flood, or a real scan mixed in with a flood to mask it. In this case no automatic profiling is done and the log is flagged for further human intervention. The flood rate you set should be based on the speed and depth of the profiling you do. YMMV. The time delay may cause you to miss profiling someone from a dynamic IP that logged off immediately following the scan, but c'est la vie.
If the log passes the sanity check, it is passed to the profiling machine (a totally unrelated box through a different ISP in my case) where the actual profiling takes place. Because of the brief time delay and unrelated source of the profiling, perhaps brain-dead attackers won't put two-and-two together and realize they've tripped an alarm.

I've been working to get away from Abacus Sentry and integrate this with a packet-level monitor (Network Flight Recorder). NFR has the capability to detect a wide variety of attacks and negates the need to install port-level monitoring on all the hosts... alas, I've found it all too easy to throw NFR into hysterics by overloading it. Something more lightweight is in order (unless you have unlimited hardware to throw at it).

-----Original Message-----
From: Mike A. Harris [mailto:mharris () ican net]
Sent: Friday, February 12, 1999 12:37 AM
To: nmap-hackers () insecure org
Subject: Scanning hosts connecting to a linuxbox.

I am connected via dialup PPP to the net, and I run a simple firewall. Normally, there is no need whatsoever for someone to be connecting to any services running on my machine. Most of the time the machine has no visible external service running anyways, thanks to the firewall, and tcpwrappers, however occasionally I run ssh/telnet/ftp/http for someone, or for remote access to my machine.

Due to people portscanning my ISP, I've found many scan attempts and breakin attempts on my box - none successful of course, but I like to be paranoid about security so... I would like to somehow have nmap run a scan of my choosing on any hosts attempting a connect to any of my ports, either via tcpwrappers, or the firewall. Can someone either explain how to do this, or point me to the proper documentation/manuals, etc.. I've got an idea already how to do it with tcpwrappers, but I draw a blank on doing it with the firewalled ports. I'd like to have nmap log the remote OS, and do finger/smtp/ident/etc... scans on the remote machine. I am fairly familiar with nmap itself, so I can figure out that part, but how do I get the services to auto call nmap with the remote machines IP? Admittedly, I haven't searched for any docs on my system that might explain this already... Feel free to point me to them or an FAQ however.

Thanks in advance, TTYL

--
Mike A. Harris
Linux advocate
GNU advocate
Computer Consultant
Open Source advocate

News for nerds, stuff that matters: http://slashdot.org
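The rotate / normalize / flood-check step that Mark Brown describes above (write IPs to a file, dedupe each minute, and hold the interval for a human instead of auto-profiling when too many new IPs appear), as an added Python example that is not from the original thread and not Abacus Sentry's own code. The one-line-per-probe log format, the sample lines and the function names (`bucket_by_minute`, `normalize`, `sanity_check`, `rotate_interval`) are assumptions; it goes slightly beyond the text by bucketing a timestamped log into one-minute intervals and checking each one.

```python
import re
from collections import defaultdict

# Constructed sample of the IP log the port monitor appends to: one
# "HH:MM:SS ip" line per probe (assumed format, not Abacus Sentry's).
# Minute 11:30 is quiet; minute 11:31 is a burst of distinct sources.
SAMPLE_LOG = """\
11:30:02 10.0.0.5
11:30:02 10.0.0.5
11:30:41 192.0.2.7
11:31:05 10.0.0.9
11:31:05 10.0.0.10
11:31:06 10.0.0.11
11:31:06 10.0.0.12
11:31:07 192.0.2.7
"""

LINE_RE = re.compile(r"^(\d{2}):(\d{2}):\d{2}\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def bucket_by_minute(log_text):
    """Group logged IPs by the one-minute interval they were seen in."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unparsable lines instead of aborting the rotation
        buckets[f"{m.group(1)}:{m.group(2)}"].append(m.group(3))
    return buckets


def normalize(ips):
    """Remove duplicate entries, keeping first-seen order."""
    return list(dict.fromkeys(ips))


def sanity_check(unique_ips, flood_threshold):
    """True when the interval looks like a flood (or a scan hidden in one)."""
    return len(unique_ips) >= flood_threshold


def rotate_interval(log_text, flood_threshold=300):
    """Per minute: dedupe, flood-check, and decide whether the IP list may be
    handed to the profiling box or must be held for human review."""
    decisions = {}
    for minute, ips in sorted(bucket_by_minute(log_text).items()):
        unique = normalize(ips)
        flagged = sanity_check(unique, flood_threshold)
        decisions[minute] = {
            "ips": unique,
            "flagged": flagged,
            "action": "hold for human review" if flagged else "pass to profiler",
        }
    return decisions
```

With the real threshold of 300 nothing in the tiny sample is flagged; pass a small `flood_threshold` (e.g. 4) to see the 11:31 burst held back.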