Nmap Announce mailing list archives
Re: Scanning hosts connecting to a linuxbox.
From: ace24 <ace24 () gmx net>
Date: Mon, 15 Feb 1999 18:22:26 +0100
Monday, 15 February 1999, Max wrote:
I am surprised at the views taken by the "general public". See the hacker vigilante polls on cnn lately? People think it's ok to strike back! But what are their criteria? Do they have a clue? There are very few cases where a connection to one's site can be authenticated to be from the apparent source. The vast majority of traffic that sysadmin are "responsive" to can be easily forged, and possibly used to frame someone. (Starting wars is *easy* and some people think it's fun. Blackhats exist.) Of the public remote Denial Of Service attacks that I am aware, more than 9 out of 10 of them are either ICMP or UDP, and almost all are one-off, fire and forget. Most DOS scripts have command line options for the source IP. Portscanning has come of age and now decoy storm methods such as sl0wscan and nmap -D have joined the ranks of ftp bounce and other proxy-based scans. With 100 source IP's how smart does one's IDS-Return-Fire system sound? Let alone reverse scanning...
I agree with you here, currently someone is spoofing one of the ips i admin (209.218.208.120) and using it to scan the whole internet for port 143 in an attempt to get us to remove the domain thats using it. I have recevied 6 mails from paranoid sysadmins already. If each of the ips he scanned started doing reverse scans/return-fire on that ip it would be worse than a smurf attack. He connects to 1 port, your system detects it and starts a portscan of ports 0-65535 on our machine -> a tcp amplifier of 65535. We could get our provider to block icmp to our c-class at the router if smurf attacks got bad, even udp to most ports could be dropped. But dropping tcp from all for a commercial shell provider ? I think sending a mail for a few SPOOFED packets to port 143 is already a bit excessive, even if you are security concious. Reverse scanning for a few connection attempts (that might be spoofed) is exagerated and dangerous. Not everyone supposedly scanning you are bad guys, some are just victims. - Ace24 (ace24 () gmx net) Admin at lucian.net, coolnet.net and morillton.net PGP key available, mail ace24 () gmx net with "PGP KEY REQUEST" in the subject line.
Current thread:
- Scanning hosts connecting to a linuxbox. Mike A. Harris (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Rasmus Andersson (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Simple Nomad (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Lance Spitzner (Feb 14)
- Re: Scanning hosts connecting to a linuxbox. Simple Nomad (Feb 14)
- Re: Scanning hosts connecting to a linuxbox. Max Vision (Feb 14)
- Re: Scanning hosts connecting to a linuxbox. ace24 (Feb 15)
- Re: Scanning hosts connecting to a linuxbox. Simple Nomad (Feb 15)
- Re: Scanning hosts connecting to a linuxbox. Lance Spitzner (Feb 14)
- RE: Scanning hosts connecting to a linuxbox. Dragos Ruiu (Feb 13)
- <Possible follow-ups>
- RE: Scanning hosts connecting to a linuxbox. Brown, Mark (Feb 12)
- Re: Scanning hosts connecting to a linuxbox. Chris St. Clair (Feb 15)
- Re: Scanning hosts connecting to a linuxbox. Bryan Seitz (Feb 15)