Nmap Announce mailing list archives

Re: Scanning hosts connecting to a linuxbox.


From: ace24 <ace24 () gmx net>
Date: Mon, 15 Feb 1999 18:22:26 +0100

Monday, 15 February 1999, Max wrote:

  I am surprised at the views taken by the "general public".  See the
hacker vigilante polls on CNN lately?  People think it's ok to strike
back!  But what are their criteria?  Do they have a clue?
  There are very few cases where a connection to one's site can be
authenticated to be from the apparent source.  The vast majority of
traffic that sysadmins are "responsive" to can be easily forged, and
possibly used to frame someone.  (Starting wars is *easy* and some people
think it's fun.  Blackhats exist.)
  Of the public remote Denial Of Service attacks that I am aware of, more
than 9 out of 10 of them are either ICMP or UDP, and almost all are
one-off, fire and forget.  Most DOS scripts have command line options for
the source IP.
  Portscanning has come of age and now decoy storm methods such as
sl0wscan and nmap -D have joined the ranks of ftp bounce and other
proxy-based scans.  With 100 source IPs how smart does one's
IDS-Return-Fire system sound?  Let alone reverse scanning...

I agree with you here; currently someone is spoofing one of the
IPs I admin (209.218.208.120) and using it to scan the whole internet
for port 143 in an attempt to get us to remove the domain that's using it.
I have received 6 mails from paranoid sysadmins already.
If each of the IPs he scanned started doing reverse scans/return-fire
on that IP it would be worse than a smurf attack.
He connects to 1 port, your system detects it and starts a
portscan of ports 0-65535 on our machine -> a tcp amplifier of 65535.
We could get our provider to block icmp to our c-class at the router if
smurf attacks got bad; even udp to most ports could be dropped. But
dropping tcp from all for a commercial shell provider?
I think sending a mail for a few SPOOFED packets to port 143 is already a bit
excessive, even if you are security conscious. Reverse scanning for a
few connection attempts (that might be spoofed) is exaggerated and dangerous.
Not everyone supposedly scanning you is a bad guy; some are just victims.

- Ace24 (ace24 () gmx net)
Admin at lucian.net, coolnet.net and morillton.net
PGP key available, mail ace24 () gmx net with "PGP KEY REQUEST" in the subject line.
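The amplification argument in the message above, as an added example that is not part of the original thread: a small Python model contrasting a return-fire policy that reacts to every bare SYN with one that reacts only to sources that completed a TCP handshake, which a forged source address cannot do. All log lines are constructed; 192.0.2.77 and 198.51.100.9 are documentation addresses used as stand-ins, and 209.218.208.120 is the spoofed address named in the message.

```python
from collections import defaultdict

PORTS_PER_SCAN = 65535  # a full reverse portscan, as described in the message

# Constructed sample of inbound packets seen at the defender: (src, dport, flags).
# The spoofed address only ever shows bare SYNs: the real owner of that address
# never receives our SYN-ACK, so it can never send the final ACK.
SAMPLE_LOG = [
    ("209.218.208.120", 143, "S"),
    ("209.218.208.120", 143, "S"),
    ("192.0.2.77", 22, "S"),      # constructed: a genuine client connecting
    ("192.0.2.77", 22, "A"),      # ...and completing the 3-way handshake
    ("198.51.100.9", 143, "S"),   # constructed: another forged probe
]


def syn_sources(log):
    """What a naive return-fire IDS reacts to: every bare SYN, one reaction each."""
    return [src for src, _, flags in log if flags == "S"]


def handshake_sources(log):
    """Sources that completed a 3-way handshake (SYN, then ACK on the same port).
    Assumes unpredictable initial sequence numbers, so the ACK proves the source
    actually received our SYN-ACK; a forged source address cannot produce it."""
    pending, done = set(), set()
    for src, dport, flags in log:
        if flags == "S":
            pending.add((src, dport))
        elif flags == "A" and (src, dport) in pending:
            done.add(src)
    return done


def return_fire_load(log, policy, ports=PORTS_PER_SCAN):
    """Unsolicited packets each source address would receive from ONE reacting
    site under the given policy. For a spoofed address, that is the victim."""
    load = defaultdict(int)
    for src in policy(log):
        load[src] += ports
    return dict(load)


if __name__ == "__main__":
    naive = return_fire_load(SAMPLE_LOG, syn_sources)
    strict = return_fire_load(SAMPLE_LOG, handshake_sources)
    for src in sorted(set(naive) | set(strict)):
        print(f"{src:16} react-to-SYN={naive.get(src, 0):7d}"
              f"  react-to-handshake={strict.get(src, 0):7d}")
```

With the SYN policy, two forged packets carrying the spoofed address cost that innocent host 131070 probes from a single reacting site; with the handshake policy it receives none.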
