Nmap Announce mailing list archives
RE: Detected NMAP scan
From: "David G. Andersen" <danderse () cs utah edu>
Date: Wed, 6 Jan 1999 14:39:32 -0700 (MST)
Would it perhaps be impolite to suggest that if you detect a SYN port scan and start refusing all connections from that IP, your tool opens up a beautiful DOS attack against the host system? Since there's no three-way handshake to verify that the remote computer really is who they say they are, you can shut down connectivity to just about anyone with a few forged SYNs.

I think there are a few other problems with your patch. The relatively small number of IP addresses means that I could still scan your host if it started exhibiting this behavior - I'd simply need to scan it with 64 other addresses as well. Nmap already has this mode to disguise itself. The logging would be nice, but you'd still have to track down 65 source addresses.

The former problem, obviously, is a bit more pertinent.

-Dave

Lo and Behold, joff () newmonics com said:

> I've written a small (~30 line) patch to the linux 2.0 kernel that detects and masq's all scans (stealth, half-open, etc) and blocks them in mid scan so the attacker does not see any ports open. Take a look: http://www.geek-girl.com/bugtraq/1998_3/0008.html.
>
> //Jesse Off
>
> On Wed, 6 Jan 1999, Frank W. Keeney wrote:
>
> > I get scanned at least ten times a week! With the 1.x versions of nmap, Linux ipfwadm successfully logged all stealth scans in my lab.
> >
> > ----------
> > From: Lamont Granquist [SMTP:lamontg () raven genome washington edu]
> > Sent: Wednesday, January 06, 1999 12:40 PM
> > To: nmap-hackers () insecure org
> > Subject: Detected NMAP scan
> >
> > So, on Jan 3rd a machine that I admin got scanned, and with the ipfw.c hack that I posted previously, I recorded the following packets, suggesting that it was someone with nmap2. I thought I'd post it here as a sighting of nmap "in the wild":
> >
> > Jan 3 04:16:14 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62233 192.168.0.1:80
> > Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
> > Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
> > Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
> > Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62234 192.168.0.1:80
> > Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62235 192.168.0.1:80
> >
> > I've also identified people doing SYN scans of port 635 which is where mountd often/normally resides on a linux system.
--
Dave Andersen
work: danderse () cs utah edu
me: angio () pobox com
University of Utah
http://www.angio.net/
Computer Science - Flux Research Group
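The two objections in this message (a forged SYN can get an innocent address blocked, and spreading a scan across many source addresses keeps each one under a per-source threshold) can be seen concretely by running detection logic over log lines in the ipfw format Lamont quoted. The following is an added example, not code from the thread or from any of the posters: it parses such deny lines, flags scan candidates per source, models the auto-block policy under discussion to show what a forged source does to it, and goes one step beyond the message by also counting distinct probed ports at the host level, which a decoy spread does not lower. All addresses and log lines in it are constructed (RFC 5737 documentation ranges plus the 192.168.0.1 host from the quoted lines); the year is assumed from the thread's date because syslog lines carry none.

```python
"""Port-scan detection over ipfw 'fw-in deny' log lines, and why auto-blocking is risky.

Added example, not code from the thread. The log format follows the kernel lines
quoted in the thread; every address and line below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 1999  # syslog lines carry no year; assumed from the thread's date

# Matches e.g. "Jan 3 04:16:14 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62233 192.168.0.1:80"
# and ICMP lines, which carry "ICMP/<type>" and bare addresses without ports.
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"IP fw-in deny (?P<iface>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_line(line):
    """Return a record dict for one deny line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "proto": m["proto"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]) if m["dport"] else None}


def _max_distinct_ports(hits, window):
    """Largest number of distinct dest ports seen in any `window`-second span of (ts, port) hits."""
    hits = sorted(hits)
    best = 0
    for i, (t0, _) in enumerate(hits):
        ports = {p for t, p in hits[i:] if (t - t0).total_seconds() <= window}
        best = max(best, len(ports))
    return best


def per_source_candidates(records, min_ports=4, window=60):
    """Sources that probed >= min_ports distinct TCP/UDP ports within `window` seconds."""
    by_src = defaultdict(list)
    for r in records:
        if r["dport"] is not None:
            by_src[r["src"]].append((r["ts"], r["dport"]))
    flagged = {}
    for src, hits in by_src.items():
        n = _max_distinct_ports(hits, window)
        if n >= min_ports:
            flagged[src] = n
    return flagged


def host_level_probe_count(records, window=60):
    """Distinct ports probed on the host in any window, regardless of source.
    Spreading a scan over many source addresses lowers every per-source count but not this one."""
    return _max_distinct_ports([(r["ts"], r["dport"]) for r in records if r["dport"] is not None], window)


def naive_autoblock(records, min_ports=4, window=60):
    """Model of the reactive policy under discussion: block every flagged source outright.
    A denied SYN proves nothing about who really sent it, so a forged source address gets blocked too."""
    return set(per_source_candidates(records, min_ports, window))


def deny_line(second, proto, src, sport, dport, dst="192.168.0.1"):
    """Build one constructed log line in the quoted kernel format (second within 04:16)."""
    return (f"Jan 3 04:16:{second:02d} 6A:{dst} kernel: IP fw-in deny eth0 "
            f"{proto} {src}:{sport} {dst}:{dport}")


SCANNER = "192.0.2.10"                              # constructed: a single scanning host
DECOYS = [f"192.0.2.{n}" for n in range(11, 17)]    # constructed: six addresses sharing one scan
RESOLVER = "198.51.100.53"                          # constructed: the site's own DNS resolver, must never be blocked

# (a) one source, five ports in five seconds
LOG_SINGLE = [deny_line(14 + i, "TCP", SCANNER, 40000 + i, p) for i, p in enumerate([21, 22, 23, 25, 80])]

# (b) the same 12-port probe spread over six source addresses, two ports each
LOG_DECOY = [deny_line(20 + 2 * k + j, "TCP", src, 50000 + j, 100 + 2 * k + j)
             for k, src in enumerate(DECOYS) for j in range(2)]

# (c) SYNs whose source field carries the resolver's address, plus one ICMP echo line
LOG_FORGED = [deny_line(30 + i, "TCP", RESOLVER, 60000 + i, 80 + i) for i in range(4)]
LOG_FORGED.append(f"Jan 3 04:16:34 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 {RESOLVER} 192.168.0.1")


def analyse(lines):
    """Parse a batch of lines and return the views a defender would compare."""
    records = [r for r in map(parse_line, lines) if r is not None]
    return {"parsed": len(records),
            "per_source": per_source_candidates(records),
            "host_ports": host_level_probe_count(records),
            "would_block": naive_autoblock(records)}


if __name__ == "__main__":
    for name, log in [("single", LOG_SINGLE), ("decoy", LOG_DECOY), ("forged", LOG_FORGED)]:
        print(name, analyse(log))
```

Batch (a) is flagged by every view. Batch (b) shows the decoy problem: no source reaches the per-source threshold, yet the host-level count still reports twelve ports probed in one window, so aggregating by destination rather than by source keeps the alert while only the logging (not an automatic block) identifies the addresses involved. Batch (c) shows the forged-source problem: the naive policy would block the resolver's address on the strength of unverified SYNs alone, which is why the sensible output of such a detector is a log entry and an alert rather than a firewall rule.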