Security Incidents mailing list archives

Re: @home: Is *anyone* really home there???
From: annis () BIOSTAT WISC EDU (William Annis)
Date: Fri, 3 Mar 2000 15:54:04 -0600


Date:         Thu, 2 Mar 2000 16:34:30 -0500
From: "Greg A. Woods" <woods () most weird com>

As a side note I should mention that I find it quite interesting that
it's almost never the case that all of my hosts receive portmap requests
from the same source.

        I have seen RPC dump scans of our entire class C's originating
from the same source address.  Of course I also see the random
requests from all over, too, spread over days.

                       Either such tools are randomising the source
address and using some other means of reply detection; or they are
distributing the scanning (and not all scanners are operating in sync
and thus the probes I see across my network are also randomly
distributed in time);

        Has anyone done any sort of statistical analysis of scanning
behavior against their networks?  I came up with a fairly bizarre
mechanism inspired by my desire *not* to get paged for every single
host scanned.  See http://www.biostat.wisc.edu/~annis/mom3/help/tr_event.html
for the algorithm which analyzes the rate of security events.  It
seems to match fairly well for various port and service scans, at
least for the last few months of data.

        I'd love to know if people have better mechanisms for event
time analysis.

                      or perhaps people don't actually scan entire
networks using this kind of test.

        They do.  It's very subtle. :)

        Anecdote: I contacted the owner of one ISP after getting a
full RPC dump() sweep.  He insisted up one side and down the other
that the source IP - his - was spoofed.  Can anyone explain to me the
purpose of doing a dump() scan if you never see the data?  I can't
think of anything, but information about low-level networking
sometimes takes me a while to absorb.

--
William Annis - System Administrator - Biomedical Computing Group
annis () biostat wisc edu                       PGP ID:1024/FBF64031
Mi parolas Esperanton - La Internacian Lingvon  www.esperanto.org
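As an added illustration of the per-source aggregation the post asks about (this is not William Annis's tr_event algorithm and not code from the thread): constructed portmap-probe log lines are grouped by source address and a single verdict is produced per source, so a full sweep of a network raises one alert rather than one page per host, while widely spaced probes from the same address stay tagged as scattered. The log format, window and host threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log of portmap (111/tcp) probes: "ISO-time src dst".
# The format is an assumption for this example, not a real sensor format.
SAMPLE_LOG = """\
2000-03-02T10:00:01 198.51.100.7 192.0.2.1
2000-03-02T10:00:02 198.51.100.7 192.0.2.2
2000-03-02T10:00:02 198.51.100.7 192.0.2.3
2000-03-02T10:00:03 198.51.100.7 192.0.2.4
2000-03-02T10:00:03 198.51.100.7 192.0.2.5
2000-03-01T08:15:00 203.0.113.9 192.0.2.17
2000-03-03T22:40:00 203.0.113.9 192.0.2.40
"""


def parse_events(text):
    """Return a time-sorted list of (timestamp, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return sorted(events)


def classify_sources(events, window=timedelta(minutes=5), min_hosts=4):
    """Tag each source 'sweep' if it touched min_hosts or more distinct
    targets inside any sliding window of the given length, else 'scattered'.
    Thresholds are assumed values; tune them to the network being watched."""
    by_src = defaultdict(list)
    for ts, src, dst in events:
        by_src[src].append((ts, dst))
    verdicts = {}
    for src, hits in by_src.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits within `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            best = max(best, distinct)
        verdicts[src] = "sweep" if best >= min_hosts else "scattered"
    return verdicts


if __name__ == "__main__":
    print(classify_sources(parse_events(SAMPLE_LOG)))
```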


