Security Incidents: Re: Attack attempts from 195.86.128.45

[Fred van Engen <fred.van.engen () xbn nl>]

Hi,

On Tue, May 13, 2003 at 10:12:53AM +0200, Rune Kristian Viken wrote:
> This, quite frankly, is blatant abuse of other people's bandwidth.  If I 
> read your post correctly, you're scanning _all ports_, 10.000 ports at a 
> time.  60 bytes goes to the SYN, 60 bytes to the SYN/ACK, 52 more bytes to 
> the ACK.  Then the actual data needed to be sent to determine wheter it is 
> a socksproxy, wingate or whatever ... I'll guesstimate at least 100bytes 
> more in each direction, plus the FIN/ACK packets, which means another 52 
> bytes in each direction.  This means something in the range of 260bytes 
> incoming per port.  260 * 10.000 = 260.000 bytes per 'increment' of your 
> scan, per IP.
For closed ports, that will be just an incoming SYN and an outgoing RST.
Most ports are closed, so the average amount of data sent will be a SYN
and RST only. That's 60 incoming bytes, or even less if I'm correct.


> Now, I used to have a 33k6bps always-on connection, with a /27 IP-range.  
> This means your abusive scanning would waste 32*260.000 = 8.3MB for every 
They scan only IP addresses that sent them mail, which is none of your
addresses if you use your ISP's mail server, or just one if you use your
own.


> 'increment' of your scan.  If I still had that 33k6 connection, I would get 
> 3.5kb/s incoming ..  amounting to you wasting 40 minutes of my total 
> bandwidth for every increment of your self-rightous scanning.
That would be 1*60*10.000 bytes over your 3.5KB dial-up line, which
probably even used data compression and TCP header compression. That is
well below 20 seconds for the 10.000 port scan. And then you're assuming
a connection that is not very likely for people running a mailserver
without smarthost.


> This pain is not acceptable.
>
> Your scanning is quite frankly worse than most spammers - for a lot of 
> people.  The argument for running blocklist is that spammers waste 
> bandwidth.  You waste FAR more bandwidth for a lot of people.  This is a 
> thypical example of the 'cure' *killing* the patient instead of helping.
Bandwidth is not the only problem. Annoyed people is another good
argument.


Regards,

Fred.

-- 
Fred van Engen                              XB Networks B.V.
email: fred.van.engen () xbn nl                Televisieweg 2
tel: +31 36 5462400                         1322 AC  Almere
fax: +31 36 5462424                         The Netherlands

----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies 
that are enforced to protect WLANs from known vulnerabilities and threats. 
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:    
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------