Monday, 15 February 1999, Max wrote:
> I am surprised at the views taken by the "general public". Seen the
> hacker vigilante polls on CNN lately? People think it's OK to strike
> back! But what are their criteria? Do they have a clue?
> There are very few cases where a connection to one's site can be
> authenticated to be from the apparent source. The vast majority of
> traffic that sysadmins are "responsive" to can be easily forged, and
> possibly used to frame someone. (Starting wars is *easy* and some people
> think it's fun. Blackhats exist.)
> Of the public remote Denial Of Service attacks that I am aware of, more
> than 9 out of 10 of them are either ICMP or UDP, and almost all are
> one-off, fire and forget. Most DOS scripts have command line options for
> the source IP.
> Portscanning has come of age and now decoy storm methods such as
> sl0wscan and nmap -D have joined the ranks of ftp bounce and other
> proxy-based scans. With 100 source IPs, how smart does one's
> IDS-Return-Fire system sound? Let alone reverse scanning...
I agree with you here; currently someone is spoofing one of the
IPs I admin (209.218.208.120) and using it to scan the whole internet
for port 143 in an attempt to get us to remove the domain that's using it.
I have received 6 mails from paranoid sysadmins already.
If each of the IPs he scanned started doing reverse scans/return-fire
on that IP it would be worse than a smurf attack.
He connects to 1 port, your system detects it and starts a
portscan of ports 0-65535 on our machine -> a TCP amplifier of 65535.
We could get our provider to block ICMP to our c-class at the router if
smurf attacks got bad; even UDP to most ports could be dropped. But
dropping TCP from all for a commercial shell provider?
I think sending a mail for a few SPOOFED packets to port 143 is already a bit
excessive, even if you are security conscious. Reverse scanning for a
few connection attempts (that might be spoofed) is exaggerated and dangerous.
Not everyone supposedly scanning you is a bad guy; some are just victims.
- Ace24 (ace24_at_gmx.net)
Admin at lucian.net, coolnet.net and morillton.net
PGP key available, mail ace24_at_gmx.net with "PGP KEY REQUEST" in the subject line.
Received on Feb 15 1999
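The thread's point is that a source address on a lone SYN, UDP or ICMP packet proves nothing, so any automated reaction (abuse mail, let alone return-fire) should first ask whether the source is corroborated at all. The triage below is an added example, not code from either poster: it reads constructed IDS log lines in a hypothetical key=value format, treats only TCP events that reached the established state as corroborated (a blindly spoofed or decoy SYN never completes the handshake), and recommends at most a notification to the remote admin, never a reverse scan.

```python
import re
from collections import defaultdict

# Constructed sample IDS log (hypothetical format, not from the original post).
# 209.218.208.120 is the address the poster says is being spoofed: SYN-only hits to 143.
SAMPLE_LOG = """\
1999-02-15T10:01:03 proto=tcp src=209.218.208.120 dport=143 state=syn_only
1999-02-15T10:01:04 proto=tcp src=209.218.208.120 dport=143 state=syn_only
1999-02-15T10:02:11 proto=udp src=198.51.100.7 dport=53 state=none
1999-02-15T10:03:45 proto=icmp src=198.51.100.7 dport=0 state=none
1999-02-15T10:05:00 proto=tcp src=203.0.113.9 dport=143 state=established
1999-02-15T10:05:01 proto=tcp src=203.0.113.9 dport=110 state=established
"""

LINE_RE = re.compile(r"proto=(\w+) src=(\S+) dport=(\d+) state=(\w+)")


def parse_events(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            proto, src, dport, state = m.groups()
            events.append({"proto": proto, "src": src, "dport": int(dport), "state": state})
    return events


def corroboration(event):
    """A completed TCP handshake rules out blind spoofing (and nmap -D style decoys).
    UDP, ICMP and SYN-only TCP carry no such evidence, so the source is unverifiable.
    Even 'corroborated' does not prove intent: the host may itself be a compromised victim."""
    if event["proto"] == "tcp" and event["state"] == "established":
        return "corroborated"
    return "unverifiable"


def triage(text, notify_threshold=2):
    """Per source: event count, corroborated count and a conservative action.
    'notify' (mail the remote admin) only when enough corroborated events exist;
    everything else is 'log_only'. No option for return-fire or reverse scanning."""
    summary = defaultdict(lambda: {"events": 0, "corroborated": 0, "action": "log_only"})
    for ev in parse_events(text):
        entry = summary[ev["src"]]
        entry["events"] += 1
        if corroboration(ev) == "corroborated":
            entry["corroborated"] += 1
    for entry in summary.values():
        if entry["corroborated"] >= notify_threshold:
            entry["action"] = "notify"
    return dict(summary)
```

Run against the sample, the spoofed address and the UDP/ICMP sender both stay at log_only, while the host that completed two handshakes is flagged for a notification mail.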