
Re: How to avoid port scanners



On Thu, 17 Jan 2002, Vince Mulhollon wrote:

> (3) Distributed scan system where each compromised "attacking" system
> probes exactly one probe once.  When an individual attacker is firewalled,
> the next attacker begins.
>
> I've not seen an automated system like that, but it's not rare at all for a
> fully manual system.  Somebody's got ten cracked systems, they've got ten
> tries to break into a new box, one attempt from each.
>
> Blocking a single /32 per attack only stops the lamest skript kiddies, who
> are precisely the most harmless of the skript kiddies.
>
> Not much gain, for too much pain.

Or even two boxes on different subnets - one to scan and get blocked, one
to send a sploit. Or the more common method: why bother scanning at all,
just send mass exploit attempts, à la the swarm of recent IIS worms.

Mass scans *are* useful to blackhats for "preseeding" worms with
potentially vulnerable hosts, if you record version numbers of daemons and
wait for a new hole to be uncovered. But the vast majority of attackers
seem to just use the brute force, try and exploit every machine on the
routed internet.

Like you said, it has a very low payback for the irritation it could
cause.

Adam Lydick
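An added example, not part of the original thread or either poster's setup, to make the point above concrete: a per-source "/32 blocker" counts ports touched by one address and will flag the single-host scanner, while the distributed pattern (each compromised host probes exactly one port once) never crosses its threshold. Correlating by destination instead does see it. The log format (`<ts> SRC=<ip> DST=<ip> DPT=<port>`), the thresholds, and every log line are constructed for this example.

```python
"""Added example (not from the original thread): per-source scan blocking
versus per-destination correlation of a distributed scan.

The log format and all sample lines are constructed for this example and
loosely mimic a firewall drop log:  <ts> SRC=<ip> DST=<ip> DPT=<port>
"""
import re
from collections import defaultdict

# Constructed sample log.  First block: one host hits six ports of one
# target (the "lame" scanner).  Second block, ten minutes later: six
# distinct hosts each probe exactly one port of the same target once
# (the distributed pattern described in the thread).
SAMPLE_LOG = """\
1011234000 SRC=198.51.100.7 DST=203.0.113.10 DPT=21
1011234001 SRC=198.51.100.7 DST=203.0.113.10 DPT=22
1011234001 SRC=198.51.100.7 DST=203.0.113.10 DPT=25
1011234002 SRC=198.51.100.7 DST=203.0.113.10 DPT=80
1011234002 SRC=198.51.100.7 DST=203.0.113.10 DPT=110
1011234003 SRC=198.51.100.7 DST=203.0.113.10 DPT=143
1011234600 SRC=192.0.2.11 DST=203.0.113.10 DPT=21
1011234601 SRC=192.0.2.12 DST=203.0.113.10 DPT=22
1011234602 SRC=192.0.2.13 DST=203.0.113.10 DPT=25
1011234603 SRC=192.0.2.14 DST=203.0.113.10 DPT=80
1011234604 SRC=192.0.2.15 DST=203.0.113.10 DPT=110
1011234605 SRC=192.0.2.16 DST=203.0.113.10 DPT=143
"""

LINE_RE = re.compile(r"^(\d+) SRC=(\S+) DST=(\S+) DPT=(\d+)$")


def parse_log(text):
    """Return a list of (ts, src, dst, dport) tuples; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport = m.groups()
            events.append((int(ts), src, dst, int(dport)))
    return events


def per_source_scanners(events, port_threshold=5):
    """The classic /32 blocker: flag a source once it has touched at least
    `port_threshold` distinct ports on a single destination.  Each host in
    the distributed block touches one port, so none of them is ever flagged."""
    ports = defaultdict(set)
    for _, src, dst, dport in events:
        ports[(src, dst)].add(dport)
    return sorted(src for (src, _), p in ports.items() if len(p) >= port_threshold)


def distributed_scan_targets(events, window=60, source_threshold=5):
    """Correlate by destination instead: within `window` seconds, at least
    `source_threshold` distinct sources probing at least that many distinct
    ports of one destination.  Returns {dst: sorted list of sources}."""
    by_dst = defaultdict(list)
    for ts, src, dst, dport in events:
        by_dst[dst].append((ts, src, dport))
    hits = {}
    for dst, probes in by_dst.items():
        probes.sort()
        for i in range(len(probes)):  # sliding window anchored at probe i
            start = probes[i][0]
            srcs, ports = set(), set()
            for ts, src, dport in probes[i:]:
                if ts - start > window:
                    break
                srcs.add(src)
                ports.add(dport)
            if len(srcs) >= source_threshold and len(ports) >= source_threshold:
                hits[dst] = sorted(srcs)
                break
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-source blocker flags:", per_source_scanners(evts))
    print("per-destination correlation flags:", distributed_scan_targets(evts))
```

Note what the second detector actually gives you: a destination that is being mapped and the set of one-shot sources involved, not a single /32 worth blocking. Blocking all of them after the fact buys nothing, since each has already done its one probe, which is the low-payback outcome the thread describes.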


