
Re: port-scanning. advise?



On Sat, Jan 13, 2001 at 05:15:30PM +0200, Konstantinos Margaritis wrote:
>   What makes me curious is the fact that no ip came from the same
> geographical area. Literally the ips resolved to machines from all the
> continents of the world! As if I was under global attack! :-)
> Of course these could be spoofed, but surely that is a really tough feat
> just for port-scanning.

 Not really.
 
 nmap -D ip,ip,...
 
 will throw in packets from the decoy IPs you give, as well ones with your
own source address.  (Otherwise it wouldn't be very useful...).

 I personally never use any of the "secret" stuff to prevent detection in
nmap.  If someone notices, they can ask me to stop if they don't like it.
Trying to hide your activities definitely makes you look bad if someone does
notice.  If you just use a simple connect() or half-open SYN-only scan, then
you have every reason to claim you were just curious (especially if you were
just curious).  Why would you hide your tracks unless you were hoping to
subsequently break in undetected?

 Well, I guess an answer to that question might be if you wanted to find out
something about a computer that some goof rigged up to do stupid stuff if it
detected a port scan, or even traffic to ports it didn't like, or if you
need to do something tricky to scan a machine through an annoying firewall.
I've never been in that situation, so I've always just used the ordinary
scans.  They're faster and more reliable.

 With that in mind, I'd be suspicious if I saw people doing FIN, null, or
christmas-tree scans. (These are the stealth scans nmap can do, IIRC.)  If I
saw a connect() or SYN scan, I would be inclined to think that it was just
casual curiosity.  I don't try to detect scans against my home computer on a
cable modem, since I only run sshd, exim, and a few simple things.  I have
some firewall rules that block ports I don't want people to access, no matter
what happens to the config files for the daemons.  (e.g. netbios-* ports, in
case I screw up and let Samba listen on 0.0.0.0, instead of just the
internal IPs.)  I'm not too concerned about attacks, since I'm not running
anything very complicated.  I check on my log messages every now and then,
though :)

 BTW, I did think twice before admitting the above on a public list, but
I'll take my chances :)
 
-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
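An added example, not code from this mail or from nmap: a small Python classifier that labels inbound probe packets by their TCP flag bits, so that the FIN, null and christmas-tree probes the mail singles out stand out from ordinary connect()/SYN ones when reviewing firewall logs. The packet records, addresses and the `min_ports` threshold are constructed assumptions for the example.

```python
from collections import Counter, defaultdict

# TCP flag bits in header order (RFC 793); constructed example, not the mail's code.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
STEALTHY = {"null", "fin", "xmas"}   # the "stealth" scans named in the mail

def classify_probe(flags: int) -> str:
    """Name the probe type implied by the TCP flags of a packet that arrived
    on a port with no existing connection (i.e. it is not part of a session)."""
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == (FIN | PSH | URG):
        return "xmas"
    if flags & SYN and not flags & ACK:
        return "syn"  # plain connect() or half-open SYN scan
    return "other"

def summarize(packets):
    """packets: iterable of (src_ip, dst_port, flags).
    Returns src_ip -> {"ports": distinct ports touched, "types": Counter}."""
    ports = defaultdict(set)
    types = defaultdict(Counter)
    for src, port, flags in packets:
        ports[src].add(port)
        types[src][classify_probe(flags)] += 1
    return {src: {"ports": len(ports[src]), "types": types[src]} for src in ports}

def suspicious_sources(packets, min_ports=5):
    """Sources that swept at least min_ports distinct ports using a stealthy
    flag combination; ordinary SYN sweeps are reported by summarize() only."""
    return sorted(
        src for src, info in summarize(packets).items()
        if info["ports"] >= min_ports and STEALTHY & set(info["types"])
    )

# Constructed sample: one ordinary SYN sweep, one Xmas sweep, one lone FIN.
SAMPLE = (
    [("203.0.113.5", p, SYN) for p in range(20, 30)]
    + [("198.51.100.9", p, FIN | PSH | URG) for p in range(20, 28)]
    + [("192.0.2.7", 22, FIN)]
)

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info["ports"], dict(info["types"]))
    print("suspicious:", suspicious_sources(SAMPLE))
```

A lone FIN packet is also what a normal, half-closed session can produce, which is why the threshold counts distinct ports before reporting a source.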


