On Sat, Jan 13, 2001 at 05:15:30PM +0200, Konstantinos Margaritis wrote:
>   What makes me curious is the fact that no ip came from the same
> geographical area. Literraly the ips resolved to machines from all the
> continents of the world! As if I was under global attack! :-)
> Of course these could be spoofed, but surely that is a really tough feat
> just for port-scanning.

 Not really.
 
 nmap -D ip,ip,...
 
 will throw in packets from the decoy IPs you give, as well ones with your
own source address.  (Otherwise it wouldn't be very useful...).

 I personally never use any of the "secret" stuff to prevent detection in
nmap.  If someone notices, they can ask me to stop if they don't like it.
Trying to hide your activities definitely makes you look bad if someone does
notice.  If you just use a simple connect() or half-open SYN-only scan, then
you have every reason to claim you were just curious (especially if you were
just curious).  Why would you hide your tracks unless you were hoping to
subsequently break in undetected?

 Well, I guess an answer to that question might be if you wanted to find out
something about a computer that some goof rigged up to do stupid stuff if it
detected a port scan, or even traffic to ports it didn't like, or if you
need to do something tricky to scan a machine through an annoying firewall.
I've never been in that situation, so I've always just used the ordinary
scans.  They're faster and more reliable.

 With that in mind, I'd be suspicious if I saw people doing FIN, null, or
christmas-tree scans. (These are the stealth scans nmap can do, IIRC.)  If I
saw a connect() or SYN scan, I would be inclined to think that it was just
casual curiosity.  I don't try to detect scans against my home computer on a
cable modem, since I only run sshd, exim, and a few simple things.  I have
some firewall rules that block ports I don't want people to access, no matter
what happens to the config files for the daemons.  (e.g. netbios-* ports, in
case I screw up and let Samba listen on 0.0.0.0, instead of just the
internal IPs.)  I'm not too concerned about attacks, since I'm not running
anything very complicated.  I check on my log messages every now and then,
though :)

 BTW, I did think twice before admitting the above on a public list, but
I'll take my chances :)
 
-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to