On Mon, 26 Jul 1999, Derek Martin wrote:
> On Fri, 23 Jul 1999, Paul D. Robertson wrote:
>
> > > Agreed. As I said, I have no problem busting people that actually DO
> > > something. I see no problem with using evidence of a port scan as
> > > establishing a pattern, once an ACTUAL BREAK-IN has occurred, but it is
> > > not in-and-of-itself harmful or dangerous to network security.
> >
> > Portscanning *can* be harmful to the network equipment, vigorous
> > portscanning *can* make network-based equipment unavailable to legitimate
> > users, and poorly-written stacks in such equipment can die when handed
> > fragmented packets typically used for "stealth scanning."
>
> Again, this problem is your VENDOR's fault. Properly written TCP/IP
> stacks will not have this problem. Complain to your vendor. A port scan
> doesn't do anything that a legitimate user doesn't do (except that it
> does it to a bunch of ports instead of just one), so your hardware is
> BROKEN.
Derek, this is incorrect, and not a good attempt to avoid the point(s)
made by Paul and others here on this topic also. What legitimate user
sends only fin or syn packets to a broad range of ports? Which protocol
or tcp/ip service implements null scans to achieve its means? Scanners
form packets, fragments of, and combinations of packets that do not
constitute normal, legitimate usage patterns, and thus most leave a
distinctive footprint in the logs of the systems being scanned. Many of
the DOS and intrusion methods recently used do much the same thing, taking
advantage of previously unknown broken tcp/ip stacks and services. It's
also when vulnerabilities like this are noted in these security related
lists that the incidence of 'non-authorized' scans probing for such
weaknesses increases.
Thanks,
Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
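
The log footprint described in the message above can be checked mechanically. The following is an added example, not part of the original thread: it groups lone-FIN, lone-SYN and flagless (null) packets by source and reports any source that sent them to several ports. The log format, the addresses and the `min_ports` threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical packet-filter log format.
# flags: S=SYN, A=ACK, F=FIN, "-" = no flags set (null packet).
SAMPLE_LOG = """\
10:00:01 src=198.51.100.7 dst=192.0.2.10 dpt=21 flags=F
10:00:01 src=198.51.100.7 dst=192.0.2.10 dpt=22 flags=F
10:00:01 src=198.51.100.7 dst=192.0.2.10 dpt=23 flags=F
10:00:02 src=198.51.100.7 dst=192.0.2.10 dpt=25 flags=F
10:00:05 src=203.0.113.9 dst=192.0.2.10 dpt=79 flags=-
10:00:05 src=203.0.113.9 dst=192.0.2.10 dpt=80 flags=-
10:00:05 src=203.0.113.9 dst=192.0.2.10 dpt=110 flags=-
10:00:09 src=192.0.2.50 dst=192.0.2.10 dpt=80 flags=S
10:00:09 src=192.0.2.50 dst=192.0.2.10 dpt=80 flags=A
10:00:12 src=192.0.2.50 dst=192.0.2.10 dpt=80 flags=FA
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dpt=(\d+) flags=(\S+)")

def probe_type(flags):
    """Return 'null', 'fin' or 'syn' for a lone-flag packet, else None."""
    present = set(flags) - {"-"}
    if not present:
        return "null"
    if present == {"F"}:
        return "fin"   # FIN without ACK: not sent on an established connection
    if present == {"S"}:
        return "syn"   # normal for one port; suspicious across many
    return None

def find_scanners(log_text, min_ports=3):
    """Map (src, dst, probe type) to the sorted ports probed, when >= min_ports."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dpt, flags = m.groups()
        kind = probe_type(flags)
        if kind:
            seen[(src, dst, kind)].add(int(dpt))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}

if __name__ == "__main__":
    for (src, dst, kind), ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {kind} probes to ports {ports}")
```

The ordinary client in the sample (one SYN, then ACK and FIN+ACK on a single port) is not reported, while both multi-port sources are.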