On Thu, May 24, 2001, Boaz Rymland wrote about "[OT] ISPs and kid scanning your 
computer":
>...
> The thing is I get many many scans, and I can see only the non-stealth ones.
> I'm being scanned many times per connection to the net, which is nowadays
> almost daily. The unauthorized connection attempts are to various ports,
> including 137, 12345, etc' etc' other beautiful assortments... . 
> 
> I was wondering if people subscribed to other ISPs also get many scans as I,
> or this is something Barak excels at (having too many
> kids-with-much-spare-time-on-their-hands...) . 

This is happening all over, and is not specific to Barak. Crackers, worms, and
other "mar'in-bishin", as well as legitimate entities such as search engines,
global load balancers, and research companies are continuously probing
random addresses throughout IP space, and you're going to see these scans
in every provider, unless your provider has a firewall in front of you.

I get connection attempts (as well as more "stealthy" packets) to various
ports all the time: telnet, ftp, lpd, portmapper (several Linux distributions
had holes in the last two, so crackers are trying to use them), Windows SMB
ports, trojan backdoor ports, and other crap I don't recognize. It does no
harm, but it proves to me every day why investing a few hours in learning
ipchains and disabling most of the daemons on my home machine was a
smart move.

> BTW, obviously, Barak are extremely useful when I call them complaining
> about this situation that each time I connect through them I get scanned
> (god knows how many scans such as those were made when other people in my
> house connected via Windows).

Complaining to Barak won't do much good - it is not their fault, and there's
not much they can do about it except protect their network with a firewall
(and I know that I, for example, wouldn't want my dialup provider to enforce
its firewalling rules on me - I get enough of this crap at work).

What may help, in the long run, is looking at the IP addresses you get
connection attempts from, collecting this data from a large number of
volunteers (to screen out fake addresses - the issue of stealth scanning
is very complicated and interesting and I don't want to get into it right
now) and trying to automatically find machines which may be "owned" (previously
broken into) and warn their owners. Very rarely do you see a connection attempt
from the direct source of the attack.

One time, when I logged in through Netvision, I was sent ping packets, once
every second, for several hours, from one IP address. This did me no harm
(my firewall blocked them), so I just ignored it, but it wasted my poor
modem's bandwidth, and filled my logfile with annoying messages... I don't
know why anyone would want to keep a ping process running on a specific
address in Netvision's dialup IP range, but I guess some idiot did...


-- 
Nadav Har'El                        |      Thursday, May 24 2001, 2 Sivan 5761
[EMAIL PROTECTED]             |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |Why do doctors call what they do
http://nadav.harel.org.il           |practice? Think about it.
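
Added example, not part of the original message: a sketch of the volunteer log aggregation described above, keeping only sources that several independent volunteers' firewalls blocked. The log lines are constructed samples modeled on the ipchains `-l` "Packet log:" layout, and the volunteer names, addresses and `min_reporters` threshold are assumptions.

```python
import re
from collections import defaultdict

# ipchains "-l" kernel log line (layout assumed from the ipchains HOWTO), e.g.
#   Packet log: input DENY ppp0 PROTO=6 203.0.113.7:1042 192.0.2.10:137 L=48 ...
# For ICMP (PROTO=1) the two "port" slots hold the ICMP type and code.
LINE = re.compile(
    r"Packet log: \S+ (?:DENY|REJECT) \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ "
    r"\d+\.\d+\.\d+\.\d+:(?P<dport>\d+)")

def blocked(log_text):
    """Yield (src, proto, dport) for each blocked packet in one volunteer's log."""
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:  # ACCEPT lines and unrelated syslog noise do not match
            yield m["src"], int(m["proto"]), int(m["dport"])

def corroborated_sources(logs, min_reporters=2):
    """logs maps volunteer name -> log text. Return {src: (reporters, ports)}
    for sources blocked by at least min_reporters different volunteers."""
    seen_by, ports = defaultdict(set), defaultdict(set)
    for volunteer, text in logs.items():
        for src, proto, dport in blocked(text):
            seen_by[src].add(volunteer)
            ports[src].add((proto, dport))
    return {src: (sorted(seen_by[src]), sorted(ports[src]))
            for src in seen_by if len(seen_by[src]) >= min_reporters}

# Constructed sample logs using documentation address ranges, not real data.
SAMPLE_LOGS = {
    "volunteer_a": "\n".join([
        "May 24 10:01:07 home kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:1042 192.0.2.10:137 L=48 S=0x00 I=4321 F=0x4000 T=110",
        "May 24 10:01:09 home kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:1043 192.0.2.10:12345 L=48 S=0x00 I=4322 F=0x4000 T=110",
        "May 24 10:05:30 home kernel: Packet log: input DENY ppp0 PROTO=1 198.51.100.99:8 192.0.2.10:0 L=84 S=0x00 I=77 F=0x0000 T=50",
    ]),
    "volunteer_b": "\n".join([
        "May 24 11:12:40 box kernel: Packet log: input REJECT ppp0 PROTO=6 203.0.113.7:2210 192.0.2.77:12345 L=48 S=0x00 I=900 F=0x4000 T=109",
        "May 24 11:13:02 box kernel: Packet log: input DENY ppp0 PROTO=17 198.51.100.23:600 192.0.2.77:111 L=84 S=0x00 I=12 F=0x0000 T=52",
        "May 24 11:14:00 box kernel: Packet log: input ACCEPT ppp0 PROTO=6 203.0.113.50:1100 192.0.2.77:80 L=60 S=0x00 I=13 F=0x4000 T=60",
    ]),
}

if __name__ == "__main__":
    for src, (who, what) in corroborated_sources(SAMPLE_LOGS).items():
        print(src, "reported by", who, "probing (proto, port)", what)
```

Requiring several reporters only filters out sources a single volunteer saw; it does not by itself settle whether an address was spoofed.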
