Security Basics mailing list archives
Re: Network scanning: Continued (newbie)
From: "Adam Newhard" <atnewhard () microstrain com>
Date: Mon, 18 Aug 2003 08:58:49 -0400
Why don't you just regulate the IP numbers... in other words, if a machine goes off the network, that IP can no longer be used... you control the IPs completely. Pretty much the same idea as MAC filtering. Then, no matter what he does he won't get an IP address and won't be able to do beans.

This might be a little off, but you might like this article on Security Focus about physically tracking down a machine... someone here probably has a link to it... I don't and unfortunately I don't have time to search for it... scan some of the Security Focus archives.

adam

----- Original Message -----
From: "Christos Gioran" <himicos () freemail gr>
To: "security-basics" <security-basics () securityfocus com>
Sent: Friday, August 15, 2003 4:17 PM
Subject: Network scanning: Continued (newbie)
Hi all,

The recent conversation titled network scanning inspired me to ask the following: Say an imaginary attacker sniffs traffic of a network, having plugged in through a rogue cable. One of the solutions proposed would be to ping sweep the network on regular time intervals checking on the responses. Suppose the attacker raises a firewall with a simple ruleset like (not exact iptables syntax):

    input --protocol any -j ACCEPT
    output --protocol any -j DROP

and to be paranoid add this:

    input --protocol icmp -j DROP

In iptables, if I am correct, the target DROP causes the packet to be silently dropped. Then this would remedy this approach, correct?? The idea is that all outgoing packets will be dropped and only incoming traffic will be monitored, as the attacker desires. This having been said, is the use of special wiring anymore required?

Forgive me for bringing the subject up again but when I originally posted this question (2003-08-13) I was ignored. If I did something wrong please let me know. The posting mentioning the ICMP approach follows.

cheers
CG

One thing that you could do is use a tool that would send an ICMP packet to all possible addresses in your particular network. That won't detect all connecting hosts, in particular if someone jacks in to sniff only, but that assumes that your network is hub based. If your network is switch based then people will have a hard time logging in and sniffing without being detected as they'd normally have to ARP poison the switch or do something else that would be detectable.

So... the simple 99% answer is, ping all possible IP addresses once, if you get a response from an address that's not supposed to be there... well... then you'll know.

Also, if you use DHCP then you could watch the DHCP log for new systems... that's not super difficult either.
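Added example, not part of the original posts: a Python sketch of the two checks the thread mentions, watching the DHCP log for systems that are not in a controlled MAC-to-IP inventory and comparing ping-sweep responders against the addresses that are supposed to exist. The log line format (ISC dhcpd style), the inventory, the sample log lines and all function names are assumptions constructed for illustration. As the thread notes, a host that only listens, never requests a lease and never answers a ping, appears in neither check.

```python
import re

# Assumed ISC dhcpd style syslog line:
#   DHCPACK on <ip> to <mac> (<hostname>) via <iface>
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
)

# Constructed inventory: each MAC allowed on the segment and its reserved IP.
INVENTORY = {
    "00:16:3e:00:00:01": "192.0.2.10",
    "00:16:3e:00:00:02": "192.0.2.11",
}

# Constructed sample log lines (documentation address range).
SAMPLE_LOG = """\
Aug 18 08:01:12 gw dhcpd: DHCPACK on 192.0.2.10 to 00:16:3e:00:00:01 (ws-01) via eth0
Aug 18 08:03:40 gw dhcpd: DHCPDISCOVER from 00:16:3e:aa:bb:cc via eth0
Aug 18 08:03:41 gw dhcpd: DHCPACK on 192.0.2.57 to 00:16:3E:AA:BB:CC (laptop) via eth0
Aug 18 08:05:02 gw dhcpd: DHCPACK on 192.0.2.99 to 00:16:3e:00:00:02 (ws-02) via eth0
"""

def audit_leases(log_text, inventory):
    """Return (kind, mac, ip) findings for granted leases that break the inventory."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue  # only granted leases are checked
        mac, ip = m.group("mac").lower(), m.group("ip")
        if mac not in inventory:
            kind = "unknown-mac"   # machine nobody registered
        elif inventory[mac] != ip:
            kind = "wrong-ip"      # known machine outside its reservation
        else:
            continue
        if (kind, mac, ip) not in seen:  # report each distinct event once
            seen.add((kind, mac, ip))
            findings.append((kind, mac, ip))
    return findings

def responders_not_expected(responders, inventory):
    """IPs that answered a ping sweep but are reserved for no known machine."""
    return sorted(set(responders) - set(inventory.values()))

if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_LOG, INVENTORY):
        print(*finding)
```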