Nmap Announce mailing list archives
Re: Scanning hosts connecting to a linuxbox.
From: Simple Nomad <thegnome () nmrc org>
Date: Mon, 15 Feb 1999 19:55:05 -0600 (CST)

As far as scanning goes, this boils down to a fundamental fact -- the real
purpose behind port scanning and fingerprinting is to take a remote
inventory of the potential security posture of a remote machine. Oh sure,
it is possible that creative people have found alternate uses for such
tools as nmap, but truthfully the "real" reason is as I stated it. What we
do with that information is important. If we are checking our systems to
secure them, then we secure them. If we are doing a penetration test, we
penetrate. And if we are a black hat/script kiddie/cracker/cyber-terrorist
(the media can take their pick on the label) then we r00t 'em.

The MAIN reason I occasionally reverse scan (manually, mind you) is to
see exactly how vulnerable the possible attacking host is. I always ASSUME
the scan/probe/rootscript/attack is coming from someone else's r00ted
host, although there are still a handful of very stupid people who hack
from their own machine. If the attacking box is real annoying me, I might
actually act upon it. Even at my day job it is quicker to just add a rule to
the firewall to drop the host (sometimes the entire Class C or even
domain) than to track someone down.

In my mind, since the only thing a reverse scan does is tell you a remote
system's security posture, this implies that you wish to 1) r00t 'em
before they 0wn you, or 2) confirm the remote host is a compromised
hornet's nest to add to your DENY lists. In other words, casual automated
reverse scanning is pointless -- unless you really plan on "doing
something" with your results.

Simple Nomad // "When viewed as a metaphor for the human
thegnome () nmrc org // condition, the humble GNU C compiler
www.nmrc.org // becomes an endless enigma."

On Sun, 14 Feb 1999, Max Vision wrote:

> On Sun, 14 Feb 1999, Simple Nomad wrote:
> > Is everyone this paranoid? That they reverse scan?
>
> I am surprised at the views taken by the "general public". See the hacker vigilante polls on cnn lately? People think it's ok to strike back! But what are their criteria? Do they have a clue? There are very few cases where a connection to one's site can be authenticated to be from the apparent source. The vast majority of traffic that sysadmin are "responsive" to can be easily forged, and possibly used to frame someone. (Starting wars is *easy* and some people think it's fun. Blackhats exist.)
>
> Of the public remote Denial Of Service attacks that I am aware, more than 9 out of 10 of them are either ICMP or UDP, and almost all are one-off, fire and forget. Most DOS scripts have command line options for the source IP. Portscanning has come of age and now decoy storm methods such as sl0wscan and nmap -D have joined the ranks of ftp bounce and other proxy-based scans. With 100 source IP's how smart does one's IDS-Return-Fire system sound? Let alone reverse scanning...
>
> Limiting your concern to TCP (full handshake) "attacks" is a start, but let's say you are upset about someone checking for CGI bugs on your webserver. Consider that the source address could have been a proxy, any number of text-pushing-holes such as FTP bouncing, or even sequenced (check your boxes for susceptibility).
>
> Also the method described of limiting reverse scans to once-per-IP doesn't cut it. What about the fellow that decides to send you tickle-packets from say, everywhere. Great you've just scanned the entire internet "but it was only once per host...." Be careful with automated systems!
>
> Max
