Nmap Announce mailing list archives

Re: Detected NMAP scan


From: Chris Tobkin <tobkin () jaws umn edu>
Date: Wed, 6 Jan 1999 17:07:18 -0600 (CST)

Also everyone concerned about watching for scans in their logs should keep
in mind how easy it is to spoof a scan "-e eth0 -S www.whitehouse.gov". 
Of course they aren't getting any information, but there are people out
there who enjoy disinformation, or like to cause trouble.  Also even if
the ip scanning you is the correct one, odds are in this day that it's an
0wned linux machine, and the rightful admin has no clue it's occurring. 
They should be notified, but probably not accused.

Also, someone can use the above modification to the command and scan your 
network with spoofed addrs 20 or 30 times and then do it once from the actual
host.. It'll get lost in the clutter..  It would be trivial to make a shell
script to do this..
i.e.  if your ip was 11.23.48.45 just have it iterate through faking 
[1..80].23.48.45 and when it gets to 11, do the actual scan.. if someone is
logging the sys like my firewall does.. they'll probably just shrug it off 
because of the sheer number of different admins they'd have to email..

// chris
tobkin () umn edu

*************************************************************************
Chris Tobkin                                               tobkin () umn edu
Java and Web Services - Academic and Distributed Computing Services - UMN
Shep. Labs 190                                      Minneapolis, MN 55455 
 -----------------------------------------------------------------------
  "Thanks to the printing press, the deviant smart people were able to 
    distribute their genius without having to pass it on genetically.  
         Evolution was short-circuited.  We gained knowledge and 
         technology without gaining intelligence." - Scott Adams
*************************************************************************
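
A defender-side view of the log clutter described in the message above, as an added example that is not part of the original post: it groups scan alerts whose sources differ only in the first octet, so a burst like [1..80].23.48.45 is handled as one event instead of dozens of separate reports. The log line format, function names and thresholds are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "YYYY-MM-DD HH:MM:SS SCAN src=a.b.c.d dst=w.x.y.z"
LINE_RE = re.compile(r"^(\S+ \S+) SCAN src=(\d+)\.(\d+\.\d+\.\d+) ")

def parse(lines):
    """Yield (timestamp, first_octet, trailing_octets) for each scan alert."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3)

def decoy_bursts(lines, window=timedelta(minutes=30), min_sources=10):
    """Return {suffix: [source IPs]} where many sources sharing the last
    three octets scanned within one time window (likely one spoofed series)."""
    by_suffix = defaultdict(list)
    for ts, first, suffix in parse(lines):
        by_suffix[suffix].append((ts, first))
    bursts = {}
    for suffix, hits in by_suffix.items():
        hits.sort()
        start, best = 0, set()
        for end in range(len(hits)):
            # Slide the window so it never spans more than `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            firsts = {f for _, f in hits[start:end + 1]}
            if len(firsts) > len(best):
                best = firsts
        if len(best) >= min_sources:
            bursts[suffix] = [f"{f}.{suffix}" for f in sorted(best)]
    return bursts

def build_sample_log():
    """Constructed log: 20 alerts following the post's x.23.48.45 pattern,
    plus two unrelated alerts from documentation address ranges."""
    base = datetime(1999, 1, 6, 17, 0, 0)
    lines = []
    for i in range(1, 21):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} SCAN src={i}.23.48.45 dst=192.0.2.10")
    lines.append("1999-01-06 17:03:00 SCAN src=198.51.100.7 dst=192.0.2.10")
    lines.append("1999-01-06 21:40:00 SCAN src=203.0.113.9 dst=192.0.2.10")
    return lines

if __name__ == "__main__":
    for suffix, sources in decoy_bursts(build_sample_log()).items():
        print(f"*.{suffix}: {len(sources)} sources in one burst, treat as one event")
```

The grouping does not say which source in the burst is genuine; it only collapses the series into a single incident to investigate.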

