Date: Sun, 16 May 1999 04:41:56 +0800
From: Peter Wemm <peter@netplex.com.au>
To: Kris Kennaway <kkennawa@physics.adelaide.edu.au>
Cc: Matthew Dillon <dillon@apollo.backplane.com>, danny <danny@pentalpha.com.hk>, freebsd-security@freebsd.org
Subject: Re: network scan?
Message-ID: <19990515204158.C390F1F58@spinner.netplex.com.au>
In-Reply-To: Your message of "Thu, 13 May 1999 12:18:16 +0930." <Pine.OSF.4.10.9905131211500.1222-100000@bragg>
Kris Kennaway wrote:
> On Wed, 12 May 1999, Matthew Dillon wrote:
>
> > :May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359
> > :a.b.c.1:1080 in via ed0
> > :...
> >
> >     I get this all the time from people scanning for netbios.  I
> >     usually just ignore them.  If I'm in a bad mood I send a nasty gram
> >     to the originating network.
>
> In this case they're looking for an open SOCKS proxy (so they can use it to
> bounce attacks against other machines, most likely).  I usually do what Matt
> does as well - if they're scanning really heavily then I might slap a blanket
> ban on their IP address(es).  Don't forget though that TCP connection
> initiations (i.e. the initial step of the 3-way handshake) can be forged if
> they're designed to just bounce off your firewall (i.e. not actually connect
> to anything which may be listening) - so watch out for cutting off
> connectivity to a legitimate client.

In this particular case, it's a site in China.  They have a heavily censored
internet gateway, and I see lots of probes from China (and other areas in
Asia that have enforced proxy use and heavily censored feeds) looking for
*:1080 (socks), *:3128 (squid) and *:8080 (squid and/or other proxies
including Netscape).  They are scanning for relays to bounce connections off
to bypass the censored feed.

A few key points from traceroute:

16  cust-gw.Teleglobe.net (207.45.214.210)  500.028 ms
..
20  beijing-xgw-lan.cernet.net (202.112.1.210)  1042.496 ms  1042.076 ms
24  guangzhou-rgw-lan.cernet.net (202.112.1.78)  1554.514 ms  1562.112 ms

They are not being malicious, just desperate.  Most (but not all) cases that
I've seen from China are looking for news (journalistic, not usenet) sites in
their initial scans.

Sigh, the shape of things to come for *.au too perhaps.. :-(

Cheers,
-Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
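The triage described in this thread (look at ipfw deny lines, notice which sources are sweeping the proxy ports 1080/3128/8080, and only blanket-ban the heavy scanners while remembering that a bare SYN can be spoofed) is easy to turn into a script. The one below is an added example, not code from the thread or from FreeBSD: it parses log lines in the layout Matt quoted, aggregates denied inbound TCP hits on the proxy ports per source, and proposes an ipfw deny rule only for sources that hit several of your hosts repeatedly. The sample log lines, the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses, the thresholds, the rule numbers and the function names are all constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Ports the thread identifies as open-proxy targets: SOCKS (1080), Squid (3128)
# and other HTTP proxies such as Netscape's (8080).
PROXY_PORTS = {1080: "socks", 3128: "squid", 8080: "http-proxy"}

# Assumed log layout, taken from the line quoted in the thread:
#   "... /kernel: ipfw: <rule> Deny TCP <src>:<sport> <dst>:<dport> in via <iface>"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample syslog excerpt (not real traffic): one source sweeps three
# proxy ports across three hosts, one touches 1080 once, one hits SMTP (not a
# proxy port), one is an Accept line, and one is not an ipfw line at all.
SAMPLE_LOG = """\
May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359 192.0.2.1:1080 in via ed0
May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4360 192.0.2.1:3128 in via ed0
May 12 18:42:25 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4361 192.0.2.1:8080 in via ed0
May 12 18:42:25 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4362 192.0.2.2:1080 in via ed0
May 12 18:42:26 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4363 192.0.2.3:1080 in via ed0
May 12 18:43:01 server /kernel: ipfw: 26000 Deny TCP 198.51.100.7:1025 192.0.2.1:1080 in via ed0
May 12 18:43:05 server /kernel: ipfw: 26000 Deny TCP 198.51.100.9:2048 192.0.2.1:25 in via ed0
May 12 18:43:09 server /kernel: ipfw: 100 Accept TCP 203.0.113.4:3001 192.0.2.1:8080 in via ed0
May 12 18:43:10 server sshd[123]: Accepted password for kris from 203.0.113.4
"""


def parse_ipfw_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it is not one."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def proxy_scan_report(lines):
    """Aggregate denied, inbound TCP hits on proxy ports by source address.

    Returns {src: {"hits": n, "ports": [sorted dports], "targets": distinct dst hosts}}.
    """
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "targets": set()})
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None or rec["action"] != "Deny" or rec["proto"] != "TCP" or rec["dir"] != "in":
            continue
        if rec["dport"] not in PROXY_PORTS:
            continue
        entry = per_src[rec["src"]]
        entry["hits"] += 1
        entry["ports"].add(rec["dport"])
        entry["targets"].add(rec["dst"])
    return {
        src: {"hits": e["hits"], "ports": sorted(e["ports"]), "targets": len(e["targets"])}
        for src, e in per_src.items()
    }


def ban_candidates(report, min_hits=5, min_targets=2):
    """Sources scanning heavily enough to consider a blanket deny.

    Thresholds are assumptions. A single logged SYN proves nothing, since the
    source address of a connection attempt that never completes can be forged;
    requiring repeated hits against several hosts filters out one-off noise,
    but a deliberate spoofer can still reach the threshold, so treat the output
    as a review list rather than something to apply automatically.
    """
    return sorted(
        src for src, e in report.items()
        if e["hits"] >= min_hits and e["targets"] >= min_targets
    )


def ipfw_deny_rules(srcs, first_rule=25000):
    """Render ipfw(8) deny rules for the listed sources (rule numbers assumed)."""
    return ["ipfw add %d deny tcp from %s to any" % (first_rule + i, src)
            for i, src in enumerate(srcs)]


if __name__ == "__main__":
    report = proxy_scan_report(SAMPLE_LOG.splitlines())
    for src, e in sorted(report.items()):
        print("%-16s hits=%d targets=%d ports=%s" % (src, e["hits"], e["targets"],
              ",".join(PROXY_PORTS[p] for p in e["ports"])))
    for rule in ipfw_deny_rules(ban_candidates(report)):
        print("proposed:", rule)
```

Run it against the constructed excerpt and only 202.38.248.205 is proposed for a deny rule: it hit all three proxy ports on three hosts, while the single 1080 probe from 198.51.100.7 stays below threshold, the SMTP hit and the Accept line are ignored, and the sshd line is not parsed at all.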