From owner-freebsd-security Sat May 15 17:10:16 1999
Delivered-To: freebsd-security@freebsd.org
Received: from obie.softweyr.com (unknown [204.68.178.33]) by hub.freebsd.org (Postfix) with ESMTP id ABDDE15038 for ; Sat, 15 May 1999 17:10:11 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from softweyr.com ([204.68.178.224]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id SAA06989; Sat, 15 May 1999 18:09:24 -0600 (MDT) (envelope-from wes@softweyr.com)
Message-ID: <373E0CB2.D98C9E75@softweyr.com>
Date: Sat, 15 May 1999 18:09:22 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Peter Wemm
Cc: Kris Kennaway , Matthew Dillon , danny , freebsd-security@FreeBSD.ORG
Subject: Re: network scan?
References: <19990515204158.C390F1F58@spinner.netplex.com.au>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Peter Wemm wrote:
>
> Kris Kennaway wrote:
> > On Wed, 12 May 1999, Matthew Dillon wrote:
> >
> > > :May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359
> > > :a.b.c.1:1080 in via ed0
> > > :...
> > >
> > >     I get this all the time from people scanning for netbios. I
> > >     usually just ignore them. If I'm in a bad mood I send a nasty gram
> > >     to the originating network.
> >
> > In this case they're looking for an open SOCKS proxy (so they can use it to
> > bounce attacks against other machines, most likely). I usually do what Matt
> > does as well - if they're scanning really heavily then I might slap a blanket
> > ban on their IP address(es). Don't forget though that TCP connection
> > initiations (i.e. the initial step of the 3-way handshake) can be forged if
> > they're designed to just bounce off your firewall (i.e. not actually connect
> > to anything which may be listening) - so watch out for cutting off
> > connectivity to a legitimate client.
>
> In this particular case, it's a site in China. They have a heavily
> censored internet gateway, and I see lots of probes from china (and other
> areas in Asia that have enforced proxy use and heavily censored feeds)
> looking for *:1080 (socks), *:3128 (squid) and *:8080 (squid and/or other
> proxies including netscape). They are scanning for relays to bounce
> connections off to bypass the censored feed.

This sounds like an opportunity for someone with a FreeBSD machine and good
network connectivity to make themselves a hero. I imagine you'll have to be
agile about network addresses if the censors are any good at all.

> They are not being malicious, just desperate. Most (but not all) cases
> that I've seen from china are looking for news (journalistic, not usenet)
> sites in their initial scans.

An anonymous gateway service to sites like cnn.com and abcnews.com might go a
long way to helping some of these people. I don't have the connectivity
(yet), but I may have soon; TCI will finally get digital cable to me day
after tomorrow, and @Home shouldn't be too far away. Can anyone else throw
up a "public proxy" on a standalone machine?

> Sigh, the shape of things to come for *.au too perhaps.. :-(

And to think my Australian friends criticize me for saying the US
Constitution was divinely inspired.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                     Softweyr LLC
http://www.softweyr.com/~softweyr                          wes@softweyr.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
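The ipfw "Deny TCP" lines quoted at the top of the thread can be aggregated per source to tell a sweep of the proxy ports Peter lists (1080, 3128, 8080) from a stray, possibly forged SYN before anyone applies a blanket ban. The script below is an added example, not code from the thread or from FreeBSD; it assumes the ipfw log format shown in Matt's quote, uses constructed sample lines with documentation-range addresses, and requires a minimum hit count so a single spoofed packet cannot get a legitimate client blocked.

```python
import re
from collections import defaultdict

# One ipfw log line as it appears in the thread:
#   May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359 a.b.c.1:1080 in via ed0
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Deny|Accept) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Ports the thread identifies as open-relay probes.
PROXY_PORTS = {1080: "socks", 3128: "squid", 8080: "http-proxy"}

def parse_ipfw(line):
    """Return a dict of the ipfw fields, or None if the line is not an ipfw log line."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def proxy_scanners(lines, min_hits=3):
    """Map src -> {dport: count} for sources whose denied TCP probes of proxy ports
    reach min_hits; below that, a lone SYN may be forged and is not reported."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_ipfw(line)
        if rec and rec["action"] == "Deny" and rec["proto"] == "TCP" and rec["dport"] in PROXY_PORTS:
            hits[rec["src"]][rec["dport"]] += 1
    return {src: dict(ports) for src, ports in hits.items() if sum(ports.values()) >= min_hits}

# Constructed sample log: one source sweeps all three proxy ports, another sends a single probe.
SAMPLE_LOG = """\
May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 203.0.113.5:4359 192.0.2.1:1080 in via ed0
May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 203.0.113.5:4360 192.0.2.2:1080 in via ed0
May 12 18:42:25 server /kernel: ipfw: 26000 Deny TCP 203.0.113.5:4361 192.0.2.3:3128 in via ed0
May 12 18:42:25 server /kernel: ipfw: 26000 Deny TCP 203.0.113.5:4362 192.0.2.3:8080 in via ed0
May 12 18:42:30 server /kernel: ipfw: 26000 Deny TCP 198.51.100.9:51000 192.0.2.1:1080 in via ed0
May 12 18:42:31 server /kernel: ipfw: 26100 Deny TCP 198.51.100.9:51001 192.0.2.1:25 in via ed0
"""

if __name__ == "__main__":
    for src, ports in proxy_scanners(SAMPLE_LOG.splitlines()).items():
        print(src, {PROXY_PORTS[p]: n for p, n in ports.items()})
```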