From: James Wyatt
To: FBSDSecure@aol.com
Cc: freebsd-security@freebsd.org
Date: Sun, 28 Jan 2001 11:23:55 -0600 (CST)
Subject: Port Scans (was Re: (no subject))

On Sun, 28 Jan 2001 FBSDSecure@aol.com wrote:
> At 1/27/01 9:51:58 PM Pacific Standard Time, kris@obsecurity.org writes:
[ ... ]
> > Be very careful using automated responses like automatically
> > blackholing someone. Port scans can trivially be spoofed (most port
> > scanners like nmap include a command-line option to do this), and all
> > an attacker needs to do is spoof a scan coming from your ISP's servers
> > and it will effectively cut you off of the network.
[ ... ]
> Yes, that is true and yes it can be done. But it's very unlikely that it
> will be done. Most people use phone modems to connect to the internet. The
> ISP assigns an IP address to the user's computer based on which port the
> user came in on. It is pretty much impossible to spoof an ISP-assigned IP
> address, and if they try, the ISP knows about it and usually takes steps to
> correct it. On DSL connections, the DSLAM KNOWS which IP addresses are valid
> on a given port, so you must use the IP address(es) that your ISP provides.
> Cable modem IP addresses are dynamically assigned using DHCP. Once again,
> the IP address is assigned to you. The routers in the ISPs know which IP
> addresses are valid and which are not. So spoofing an IP address is pretty
> close to impossible from a dialup, xDSL, or cable modem. Another thing to
> point out though is if a hacker were to spoof his IP address and do a port
> scan, what would be the point? The data is useless if it can't get back to
> the individual. Besides, the portsentry package has an ignore file.

I gotta agree with Kris again on this: in practice, if an ISP has *any*
filtering, it's *very* rough and only at the INet edge. Limit your fake
addresses to the same dialup pool (can be thousands), or a large DSL pool.
I've worked for several ISPs and only one was technically forward enough to
do any real filtering, and it has since been bought by a larger ISP more
interested in its stock than its service, so the filtering is going away.

Toss your own address in towards the end of the scan on the ports you really
want to attack. After the scan, try some simple attacks from a smaller range
of addresses. I've seen this pattern in our logs from time to time. If a
site has enough traffic, you can hide in the noise if you aren't *too*
obvious.

One of our sister sites *will* blacklist by class-C block for port scans
(usually takes a dialout group out), but he has an exclude list to prevent
folks from wreaking too much havoc and, like us, he does more consulting
than service provision. - Jy@