New Zealand ADSL Mailing List


RE: scans for pc anywhere anyone?

From: Mark Evans <Mark.Evans_at_Optimation.co.nz>
Date: Wed, 4 Apr 2001 09:33:19 +1200
Message-ID: <30E7BC40E838D211B3DB00104B09EFB7E0B4D4@delorean.optimation.co.nz>

> From: rob.edkins@axon.co.nz [mailto:rob.edkins@axon.co.nz]
> Subject: RE: scans for pc anywhere anyone?
>
> Unfortunately such door-knocking is a fact of life if you're
> connected to the Internet and have a static IP.
>
> There's not a lot you can do about it other than look out for it.

i concur.

i want corroboration for another reason. i'm involved in
analysis of 'attacks' from a theoretical perspective. i
was hoping someone else could check their logs for this
period and find the same scan. two separate sources of
such info provides such corroboration.

> An attacker can mask their origin so that you may never
> really know the true source of a scan

except in this case they prolly didn't. it is unlikely
(tho' far from impossible) that they would go to the
effort of picking an address adjacent to mine. whilst
they don't need to do a 3-way handshake to find out if
i've got the port open they would to actually use pc
anywhere (or whatever). this would make a spoofed source
address much less likely.

> (If you're running Linux, then try Snort IDS from snort.org.
> It has a VERY comprehensive list of attack signatures.)

i run snort already as one of the ids' on my net.

> There has been an endless thread raging on the firewalls
> mailing list about the ethics of port scans per se..

we'll leave the rage there then :-)

> At least one previous poster to this list claimed that using
> the PCA client to scan his ISP's subnet was the only way to
> locate his remote machine when the IP changed after an outage.

> One side effect of the NAT on the Nokias is that unless you pinhole
> everything through to an internal logging firewall then most
> people won't even see a large percentage of the stuff that is actually
> going on every day.

which for most is prolly what they would prefer.

and.....

> From: Tom Parker [mailto:tom@carrott.org]
> Sent: Wednesday, April 04, 2001 1:39 AM
> To: Craig Whitmore
> Subject: Re: scans for pc anywhere anyone?

> I get people knocking on my machine regularly, a few a day
> usually. I don't bother even to reverse lookup the ips most
> of the time, but I guess I should automate it and email the
> results to myself.

my internal ids (rather than the noisier external one) emails
me at home and work re alerts. if this one fires then it's either
a false positive that i'll try to tune out, or it means that
someone has got past both my firewalls (yes they are different
types) and i should be concerned! yes i could be sort of dos'd
by this - but i've got some s/w after the event that's set to
reduce this.

would you (and anyone else who keeps logs) just check for the may
27-29 period for this specific attack?

and.....

for those who asked me to email the source address i will do so
off list. the address changed half way thru the scan (power
cycle?) - so i'll provide the date/time info also.

cheers

-- 
me - mark evans - optimation.co.nz
"that's the problem with blue green planetoids,
they're blue, green and planetoidy"
This message is part of the NZ ADSL mailing list.
see http://unixathome.org/adsl/ for archives, FAQ,
and various documents.
To unsubscribe: send mail to majordomo@unixathome.org
with "unsubscribe adsl" in the body of the message
Received on Wed Apr 4 09:34:37 2001
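The corroboration Mark asks for above (two independent logs showing the same source in the same window) and his point that a half-open probe can carry a spoofed source while a completed 3-way handshake cannot, as an added example that is not part of the original thread. The log format, the sample entries and the two "networks" are all constructed; the window and the pcAnywhere ports 5631/5632 are the only values taken from the discussion.

```python
"""Corroborate a scan across two independently kept firewall logs.

Constructed log format (not from the original thread):
  "<ISO timestamp> <src_ip> <dst_port> <state>"
state is "syn" (probe only; a spoofed source is possible) or
"established" (3-way handshake completed; the source had to be real).
"""
from datetime import datetime

# Constructed sample logs from two separately administered networks.
# 5631/5632 are pcAnywhere's well-known ports; addresses are RFC 5737 examples.
LOG_A = """\
2001-05-27T22:01:03 203.0.113.7 5631 syn
2001-05-27T22:01:04 203.0.113.7 5632 syn
2001-05-28T09:15:40 203.0.113.8 5631 established
2001-05-30T01:00:00 198.51.100.9 22 syn
"""
LOG_B = """\
2001-05-27T22:05:11 203.0.113.7 5631 syn
2001-05-28T09:20:02 203.0.113.8 5631 syn
2001-05-28T11:00:00 192.0.2.44 5631 syn
"""


def parse(log, start, end):
    """Return {src_ip: set(states)} for events inside [start, end]."""
    events = {}
    for line in log.splitlines():
        ts, src, _port, state = line.split()
        when = datetime.fromisoformat(ts)
        if start <= when <= end:
            events.setdefault(src, set()).add(state)
    return events


def corroborate(log_a, log_b, start, end):
    """Sources seen in BOTH logs within the window, mapped to True when either
    log recorded a completed handshake (i.e. the source was not spoofed)."""
    a = parse(log_a, start, end)
    b = parse(log_b, start, end)
    return {src: "established" in (a[src] | b[src])
            for src in sorted(set(a) & set(b))}


if __name__ == "__main__":
    window = (datetime(2001, 5, 27), datetime(2001, 5, 29, 23, 59, 59))
    for src, real in corroborate(LOG_A, LOG_B, *window).items():
        print(src, "completed handshake" if real else "SYN only (spoofable)")
```

A source that appears in only one log, or only outside the window, is dropped: it is not corroborated and is exactly the kind of single-observation noise the thread says there is little to do about.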

This archive was generated by hypermail 2.2.0 : Thu Nov 30 11:48:10 2006 EST