[nSLUG] kiddy scanners

Dop Ganger nslug at fop.ns.ca
Sun Jun 15 11:44:27 ADT 2003


On Sun, 15 Jun 2003, Mark Lewis wrote:

> Even on dialup with a dynamic IP and frequent dialups during the day, I've counted being port scanned, or connection attempts, from at least 30 different IPs a day. So after some searching I found the site I was looking for, http://www.mynetwatchman.com ; this is what it does:

Only 30? I run a fairly busy webserver, and I usually average around 5000
different IPs a day. Believe me, you're getting off lightly ;->

> myNetWatchman is a:
>   a. Security Event Aggregator
>   b. Centralized, web-based firewall log analyzer

Hmmm. I think you'd be better off with portsentry, myself. The vast
majority of scanning traffic I see appears to be trojans and viruses
propagating themselves. Next is proxy searchers, and finally people that
are scanning for specific ports for vulnerabilities. Setting up portsentry
allows you to immediately drop all traffic from these hosts. On top of
that, keeping particularly egregious hosts in a blacklist is good
(cyberangels.nl is one that comes to mind), and also pulling the top hosts
from incidents.org on a daily basis and dropping them in the firewall
helps.

The other type of attacks I see are application layer attacks against the
webserver, which are significantly fewer (10 unique IP addresses
yesterday), albeit more likely to result in issues. The vast majority of
these attacks are code red/nimda/etc (although oddly enough we see
relatively few from Aliant on our Aliant connection, but lots from
Eastlink on our Eastlink connection - though Eastlink are significantly
quicker to respond than Aliant). The solution I use here is a front-end
Apache proxy with mod_eaccess to filter out known bad traffic (filter out
/scripts.*, .*%.*, etc) and also to configure the default host to just be
a redirector to another site.

If you genuinely want to see where attacks are coming from, try looking at
Snort and ACID.

>   c. Fully automated abuse escalation/management system

Automated abuse reports make me nervous. Let's say I want to get you in
trouble; all I need to do is wait till you're online (watch for any posts
you make to nslug, for example) and then start launching random spoofed
scans around the net using your IP address as the source address, gambling
I'll hit a mynetwatchman user. Voila, complaints to Aliant that x number
of sources complained you were attacking them and you lose your net
connection.

> Now I know some might say why am I bothering with this when I'm on dialup; well, bandwidth is low enough that I don't need all these connections a day, and this is just my way of fighting back.

If you really want to try fighting back, try using QoS to tarpit bad
ports. For example, set up a class with a rate of 1 kilobit and send
all traffic on ports 1080, 3128, 5900, etc. to it. You can also fiddle
with iptables rules to mangle the packets to send back a christmas tree
packet, if you want to really send people for a loop.

Cheers... Dop.
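As an added example, not part of the original mail or of any tool it names: a small Python log analyzer that applies the two front-end filter patterns Dop mentions (/scripts.* and .*%.*) to web-server access-log lines, counts unique source IPs and "attacking" IPs per day the way the mail reports them, and ranks the worst hosts for a daily blocklist in the spirit of the incidents.org top-hosts list. The Common Log Format regex, the pattern names, the `min_hits` threshold and every log line are constructed assumptions; the sample lines use the well-known Code Red/Nimda request shapes the mail refers to, plus one legitimate URL-encoded request to show that the `.*%.*` filter also catches ordinary traffic.

```python
"""Apply the mail's "known bad traffic" filters to access-log lines and rank
source IPs for a daily firewall blocklist. Added example; all values constructed."""
import re
from collections import Counter, defaultdict

# The two filters quoted in the mail (/scripts.* and .*%.*), written as
# Python regexes. Assumption: this is how the Apache-side filter was meant.
BAD_REQUEST_PATTERNS = [
    ("scripts-dir", re.compile(r"^/scripts.*")),
    ("percent-encoding", re.compile(r".*%.*")),
]

# Common Log Format: host ident user [date] "METHOD path PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:\]]+)[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return ip, day, method, path, status as a dict, or None if unparsable."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def classify(path):
    """Name of the first bad-traffic pattern the request path matches, or None."""
    for name, rx in BAD_REQUEST_PATTERNS:
        if rx.match(path):
            return name
    return None

def analyze(lines):
    """Per day: unique source IPs seen, and unique IPs that sent filtered requests.
    Returns (per_day_stats, per_ip_hit_count); unparsable lines are skipped."""
    all_ips = defaultdict(set)
    bad_ips = defaultdict(set)
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        all_ips[rec["day"]].add(rec["ip"])
        if classify(rec["path"]):
            bad_ips[rec["day"]].add(rec["ip"])
            hits[rec["ip"]] += 1
    stats = {
        day: {"unique_ips": len(all_ips[day]), "attacking_ips": len(bad_ips[day])}
        for day in all_ips
    }
    return stats, hits

def top_hosts(hits, n=10, min_hits=2):
    """Rank offenders for the blocklist. The threshold keeps a host that sent a
    single URL-encoded request (legitimate '%20', say) from being dropped."""
    return [ip for ip, count in hits.most_common(n) if count >= min_hits]

# Constructed sample log lines (documentation-range IPs, not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jun/2003:03:12:01 -0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283',
    '192.0.2.10 - - [15/Jun/2003:03:12:02 -0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283',
    '192.0.2.10 - - [15/Jun/2003:03:12:03 -0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283',
    '198.51.100.7 - - [15/Jun/2003:09:40:11 -0300] "GET /index.html HTTP/1.1" 200 1523',
    '198.51.100.7 - - [15/Jun/2003:09:40:12 -0300] "GET /images/logo.png HTTP/1.1" 200 4021',
    '203.0.113.44 - - [15/Jun/2003:14:05:55 -0300] "GET /default.ida?XXXX%u9090%u6858 HTTP/1.0" 400 0',
    '203.0.113.44 - - [15/Jun/2003:14:05:56 -0300] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283',
    '198.51.100.9 - - [15/Jun/2003:16:20:00 -0300] "GET /search?q=a%20b HTTP/1.1" 200 812',
    'garbage line that does not parse',
    '192.0.2.10 - - [16/Jun/2003:01:00:00 -0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283',
]

if __name__ == "__main__":
    day_stats, ip_hits = analyze(SAMPLE_LOG)
    for day, s in sorted(day_stats.items()):
        print(day, s)
    print("blocklist candidates:", top_hosts(ip_hits))
```

Two things worth noticing when running it: the /MSADC/ request, a Nimda variant, slips past both filters, so a pattern list like this only stops what it names; and the harmless `/search?q=a%20b` request is counted as "attacking" by the `.*%.*` filter, which is why the blocklist applies a minimum-hits threshold rather than dropping every host that trips a filter once.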
