Date:      Sat, 15 May 1999 18:09:22 -0600
From:      Wes Peters <wes@softweyr.com>
To:        Peter Wemm <peter@netplex.com.au>
Cc:        Kris Kennaway <kkennawa@physics.adelaide.edu.au>, Matthew Dillon <dillon@apollo.backplane.com>, danny <danny@pentalpha.com.hk>, freebsd-security@FreeBSD.ORG
Subject:   Re: network scan?
Message-ID:  <373E0CB2.D98C9E75@softweyr.com>
References:  <19990515204158.C390F1F58@spinner.netplex.com.au>

Peter Wemm wrote:
> 
> Kris Kennaway wrote:
> > On Wed, 12 May 1999, Matthew Dillon wrote:
> >
> > > :May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359
> > > :a.b.c.1:1080 in via ed0
> > > :...
> > >
> > >     I get this all the time from people scanning for netbios.  I
> > >     usually just ignore them.  If I'm in a bad mood I send a nasty gram
> > >     to the originating network.
> >
> > In this case they're looking for an open SOCKS proxy (so they can use it to
> > bounce attacks against other machines, most likely). I usually do what Matt
> > does as well - if they're scanning really heavily then I might slap a blanket
> > ban on their IP address(es). Don't forget though that TCP connection
> > initiations (i.e. the initial step of the 3-way handshake) can be forged if
> > they're designed to just bounce off your firewall (i.e. not actually connect
> > to anything which may be listening) - so watch out for cutting off
> > connectivity to a legitimate client.
> 
> In this particular case, it's a site in China.  They have a heavily
> censored internet gateway, and I see lots of probes from china (and other
> areas in Asia that have enforced proxy use and heavily censored feeds)
> looking for *:1080 (socks), *:3128 (squid) and *:8080 (squid and/or other
> proxies including netscape).  They are scanning for relays to bounce
> connections off to bypass the censored feed.

This sounds like an opportunity for someone with a FreeBSD machine and
good network connectivity to make themselves a hero.  I imagine you'll
have to be agile about network addresses if the censors are any good
at all.  

> They are not being malicious, just desperate.  Most (but not all) cases
> that I've seen from china are looking for news (journalistic, not usenet)
> sites in their initial scans.

An anonymous gateway service to sites like cnn.com and abcnews.com 
might go a long way to helping some of these people.  I don't have
the connectivity (yet), but I may have soon; TCI will finally get
digital cable to me day after tomorrow, and @Home shouldn't be too
far away.

Can anyone else throw up a "public proxy" on a standalone machine?

> Sigh, the shape of things to come for *.au too perhaps.. :-(

And to think my Australian friends criticize me for saying the US
Constitution was divinely inspired.

-- 
       "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                 Softweyr LLC
http://www.softweyr.com/~softweyr                      wes@softweyr.com
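An added example, not code from anyone in this thread: a small parser for ipfw deny lines in the format quoted above that flags sources probing the proxy ports named here (1080, 3128, 8080) across several destination hosts. The log lines are constructed with documentation addresses, and since, as noted above, a bare SYN can carry a forged source, the result is a review list rather than an automatic ban.

```python
import re
from collections import defaultdict

# Constructed sample ipfw deny lines in the format quoted in the thread
# (addresses are documentation/placeholder values, not real hosts).
SAMPLE_LOG = """\
May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 192.0.2.205:4359 203.0.113.1:1080 in via ed0
May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 192.0.2.205:4360 203.0.113.2:1080 in via ed0
May 12 18:42:25 server /kernel: ipfw: 26000 Deny TCP 192.0.2.205:4361 203.0.113.3:3128 in via ed0
May 12 18:42:25 server /kernel: ipfw: 26000 Deny TCP 192.0.2.205:4362 203.0.113.4:8080 in via ed0
May 12 18:42:26 server /kernel: ipfw: 26000 Deny TCP 192.0.2.205:4363 203.0.113.5:1080 in via ed0
May 12 18:43:01 server /kernel: ipfw: 26000 Deny TCP 198.51.100.7:1234 203.0.113.1:1080 in via ed0
May 12 18:43:05 server /kernel: ipfw: 26000 Deny UDP 198.51.100.9:53 203.0.113.1:53 in via ed0
"""

# Ports the thread says the probes are looking for (socks, squid, other proxies).
PROXY_PORTS = {1080, 3128, 8080}

IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)")

def parse_ipfw(line):
    """Parse one ipfw log line into a dict, or return None if it does not match."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def proxy_scan_sources(log_text, min_targets=3):
    """Map each source that hit proxy ports on at least min_targets distinct
    destination hosts to the sorted list of those hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_ipfw(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] in PROXY_PORTS:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

if __name__ == "__main__":
    for src, dsts in proxy_scan_sources(SAMPLE_LOG).items():
        # Report only: a SYN to a closed port may have a forged source address,
        # so this is a list to look at, not a list to block.
        print(f"{src} probed proxy ports on {len(dsts)} hosts: {', '.join(dsts)}")
```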

