From owner-freebsd-security Wed May 12 19:47:37 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id C2F20151A0 for ; Wed, 12 May 1999 19:47:33 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id MAA11171; Thu, 13 May 1999 12:17:31 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA32122; Thu, 13 May 1999 12:18:17 +0930
Date: Thu, 13 May 1999 12:18:16 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Matthew Dillon
Cc: danny , freebsd-security@freebsd.org
Subject: Re: network scan?
In-Reply-To: <199905130222.TAA90284@apollo.backplane.com>
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 12 May 1999, Matthew Dillon wrote:

> :May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359
> :a.b.c.1:1080 in via ed0
> :...
>
>     I get this all the time from people scanning for netbios.  I
>     usually just ignore them.  If I'm in a bad mood I send a nasty gram
>     to the originating network.

In this case they're looking for an open SOCKS proxy (so they can use it to
bounce attacks against other machines, most likely). I usually do what Matt
does as well - if they're scanning really heavily then I might slap a
blanket ban on their IP address(es). Don't forget though that TCP connection
initiations (i.e. the initial step of the 3-way handshake) can be forged if
they're designed to just bounce off your firewall (i.e. not actually connect
to anything which may be listening) - so watch out for cutting off
connectivity to a legitimate client.

> :...
> ipfw: 2010 Unreach UDP 209.156.6.31:1142 209.157.86.63:161 in via de0
> :...
> ipfw: 2010 Unreach UDP 209.156.6.31:137 209.157.86.63:137 in via de0
> :...
>

Windows machines like to attempt NetBIOS connections to machines on the
internet when you do things like connect to a website - a lot of the UDP
137-139 traffic is harmless noise (AFAIK it always connects from port 13x
to port 13x as in the above example). There's no excuse for probing SNMP
ports though.

Kris

----
"That suit's sharper than a page of Oscar Wilde witticisms that's been
rolled up into a point, sprinkled with lemon juice and jabbed into
someone's eye"
"Wow, that's sharp!"
 - Ace Rimmer and the Cat, _Red Dwarf_

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
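The triage Kris describes (treat TCP/1080 as a SOCKS-proxy probe, treat UDP 13x-to-13x as Windows NetBIOS noise, treat anything at UDP/161 as an SNMP probe, and only react to a source once it is scanning heavily, since a lone denied SYN may carry a forged source) can be turned into a small log classifier. The script below is an added example, not code from the thread or from FreeBSD; the ipfw syslog field layout is taken from the lines quoted above, the sample log lines and addresses are constructed placeholders, and the "heavy scanner" threshold of three hits is an arbitrary assumption.

```python
"""Classify ipfw(8) deny/unreach log lines of the kind quoted in the thread.

Added example, not part of the original mailing-list post. The rules
paraphrase the thread: TCP to port 1080 is a SOCKS-proxy probe, UDP
between ports 137-139 on both sides is usually Windows NetBIOS noise,
and anything to UDP/161 is an SNMP probe worth attention. The sample
log and the threshold below are constructed/assumed for the example.
"""
import re
from collections import Counter, defaultdict

# ipfw syslog layout as it appears in the quoted messages:
#   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in via <if>
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

NETBIOS_PORTS = {137, 138, 139}


def parse_line(line):
    """Return a dict of fields, or None if the line is not an ipfw record."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Label one parsed record using the heuristics discussed in the thread."""
    proto, sport, dport = rec["proto"], rec["sport"], rec["dport"]
    if proto == "TCP" and dport == 1080:
        return "socks-probe"
    if proto == "UDP" and dport == 161:
        return "snmp-probe"
    if proto == "UDP" and sport in NETBIOS_PORTS and dport in NETBIOS_PORTS:
        return "netbios-noise"      # 13x -> 13x: typical Windows chatter
    if proto == "UDP" and dport in NETBIOS_PORTS:
        return "netbios-probe"      # ephemeral -> 13x looks more deliberate
    return "other"


def summarize(lines, heavy_threshold=3):
    """Count labels per source and list sources at or above the threshold.

    Volume is the signal to act on: a single blocked connection attempt
    proves little, because a SYN that only has to bounce off the firewall
    can carry a forged source address (the caveat raised in the post).
    """
    per_src = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] not in ("Deny", "Unreach"):
            continue                # accepted traffic and other syslog noise
        per_src[rec["src"]][classify(rec)] += 1
    heavy = sorted(src for src, counts in per_src.items()
                   if sum(counts.values()) >= heavy_threshold)
    return per_src, heavy


# Constructed sample log (documentation-range addresses), modelled on the
# ipfw output quoted in the thread.
SAMPLE_LOG = [
    "May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 198.51.100.5:4359 203.0.113.1:1080 in via ed0",
    "May 12 18:42:25 server /kernel: ipfw: 26000 Deny TCP 198.51.100.5:4360 203.0.113.2:1080 in via ed0",
    "May 12 18:42:26 server /kernel: ipfw: 26000 Deny TCP 198.51.100.5:4361 203.0.113.3:1080 in via ed0",
    "May 12 18:50:01 server /kernel: ipfw: 2010 Unreach UDP 192.0.2.31:1142 203.0.113.63:161 in via de0",
    "May 12 18:50:02 server /kernel: ipfw: 2010 Unreach UDP 192.0.2.31:137 203.0.113.63:137 in via de0",
    "May 12 18:51:00 server /kernel: ipfw: 100 Accept TCP 192.0.2.9:5555 203.0.113.1:80 in via ed0",
    "May 12 18:52:00 server sshd[123]: unrelated syslog line",
]

if __name__ == "__main__":
    per_src, heavy = summarize(SAMPLE_LOG)
    for src, counts in sorted(per_src.items()):
        print(src, dict(counts))
    print("heavy scanners:", heavy)
```

Run against real `/var/log/security` output the script only needs the `ipfw:` part of each line, so it tolerates the syslog prefix; the `netbios-noise` bucket is there to keep the harmless 13x-to-13x chatter from inflating a source's count toward the ban threshold.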