Date:      Thu, 13 May 1999 12:18:16 +0930 (CST)
From:      Kris Kennaway <kkennawa@physics.adelaide.edu.au>
To:        Matthew Dillon <dillon@apollo.backplane.com>
Cc:        danny <danny@pentalpha.com.hk>, freebsd-security@freebsd.org
Subject:   Re: network scan?
Message-ID:  <Pine.OSF.4.10.9905131211500.1222-100000@bragg>
In-Reply-To: <199905130222.TAA90284@apollo.backplane.com>

On Wed, 12 May 1999, Matthew Dillon wrote:

> :May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359
> :a.b.c.1:1080 in via ed0
> :...
> 
>     I get this all the time from people scanning for netbios.  I 
>     usually just ignore them.  If I'm in a bad mood I send a nasty gram
>     to the originating network.

In this case they're looking for an open SOCKS proxy (so they can use it to
bounce attacks against other machines, most likely). I usually do what Matt
does as well - if they're scanning really heavily then I might slap a blanket
ban on their IP address(es). Don't forget though that TCP connection
initiations (i.e. the initial step of the 3-way handshake) can be forged if
they're designed to just bounce off your firewall (i.e. not actually connect
to anything which may be listening) - so watch out for cutting off
connectivity to a legitimate client.


> :...
> ipfw: 2010 Unreach UDP 209.156.6.31:1142 209.157.86.63:161 in via de0
> :...
> ipfw: 2010 Unreach UDP 209.156.6.31:137 209.157.86.63:137 in via de0
> :...
> 
> 

Windows machines like to attempt NetBIOS connections to machines on the
internet when you do things like connect to a website - a lot of the UDP
137-139 traffic is harmless noise (AFAIK it always connects from port 13x to
port 13x as in the above example). There's no excuse for probing SNMP ports
though.

Kris

----
"That suit's sharper than a page of Oscar Wilde witticisms that's been
rolled up into a point, sprinkled with lemon juice and jabbed into
someone's eye"
"Wow, that's sharp!" - Ace Rimmer and the Cat, _Red Dwarf_
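A small parser and classifier for the ipfw log lines quoted in this thread, added here as an example and not part of the original mail. The port heuristics follow the remarks above (1080 = SOCKS probe, 161 = SNMP probe, UDP 13x-to-13x = Windows NetBIOS noise); the label names and the fourth sample line are constructed for the example.

```python
import re
from collections import Counter
# Matches the ipfw log lines quoted in the thread, optionally preceded by a
# syslog timestamp and hostname ("May 12 18:42:24 server /kernel: ...").
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)
NETBIOS_PORTS = {137, 138, 139}

def parse_ipfw(line):
    """Return the fields of one ipfw Deny/Unreach line as a dict, or None."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def classify(rec):
    """Label a parsed line with the heuristics discussed in the thread."""
    proto, sport, dport = rec["proto"], rec["sport"], rec["dport"]
    if proto == "TCP" and dport == 1080:
        return "socks-proxy-probe"
    if proto == "UDP" and dport == 161:
        return "snmp-probe"
    if proto == "UDP" and dport in NETBIOS_PORTS:
        # Windows NetBIOS chatter goes from a 13x port to a 13x port; anything
        # else aimed at 137-139 does not fit that benign pattern.
        return "netbios-noise" if sport in NETBIOS_PORTS else "netbios-probe"
    return "other"

def summarize(lines):
    """Count (source address, label) pairs, skipping unparsable lines."""
    counts = Counter()
    for line in lines:
        rec = parse_ipfw(line)
        if rec:
            counts[(rec["src"], classify(rec))] += 1
    return counts

# Sample input: first three lines quoted from the thread, the last constructed.
SAMPLE_LOG = [
    "May 12 18:42:24 server /kernel: ipfw: 26000 Deny TCP 202.38.248.205:4359 a.b.c.1:1080 in via ed0",
    "ipfw: 2010 Unreach UDP 209.156.6.31:1142 209.157.86.63:161 in via de0",
    "ipfw: 2010 Unreach UDP 209.156.6.31:137 209.157.86.63:137 in via de0",
    "ipfw: 2010 Unreach UDP 209.156.6.31:1025 209.157.86.63:137 in via de0",
]
```

Because a single SYN can be forged, as the mail notes, the per-source counts from summarize() are better used to flag heavy scanners for review than to drive an automatic blanket ban.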
