Re: Finding real host in Nmap -D Scans

From: Fyodor (fyodor@insecure.org)
Date: Tue Mar 04 2003 - 01:16:42 EST


On Mon, Mar 03, 2003 at 11:26:38PM -0600, Kevin Hodle wrote:
> With most broadband providers, this is an obsolete method of port
> scanning. Broadband companies like comca$t have very strict egress
> filters,

Obsolete? Hardly. While many broadband and dialup providers have
finally implemented some form of egress filtering, most aren't what I
would consider "very strict". Usually attackers can at least spoof any IP
on the same class C. My ATT cable modem can spoof a range of
literally thousands of IPs. And that is all that matters for many
users who are simply trying to camouflage their exact IP.

Sure, many cable modem/DSL/dialup users can't spoof entirely arbitrary
IP addresses directly, but they often can do that from the first
corporate/university/Korean box that they own. And those boxes likely
have superior bandwidth for scanning anyway.

Of course, I don't advocate compromising systems or even using decoys
to hide scanning activity. I proudly perform virtually all of my Nmap
scanning from my own networks, and rarely receive complaints. This is
because I try to keep the scans unintrusive and targeted (not
millions of machines). I also get consent first where practical.

And for those who insist on spoofed scans, at least consider the new
Nmap Idlescan technique described at
http://www.insecure.org/nmap/idlescan.html . It is much sexier than
decoys, and also more stealthy. Of course it is slower than decoys,
but you can't have everything!

Cheers,
Fyodor
http://www.insecure.org/
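From the receiving side, a decoy scan (-D) shows up as the same port being probed by several apparent sources within milliseconds of each other. The following Python is an added detection example, not code from the post or from the Nmap project; it runs over constructed firewall-style log lines (the `timestamp SYN src -> dst:port` field layout is an assumption) and clusters such bursts, then counts how the cluster sources distribute across /24s, since, as the reply notes, decoys an on-net host can forge tend to fall in its own class C.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed log lines (not from the original post). Three SYNs per port
# arrive within a few milliseconds from different apparent sources, which is
# what a decoy scan looks like on the wire; the last line is an unrelated probe.
SAMPLE_LOG = """\
2003-03-04T01:10:00.120 SYN 10.20.30.5 -> 192.0.2.10:22
2003-03-04T01:10:00.121 SYN 10.20.30.77 -> 192.0.2.10:22
2003-03-04T01:10:00.123 SYN 198.51.100.9 -> 192.0.2.10:22
2003-03-04T01:10:00.340 SYN 10.20.30.77 -> 192.0.2.10:80
2003-03-04T01:10:00.341 SYN 10.20.30.5 -> 192.0.2.10:80
2003-03-04T01:10:00.344 SYN 198.51.100.9 -> 192.0.2.10:80
2003-03-04T01:15:42.000 SYN 203.0.113.4 -> 192.0.2.10:443
"""

# Assumed field layout: ISO timestamp, the literal "SYN", source IP, "->", dst:port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SYN (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)


def parse_log(text):
    """Return (timestamp, src, dst, port) tuples; malformed lines are skipped."""
    probes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        probes.append(
            (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"]))
        )
    return probes


def find_decoy_clusters(probes, window=timedelta(milliseconds=500), min_sources=3):
    """Group SYNs by (dst, port). A burst of at least `min_sources` distinct
    sources inside `window` is reported as a probable decoy-scan cluster."""
    by_target = defaultdict(list)
    for ts, src, dst, port in probes:
        by_target[(dst, port)].append((ts, src))

    clusters = []
    for (dst, port), events in by_target.items():
        events.sort()
        i = 0
        while i < len(events):
            # Sliding window anchored at events[i]: collect every source seen
            # before the window closes.
            j = i
            sources = set()
            while j < len(events) and events[j][0] - events[i][0] <= window:
                sources.add(events[j][1])
                j += 1
            if len(sources) >= min_sources:
                clusters.append({
                    "dst": dst,
                    "port": port,
                    "start": events[i][0],
                    "sources": sorted(sources, key=ip_address),
                })
                i = j  # skip past the burst we just reported
            else:
                i += 1
    return clusters


def source_networks(clusters):
    """Count cluster sources per /24. A single dominant /24 is consistent with
    decoys forged from one on-net host, which narrows where to look next."""
    counts = defaultdict(int)
    for c in clusters:
        for src in c["sources"]:
            counts[str(ip_network(f"{src}/24", strict=False))] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_decoy_clusters(parse_log(SAMPLE_LOG))
    for c in found:
        print(f"{c['start']} {c['dst']}:{c['port']} sources={c['sources']}")
    print("sources per /24:", source_networks(found))
```

The window and source threshold are tuning knobs: a busy public host will see unrelated SYNs land close together by chance, so raise `min_sources` or require the same source set to recur across several ports before alerting.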
