On Sat, Jan 13, 2001 at 05:15:30PM +0200, Konstantinos Margaritis wrote:
> What makes me curious is the fact that no ip came from the same
> geographical area. Literally the ips resolved to machines from all the
> continents of the world! As if I was under global attack! :-)
> Of course these could be spoofed, but surely that is a really tough feat
> just for port-scanning.
Not really. nmap -D ip,ip,... will throw in packets from the decoy IPs you give, as well as ones with your own source address. (Otherwise it wouldn't be very useful...)

I personally never use any of the "secret" stuff to prevent detection in nmap. If someone notices, they can ask me to stop if they don't like it. Trying to hide your activities definitely makes you look bad if someone does notice. If you just use a simple connect() or half-open SYN-only scan, then you have every reason to claim you were just curious (especially if you were just curious). Why would you hide your tracks unless you were hoping to subsequently break in undetected?

Well, I guess an answer to that question might be if you wanted to find out something about a computer that some goof rigged up to do stupid stuff if it detected a port scan, or even traffic to ports it didn't like, or if you need to do something tricky to scan a machine through an annoying firewall. I've never been in that situation, so I've always just used the ordinary scans. They're faster and more reliable.

With that in mind, I'd be suspicious if I saw people doing FIN, null, or christmas-tree scans. (These are the stealth scans nmap can do, IIRC.) If I saw a connect() or SYN scan, I would be inclined to think that it was just casual curiosity.

I don't try to detect scans against my home computer on a cable modem, since I only run sshd, exim, and a few simple things. I have some firewall rules that block ports I don't want people to access, no matter what happens to the config files for the daemons. (e.g. netbios-* ports, in case I screw up and let Samba listen on 0.0.0.0, instead of just the internal IPs.) I'm not too concerned about attacks, since I'm not running anything very complicated.
I check on my log messages every now and then, though :)

BTW, I did think twice before admitting the above on a public list, but I'll take my chances :)

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces!" -- Plautus, 200 BCE
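The two things the reply above points at, telling FIN/null/christmas-tree probes apart from plain SYN or connect() traffic and spotting the "packets from every continent in the same instant" signature of nmap -D decoys, can be checked from firewall logs. The following is an added example, not code from the list thread or from nmap: it assumes log lines shaped like Netfilter LOG output (SRC=, DST=, DPT=, then the TCP flag names), uses constructed sample lines with documentation-range addresses, and treats "three or more sources sending the identical probe to the same port within one second" as a decoy heuristic of my own choosing.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Netfilter LOG output (not from the mail):
# 10.0.0.9 is the home box; four sources hit port 139 in the same second with
# identical SYN probes, the pattern that "nmap -D" decoys produce.
SAMPLE_LOG = """\
Jan 13 17:10:01 home kernel: IN=eth0 SRC=203.0.113.10 DST=10.0.0.9 PROTO=TCP SPT=51234 DPT=139 SYN
Jan 13 17:10:01 home kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.9 PROTO=TCP SPT=51234 DPT=139 SYN
Jan 13 17:10:01 home kernel: IN=eth0 SRC=192.0.2.44 DST=10.0.0.9 PROTO=TCP SPT=51234 DPT=139 SYN
Jan 13 17:10:01 home kernel: IN=eth0 SRC=203.0.113.200 DST=10.0.0.9 PROTO=TCP SPT=51234 DPT=139 SYN
Jan 13 17:10:05 home kernel: IN=eth0 SRC=203.0.113.10 DST=10.0.0.9 PROTO=TCP SPT=51235 DPT=22 FIN
Jan 13 17:10:06 home kernel: IN=eth0 SRC=203.0.113.10 DST=10.0.0.9 PROTO=TCP SPT=51236 DPT=22
Jan 13 17:10:07 home kernel: IN=eth0 SRC=203.0.113.10 DST=10.0.0.9 PROTO=TCP SPT=51237 DPT=22 FIN PSH URG
Jan 13 17:10:08 home kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.9 PROTO=TCP SPT=51238 DPT=80 SYN ACK
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "PSH", "URG", "RST"}
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP SPT=\d+ DPT=(\d+)(.*)$")
# First-packet flag sets of the nmap scan types the mail discusses.
SCAN_KINDS = {frozenset(): "null", frozenset({"FIN"}): "fin",
              frozenset({"FIN", "PSH", "URG"}): "xmas", frozenset({"SYN"}): "syn"}

def classify(flags):
    """Name the scan type whose probe carries exactly this flag set
    (a connect() scan and a half-open SYN scan look alike at this point)."""
    return SCAN_KINDS.get(frozenset(flags), "other")

def parse(line):
    """Pull source, destination, port and flag set out of one log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, dpt, rest = m.groups()
    flags = {tok for tok in rest.split() if tok in TCP_FLAGS}
    return {"ts": line[:15], "src": src, "dst": dst,
            "dport": int(dpt), "flags": flags, "kind": classify(flags)}

def analyze(log_text, decoy_threshold=3):
    """Return the stealth-scan events and any probe groups that look like decoys."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    stealth = [e for e in events if e["kind"] in ("fin", "null", "xmas")]
    sources = defaultdict(set)
    for e in events:  # identical probe, same port, same second, many sources
        sources[(e["dst"], e["dport"], e["kind"], e["ts"])].add(e["src"])
    decoys = {k: sorted(v) for k, v in sources.items() if len(v) >= decoy_threshold}
    return {"events": len(events), "stealth": stealth, "decoy_groups": decoys}
```

A decoy group tells you only that at most one of its sources is real; which one it is cannot be read from the log, which is exactly why the original poster saw addresses "from all the continents".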