Mike:
Hello! I'm sorry that my suggestions don't sound
appealing to you. It sounds like you found a potential
weakness in a VNC system, but are dis-inclined to gather
more data about the particulars. My experience with open
source projects over the years is that the person who calls
in the fire is often expected to help aim the hose. :)
Regarding those real-world nmap scans, and those
port-53 DNS scans (the Lion worm, was it?) that securityfocus.com
reported as originating in China somewhere...there is, from
my POV, a big difference. Certainly, I didn't mean to imply
that either of them is unimportant and shouldn't be worried
about. However, it is important IMO to distinguish between
the relative threat level, and that does include taking
stock of the frequency of occurrence.
Like you, I get keyhole scanned several times a day,
people looking for Sub-7 or RPC or whatever. In fact, my own
ISP scans me for running an NNTP server at least once a day. :)
Yet...I don't think I've ever been nmap'd into a denial of
service. Though there was that time when I unleased a Nessus
scan on my firewall from www.vulnerabilities.org, just to see
what'd happen. Ug.
Which gets to your original question: no, until your
post, I've never heard that Xvnc can be DoS'd with an nmap
scan. I'd be very much interested, as you would be, if that
could be confirmed. I don't run Xvnc here, so all the help
I can offer has been.
Good luck!
cheers,
Scott
On Thu, 17 May 2001, Mike Miller wrote:
> On Wed, 16 May 2001, Scott C. Best wrote:
>
> > > If I run nmap on another machine as follows:
> > >
> > > nmap -p 6001 host.machine
> >
> > Instead of running nmap on all those ports (the -p <number>,
> > without the number, scans all the low numbered ports <1024, plus any
> > that come with the nmap config files) have you tried just running it
> > against the 5801/5901 ports? That'd be interesting to see if it
> > crashed your Xvnc again.
>
> I haven't tried it, but I don't like to crash it. Maybe someone else can
> try it.
>
>
> > > This is a very serious problem because it means that a port scan will
> > > kill my VNC session. This has happened to me more than once, but I
> > > didn't realize it until I scanned myself. It means that anyone in the
> > > world can block my use of VNC.
> > >
> > > If there is some way I can protect myself, please let me know.
> >
> > Actually, in my experience, an nmap scan like this is rather
> > unlikely in the "real world".
>
> Like you, I'm in the "real world." It happens sometimes. If by
> 'unlikely' you mean that it doesn't happen often, I agree. If you mean
> "unlikely to happen ever," then I disagree. Lately I've been getting
> scans like this from China. As you suggested, they are not subtle. I
> monitor several machines, so almost nothing seems subtle to me. The fact
> that their activities are obvious doesn't seem to worry most of these
> attackers.
>
> Yes, I could put up a firewall.
>
> This brings me to my original question: Is port 60xx DoS attack a known
> VNC problem?
>
> (I'm not criticizing VNC.)
>
> Mike
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to [EMAIL PROTECTED]
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
