[66142] in North American Network Operators' Group


Re: Stopping ip range scans

daemon@ATHENA.MIT.EDU (jlewis@lewis.org)
Mon Dec 29 09:49:55 2003

Date: Mon, 29 Dec 2003 09:49:21 -0500 (EST)
From: jlewis@lewis.org
To: william@elan.net
Cc: nanog@nanog.org
In-Reply-To: <Pine.LNX.4.44.0312290326440.21468-100000@sokol.elan.net>
Errors-To: owner-nanog-outgoing@merit.edu


On Mon, 29 Dec 2003 william@elan.net wrote:

> Recently (this year...) I've noticed an increasing number of ip range scans 
> of various types that involve one or more ports being probed for our
> entire ip blocks sequentially. At first I attributed all this to various 

What ports are being probed?  SOP for script kiddies for at least 10 years 
has been find a box you can hack root on, install a vulnerability scanner 
for the remote-root vulnerability du jour, fire it up, and come back in a 
day or so to see what you've found.  Then hack the newly found vulnerable 
boxes, install the scanner on each of them, and repeat the process.  Some 
of these packages have done things like download the .com zone (back when 
F allowed this) and scan all NS's for bind vulnerabilities.  Others just 
pick a random IP and scan sequentially higher IPs.  More recently, some 
packages have combined the scanning and hacking.

If you don't want the scans, block everything you don't want at your
router.  Otherwise, just make sure your systems are up to date.  A common
OS with unpatched known remotely exploitable holes doesn't last long on an
unfiltered internet connection.

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |  
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
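
Added example, not part of the original message or written by either poster: one way to spot the sequential single-port sweeps discussed in this thread from firewall deny logs. The iptables-style log format, the thresholds and all addresses (RFC 5737 documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed iptables-style log format; adapt the regex to your own logs.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")

def find_sweeps(lines, block, min_hosts=8, seq_ratio=0.8):
    """Return {(src, dport): {"hosts": n, "sequential": bool}} for sources that
    probed at least min_hosts distinct addresses of `block` on one port."""
    net = ipaddress.ip_network(block)
    seen = defaultdict(list)  # (src, dport) -> destinations in arrival order
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), ipaddress.ip_address(m.group(2)), int(m.group(3))
        if dst in net and int(dst) not in seen[(src, dport)]:
            seen[(src, dport)].append(int(dst))
    report = {}
    for key, dsts in seen.items():
        if len(dsts) < min_hosts:
            continue
        # Share of consecutive probes that moved to the next-higher address.
        steps = sum(1 for a, b in zip(dsts, dsts[1:]) if b - a == 1)
        report[key] = {"hosts": len(dsts),
                       "sequential": steps / max(len(dsts) - 1, 1) >= seq_ratio}
    return report

def sample_log():
    # Constructed log lines, not taken from any real network.
    lines = []
    for i in range(1, 21):  # one source walking 192.0.2.1..20 on tcp/445
        lines.append(f"IN=eth0 SRC=198.51.100.7 DST=192.0.2.{i} PROTO=TCP SPT=4000 DPT=445")
    for i in (9, 200, 33, 71, 150, 5, 88, 120, 64):  # scattered probing on tcp/22
        lines.append(f"IN=eth0 SRC=203.0.113.9 DST=192.0.2.{i} PROTO=TCP SPT=4001 DPT=22")
    # A single connection from an ordinary client; must not be flagged.
    lines.append("IN=eth0 SRC=203.0.113.50 DST=192.0.2.10 PROTO=TCP SPT=5000 DPT=80")
    return lines

if __name__ == "__main__":
    for (src, port), info in find_sweeps(sample_log(), "192.0.2.0/24").items():
        print(src, port, info)
```

The `sequential` flag separates the "scan sequentially higher IPs" pattern from scattered probing; both are reported once a source touches `min_hosts` distinct addresses on one port.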

