[SGVLUG] Who is that knocking on my ports?

Claude Felizardo cafelizardo at gmail.com
Mon Jan 12 18:40:25 PST 2009


On Mon, Jan 12, 2009 at 5:50 PM, John E. Kreznar <jek at ininx.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> "Emerson, Tom \(*IC\)" <Tom.Emerson at wbconsultant.com> writes:
>
>>    3) generate, in real time, an e-mail report of the breakin attempt --
>> one e-mail per attempt :)
>
> Another thing you can do is launch an nmap scan against the offending
> address.  This has often enough led to prompt cessation of the attack
> that I think it's actually sometimes noticed on the other end in real
> time.
>
> - --
>  John E. Kreznar jek at ininx.com 9F1148454619A5F08550 705961A47CC541AFEF13

That might work if the hacker is sitting at the console of the machine
he is attacking you from, but what if he's doing multiple hops:
attacker -> intermediate host(s) -> you.  If you launched your nmap
scan you'd be scanning the last host before you and not him.  What if
that host is at a government facility that doesn't know it has been
compromised yet?  That port scan from you would definitely get their
attention.

As for my previous suggestion of a honeypot, I meant something more
like a network tarpit.  The idea is that you let the client think it
has a connection, but your server doesn't complete the three-step process
of opening a connection.  The TCP stack on the attacker's machine is
held up waiting for acks which it will never get, or is told to slow
down.  The overall effect is that you slow down the probe rate.

http://en.wikipedia.org/wiki/Tarpit_(networking)

Looks like the original implementation handled SMTP but could you get
it to work with SSH or any other TCP program?

claude
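On the question of getting a tarpit to work with SSH: the following is an added example, not code from this thread or from the tarpit implementation Claude refers to. It takes a different approach from the TCP-level trick described above (holding the handshake with missing acks or a tiny window, which needs raw socket or kernel support): instead it works at the application layer, on the assumption that RFC 4253 section 4.2 lets an SSH server send arbitrary CRLF-terminated lines that do not begin with "SSH-" before its real version banner, and that a connecting client will sit and read them waiting for the banner. The function names, the port, and the delay values are choices made here for the example; the lines it emits are constructed junk.

```python
"""Toy SSH tarpit (added example): trickle pre-banner lines to hold clients.

Assumption (RFC 4253 section 4.2): an SSH server may send lines before its
"SSH-2.0-..." version line; each is CRLF-terminated, must not start with
"SSH-", and should stay under 255 bytes.  A client that has completed the
TCP handshake keeps reading these while waiting for the real banner, so
sending one every LINE_DELAY seconds keeps each connection open for as
long as the client is willing to wait.  This holds brute-force bots that
open full connections; a bare SYN scan never finishes the handshake and
is not affected.
"""
import asyncio
import random
import string

LINE_DELAY = 10.0   # seconds between lines; short enough that clients do not time out
MAX_LINE_LEN = 32   # well under the 255-byte limit from RFC 4253


def tarpit_line(rng=None):
    """Return one junk pre-banner line an SSH client will read and discard."""
    rng = rng or random.Random()
    length = rng.randint(3, MAX_LINE_LEN)
    alphabet = string.ascii_letters + string.digits + "-"
    body = "".join(rng.choice(alphabet) for _ in range(length))
    if body.startswith("SSH-"):      # never look like the real version line
        body = "x" + body[1:]
    return body.encode("ascii") + b"\r\n"


async def _tarpit_session(reader, writer, delay, rng, max_lines):
    """Serve one client; return how many lines it sat through before leaving."""
    peer = writer.get_extra_info("peername")
    loop = asyncio.get_running_loop()
    start = loop.time()
    sent = 0
    try:
        while max_lines is None or sent < max_lines:
            writer.write(tarpit_line(rng))
            await writer.drain()         # raises ConnectionError once the client gives up
            sent += 1
            await asyncio.sleep(delay)
    except (ConnectionError, asyncio.CancelledError):
        pass
    finally:
        held = loop.time() - start
        print(f"{peer}: held for {held:.1f}s over {sent} lines")  # defender's log line
        writer.close()
    return sent


async def serve_tarpit(host="127.0.0.1", port=2222, delay=LINE_DELAY,
                       max_lines=None, seed=None):
    """Start the tarpit listener; max_lines=None means hold clients indefinitely."""
    rng = random.Random(seed)

    async def on_connect(reader, writer):
        await _tarpit_session(reader, writer, delay, rng, max_lines)

    return await asyncio.start_server(on_connect, host, port)


async def _demo(delay, lines):
    # Constructed local round trip: server and client in the same process.
    server = await serve_tarpit(port=0, delay=delay, max_lines=lines, seed=1)
    port = server.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    received = [await reader.readline() for _ in range(lines)]
    writer.close()
    await writer.wait_closed()
    server.close()
    await server.wait_closed()
    return received


def demo_client_view(delay=0.01, lines=3):
    """Run the tarpit locally and return the raw lines a connecting client sees."""
    return asyncio.run(_demo(delay, lines))


if __name__ == "__main__":
    for line in demo_client_view():
        print(line)
```

Run as-is it only talks to itself on a loopback port; to use it for real, run `serve_tarpit` on a spare port and redirect unwanted SSH traffic there, keeping the actual sshd elsewhere. The one check worth doing first is that your legitimate clients never reach the tarpit port, since they would hang just as well as a bot.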

