On Mon, Mar 03, 2003 at 11:26:38PM -0600, Kevin Hodle wrote:

> With most broadband providers, this is an obsolete method of port
> scanning. Broadband companies like comca$t have very strict egress
> filters,

Obsolete? Hardly. While many broadband and dialup providers have finally implemented some form of egress filtering, most aren't what I would consider "very strict". Usually attackers can at least spoof any IP on the same class C. My ATT cable modem can spoof a range of literally thousands of IPs. And that is all that matters for many users who are simply trying to camouflage their exact IP.

Sure, many cable modem/DSL/dialup users can't spoof entirely arbitrary IP addresses directly, but they often can do that from the first corporate/university/Korean box that they own. And those boxes likely have superior bandwidth for scanning anyway.

Of course, I don't advocate compromising systems or even using decoys to hide scanning activity. I proudly perform virtually all of my Nmap scanning from my own networks, and rarely receive complaints. This is because I try to keep the scans unintrusive and targeted (not millions of machines). I also get consent first where practical.

And for those who insist on spoofed scans, at least consider the new Nmap Idlescan technique described at http://www.insecure.org/nmap/idlescan.html . It is much sexier than decoys, and also more stealthy. Of course it is slower than decoys, but you can't have everything!

Cheers,
Fyodor
http://www.insecure.org/
This archive was generated by hypermail 2b30 : Tue Mar 04 2003 - 08:56:26 PST