I'm inclined to agree with these folks ... I would rather think that TARPIT would be more apropos to what you would like ... further it would at least make that scan a longish one ... although I suppose that would depend on the scanning software being used..... as well as the true skill level of the scanner.

Keep in mind that although there are a lot of script kiddies out there, there are still some folks with more skill than good graces or brains, and they will manage to do something with whatever you give them ...

(Gotta love DROP ... )

Alistair

On January 17, 2003 10:26 am, Ranjeet Shetye wrote:
> if a spammer locates 2 people with MIRROR on, and sends spam to A while
> spoofing B's address as source, you've got disaster on hand.
>
> if you really piss off an intelligent spammer (is there such a thing ?),
> he/she might set you up by spoofing your IP to N other MIRROR sites,
> effectively forcing you to execute a DDoS on yourself.
>
> Be careful what you wish for :D
>
> Ranjeet.
>
> On Sat, 2003-01-18 at 00:27, Linux wrote:
> > That's a very good point.
> >
> > Hmmm... More thinking needed.
> >
> > Linux_303
> >
> >
> > ----- Original Message -----
> > From: "SBlaze" <dagent.geo@yahoo.com>
> > To: "Linux" <linux@usermail.com>
> > Sent: Friday, January 17, 2003 12:22 PM
> > Subject: Re: Fighting back
> >
> > > I think it's safe to say we would all like to give a little back to
> > > those who repeatedly bombard us with useless scans... What you want
> > > to do can "theoretically" be done with the MIRROR jump. Should it be
> > > done? Probably not. Once an attacker learns they are in a sense
> > > scanning themselves.... they can easily go about some sort of
> > > spoofing method in which the SRC IP is a target as opposed to
> > > himself. You could easily find yourself a man in the middle of a DOS
> > > attack against someone.
> > >
> > > I wouldn't do this... but hey it's up to you
> > >
> > > SBlaze
> > >
> > > --- Linux <linux@usermail.com> wrote:
> > > > Hello all,
> > > >
> > > > I feel that rpc and netbios scans to my network from the outside
> > > > are an obvious attempt to see what I have open, and I'm sure all
> > > > of you would agree.
> > > >
> > > > Because I run NFS only via my internal network, there are no
> > > > machines that would connect via my external interface. I am going
> > > > to institute a rule that will cause a person scanning on ports
> > > > 32770:32789 and 137 to redirect and scan the ports on the src IP
> > > > address. In essence, anyone scanning me, will be basically
> > > > scanning themselves.
> > > >
> > > > All I am asking is for some input to this and whether it is a good
> > > > idea or not.
> > > >
> > > > Thank you,
> > > >
> > > > Linux_303
> > >
> > > =====
> > > "No touchy NO TOUCHY! Emperor Kuzko -=Emperor's New Groove=-"