-
help with port scan
Over the weekend I have seen hundreds of smurf, syn and ack scans from an ip address that belongs to AOL. I have taken measures on my end to reduce the threat from this address but the scans are still proceeding.
I don't want to start attacking that address since it might just be a kid (with no clue) running nmap. Does anyone have a "Nice way" to inform a potential attacker that I know who they are and they should stop their activities?
-
maybe setup a fake telnet using something like netcat.
when that person tries to telnet, they will get the message:
"I know who you are, you little fu*&! Stop scanning me!"
You can even display their ip addy and whatnot, depending on how much you want to script.
I believe tedob1 or korpdeth had it already made up, instructions and all, sample scripts etc.
I'll see if I can find them for you.
Found them. Have a look at these tutorials, modify them to fit your needs.
NetCat Part I - Tedob1
NetCat Part II - Tedob1
NetCat Part III - Tedob1
NetCat Part IV - Tedob1
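
The fake-listener idea from the reply above, sketched as an added example (not part of the original thread or the linked tutorials). It uses a Python socket instead of netcat so it also runs on Windows; the notice wording, function names and the loopback self-test are assumptions made for illustration.

```python
import socket
import threading
from datetime import datetime, timezone

# Constructed notice text (an assumption); adjust the wording to your own policy.
NOTICE = ("Connection from {ip}:{port} logged at {ts}. "
          "Unauthorized scanning is reported to your ISP.\r\n")

def build_banner(ip, port, ts):
    """Render the notice shown to whoever completes a TCP connection."""
    return NOTICE.format(ip=ip, port=port, ts=ts).encode("ascii")

def open_listener(host="127.0.0.1", port=0):
    """Bind the decoy listener; port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(5)
    return srv

def serve_once(srv, log, timeout=5.0):
    """Accept one connection, send the banner, record the peer, close.
    Nothing sent by the client is read or acted on."""
    srv.settimeout(timeout)
    conn, (ip, port) = srv.accept()
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with conn:
        conn.settimeout(timeout)
        conn.sendall(build_banner(ip, port, ts))
    log.append({"ip": ip, "port": port, "time": ts})
    return log[-1]

def demo():
    """Loopback self-test: connect to the decoy and return (banner, log)."""
    srv = open_listener()
    log = []
    worker = threading.Thread(target=serve_once, args=(srv, log))
    worker.start()
    with socket.create_connection(srv.getsockname(), timeout=5) as client:
        data = b""
        while chunk := client.recv(1024):
            data += chunk
    worker.join()
    srv.close()
    return data.decode("ascii"), log

if __name__ == "__main__":
    banner, entries = demo()
    print(banner, entries)
```

Only a client that completes the TCP handshake sees the banner or appears in the log; SYN and ACK scans never reach `accept()`, so the firewall log remains the record for those.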
-
If the address is always the same I'd just drop a line to [email protected]
Otherwise just block the address.
What OS are you using - Linux by any chance - Use iptables with mirror - that'll fox 'em
Steve
-
steve.milner: I've been doing some reading up on mirroring using iptables... you might want to have a look at this, to make sure you're configured properly. Hopefully you've already seen this... but just in case... and for those who are thinking about setting it up.
http://www.netfilter.org/security/20...22-mirror.html
-
phishphreek80: Thanks for the links. I will check out netcat. I am using MS OS so I might be limited.
Contacted AOL, no reply. But blocked IP at firewall and bandwidth does not seem to be affected. I'll post an update once I have anything interesting to share.
Again, thanks for the help
-
Sounds like my reply is after the fact, but here goes...
The other obvious option is to notify your own ISP and see if they will deal with AOL. The response you get from them can vary widely, depending on your provider. I would definitely not attack the IP though...you're right, it could be a kid or a newcomer playing with scanning tools, or it could be someone's grandma with an owned/zombie'd box.
-
Zencoder - see that little flashing date in the post just above yours? That means this thread has gone stale - yes, you were just over a year late in responding. Please check the dates before you post.