Hi,
On a recent thread about ARP, I put forward that the host only subnet mask 255.255.255.255 should prevent someone sniffing traffic on your subnet. I may be wrong and look forward to being corrected if this is not the case.
However, this led me on to think. How do hackers detect home PCs which are using ISPs? I guess there were two levels to that thought: 1) why are the ISPs allowing scanning traffic through, and 2) how does the scan work?
I played around a little bit with ping trying to see if it would pick up any other IP addresses by incrementing and decrementing the last 32 bits of my IP address. This did produce a curious response i.e. in some cases I got 'host unreachable' whereas in others I got a time out response.
This made me think that possibly the host existed but either a personal firewall on the host or the ISP sent a time out packet as a standard response to unwanted pings. If this was the case, then every time I got a time out, it would suggest that this might be a PC. A hacker would then potentially be able to map these PCs and possibly, by scanning reasonably frequently, get a delta-over-time picture of who was attached on a permanent basis to the network and who drops on and off.
Clearly the former would be more interesting than the latter in terms of then trying to penetrate and trojanise to create a zombie net.
A UDP scan might also be needed to confirm results (especially since some personal firewalls at least would respond more positively (or negatively???) to this kind of scan). A more intrusive attack would be to try and connect to these potential hosts using telnet, especially to non-standard ports (likely to light up the personal firewall like a Christmas tree), or simply keep scanning until you find someone dumb enough not to have a personal firewall before doing anything.
The question then becomes how can I prevent this kind of scanning activity or at least make the responses less meaningful. I would suggest that one way which would be available to someone using an open source firewall would be to re-program it to give a destination unreachable response to any unwanted pings or UDP-based tracert activity. However, this doesn't help with pre-packaged commercial firewalls? Any suggestions on customisation of host/port stealthing?
But I think ultimately we should be making ISPs responsible to prevent scanning activities by reporting them and requiring blackballing of any repeat offenders (SYNNERS REPENT!)
What really puzzles me however is why, having detected my client and presumably discovered that I have a pretty reasonable personal firewall (Norton Symantec plus a bit of customisation of my own), repeated attempts are made to trojanise my PC (normally the Bla trojan). Is this just automation gone wild or is someone really that dumb?
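The post above speculates that a ping sweep across neighbouring addresses is what maps home PCs and asks how to make such probes less useful. One defensive counterpart is to spot the sweep in the firewall's own drop log: a single source touching many distinct hosts within a short window. The following is an added example, not code from the original post or from any firewall product; the log format and the sample lines are constructed (hypothetical), and the addresses come from the RFC 5737 documentation ranges.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample log in a hypothetical personal-firewall format (RFC 5737 addresses):
# 203.0.113.7 pings five hosts within seconds; 203.0.113.9 pings one every five minutes.
SAMPLE_LOG = """\
2001-03-04 22:15:01 DROP ICMP 203.0.113.7 -> 198.51.100.20 type=8
2001-03-04 22:15:01 DROP ICMP 203.0.113.7 -> 198.51.100.21 type=8
2001-03-04 22:15:02 DROP ICMP 203.0.113.7 -> 198.51.100.22 type=8
2001-03-04 22:15:02 DROP ICMP 203.0.113.7 -> 198.51.100.23 type=8
2001-03-04 22:15:03 DROP ICMP 203.0.113.7 -> 198.51.100.24 type=8
2001-03-04 22:15:10 DROP ICMP 203.0.113.9 -> 198.51.100.20 type=8
2001-03-04 22:20:10 DROP ICMP 203.0.113.9 -> 198.51.100.21 type=8
2001-03-04 22:25:10 DROP ICMP 203.0.113.9 -> 198.51.100.22 type=8
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ \w+ "
                     r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+)")

def parse_log(text):
    """Yield (timestamp, src, dst) for each line matching the format; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["dst"]

def detect_sweeps(text, window_seconds=60, min_targets=5):
    """Map each source that probed >= min_targets distinct hosts within one
    window_seconds-long sliding window to the sorted list of hosts it touched."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_src[src].append((ts, dst))
    window = timedelta(seconds=window_seconds)
    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        in_window, left = Counter(), 0  # dst -> hits inside the window, window start
        for ts, dst in events:
            in_window[dst] += 1
            while events[left][0] < ts - window:  # evict events older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets:
                sweeps[src] = sorted({d for _, d in events})
                break
    return sweeps
```

Run against the sample, only 203.0.113.7 is reported as sweeping; the slow source is caught only if the window is widened (e.g. an hour) and the threshold lowered, which is the trade-off to tune for the "scan reasonably frequently" case the post describes.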