Re: Attack attempts from 195.86.128.45

From: Fred van Engen (fred.van.engen_at_xbn.nl)
Date: 05/13/03

    Date: Tue, 13 May 2003 23:34:52 +0200
    To: Rune Kristian Viken <arcade@kvinesdal.com>
    
    

    Hi,

    On Tue, May 13, 2003 at 10:12:53AM +0200, Rune Kristian Viken wrote:
    > This, quite frankly, is blatant abuse of other people's bandwidth. If I
    > read your post correctly, you're scanning _all ports_, 10.000 ports at a
    > time. 60 bytes goes to the SYN, 60 bytes to the SYN/ACK, 52 more bytes to
    > the ACK. Then the actual data needed to be sent to determine whether it is
    > a socksproxy, wingate or whatever ... I'll guesstimate at least 100bytes
    > more in each direction, plus the FIN/ACK packets, which means another 52
    > bytes in each direction. This means something in the range of 260bytes
    > incoming per port. 260 * 10.000 = 260.000 bytes per 'increment' of your
    > scan, per IP.
    >

    For closed ports, that will be just an incoming SYN and an outgoing RST.
    Most ports are closed, so the average amount of data sent will be a SYN
    and RST only. That's 60 incoming bytes, or even less if I'm correct.

    > Now, I used to have a 33k6bps always-on connection, with a /27 IP-range.
    > This means your abusive scanning would waste 32*260.000 = 8.3MB for every

    They scan only IP addresses that sent them mail, which is none of your
    addresses if you use your ISP's mail server, or just one if you use your
    own.

    > 'increment' of your scan. If I still had that 33k6 connection, I would get
    > 3.5kb/s incoming .. amounting to you wasting 40 minutes of my total
    > bandwidth for every increment of your self-righteous scanning.
    >

    That would be 1*60*10.000 bytes over your 3.5KB dial-up line, which
    probably even used data compression and TCP header compression. That is
    well below 20 seconds for the 10.000 port scan. And then you're assuming
    a connection that is not very likely for people running a mailserver
    without smarthost.

    > This pain is not acceptable.
    >
    > Your scanning is quite frankly worse than most spammers - for a lot of
    > people. The argument for running blocklist is that spammers waste
    > bandwidth. You waste FAR more bandwidth for a lot of people. This is a
    > typical example of the 'cure' *killing* the patient instead of helping.
    >

    Bandwidth is not the only problem. Annoyed people is another good
    argument.

    Regards,

    Fred.

    -- 
    Fred van Engen                              XB Networks B.V.
    email: fred.van.engen@xbn.nl                Televisieweg 2
    tel: +31 36 5462400                         1322 AC  Almere
    fax: +31 36 5462424                         The Netherlands