Re: What is the Pattern here ?
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: Wed, 04 Aug 2004 21:37:59 -0500
In article <2FVPc.170589$OB3.firstname.lastname@example.org>,
>> -D <decoy1 [,decoy2][,ME],...>
>> Causes a decoy scan to be performed which makes it appear
>Interesting tool, not something I think I need but I like to check it
>out anyway, thanks
There have been win32 versions for at least several of the last releases.
>If they are Honeypots they are broken.
>Why are they actively probing me ? I didn't probe them and many times I
>ignore them for hours before I check them out.
How do you know they aren't being spoofed, and you are doing the "attack"
of their real target for them.
>I wonder if the Web Accelerators that are nothing more than Servers are
>being abused by Spammers.
Given that nearly all dialup hosts are run by people who shouldn't be using
a computer - I'd certainly believe it. Last I looked at my spam email logs,
a third of the spam was coming from r00ted windoze boxes on Comcast and
ATT, and only a tiny fraction from professional spam servers in .cn, .it,
>I should have added that was true but MS leaving the door open
>by default deserves some of the blame too.
They are just doing what the sheep that buy it want. A _very_ large
percentage of windoze users don't want to know anything, and even the
smallest security function that gets in the way of these fools clicking
on some icon (about half of which don't even know what the icon means),
annoys them. That's why microssoft has included the options of "remember
my password", and open (or install) everything by default without asking
me stupid questions. It's obviously an enormous security hole, but the
sheep don't know (or want to know) or care.
>No but I have a rule for each one to give me more info on my searches
>for that service.
>I use a Block All at the end of the Rules List and all the other Trojan
>Rules are just notes for general info.
Why bother? Block the stuff and ignore it.
>I could delete the whole Trojan list and it wouldn't make any difference
No, but it would waste a lot less of your time, CPU cycles, and disk space.
>Sorry, I wrote PCTool and meant PCAnywhere (I don't use it much).
>I don't run ANY tools from a Website and mostly use a Dos Batch File.
Are you sure about that? You might want to run a sniffer while using
those tools, and see where the packets are going. Remember, 53 is DNS,
and 43 is whois. Neither service is found on port 80 of some server.
>I allow it for my ISP only at the moment but am still undecided about
>that as I can block that with no effect.
>I've read pros and cons on it and haven't made up my mind about it.
NSA recommends denying echo, redirect, and netmask, and allowing the rest.
http://www.nsa.gov/snac/index.html. I disagree, suggesting that you allow
0, 3, 4 and 11 INBOUND, 3, 4, and 8 OUTBOUND, while denying all else. Some
may consider type 4 (Source Quench) as undesirable (possible DOS). YMMV
>The Port 443 I block.
[compton ~]$ grep -w 443 rfcs/port-numbers
https 443/tcp http protocol over TLS/SSL
https 443/udp http protocol over TLS/SSL
Inbound, I'd agree, as you are not running a Secure web site, but
>I always use a Block all except when adding a new App that requires a
>lot of rules.
That's the difference in philosophy between a so-called personal firewall
and a real firewall box. We don't worry about applications needing
specific access, because we only look at the service and protocol involved.
We also don't install rogue applications.
>> Are you saying 'Block All' doesn't mean Block _ALL_ ??? What happens if
>> someone sends you a protocol Type 2 (IGMP) or Type 92 (MTP) packet? Does
>> your firewall toss up its hands and go into the corner to cry?
>No the Block All (UDP/TCP) works.
[compton ~]$ egrep '(icmp|tcp|udp)' /etc/protocols
icmp 1 ICMP # internet control message protocol
tcp 6 TCP # transmission control protocol
udp 17 UDP # user datagram protocol
That's great, but protocol 6 is not protocol 17, is not protocol 2 or any
of the other 135 protocols that can be carried in an IP frame. See
>Without the Block All and the Rules Assistant on sometimes a UDP drops
>through the list and no action is logged.
As long as it's dropped, and no one on the inside of the firewall is
complaining about broken services, then that's fine.
>> Why do you care? The firewall blocked it. Anything else you may do is
>> just wasting CPU cycles, and not providing a useful service to you.
>Why not have a info box to list what uses that service both good and bad ?
If you have nothing better to do than to look at each and every packet you
see - that's fine. People like me don't have time for that.
>Just like some Files when you click Properties and you get the info Tab.
You forget that not all of us are running windoze. This system doesn't have
a single icon, menu bar, or similar in sight. Or do you think those commands
I've been showing are from some exotic section of windoze that you haven't
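The two points above about what a "Block All (UDP/TCP)" rule does and does not cover, and the ICMP type policy suggested earlier in the post, as an added example that is not part of the original post or of any tool it mentions. The protocol numbers are the standard assignments (the three /etc/protocols lines are the ones quoted in the post); the packets and the policy functions are constructed for illustration.

```python
# Added example (not from the original post): a toy packet-policy checker
# that mirrors two points made in the thread.
#  1. A "Block All" rule written only for TCP (proto 6) and UDP (proto 17)
#     says nothing about the other IP protocol numbers (IGMP is 2, MTP is 92),
#     so such packets fall through the rule unmatched.
#  2. The ICMP policy suggested in the post: allow types 0, 3, 4, 11 inbound
#     and 3, 4, 8 outbound, deny every other ICMP type.
# The /etc/protocols lines are the ones quoted in the post; the packets are
# constructed sample input.

from dataclasses import dataclass
from typing import Optional

# The three lines that egrep pulled out of /etc/protocols in the post
PROTOCOLS_SAMPLE = """\
icmp 1 ICMP # internet control message protocol
tcp 6 TCP # transmission control protocol
udp 17 UDP # user datagram protocol
"""

def parse_protocols(text: str) -> dict:
    """Parse /etc/protocols-style lines into {name: number}, ignoring comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, number, *_ = line.split()
        table[name] = int(number)
    return table

PROTO = parse_protocols(PROTOCOLS_SAMPLE)
ICMP, TCP, UDP = PROTO["icmp"], PROTO["tcp"], PROTO["udp"]
IGMP, MTP = 2, 92   # the two protocol numbers the post asks about

# ICMP types from the post (allow-list; everything else is denied)
ICMP_ALLOW_IN = {0, 3, 4, 11}   # echo reply, dest unreachable, source quench, time exceeded
ICMP_ALLOW_OUT = {3, 4, 8}      # dest unreachable, source quench, echo request

@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" or "out"
    protocol: int                   # IP protocol number
    icmp_type: Optional[int] = None # only meaningful when protocol == ICMP

def naive_block_all(pkt: Packet) -> str:
    """A 'Block All (UDP/TCP)' rule as described in the thread: it matches
    protocols 6 and 17 only, so anything else falls through unmatched."""
    if pkt.protocol in (TCP, UDP):
        return "block"
    return "no-match"

def icmp_policy(pkt: Packet) -> str:
    """Apply the ICMP allow-list from the post. Non-ICMP traffic hits a
    default deny, so no protocol number falls through."""
    if pkt.protocol != ICMP:
        return "deny"
    allowed = ICMP_ALLOW_IN if pkt.direction == "in" else ICMP_ALLOW_OUT
    return "allow" if pkt.icmp_type in allowed else "deny"

def evaluate(packets):
    """Return (packet, naive verdict, allow-list verdict) for each packet."""
    return [(p, naive_block_all(p), icmp_policy(p)) for p in packets]

SAMPLE = [  # constructed packets
    Packet("in", TCP),
    Packet("in", IGMP),       # protocol 2: the naive rule never sees it
    Packet("in", MTP),        # protocol 92: same
    Packet("in", ICMP, 8),    # inbound echo request: denied by the post's policy
    Packet("in", ICMP, 0),    # inbound echo reply: allowed
    Packet("out", ICMP, 8),   # outbound echo request: allowed
    Packet("in", ICMP, 5),    # redirect: denied
]

if __name__ == "__main__":
    for p, naive, strict in evaluate(SAMPLE):
        print(f"{p.direction:>3} proto={p.protocol:<3} type={p.icmp_type!s:<4} "
              f"naive={naive:<8} strict={strict}")
```

Running it shows the IGMP and MTP packets coming back as "no-match" from the TCP/UDP-only rule while the default-deny policy handles them, which is the point about protocol 6 not being protocol 17 or 2.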