
Re: [cobalt-security] Scan detection



On Mon, Aug 12, 2002 at 11:26:10AM -0500, Frank Smith wrote:
> --On Monday, August 12, 2002 09:07:20 -0700 Paul Jacobs 
> <paul@xxxxxxxxxxxxxxxxxx> wrote:
> 
> >Why is it that after SUN'S new "TCP Hardening" patch and the 8+ new
> >services running on my box now that when you go to "Action Against Detected
> >Scans" and select "Log and Block" you get a message saying "if you enable
> >this option you will be open to DOS attacks!"?
> 
> Because if someone scans your box using forged source addresses, you will be
> blocking the forged addresses, which just might happen to belong to your
> customers.  If they forge the IPs to be those of the relatively few AOL
> proxies, for example, then the scan could cause you to block everyone from AOL.

I've written a PHP class which may be of use in situations like this. It's
available at http://pear.php.net/package-info.php?pacid=55 or you can
try it yourself at http://www.inetix.com.au/code/test_netgeo.php.

Basically the script accepts an IP number as input and in return gives
you geographical information about the IP number as well as some admin
information.  Obviously it can't show you an individual associated with
an IP number but it'll help you determine whether the IP is spoofed or
not.

Cheers,
 Graeme
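
An added example, not code from this thread or from the Cobalt appliance, showing the two safeguards Frank's point calls for in an auto-block feature: never block addresses inside protected networks (customers, shared proxies), and suspend blocking when many distinct "scanners" show up in a short window, since that pattern fits forged source addresses better than real ones. The log line format, the protected ranges and the addresses are constructed for the example.

```python
import ipaddress
import re
from collections import deque

# Constructed log format for this example (not the appliance's own):
#   "<epoch-seconds> scan src=<ipv4>"
LOG_RE = re.compile(r"^(\d+) scan src=(\S+)$")

class ScanBlocker:
    """Auto-block decisions with safeguards against forged-source scans.

    Addresses inside `protected_nets` are logged but never blocked. If more
    than `max_sources` distinct sources appear within `window` seconds,
    blocking is suspended and further hits are logged only."""

    def __init__(self, protected_nets, max_sources=5, window=60):
        self.protected = [ipaddress.ip_network(n) for n in protected_nets]
        self.max_sources = max_sources
        self.window = window
        self.recent = deque()   # (timestamp, ip) of recently seen sources
        self.blocked = set()    # addresses this instance chose to block

    def decide(self, ts, src):
        """Return 'block', 'log-only:protected' or 'log-only:suspended'."""
        ip = ipaddress.ip_address(src)
        self.recent.append((ts, ip))
        while ts - self.recent[0][0] > self.window:   # drop stale entries
            self.recent.popleft()
        if any(ip in net for net in self.protected):
            return "log-only:protected"
        # Protected hits still count here: a burst of many sources, some of
        # them customer addresses, is itself a sign of spoofing.
        if len({a for _, a in self.recent}) > self.max_sources:
            return "log-only:suspended"
        self.blocked.add(ip)
        return "block"

def process_log(lines, blocker):
    """Feed scan-detection lines through the blocker; skip non-scan lines."""
    decisions = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            decisions.append((m.group(2), blocker.decide(int(m.group(1)), m.group(2))))
    return decisions

SAMPLE_LOG = [  # constructed: one real scanner, one customer, then a burst
    "1029170770 scan src=203.0.113.7", "1029170771 scan src=198.51.100.20",
    "1029170772 scan src=192.0.2.1", "1029170772 scan src=192.0.2.2",
    "1029170773 scan src=192.0.2.3", "1029170773 scan src=192.0.2.4",
    "1029170774 scan src=192.0.2.5",
]

def demo():
    return process_log(SAMPLE_LOG, ScanBlocker(["198.51.100.0/24"], 5, 60))
```

With a cap of five sources per minute, the first three non-customer hits are blocked, the customer address is only logged, and the burst trips the suspension so the remaining sources are logged rather than blocked.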