I don't think it's so scary.  I get scanned several times a day from
different IP's.  The key here is that we can tune our IDS's to look for
gnutella.  Remember that duping people takes people skills, but using
script kiddie tools takes none.

What's scary is SecurityFocus's analysis of the protocol.  Those
theoretical exploits combined with distributed scanning and footprinting
get scary.

tack

On Thu, 31 May 2001, Sach Jobb wrote:

> Tack, that is outright scary.
>
> On Thu, 31 May 2001, Erik Curiel wrote:
>
> >
> > Well, shit, even if no one else is doing it yet, it sounds like a pretty
> > good idea to me!  I say we do it.
> >
> > E
> >
> > On Thu, 31 May 2001, Daniel Trudell wrote:
> >
> > > ok, so maybe this could be called "entry n in the diary of a
> > > /var/log/messages junkie"
> > >
> > > Gnutella's port is 6346.  As a brief refresher....gnutella is like napster
> > > with no central server.  every peer is also a search server.
> > >
> > > So anyway....it's fairly distributed, and you can make your own client,
> > > seeing as how the protocol is open source.  Well, a common way to beat
> > > intrusion detection is to do each probe from a separate IP.  I've started
> > > to see denied packets (oh miraculous tcpwrappers, I worship thee) in my
> > > logs with a source port of 6346 (gnutty) and high level dest ports
> > > corresponding to various proxy servers.
> > >
> > > So with enough paranoia, tequila and inference it becomes possible that
> > > people are using gnutella to distribute the sources of sweeps and scans,
> > > thereby beating IDS's.  It is also possible that a gnutty client out there
> > > has a very aggressive discovery phase implementation.
> > >
> > > Anybody noticed anything similar?  It seems much more efficient than
> > > cracking boxen to launder identity...dupe people into running your scanner
> > > in the background by giving them trojaned gnutella clients...or at least
> > > superimposing your probe on top of a gnutella request.
> > >
> > > tack
> > >
> > > -------------------------------------------------------
> > > "My Penguin style Kung-Fu will beat your Redmond style"
> > >
> > >
> >
> >
>
>

-- 
"My Penguin style Kung-Fu will beat your Redmond style"
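
The log correlation discussed in this thread, as an added example that is not part of the original messages: instead of counting probes per source IP, it groups denied packets by the shared source port 6346 and flags destinations probed on proxy ports from several different addresses. The log line layout (simplified ipchains-style kernel deny lines), the proxy port list, the threshold and all sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

GNUTELLA_PORT = 6346
# Assumption: common proxy listener ports; the thread only says "proxy servers".
PROXY_PORTS = {1080, 3128, 8080}

# Assumption: ipchains-style kernel deny lines (src:sport dst:dport after PROTO=6).
LINE_RE = re.compile(
    r"Packet log: \w+ DENY \w+ PROTO=6 "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
May 31 02:14:07 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:6346 192.0.2.10:8080 L=44 (#7)
May 31 02:14:09 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.21:6346 192.0.2.10:3128 L=44 (#7)
May 31 02:14:12 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.99:6346 192.0.2.10:1080 L=44 (#7)
May 31 02:15:30 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:6346 192.0.2.10:34567 L=44 (#7)
May 31 02:16:01 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.50:40112 192.0.2.10:8080 L=44 (#7)
May 31 02:17:45 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.21:6346 192.0.2.20:8080 L=44 (#7)
"""


def correlate(log_text, min_sources=3):
    """Group denied TCP packets with source port 6346 aimed at proxy ports by
    destination, and report destinations probed from >= min_sources addresses."""
    seen = defaultdict(lambda: (set(), set()))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["sport"]) != GNUTELLA_PORT:
            continue
        dport = int(m["dport"])
        if dport not in PROXY_PORTS:
            continue  # e.g. a stray reply to an ephemeral port
        sources, ports = seen[m["dst"]]
        sources.add(m["src"])
        ports.add(dport)
    return {
        dst: (sorted(srcs), sorted(ports))
        for dst, (srcs, ports) in seen.items()
        if len(srcs) >= min_sources
    }


if __name__ == "__main__":
    for dst, (srcs, ports) in correlate(SAMPLE_LOG).items():
        print(f"{dst}: {len(srcs)} sources with sport 6346 probed proxy ports {ports}")
```

A production rule would also bound the grouping to a time window, which is left out here to keep the correlation step itself visible.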
