hehehe...
...probable. Thankfully, I've finally finished Dr. Dorothy
Denning's bland tome on infowar, and am taking a break from the scary
security books, so I don't become a paranoid kook (well, no more so than
I already may be). I'll be rereading Cryptonomicon to taper off, and move
on to some wholesome fiction.
tack
> I think sach meant that your thinking of it is scary. :)
>
> We never should have let you have that hacker book!
>
> E
>
> On Thu, 31 May 2001, Daniel Trudell wrote:
>
> > I don't think it's so scary. I get scanned several times a day from
> > different IPs. The key here is that we can tune our IDSs to look for
> > gnutella. Remember that duping people takes people skills, but using
> > script kiddie tools takes none.
> >
> > What's scary is securityfocus's analysis of the protocol. Those
> > theoretical exploits combined with distributed scanning and footprinting
> > gets scary
> >
> > tack
> >
> > On Thu, 31 May 2001, Sach Jobb wrote:
> >
> > > Tack, that is outright scary.
> > >
> > > On Thu, 31 May 2001, Erik Curiel wrote:
> > >
> > > >
> > > > Well, shit, even if no one else is doing it yet, it sounds like a pretty
> > > > good idea to me! I say we do it.
> > > >
> > > > E
> > > >
> > > > On Thu, 31 May 2001, Daniel Trudell wrote:
> > > >
> > > > > ok, so maybe this could be called "entry n in the diary of a
> > > > > /var/log/messages junkie"
> > > > >
> > > > > Gnutella's port is 6346. As a brief refresher....gnutella is like napster
> > > > > with no central server. every peer is also a search server.
> > > > >
> > > > > So anyway....it's fairly distributed, and you can make your own client,
> > > > > seeing as how the protocol is open source. Well, a common way to beat
> > > > > intrusion detection is to do each probe from a separate IP. I've started
> > > > > to see denied packets (oh miraculous tcpwrappers, I worship thee) in my
> > > > > logs with a source port of 6346 (gnutty) and high level dest ports
> > > > > corresponding to various proxy servers.
> > > > >
> > > > > So with enough paranoia, tequila and inference it becomes possible that
> > > > > people are using gnutella to distribute the sources of sweeps and scans,
> > > > > thereby beating IDSs. It is also possible that a gnutty client out there
> > > > > has a very aggressive discovery phase implementation.
> > > > >
> > > > > Anybody noticed anything similar? It seems much more efficient than
> > > > > cracking boxen to launder identity...dupe people into running your scanner
> > > > > in the background by giving them trojaned gnutella clients...or at least
> > > > > superimposing your probe on top of a gnutella request.
> > > > >
> > > > > tack
> > > > >
> > > > > -------------------------------------------------------
> > > > > "My Penguin style Kung-Fu will beat your Redmond style"
> > > > >
--
"My Penguin style Kung-Fu will beat your Redmond style"
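The quoted thread suggests tuning an IDS to spot the pattern tack saw in his logs: denied packets with a source port of 6346 (Gnutella) aimed at proxy-style destination ports, arriving from many different source IPs. The following is an added example, not code from anyone in this thread. It assumes firewall log lines in netfilter/iptables LOG style (SRC=, DST=, PROTO=, SPT=, DPT= fields); the sample lines and the list of "proxy" ports are constructed for the demonstration, since the thread names only port 6346.

```python
import re
from collections import defaultdict

# Constructed sample log lines in iptables/netfilter LOG style (not from the thread).
SAMPLE_LOG = """\
May 31 10:01:02 gw kernel: DENY IN=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=6346 DPT=8080
May 31 10:01:09 gw kernel: DENY IN=eth0 SRC=10.0.1.7 DST=192.0.2.10 PROTO=TCP SPT=6346 DPT=3128
May 31 10:02:15 gw kernel: DENY IN=eth0 SRC=10.0.2.9 DST=192.0.2.10 PROTO=TCP SPT=6346 DPT=8080
May 31 10:02:40 gw kernel: DENY IN=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=6346 DPT=6346
May 31 10:03:01 gw kernel: DENY IN=eth0 SRC=10.0.3.3 DST=192.0.2.10 PROTO=TCP SPT=40123 DPT=8080
May 31 10:03:30 gw kernel: DENY IN=eth0 SRC=10.0.4.4 DST=192.0.2.10 PROTO=UDP SPT=6346 DPT=1080
"""

GNUTELLA_PORT = 6346
# Assumed set of common proxy ports; the thread only says "various proxy servers".
PROXY_PORTS = {1080, 3128, 8000, 8080, 8888}

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract the 5-tuple-ish fields from one log line; None if it is not a packet log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "spt": int(m.group("spt")),
        "dpt": int(m.group("dpt")),
    }


def is_suspicious(rec):
    """A TCP packet claiming Gnutella's source port but aimed at a non-Gnutella port.

    Genuine peer traffic goes 6346 -> 6346 (or to a peer's advertised port); 6346 -> a
    proxy port is the oddity tack describes, whether it is a probe or an aggressive client.
    """
    return (
        rec["proto"] == "TCP"
        and rec["spt"] == GNUTELLA_PORT
        and rec["dpt"] != GNUTELLA_PORT
    )


def analyze(log_text, min_sources=2):
    """Return (hits, distributed).

    hits: suspicious records, each tagged with whether the target port is a known proxy port.
    distributed: destination ports hit by at least min_sources distinct source IPs, which is
    the 'each probe from a separate IP' pattern a per-source threshold would miss.
    """
    hits = []
    sources_by_dpt = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_suspicious(rec):
            continue
        rec["proxy_port"] = rec["dpt"] in PROXY_PORTS
        hits.append(rec)
        sources_by_dpt[rec["dpt"]].add(rec["src"])
    distributed = {
        dpt: sorted(srcs) for dpt, srcs in sources_by_dpt.items() if len(srcs) >= min_sources
    }
    return hits, distributed


if __name__ == "__main__":
    hits, distributed = analyze(SAMPLE_LOG)
    for h in hits:
        print(f"{h['src']}:{h['spt']} -> {h['dst']}:{h['dpt']} proxy_port={h['proxy_port']}")
    print("ports probed from multiple sources:", distributed)
```

The per-destination-port grouping is the part that matters for the thread's worry: a rule that alerts on N probes from one IP never fires when every probe comes from a different host, but counting distinct sources per target port still surfaces the sweep. In real logs the 6346 -> 6346 lines should be excluded (as here) or the rule drowns in ordinary peer chatter.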