On Tue, 21 Dec 1999, Eric wrote:
> How about just running a port scan against whoever is portscanning you.
> If someone sees port scans coming from a system they are trying to break
> into, it would hopefully scare them off.
A lot of times scans are done from an already compromised host. *If*
they're even watching (and most scanners are script kiddies), then all
it'll do is prompt them to run nmap with a crapload of source addresses
spoofed for 198 "cute" source addresses, and portscanning those will get *you* and
*your hosts* on a watchlist. At that point, if they do find a vulnerability
in your hosts at a later date, things are going to look more
incriminating for you if they use a compromised host on your network for
the follow-up attacks against the hosts they've spoofed.
Personally, I think that the energy spent on trying to "strike back" is
better spent on defense.
One of the things I'm thinking of playing with is HTTP authentication to
IPFilter for hosts that need connections from anywhere but have a limited
subset of authenticatable users.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]