Re: NMAP probing of network ports

Boris Karloff modelt20 at canada.com
Fri Sep 16 07:59:56 PDT 2005


Thank you for your reply.

Nmap is generating many tcp commands:

arp who-has 192.168.0.x tell 192.168.0.5 

where x is an incremented number from 0 through 255. The
192.168.0.5 address changes from scan to scan, so blocking
the port 192.168.0.5 doesn't work. 

This behavior is similar to the W32.Welchia.Worm that
plagues windoze boxes. 

Any thoughts on how to stop replying to this command?

Thanks.
Harold.

>On Fri, Sep 16, 2005 at 07:36:36AM -0500, Boris Karloff wrote:
>> It appears that when FreeBSD is sent an invalid packet
>> without the SYN or ACK bits set, it responds with a RESET
>> reply regardless of the ipfw rules. It appears this is one
>> of the things nmap is exploiting.
>> 
>> Any suggestions on how to modify this behavior?
>
>man blackhole
>
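Added example, not part of the original thread: a small detector that reads tcpdump-style lines like the "arp who-has 192.168.0.x tell 192.168.0.5" requests quoted in the message and reports any sender that asks for many distinct addresses. The threshold of 32 and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Matches the ARP request text in both older and newer tcpdump output;
# any timestamp or "ARP, Request" prefix before "who-has" is ignored.
ARP_REQ = re.compile(
    rf"who-has\s+(?P<target>{IP})\s+(?:\([^)]*\)\s+)?tell\s+(?P<sender>{IP})"
)


def find_arp_sweeps(lines, threshold=32):
    """Return {sender: distinct_target_count} for every sender that
    requested at least `threshold` distinct addresses.
    The default threshold is an assumed value, tune it per network."""
    targets = defaultdict(set)
    for line in lines:
        m = ARP_REQ.search(line)
        if m:
            # A set collapses repeated requests for the same address,
            # so normal retries for a gateway do not inflate the count.
            targets[m.group("sender")].add(m.group("target"))
    return {s: len(t) for s, t in targets.items() if len(t) >= threshold}


def build_sample():
    """Constructed capture: one sweeping host and one ordinary host."""
    sample = [f"arp who-has 192.168.0.{x} tell 192.168.0.5" for x in range(256)]
    sample += [
        "07:59:56.100 arp who-has 192.168.0.1 tell 192.168.0.20",
        "07:59:57.100 arp who-has 192.168.0.1 tell 192.168.0.20",  # retry
        "07:59:57.200 arp reply 192.168.0.1 is-at 00:11:22:33:44:55",
    ]
    return sample


if __name__ == "__main__":
    for sender, count in sorted(find_arp_sweeps(build_sample()).items()):
        print(f"possible ARP sweep: {sender} asked for {count} addresses")
```

Because the count is kept per sender within one capture, a scan still shows up when the source address differs from scan to scan.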


More information about the freebsd-questions mailing list