Richard, one of our readers, sent us a very interesting note today. He was investigating a network in Germany that was known to be a source of evil, and decided to launch an nmap scan as an exploratory measure. We do not advocate scanning somebody else's network, even if you find that the other network is irritating and dysfunctional. Better to work with that network's upstream ISP to see if they can assist in taming the out-of-control network owners. Here are Richard's comments. Do not try this from your own corporate network; the results may be hazardous to your job.

On the evening of October 7th, I Nmapped a /24 out of Germany that was a known source of malware and general nefarious activities. I saw the usual ports open (22, 53, 80) on most of the machines I scanned.

UPDATE 1

Reader Neal sent us some technical tips on how he gets around the problem Richard pointed out above.

After I scan something, or if I suspect I gave out my IP address to someone hostile (email, IRC, etc.), then I immediately change my address BEFORE they have a chance to scan back. There are a couple of different ways to change your IP address...

1. Login to your external firewall (you do have an external firewall, like a Linksys or Dlink, right?). Change the WAN MAC address. However, do NOT commit the change yet! If you reset it now, then you will be unable to connect to your cable modem...
2. Login to your cable modem and click on the reboot/restart button. This causes it to forget the firewall's MAC address.
3. While the cable modem is shutting down/rebooting, commit the new WAN MAC address to your firewall. When the cable modem comes up, it will learn the new WAN MAC address from your firewall. This new MAC address will be assigned a new, routable IP address from the cable modem ISP.

You now have a totally new external IP address. Total offline time should be around 15 seconds. (I've got it scripted!)
DSL modem: I don't have one, but I'm told it is a similar approach to cable modems or telephone modems (depending on your ISP).

Marcus H. Sachs
Marcus, 301 Posts, ISC Handler, Oct 10th 2008
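Neal's reason for hopping addresses is that whoever was scanned may scan back. Taking the detection side of that same problem, the following Python script is an added example for this diary (it is not Neal's script, nor code from Richard or the ISC): it reads iptables-style firewall log lines and flags any source that probes many distinct destination ports within a short window, which is what a retaliatory port scan looks like from the receiving end. The log format follows the common `SRC=... DPT=...` kernel LOG style, and every address, host name and timestamp in the sample is constructed for illustration (the addresses are documentation ranges).

```python
"""Flag sources that probe many distinct ports in a short window.

Added example, not part of the original diary: a minimal detector for an
inbound port sweep as seen in iptables-style firewall logs. All sample
lines below are constructed; the log format mimics the kernel LOG target.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one source walking eight ports in a few seconds,
# one ordinary client hitting 443 twice, and a lone late probe from the
# first source that falls outside the window.
SAMPLE_LOG = """\
Oct  7 22:14:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=54321 DPT=22 SYN
Oct  7 22:14:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=54322 DPT=23 SYN
Oct  7 22:14:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=54323 DPT=25 SYN
Oct  7 22:14:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=54324 DPT=53 SYN
Oct  7 22:14:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=54325 DPT=80 SYN
Oct  7 22:14:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=54326 DPT=110 SYN
Oct  7 22:14:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=54327 DPT=143 SYN
Oct  7 22:14:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=54328 DPT=443 SYN
Oct  7 22:14:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=443 SYN
Oct  7 22:14:09 fw kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=443 SYN
Oct  7 22:20:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=54329 DPT=3389 SYN
"""

# Syslog timestamp, then the SRC= and DPT= fields anywhere later on the line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def parse_events(text, year=2008):
    """Return a time-sorted list of (timestamp, source, destination port).

    Syslog lines carry no year, so one is supplied (assumed value; only the
    differences between timestamps matter here). Non-matching lines are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], int(m["dpt"])))
    events.sort()
    return events


def find_port_sweeps(text, window=30, threshold=6):
    """Sliding-window sweep detector.

    For each source keep the probes of the last `window` seconds and count the
    distinct destination ports among them. Returns {source: peak distinct-port
    count} for every source that reaches `threshold` in some window.
    """
    recent = defaultdict(deque)
    peak = {}
    for ts, src, dpt in parse_events(text):
        q = recent[src]
        q.append((ts, dpt))
        # Drop probes that have aged out of the window.
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = len({port for _, port in q})
        if distinct >= threshold and distinct > peak.get(src, 0):
            peak[src] = distinct
    return peak


if __name__ == "__main__":
    for src, ports in find_port_sweeps(SAMPLE_LOG).items():
        print(f"possible port sweep from {src}: {ports} distinct ports in 30s")
```

Run against a real log, the interesting follow-up is whether the flagged source sits inside the range you just scanned; that is the scan-back Neal is trying to get ahead of, and a block or a ticket to the upstream ISP (as the diary suggests) is the defender's move. The window and threshold are tuning knobs: a slow scan spread over minutes needs a longer window, at the cost of more false positives from busy legitimate clients.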
Just to add a bit to this story, I did look to the /24's upstream and it really seemed as if this were a crooked operation all the way up to the provider. It is just a criminal enterprise that is well insulated as many of these operations are, so when I looked upstream I was reminded of being up a creek. It just amazes me how well protected these operations are. Take a look at the Atrivo/Intercage operation that just lost its only remaining connection to the world. Amazing!
Richard, 4 Posts
Oct 10th 2008
Many of us guys, once in our lives, have to molest a nest of stinging creatures (and run).
Anonymous
Oct 10th 2008