So, tell me about yourself...
It's time for a little role reversal
The first phase of any good attack on a machine is intelligence collection.
There are several tools available to do this, and, like any good tool,
each can be used by both attacker and defender. I will illustrate a common
sequence of events that a fairly sophisticated attacker might follow (or at
least one with decent resources). Intelligence gathering usually occurs
in several phases.
This example assumes that the attacking machine is not on the
same subnet as the defending machine.
- Silent
  - DNS lookup
  - Whois lookup
  - icmp echo requests
- Moderately quiet
  - Half-open SYN scanning
- Loggable but not obvious
  - Access to common ports
    1) Sendmail
    2) telnet
    3) ftp
- Probably raise an eyebrow
  - finger
  - rusers
  - showmount
- Alarms
  - Full port scan
  - SATAN
There is only one item on this list that cannot be detected: the Whois lookup.
The DNS lookup may also not be loggable if you do not control your own DNS,
which will be the case for all dorm users.
Watch for these events. If they occur, use these same tools to determine the source
of the attack.
It is also possible to build a tool which will automatically check up
on people who match certain logging criteria.
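As an added example of the kind of tool the last paragraph describes (not part of the original notes), the script below maps the noise tiers listed above onto constructed, syslog-like lines and flags sources that either reach a loggable tier or show the escalating pattern of several distinct probes. The log format, the event names and the IP addresses are assumptions for the demonstration; a real deployment would adapt the regex to its own syslog, inetd or firewall log layout.

```python
"""Classify reconnaissance indicators from log lines into the noise tiers
described above and flag sources worth following up on.

The line format below is constructed for this example (assumption):
    <month> <day> <time> <event> from <source-ip>
"""
import re
from collections import defaultdict

# Noise tiers from the text; a higher number is more obvious to a defender.
# Whois and DNS lookups are omitted: they leave no trace on the target host.
TIERS = {
    "icmp-echo": 1,
    "syn-half-open": 2,
    "sendmail": 3, "telnet": 3, "ftp": 3,
    "finger": 4, "rusers": 4, "showmount": 4,
    "portscan": 5, "satan": 5,
}

LINE_RE = re.compile(r"^\S+ \S+ \S+ (?P<event>[a-z-]+) from (?P<src>\d+\.\d+\.\d+\.\d+)")


def parse(line):
    """Return (source_ip, event) for a recognised recon line, else None."""
    m = LINE_RE.match(line)
    if not m or m["event"] not in TIERS:
        return None
    return m["src"], m["event"]


def profile(lines):
    """Per-source summary: distinct events seen and the loudest tier reached."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse(line)
        if parsed:
            src, event = parsed
            seen[src].add(event)
    return {src: {"events": sorted(ev), "max_tier": max(TIERS[e] for e in ev)}
            for src, ev in seen.items()}


def suspects(lines, min_tier=3, min_events=2):
    """Sources that reached a 'loggable' tier or ran several different probes."""
    return sorted(src for src, p in profile(lines).items()
                  if p["max_tier"] >= min_tier or len(p["events"]) >= min_events)


# Constructed sample log: one escalating source, one lone ping, one showmount.
SAMPLE_LOG = """\
Mar 3 10:00:01 icmp-echo from 10.1.2.3
Mar 3 10:00:05 syn-half-open from 10.1.2.3
Mar 3 10:00:09 finger from 10.1.2.3
Mar 3 10:02:00 icmp-echo from 10.9.9.9
Mar 3 10:05:00 showmount from 192.0.2.7
Mar 3 10:06:00 login ok for alice
""".splitlines()
```

Running `suspects(SAMPLE_LOG)` flags the escalating source and the showmount source but not the single ping, which matches the tiering above.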
