

I really love ping! It is easy to use and directly reveals whether the network works or not. I was sitting at the customer’s site replacing the DMZ firewall. Of course I wanted to know (from the outside) whether all servers were connected correctly (NAT) and whether the firewall permitted the connections (policy). However, many companies deny these ICMP echo-requests from untrust into the DMZ, which makes it difficult to test whether all servers are up and running. At least outgoing pings (from trust to untrust) should be allowed without any security concerns. Refer to Why Ping is no Security Flaw! (But your Friend) and Advanced Tracerouting. Therefore I used several layer 7 ping tools that generate HTTP, DNS, or SMTP sessions (instead of ICMP echo-requests) and reveal whether the services (and not only the servers) are running. Furthermore I am publishing the pcap file so you can have a look at it by yourself.
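As an added example (not one of the layer 7 ping tools the post refers to), a small Python script that does the same job: it opens an HTTP, SMTP or DNS session to a given host and port and reports whether the service itself, not just the host, answered. The host names and ports are whatever you pass in, and the query name example.com used for the DNS probe is a placeholder.

```python
"""Layer 7 'ping': confirm that a service answers at the application layer,
not merely that its host replies to ICMP.  Added example; the post's own
tools are not shown here.  Supported probes: http, smtp, dns."""
import secrets
import socket
import struct
import sys
import time


def http_probe(host: str) -> bytes:
    # HEAD keeps the reply small; HTTP/1.0 makes the server close afterwards
    return f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


def http_reply_ok(data: bytes) -> bool:
    # Any well-formed status line means the web service is alive, even 4xx/5xx
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit()


def smtp_reply_ok(data: bytes) -> bool:
    # SMTP servers speak first: a 220 greeting means the MTA accepted us
    return data.startswith(b"220")


def dns_probe(qname: str, txid: int) -> bytes:
    # Standard query, recursion desired, one question of type A, class IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode()
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def dns_reply_ok(data: bytes, txid: int) -> bool:
    # Reply must echo our ID, carry the QR bit and not be SERVFAIL (rcode 2);
    # NXDOMAIN still counts as "service answered"
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000) and (flags & 0x000F) != 2


def l7ping(host: str, port: int, proto: str, timeout: float = 3.0):
    """Return (service_ok, rtt_ms, detail) for one application-layer probe."""
    start = time.monotonic()
    try:
        if proto == "dns":
            txid = secrets.randbelow(65536)
            # IPv4/UDP only here; 'example.com' is a placeholder query name
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(dns_probe("example.com.", txid), (host, port))
                data, _ = s.recvfrom(512)
            ok = dns_reply_ok(data, txid)
            detail = (f"rcode={struct.unpack('!H', data[2:4])[0] & 0xF}"
                      if ok else "bad reply")
        else:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                if proto == "http":
                    s.sendall(http_probe(host))
                data = s.recv(1024)       # SMTP: just read the greeting
            ok = http_reply_ok(data) if proto == "http" else smtp_reply_ok(data)
            detail = data.split(b"\r\n", 1)[0][:60].decode(errors="replace")
    except OSError as exc:  # refused, timed out, unreachable, ...
        ok, detail = False, f"{type(exc).__name__}: {exc}"
    return ok, (time.monotonic() - start) * 1000, detail


if __name__ == "__main__":
    # usage: l7ping.py <host> <port> <http|smtp|dns>
    h, p, proto = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    ok, rtt, detail = l7ping(h, p, proto)
    print(f"{proto}://{h}:{p} {'UP' if ok else 'DOWN'} {rtt:.1f} ms  {detail}")
```

A 4xx/5xx status, an NXDOMAIN or a plain 220 greeting all count as "up" here on purpose: the question at the firewall is whether NAT and policy let a session reach the daemon, not whether the content is right. A refused or timed-out connection is reported as DOWN with the exception name, which is the case you are actually hunting for after a firewall swap.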

If you are following the daily IT news you have probably seen many articles claiming they have scanned the whole Internet for this or that. Indeed there are tools such as the ZMap Project “that enable researchers to perform large-scale studies of the hosts and services that compose the public Internet”. This time I was not interested in scanning something, but in the question: “how many scans happen during one day on my home ISP connection?” Or in other words: what is the Internet background noise as seen by almost any customer? For this I sacrificed my Internet connection at home for 24 hours, while a factory-reset router established a fresh Internet connection (IPv6 & IPv4) without any end devices behind it. That is: all incoming connections are really unsolicited and part of some third-party port scans, worm activities, or whatever. There were no outgoing connections that could confuse or trigger any scans. Using a network TAP device I captured these 24 hours and analyzed them with Wireshark. In this blogpost I will present some stats about these incoming port scans.
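The kind of tally one would start with on such a capture, as an added example that is not the post's own Wireshark analysis: a Python script that walks a classic pcap file, keeps only IPv4 TCP frames whose flags are SYN without ACK (fresh connection attempts) and whose destination is the router's public address, and counts them per destination port and per source. The sample capture and its TEST-NET addresses are constructed inline; IPv6 and pcapng are not handled, as the comments note.

```python
"""Tally unsolicited inbound TCP SYNs in a classic pcap file, the first step of
summarising a day of background noise captured on a TAP.  Added example, not
the post's Wireshark analysis; the sample capture below is constructed."""
import struct
import sys
from collections import Counter

LINKTYPE_ETHERNET = 1


def pcap_records(buf: bytes):
    """Yield the raw frames of a libpcap (not pcapng) file held in memory."""
    magic = struct.unpack("<I", buf[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", buf[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    off = 24
    while off + 16 <= len(buf):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", buf[off:off + 16])
        off += 16
        yield buf[off:off + incl_len]
        off += incl_len


def tcp_syn_info(frame: bytes):
    """(src_ip, dst_ip, dst_port) for an IPv4 frame with TCP flags SYN only, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # IPv6 (0x86DD) is left out here
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    if (tcp[13] & 0x12) != 0x02:      # SYN set and ACK clear: a fresh connection attempt
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    return src, dst, struct.unpack("!H", tcp[2:4])[0]


def summarise(buf: bytes, my_addr: str):
    """Count SYNs aimed at my_addr per destination port and per source address."""
    ports, sources = Counter(), Counter()
    for frame in pcap_records(buf):
        info = tcp_syn_info(frame)
        if info and info[1] == my_addr:
            ports[info[2]] += 1
            sources[info[0]] += 1
    return ports, sources


# --- constructed sample capture (TEST-NET addresses, not real traffic) ---------
def make_syn(src, dst, sport, dport, flags=0x02):
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def make_pcap(frames):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = [struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
            for i, f in enumerate(frames)]
    return head + b"".join(recs)


SAMPLE_PCAP = make_pcap([
    make_syn("198.51.100.7", "203.0.113.10", 40001, 22),
    make_syn("198.51.100.7", "203.0.113.10", 40002, 23),
    make_syn("192.0.2.55", "203.0.113.10", 51234, 445),
    make_syn("192.0.2.99", "203.0.113.10", 6000, 23),
    make_syn("192.0.2.99", "203.0.113.10", 6001, 3389),
    make_syn("203.0.113.10", "192.0.2.99", 3389, 6001, flags=0x12),  # a SYN/ACK, not inbound
    make_syn("198.51.100.7", "203.0.113.11", 40003, 22),              # someone else's address
])

if __name__ == "__main__":
    # usage: syn_tally.py <capture.pcap> <my public IPv4>; no args -> built-in sample
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            ports, sources = summarise(fh.read(), sys.argv[2])
    else:
        ports, sources = summarise(SAMPLE_PCAP, "203.0.113.10")
    print("inbound SYNs:", sum(ports.values()), "from", len(sources), "sources")
    for port, n in ports.most_common(10):
        print(f"  tcp/{port:<5} {n}")
```

Because the router had no devices behind it, every SYN that reaches the public address is by definition unsolicited, so no connection-state tracking is needed to separate scans from replies; filtering on SYN-without-ACK and on the destination address is enough. On a real 24-hour capture the same two counters give the "most probed ports" and "noisiest sources" figures directly, and a pcapng export from Wireshark would first need saving as classic pcap.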
