Anders

Distinguished
Jan 24, 2004
39
0
18,530
Archived from groups: comp.security.firewalls

What is this?
Did the SPAMMER forget to make use of his proxy?
I am used to seeing UDPs from China, but they have always been to port 1026/1027.
Is this something new or just the same sort of SPAM, only on new ports?

Regards Anders.

Time     Chain Iface Proto Source      Src port Dest.  Dst port
09:37:34 INPUT eth1  UDP   64.94.45.18 10816    my IP  33438
09:37:29 INPUT eth1  UDP   64.94.45.18 10816    my IP  33438
09:37:19 INPUT eth1  UDP   64.94.45.18 10816    my IP  33438
09:37:19 INPUT eth1  UDP   64.94.45.26 10816    my IP  33440
09:37:14 INPUT eth1  UDP   64.94.45.18 10816    my IP  33438
09:37:14 INPUT eth1  UDP   64.94.45.26 10816    my IP  33440
09:37:09 INPUT eth1  UDP   64.94.45.18 10816    my IP  33438
09:37:09 INPUT eth1  UDP   64.94.45.26 10816    my IP  33440
09:37:04 INPUT eth1  UDP   64.94.45.26 10816    my IP  33440
09:36:59 INPUT eth1  UDP   64.94.45.26 10816    my IP  33440
09:36:55 INPUT eth1  UDP   64.94.45.26 10816    my IP  33440


OrgName: Internap Network Services
OrgID: PNAP
Address: 250 Williams Street
Address: Suite E100
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US

NetRange: 64.94.0.0 - 64.95.255.255
CIDR: 64.94.0.0/15
NetName: PNAP-05-2000
NetHandle: NET-64-94-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.PNAP.NET
NameServer: NS2.PNAP.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-06-05
Updated: 2002-06-17

TechHandle: INO3-ARIN
TechName: InterNap Network Operations Center
TechPhone: +1-877-843-4662
TechEmail: noc@internap.com

OrgAbuseHandle: IAC3-ARIN
OrgAbuseName: Internap Abuse Contact
OrgAbusePhone: +1-206-256-9500
OrgAbuseEmail: abuse@internap.com

OrgTechHandle: INO3-ARIN
OrgTechName: InterNap Network Operations Center
OrgTechPhone: +1-877-843-4662
OrgTechEmail: noc@internap.com

# ARIN WHOIS database, last updated 2005-09-23 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
 
Guest (Moe Trin)

In the Usenet newsgroup comp.security.firewalls, in article
<dg8Ze.146939$dP1.503932@newsc.telia.net>, Anders wrote:

>What is this?
>Did the SPAMMER forget to make use of his proxy?

SPAM is a product of the Hormel company - I think you mean spam.

>I am used to seeing UDPs from China, but they have always been to port 1026/1027.

Often messenger spam.

>Is this something new or just the same sort of SPAM, only on new ports?

No

> Time Chain Iface Proto Source Src port Dest. Dst port
>09:37:34 INPUT eth1 UDP 64.94.45.18 10816 my IP 33438
>09:37:29 INPUT eth1 UDP 64.94.45.18 10816 my IP 33438
>09:37:19 INPUT eth1 UDP 64.94.45.18 10816 my IP 33438
>09:37:19 INPUT eth1 UDP 64.94.45.26 10816 my IP 33440
>09:37:14 INPUT eth1 UDP 64.94.45.18 10816 my IP 33438

man traceroute and look at the -p option. I must note that it's pushing the
odds to see the same source port used on two different hosts. Also, if that
is traceroute, the TTL should be at zero or one, and Atlanta is four or six
hops away. Without looking at the tcpdump to see what is in the headers, I
can't say much more, but I'd also be looking at the '-D' option of nmap as a
possible cause.

>OrgName: Internap Network Services
>OrgID: PNAP
>Address: 250 Williams Street
>Address: Suite E100
>City: Atlanta
>StateProv: GA
>PostalCode: 30303
>Country: US
>
>NetRange: 64.94.0.0 - 64.95.255.255

Search the news groups 'news.admin.net-abuse.*' particularly 'blocklisting'
and 'sightings' - these guys don't have the cleanest reputation.

Old guy
 

Anders

Moe Trin wrote:
> In the Usenet newsgroup comp.security.firewalls, in article
> <dg8Ze.146939$dP1.503932@newsc.telia.net>, Anders wrote:
>
>
>>What is this?
>>Did the SPAMMER forget to make use of his proxy?
>
>
> SPAM is a product of the Hormel company - I think you mean spam.
>

Eh, sorry for my misspelling; I try to make use of my Swedish/English
lexicon as much as I can.

>
snip
>
>> Time Chain Iface Proto Source Src port Dest. Dst port
>>09:37:34 INPUT eth1 UDP 64.94.45.18 10816 my IP 33438
>>09:37:29 INPUT eth1 UDP 64.94.45.18 10816 my IP 33438
>>09:37:19 INPUT eth1 UDP 64.94.45.18 10816 my IP 33438
>>09:37:19 INPUT eth1 UDP 64.94.45.26 10816 my IP 33440
>>09:37:14 INPUT eth1 UDP 64.94.45.18 10816 my IP 33438
>
>
> man traceroute and look at the -p option.

"base UDP port number used in probes (default is 33434)"

So does this mean that "64.94.45.18 (fcp-4.chg.pnap.net)/64.94.45.26
(fcp-6.chg.pnap.net)" just did a traceroute on me?

> I must note that it's pushing the odds to see the same source port used
> on two different hosts.

It's pushing me too. ;-)

> Also, if that is traceroute, the TTL should be at zero or one, and Atlanta
> is four or six
> hops away. Without looking at the tcpdump to see what is in the headers, I
> can't say much more, but I'd also be looking at a '-D' option of nmap as a
> possible cause.
>

I think I will block 64.94.0.0 - 64.95.255.255 anyway, even if they are
decoys.

>
>>OrgName: Internap Network Services
>>OrgID: PNAP
>>Address: 250 Williams Street
>>Address: Suite E100
>>City: Atlanta
>>StateProv: GA
>>PostalCode: 30303
>>Country: US
>>
>>NetRange: 64.94.0.0 - 64.95.255.255
>
>
> Search the news groups 'news.admin.net-abuse.*' particularly 'blocklisting'
> and 'sightings' - these guys don't have the cleanest reputation.
>
> Old guy

In "blocklisting" there were only around 1200 headers; I downloaded 500 of them
and came up with nothing.
In "sightings" there were over 170,000 headers; I downloaded 500 of them with
the same result.

I think I'll go with traceroute, because it happened at almost the same
time and I haven't seen it again in my log.

Thank you for taking the time, and for forcing me to download and read man
traceroute and man nmap.

regards Anders.
 
Guest (Moe Trin)

In the Usenet newsgroup comp.security.firewalls, in article
<tvhZe.146969$dP1.503923@newsc.telia.net>, Anders wrote:

>Moe Trin wrote:

>> man traceroute and look at the -p option.
>
> "base UDP port number used in probes (default is 33434)"
>
> So does this mean that "64.94.45.18 (fcp-4.chg.pnap.net)/64.94.45.26
>(fcp-6.chg.pnap.net)" just did a traceroute on me?

That would be a reasonable assumption. It may not be right, but it's
possible.

>> I must note that it's pushing the odds to see the same source port used
>> on two different hosts.
>
>It's pushing me too. ;-)

Yeah, there's not much you can do about UDP. It's still going to waste
your bandwidth up to the router that drops/blocks it.

>I think I will block 64.94.0.0 - 64.95.255.255 anyway, even if they are
>decoys.

I already do. They also have a few other address blocks, like

4.20.90.0 - 4.20.90.255 206.98.113.0 - 206.98.113.255
63.175.174.0 - 63.175.175.255 206.191.128.0 - 206.191.191.255
63.251.0.0 - 63.251.255.255 206.229.153.0 - 206.229.153.255
64.74.0.0 - 64.74.255.255 206.253.192.0 - 206.253.223.255
64.94.0.0 - 64.95.255.255 208.33.216.0 - 208.33.219.255
65.209.66.0 - 65.209.66.255 208.146.32.0 - 208.146.47.255
66.150.0.0 - 66.151.255.255 209.191.128.0 - 209.191.191.255
69.25.0.0 - 69.25.255.255 212.118.224.0 - 212.118.255.255
69.25.12.0 - 69.25.13.255 216.52.0.0 - 216.52.255.255
72.5.0.0 - 72.5.159.255 216.223.0.0 - 216.223.63.255
206.64.105.0 - 206.64.105.255

>In "blocklisting" there were only around 1200 headers; I downloaded 500 of them
>and came up with nothing.
>In "sightings" there were over 170,000 headers; I downloaded 500 of them with
>the same result.

Sorry - didn't mean for you to try to download those newsgroups. What I
was suggesting was using http://groups.google.com and going to the
Advanced Group Search function. Put the words 'Internap' and / or 'PNAP' as
the term to search for in those news groups.

Results 1 - 10 of 434 from Jan 1, 2005 to Sep 24, 2005
for Internap group:news.admin.net-abuse.* (0.14 seconds)

Results 1 - 10 of 136 from Jan 1, 2005 to Sep 24, 2005
for PNAP group:news.admin.net-abuse.* (0.14 seconds)

>I think I'll go with traceroute, because it happened at almost the same
>time and I haven't seen it again in my log.

The thing that bothered me is that the packets came from two different
addresses, but with the same source port. That is hard to believe.

>Thank you for taking the time, and for forcing me to download and read man
>traceroute and man nmap.

I looked at your headers, and it said:

>User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050912)

If you are running X, you are probably using a *nix. Not all come with
tcpdump, but it's fairly common. 'nmap' - yeah, that's less common.

Old guy
 

Anders

Moe Trin wrote:
> In the Usenet newsgroup comp.security.firewalls, in article
> <tvhZe.146969$dP1.503923@newsc.telia.net>, Anders wrote:
>
snip
>
> I already do. They also have a few other address blocks, like
>
> 4.20.90.0 - 4.20.90.255 206.98.113.0 - 206.98.113.255
> 63.175.174.0 - 63.175.175.255 206.191.128.0 - 206.191.191.255
> 63.251.0.0 - 63.251.255.255 206.229.153.0 - 206.229.153.255
> 64.74.0.0 - 64.74.255.255 206.253.192.0 - 206.253.223.255
> 64.94.0.0 - 64.95.255.255 208.33.216.0 - 208.33.219.255
> 65.209.66.0 - 65.209.66.255 208.146.32.0 - 208.146.47.255
> 66.150.0.0 - 66.151.255.255 209.191.128.0 - 209.191.191.255
> 69.25.0.0 - 69.25.255.255 212.118.224.0 - 212.118.255.255
> 69.25.12.0 - 69.25.13.255 216.52.0.0 - 216.52.255.255
> 72.5.0.0 - 72.5.159.255 216.223.0.0 - 216.223.63.255
> 206.64.105.0 - 206.64.105.255
>

69.25.0.0 - 69.25.255.255
69.25.12.0 - 69.25.13.255

It looks to me that these two IP ranges are doing the same job, or am I
wrong? Anyway, they are in my own blocklist now.


>
snip
>
> Sorry - didn't mean for you to try to download those newsgroups. What I
> was suggesting was using http://groups.google.com and going to the
> Advanced Group Search function. Put the words 'Internap' and / or 'PNAP' as
> the term to search for in those news groups.
>
> Results 1 - 10 of 434 from Jan 1, 2005 to Sep 24, 2005
> for Internap group:news.admin.net-abuse.* (0.14 seconds)
>
> Results 1 - 10 of 136 from Jan 1, 2005 to Sep 24, 2005
> for PNAP group:news.admin.net-abuse.* (0.14 seconds)
>

Results 1 - 10 of 9 710 for (Internap). (0,26 seconds)

Results 1 - 10 of 5 730 for "PNAP" (0,16 seconds)

As you stated before, they really don't have the greatest reputation.

>
snip
>
> I looked at your headers, and it said:
>
>
>>User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050912)
>
>
> If you are running X, you are probably using a *nix. Not all come with
> tcpdump, but it's fairly common. 'nmap' - yeah, that's less common.
>
> Old guy

I have tcpdump, both on my Linux (desktop) and my BSD (firewall); I did
look at tcpdump -i on my desktop while I was checking out my
firewall and it came up with an almost ridiculous amount of information. I think
I'm gonna take a look at my firewall later today just for the fun of
it, checking the var log.

Regards, and once again thank you for the time taken.

Anders
 
Guest (Moe Trin)

In the Usenet newsgroup comp.security.firewalls, in article
<OmvZe.34671$d5.189956@newsb.telia.net>, Anders wrote:

> 69.25.0.0 - 69.25.255.255
> 69.25.12.0 - 69.25.13.255
>
>It looks to me that these two IP ranges are doing the same job, or am I
>wrong? Anyway, they are in my own blocklist now.

Thanks - 69.25.12.0/23 was added as a result of abusive traffic from that
block. I later received additional spam from two other blocks, and just
expanded the firewall block to all of Internap/PNAPs space there - the /16.
I had never gone back and deleted the original block. Looks like it's time
to go through the firewall rules to locate duplicates/overlaps. Ah, the
magic of UNIX and pipes - two minutes, and I found two other overlaps.

>As you stated before, they really don't have the greatest reputation.

Yes. I was also only searching in the news.admin.net-abuse.* groups.

>I have tcpdump, both on my Linux (desktop) and my BSD (firewall); I did
>look at tcpdump -i on my desktop while I was checking out my
>firewall and it came up with an almost ridiculous amount of information.

You can use the built-in filtering terms in tcpdump to narrow that down
a lot. For example 'tcpdump -n udp and not port 53' should only give you
UDP traffic in either direction, but not DNS lookups. The -n is also to
avoid adding even more traffic (DNS lookups to identify traffic by hostname).

>I'm gonna take a look at my firewall later today just for the fun of
>it, checking the var log.

Normally, I don't look very close at the perimeter firewall. It blocks this
and that, and that is all I care to know. I'm really not interested in knowing
that some host in Korea or Kenya tried to connect to a windoze trojan that I
don't have installed - mainly because I don't have windoze on any system. They
did not connect - and that is all that matters.

Old guy
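The duplicate/overlap hunt Moe Trin describes above, and the 69.25.0.0/16 versus 69.25.12.0/23 case Anders spotted, as an added example that is not part of the original thread. It takes the "first - last" ranges Moe Trin listed (reproduced here as constructed input), converts each to CIDR with Python's ipaddress module, reports every pair of entries that overlap, and emits the collapsed list a firewall actually needs. The function names are my own.

```python
import ipaddress

# Constructed input: the Internap/PNAP ranges listed earlier in the thread,
# one "first - last" range per line.
BLOCKLIST_TEXT = """
4.20.90.0 - 4.20.90.255
63.175.174.0 - 63.175.175.255
63.251.0.0 - 63.251.255.255
64.74.0.0 - 64.74.255.255
64.94.0.0 - 64.95.255.255
65.209.66.0 - 65.209.66.255
66.150.0.0 - 66.151.255.255
69.25.0.0 - 69.25.255.255
69.25.12.0 - 69.25.13.255
72.5.0.0 - 72.5.159.255
206.64.105.0 - 206.64.105.255
206.98.113.0 - 206.98.113.255
206.191.128.0 - 206.191.191.255
206.229.153.0 - 206.229.153.255
206.253.192.0 - 206.253.223.255
208.33.216.0 - 208.33.219.255
208.146.32.0 - 208.146.47.255
209.191.128.0 - 209.191.191.255
212.118.224.0 - 212.118.255.255
216.52.0.0 - 216.52.255.255
216.223.0.0 - 216.223.63.255
"""


def parse_ranges(text):
    """Turn 'first - last' lines into (label, [CIDR networks]) pairs.

    A range that is not CIDR-aligned (72.5.0.0 - 72.5.159.255) needs more
    than one network, so each entry carries a list.
    """
    entries = []
    for line in text.strip().splitlines():
        first, last = (ipaddress.ip_address(p.strip()) for p in line.split("-"))
        nets = list(ipaddress.summarize_address_range(first, last))
        entries.append((line.strip(), nets))
    return entries


def find_overlaps(entries):
    """Return (label_a, label_b) for every pair of entries whose CIDRs overlap.

    Overlap includes full containment, which is the 69.25.0.0/16 vs
    69.25.12.0/23 case: one rule shadows the other and can be dropped.
    """
    hits = []
    for i in range(len(entries)):
        for j in range(i + 1, len(entries)):
            a_label, a_nets = entries[i]
            b_label, b_nets = entries[j]
            if any(x.overlaps(y) for x in a_nets for y in b_nets):
                hits.append((a_label, b_label))
    return hits


def collapse(entries):
    """Minimal set of non-overlapping CIDRs covering every entry, as strings.

    This is what should actually be loaded into the firewall: shadowed
    blocks vanish and adjacent blocks of equal size are merged.
    """
    nets = [n for _, ns in entries for n in ns]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    ents = parse_ranges(BLOCKLIST_TEXT)
    for a, b in find_overlaps(ents):
        print(f"overlap: {a}  <->  {b}")
    print("\n".join(collapse(ents)))
```

Running it reports the single overlap (the /16 contains the /23) and prints 21 CIDRs instead of the 22 the raw list expands to. The same two functions work on an iptables dump once the "first - last" parser is swapped for one that reads `-s x.x.x.x/nn`.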
 

Anders

Moe Trin wrote:
> In the Usenet newsgroup comp.security.firewalls, in article
> <OmvZe.34671$d5.189956@newsb.telia.net>, Anders wrote:
>
>
> You can use the built-in filtering terms in tcpdump to narrow that down
> a lot. For example 'tcpdump -n udp and not port 53' should only give you
> UDP traffic in either direction, but not DNS lookups. The -n is also to
> avoid adding even more traffic (DNS lookups to identify traffic by hostname).
>
I have run the -n option now, both when I was checking my mail on my ISP
and my account on Hotmail; I also did some reading of some newspapers,
and I can say that there is, as far as I know, no UDP traffic on my LAN
side, but on the WAN side it's a different story.
>
> Normally, I don't look very close at the perimeter firewall. It blocks this
> and that, and that is all I care to know. I'm really not interested in knowing
> that some host in Korea or Kenya tried to connect to a windoze trojan that I
> don't have installed - mainly because I don't have windoze on any system. They
> did not connect - and that is all that matters.
>
> Old guy
>
Well, I do make use of XP from time to time, but mostly for
printing/scanning and recording my old LPs, so I don't let it connect to
the internet any more, and some time in the future I will get rid of it
once and for all.

By the way, I did find this in my firewall log today; it is from China
and I have blocked them a long time ago, but it is a little interesting to
see that they do make use of ICMP to see if I really am on the net.

Date: 09/26 09:10:08 Name: ICMP PING NMAP
Priority: 2 Type: Attempted Information Leak
IP info: 219.134.72.108:n/a -> my IP:n/a
References: none SID: 469

09:10:17 INPUT eth1 TCP 219.134.72.108 2465 my IP 25(SMTP)
09:10:11 INPUT eth1 TCP 219.134.72.108 2465 my IP 25(SMTP)
09:10:08 INPUT eth1 TCP 219.134.72.108 2465 my IP 25(SMTP)

Anders
 
Guest (Moe Trin)

In the Usenet newsgroup comp.security.firewalls, in article
<UUQZe.34736$d5.189930@newsb.telia.net>, Anders wrote:

>I have run the -n option now, both when I was checking my mail on my ISP
>and my account on Hotmail; I also did some reading of some newspapers,
>and I can say that there is, as far as I know, no UDP traffic on my LAN
>side, but on the WAN side it's a different story.

At my home, I really don't see that much UDP on any of my ISPs (I have
three), and it's mainly messenger spam attempts. At work, the perimeter
firewall is used to translate outgoing UDP (mainly DNS queries) to
source ports above (roughly) 1100. As this is the only normal use we
have for UDP, any _inbound_ UDP to ports below that number (excluding
to port 53 to the externally visible DNS servers) is dropped - it can not
be wanted traffic.

>By the way, I did find this in my firewall log today; it is from China
>and I have blocked them a long time ago, but it is a little interesting to
>see that they do make use of ICMP to see if I really am on the net.

Guangdong province network (formerly Kuangtung - capital is Canton, now
spelled Guangzhou). While CHINANET is run by the Army, they are leasing
IPs to "business men" who make money renting IP space and hosts to any
one who wants it.

Ping can be run in parallel - and takes less CPU cycles than trying to
connect to a host that may or may not exist. This reduces the number of
processes running on the spammers host.

>09:10:17 INPUT eth1 TCP 219.134.72.108 2465 my IP 25(SMTP)
>09:10:11 INPUT eth1 TCP 219.134.72.108 2465 my IP 25(SMTP)
>09:10:08 INPUT eth1 TCP 219.134.72.108 2465 my IP 25(SMTP)

Standard TCP behaviour - hello, wait 3 seconds, hello, wait 6 seconds,
hello, wait 12 seconds, give up and try the next address.

Old guy
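Moe Trin reads two things off the raw log lines in this thread by eye: in his first reply, that destination ports 33438/33440 sit in the window traceroute -p describes and that two hosts sharing source port 10816 is "pushing the odds"; and just above, that the 09:10:08 / 09:10:11 / 09:10:17 SMTP hits are the 3 s, 6 s, 12 s retry rhythm of an unanswered TCP SYN. The script below is an added example, not from the original posts, that applies the same three checks to the log lines quoted in the thread (embedded here as constructed input). It assumes the log format shown in the thread (time, chain, interface, protocol, source, source port, destination, destination port); the 33434-33523 window is classic traceroute's default of base port 33434 with three probes per hop for 30 hops, and, as Moe Trin notes, TTL, which would settle the traceroute question, is not in these lines.

```python
from collections import defaultdict
from datetime import datetime

# Constructed input: the firewall log lines quoted in this thread.
# Times only, newest first, exactly as the firewall printed them.
LOG = """
09:37:34 INPUT eth1 UDP 64.94.45.18 10816 my IP 33438
09:37:29 INPUT eth1 UDP 64.94.45.18 10816 my IP 33438
09:37:19 INPUT eth1 UDP 64.94.45.18 10816 my IP 33438
09:37:19 INPUT eth1 UDP 64.94.45.26 10816 my IP 33440
09:37:14 INPUT eth1 UDP 64.94.45.18 10816 my IP 33438
09:37:14 INPUT eth1 UDP 64.94.45.26 10816 my IP 33440
09:37:09 INPUT eth1 UDP 64.94.45.18 10816 my IP 33438
09:37:09 INPUT eth1 UDP 64.94.45.26 10816 my IP 33440
09:37:04 INPUT eth1 UDP 64.94.45.26 10816 my IP 33440
09:36:59 INPUT eth1 UDP 64.94.45.26 10816 my IP 33440
09:36:55 INPUT eth1 UDP 64.94.45.26 10816 my IP 33440
09:10:17 INPUT eth1 TCP 219.134.72.108 2465 my IP 25(SMTP)
09:10:11 INPUT eth1 TCP 219.134.72.108 2465 my IP 25(SMTP)
09:10:08 INPUT eth1 TCP 219.134.72.108 2465 my IP 25(SMTP)
"""

# Classic UDP traceroute: base port 33434 (the -p default), one port per
# probe, 3 probes per hop, 30 hops max -> 33434..33523.
TRACEROUTE_PORTS = range(33434, 33434 + 30 * 3)


def parse(log_text):
    """Parse 'time chain iface proto src sport dst... dport[(name)]' lines, oldest first."""
    rows = []
    for line in log_text.strip().splitlines():
        t = line.split()
        rows.append({
            "ts": datetime.strptime(t[0], "%H:%M:%S"),
            "proto": t[3],
            "src": t[4],
            "sport": int(t[5]),
            # destination is 'my IP' (two tokens); port is the last token,
            # with a '(SMTP)' style service name stripped
            "dport": int(t[-1].split("(")[0]),
        })
    return sorted(rows, key=lambda r: r["ts"])


def traceroute_sources(rows):
    """Source IPs whose UDP packets land in the traceroute probe port window."""
    return sorted({r["src"] for r in rows
                   if r["proto"] == "UDP" and r["dport"] in TRACEROUTE_PORTS})


def shared_source_ports(rows):
    """(proto, sport) -> source IPs, for source ports used by more than one host.

    Independent hosts picking the same ephemeral port is the oddity the
    thread flags; it is what you would expect from crafted packets
    (nmap -D decoys, hping2) rather than two stock traceroutes.
    """
    seen = defaultdict(set)
    for r in rows:
        seen[(r["proto"], r["sport"])].add(r["src"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def syn_retry_flows(rows, tol=1.0):
    """TCP flows whose inter-packet gaps follow the ~3 s, ~6 s, ~12 s SYN backoff.

    That rhythm means the peer got no SYN/ACK and no RST: the SYN was
    dropped, so the sender retransmitted on the usual doubling timer.
    """
    flows = defaultdict(list)
    for r in rows:
        if r["proto"] == "TCP":
            flows[(r["src"], r["sport"], r["dport"])].append(r["ts"])
    found = []
    for key, times in flows.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        doubling = all(abs(g - 2 * p) <= tol for p, g in zip(gaps, gaps[1:]))
        if len(gaps) >= 2 and abs(gaps[0] - 3) <= tol and doubling:
            found.append((key, gaps))
    return found


if __name__ == "__main__":
    rows = parse(LOG)
    print("traceroute-window UDP from:", traceroute_sources(rows))
    print("source ports shared across hosts:", shared_source_ports(rows))
    print("SYN retry flows:", syn_retry_flows(rows))
```

On the thread's lines this reports both 64.94.45.x hosts in the traceroute window, UDP source port 10816 shared by both, and the 219.134.72.108:2465 -> 25 flow with gaps of 3 s and 6 s. None of the three checks proves intent; they only tell you which lines deserve a tcpdump with headers.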
 

Anders

Moe Trin wrote:
> In the Usenet newsgroup comp.security.firewalls, in article
> <UUQZe.34736$d5.189930@newsb.telia.net>, Anders wrote:
>
> At my home, I really don't see that much UDP on any of my ISPs (I have
> three),

Lucky you; I have to go to a friend and use his connection to see my
network from the outside.

>and it's mainly messenger spam attempts. At work, the perimeter
> firewall is used to translate outgoing UDP (mainly DNS queries) to
> source ports above (roughly) 1100. As this is the only normal use we
> have for UDP, any _inbound_ UDP to ports below that number (excluding
> to port 53 to the externally visible DNS servers) is dropped - it can not
> be wanted traffic.
>
> Old guy


Moe, once again you forced me to read, this time about DNS and
traceroute, and I stumbled upon RFCs 1034, 1035 and the older ones,
882, 883. I have not been able to read them yet, but as soon as I get time
for it I will.
One thing I read about was that it is common that someone who wants to
figure out a system configuration can make use of traceroute -S udp
p53, so for the time being I happily block that one.

Anders.
 
Guest (Moe Trin)

In the Usenet newsgroup comp.security.firewalls, in article
<fAe_e.147189$dP1.504096@newsc.telia.net>, Anders wrote:

>Moe Trin wrote:


>> At my home, I really don't see that much UDP on any of my ISPs (I have
>> three),
>
>Lucky you; I have to go to a friend and use his connection to see my
>network from the outside.

One of them isn't that much of a benefit, as they block most traffic
that isn't "normal". The second has a very restrictive AUP, so I can't
(for example) use nmap to scan my other addresses.

>Moe, once again you forced me to read, this time about DNS and
>traceroute, and I stumbled upon RFCs 1034, 1035 and the older ones,
>882, 883. I have not been able to read them yet, but as soon as I get time
>for it I will.

RFC0882 and 0883 are obsolete - not worth reading except for historical
reasons. For gaining understanding of DNS, the DNS-HOWTO has a lot of
good information:

-rw-rw-r-- 1 gferg ldp 91563 Dec 23 2001 DNS-HOWTO

As you are looking at RFCs, you may want to scan RFC1180

1180 TCP/IP tutorial. T.J. Socolofsky, C.J. Kale. Jan-01-1991.
(Format: TXT=65494 bytes) (Status: INFORMATIONAL)

which is also a good read.

>One thing I read about was that it is common that someone who wants to
>figure out a system configuration can make use of traceroute -S udp
>p53, so for the time being I happily block that one.

What version of traceroute? I don't recognize the options from either
the original Van Jacobson (LBL) version, Olaf Kirch's re-written version,
or the TCP version from Michael Toren.

Old guy
 

Anders

Moe Trin wrote:
> In the Usenet newsgroup comp.security.firewalls, in article
> <fAe_e.147189$dP1.504096@newsc.telia.net>, Anders wrote:
>
>
>>Moe Trin wrote:
>
>
> One of then isn't that much of a benefit, as they block a most traffic
> that isn't "normal". The second has a very restrictive AUP, so I can't
> (for example) use nmap to scan my other addresses.
>

I make use of callcontrol; this way I can have all my ports in
drop/block mode, even the more common ones like ftp, mail and web.
But I do realise that if I want to make use of my own mail/web and ftp
server I do have to open up a little.

>
>
> RFC0882 and 0883 are obsolete - not worth reading except for historical
> reasons.

I do like history, but I will read the more current ones first.

>For gaining understanding of DNS, the DNS-HOWTO has a lot of
> good information:
>
> -rw-rw-r-- 1 gferg ldp 91563 Dec 23 2001 DNS-HOWTO
>
> As you are looking at RFCs, you may want to scan RFC1180
>
> 1180 TCP/IP tutorial. T.J. Socolofsky, C.J. Kale. Jan-01-1991.
> (Format: TXT=65494 bytes) (Status: INFORMATIONAL)
>
> which is also a good read.
>

They're downloaded, and I will not only scan them.

>
> What version of traceroute? I don't recognize the options from either
> the original Van Jacobson (LBL) version, Olaf Kirch's re-written version,
> or the TCP version from Michael Toren.
>
> Old guy


Well, in this book (Hacking Exposed, Fourth Edition, printed in 2003, by
Stuart McClure, Joel Scambray, and George Kurtz), I did find this about
locking traceroute to use only one particular port of your own desire.
Traceroute 1.4a5
(ftp.cerias.purdue.edu/pub/tools/unix/netutils/traceroute/old) is what
they claimed should work; they also declare that it is a modified version
of traceroute, made by Michael Schiffman in 1997.
(http://www.hackingexposed.com/) is the home page of the book; my copy
is in Swedish and it is a little difficult for me to translate it back
into English.

Anders
 
Guest (Moe Trin)

In the Usenet newsgroup comp.security.firewalls, in article
<C6R_e.34914$d5.190080@newsb.telia.net>, Anders wrote:

>I make use of callcontrol; this way I can have all my ports in
>drop/block mode, even the more common ones like ftp, mail and web.

Don't forget that if you have nothing running on a port, it's closed.
No firewall is needed. For example;

[compton ~]$ netstat -atu
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
[compton ~]$

Not much to exploit there. In fact SSH is only accepting connections
from a handful of addresses on the LAN. So, if I try to connect to a port
without a listener, I see

[compton ~]$ telnet localhost
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
[compton ~]$

>But I do realise that if I want to make use of my own mail/web and ftp
>server I do have to open up a little.

Yes, but you can restrict the range of addresses allowed to connect.
Depending on the application, this may be a local configuration file, or
it may be done with tcp_wrappers (man 5 hosts_access) if the application
is run out of inetd/xinetd or is compiled with libwrap, or it may have
to be done with a firewall setup. As far as mail goes, unless your host
is published as a MX server (see the DNS stuff), no one other than the
port scanners are going to know you have a mail server, and your ISP
could be blocking inbound 25 anyway (all three of mine do) for spam control.

>I do like history, but I will read the more current ones first.

The basic concept of DNS is relatively simple, but there are a lot of
details to look at. Running a DNS server for a home LAN of less than 10
systems is often a waste of effort (just put everything in /etc/hosts),
but popular Linux distributions often have tools to set up a simple
server that is authoritative for the local LAN, and forwards all other
requests to the ISP, caching the result. For example, Red Hat (Fedora FC4)
has

-rw-r--r-- 1 mirror mirror 22749 Jan 5 23:04
caching-nameserver-7.3-3.noarch.rpm

to configure ISC Bind for this purpose.

>Well, in this book (Hacking Exposed, Fourth Edition, printed in 2003, by
>Stuart McClure, Joel Scambray, and George Kurtz), I did find this about
>locking traceroute to use only one particular port of your own desire.

[compton ~]$ whatis hping2
hping2 (8)- send (almost) arbitrary TCP/IP packets to network hosts
[compton ~]$

>Traceroute 1.4a5 [...] is what they claimed should work,

That's June 1997. Not much changed in the later versions (1.4a6 to 1.4a12
came out in the last quarter of 2000), and the differences are not very
significant.

>they also declare that it is a modified version of traceroute, made by
>Michael Schiffman in 1997.

I looked around the web site, but didn't find anything useful relating
to the modification.

Old guy
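The point Moe Trin makes above with netstat and telnet, that a port with no listener is closed without any firewall, is the open/closed/filtered distinction every port scanner reports. The script below is an added example, not from the original posts: it opens a listener on loopback, classifies a port from the client's point of view, and shows the same port going from "open" to "closed" when the listener goes away. It runs entirely against 127.0.0.1 and assumes nothing else on the host is using the ephemeral ports it picks; the function names are my own.

```python
import socket


def start_listener(host="127.0.0.1"):
    """Bind and listen on a kernel-chosen port; return (socket, port).

    Nothing has to call accept(): the kernel completes the handshake into
    the backlog, which is all a remote scanner ever sees. Binding to
    127.0.0.1 instead of 0.0.0.0 already keeps the LAN and WAN out with no
    firewall rule, which is the cheapest form of "restrict who may connect".
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Reserve and release a port so the caller knows it currently has no listener."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host, port, timeout=1.0):
    """Classify one TCP port the way a scanner does.

    'open'     - SYN/ACK came back: something is listening
    'closed'   - RST came back (connection refused): no listener, nothing
                 to exploit and nothing for a firewall to do
    'filtered' - nothing came back within the timeout: a DROP rule in the
                 way, or no host at all
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    """Map each port to its state; only the 'open' ones need an access policy."""
    return {p: probe(host, p, timeout) for p in ports}


if __name__ == "__main__":
    srv, port = start_listener()
    print(port, probe("127.0.0.1", port))   # open
    srv.close()
    print(port, probe("127.0.0.1", port))   # closed
    print(free_port(), "->", probe("127.0.0.1", free_port()))   # closed
```

"filtered" is the state a DROP policy produces and cannot be shown offline; the difference matters because a closed port answers instantly with a RST while a filtered one makes the scanner wait out its timeout, which is exactly the bandwidth-and-time argument Moe Trin makes about unwanted UDP earlier in the thread.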