Security Basics mailing list archives
Re: When does a scan attempt become a focused attack?
From: salgak () speakeasy net
Date: Wed, 22 Oct 2003 18:04:40 +0000
It's simple: When it becomes a bother to the admin, it's an attack. <begin Port-Scan war story> Several years ago, when I was the admin of a dot-com, we suddenly got a bunch of port scans on some very odd ports every hour, on the hour, for 20 or so minutes. Luckily, my IDS logged the IP, and when looking it up, I found it was coming from Bell Labs in New Jersey: talked to the admin there, he confirmed and gave me the name of the researcher the IP belonged to, as well as his email addy. I talked to the scientist, and he said that what he was doing was basic research, and I couldn't stop him. Now at that point, corporate policy was more than three portscans from the same IP in 24 hours was considered an attack. The nice thing about Bell Labs is their web page, showed all the researchers, and their place in the organization. A nice little letter of compliant to his supervisor, his supervisor's supervisor, and the VP who ran that branch of Bell Labs, with all documentation and correspondence to and from the scientist. Within 2 hours, the portscans stopped. A week later, the scientist was no longer on the org chart. . . --------------------------------------------------------------------------- Visual & Easy-to-use are not words that you think of when talking about network analyzers. Are you sick of the three window text decodes? Download ClearSight Network's Analyzer and see a new network analysis tool that makes the complex - easy http://www.securityfocus.com/sponsor/ClearSightNetworks_security-basics_031021 ----------------------------------------------------------------------------
Current thread:
- When does a scan attempt become a focused attack? Hunt, Jim (Oct 21)
- RE: When does a scan attempt become a focused attack? dave kleiman (Oct 22)
- Re: When does a scan attempt become a focused attack? Sebastian Schneider (Oct 22)
- Re: When does a scan attempt become a focused attack? Karma (Oct 22)
- Re: When does a scan attempt become a focused attack? Byron Sonne (Oct 23)
- Re: When does a scan attempt become a focused attack? Ivan Hernandez (Oct 23)
- Re: When does a scan attempt become a focused attack? Byron Sonne (Oct 23)
- <Possible follow-ups>
- RE: When does a scan attempt become a focused attack? Fields, James (Oct 22)
- Re: When does a scan attempt become a focused attack? salgak (Oct 22)