Firewall Wizards mailing list archives

Re: How do you fight an attack in progress?


From: Paul Ferguson <ferguson () cisco com>
Date: Fri, 19 Sep 1997 20:52:19 -0400

At 01:36 PM 9/19/97 -0500, Andy Howard wrote:


The scan itself is not dangerous.... just rattling the door knob.  Some
Web search and indexing sites do this.... there are some legitimate
reasons to get the door knob rattled.



This is a subtle point which is important to understand.

For instance, what do you automatically think when your
logs report that a udp/161 'scan' is being done on sequential
host addresses? Well, if you've seen NOC monkeys haplessly
enable SNMP discovery mode (for instance on an HP*OpenView
system), then you know what I'm talking about.  ;-)

The point is that 'scans' may sometimes not be malicious,
but rather the result of some moron somewhere on the opposite
side of the planet. And even when it is, you still need to
contact them to tell them to 'Cut it out', but it pays to be
somewhat intelligent before sounding the alarm.

By the same token, there is usually a big difference between
sequential port scanning (which is almost always malicious in
nature) and sequential host scanning, which may be quite
legitimate. Another legitimate example, besides the SNMP
discovery foobar I mentioned above, is PING'ing hosts within
a range of addresses. In fact, this is done on a fairly
frequent basis, to determine the scope of address utilization
and the growth of the Internet itself.

As an aside, see: http://www.nw.com

- paul


--
Paul Ferguson                                           ||        ||
Consulting Engineering                                  ||        ||
Herndon, Virginia   USA                                ||||      ||||
tel: +1.703.397.5938                               ..:||||||:..:||||||:..
e-mail: ferguson () cisco com                         c i s c o S y s t e m s
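The distinction Paul draws above (sequential port scanning on one host versus sequential host scanning on one port, with a udp/161 host sweep as a likely SNMP-discovery false alarm) is easy to automate at the log-triage stage. The following Python script is an added example, not code from the post, the list, or Cisco: it groups constructed firewall log lines by source address, counts distinct destination hosts versus distinct destination services, checks whether the addresses or ports are consecutive, and attaches a "verify before escalating" note when the pattern is a udp/161 host sweep. The log format, the hosts, and the threshold of four are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post). One source sweeps
# udp/161 across consecutive hosts, another walks several ports on one host,
# and a third is ordinary permitted traffic.
SAMPLE_LOG = """\
Sep 19 13:40:01 fw deny udp 192.0.2.10:1030 -> 198.51.100.1:161
Sep 19 13:40:01 fw deny udp 192.0.2.10:1031 -> 198.51.100.2:161
Sep 19 13:40:02 fw deny udp 192.0.2.10:1032 -> 198.51.100.3:161
Sep 19 13:40:02 fw deny udp 192.0.2.10:1033 -> 198.51.100.4:161
Sep 19 13:40:03 fw deny udp 192.0.2.10:1034 -> 198.51.100.5:161
Sep 19 13:41:10 fw deny tcp 203.0.113.7:40001 -> 198.51.100.20:21
Sep 19 13:41:10 fw deny tcp 203.0.113.7:40002 -> 198.51.100.20:22
Sep 19 13:41:10 fw deny tcp 203.0.113.7:40003 -> 198.51.100.20:23
Sep 19 13:41:11 fw deny tcp 203.0.113.7:40004 -> 198.51.100.20:25
Sep 19 13:41:11 fw deny tcp 203.0.113.7:40005 -> 198.51.100.20:80
Sep 19 13:42:00 fw permit tcp 192.0.2.99:51000 -> 198.51.100.30:443
"""

# Assumed log layout: "<proto> <src>:<sport> -> <dst>:<dport>".
LINE_RE = re.compile(
    r"(?P<proto>tcp|udp|icmp) (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse(log):
    """Return (src, proto, dst, dport) tuples for every line that matches."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["proto"], m["dst"], int(m["dport"])))
    return events


def is_sequential(values):
    """True when the integer values form one unbroken run (e.g. .1 .2 .3 .4 .5)."""
    ordered = sorted(values)
    return len(ordered) > 1 and all(b - a == 1 for a, b in zip(ordered, ordered[1:]))


def classify(events, threshold=4):
    """Label each source as a port scan, a host sweep, or no pattern.

    A port scan is many services on one host; a host sweep is one service on
    many hosts. The threshold is an assumption chosen for the sample data.
    """
    by_src = defaultdict(lambda: {"hosts": set(), "services": set()})
    for src, proto, dst, dport in events:
        by_src[src]["hosts"].add(dst)
        by_src[src]["services"].add((proto, dport))

    verdicts = {}
    for src, seen in by_src.items():
        n_hosts, n_services = len(seen["hosts"]), len(seen["services"])
        if n_services >= threshold and n_hosts == 1:
            ports = {dport for _, dport in seen["services"]}
            verdicts[src] = {
                "kind": "port scan",
                "sequential": is_sequential(ports),
                "note": "many services on one host: usually worth escalating",
            }
        elif n_hosts >= threshold and n_services == 1:
            proto, dport = next(iter(seen["services"]))
            addrs = {int(ipaddress.ip_address(h)) for h in seen["hosts"]}
            note = "one service across many hosts: may be legitimate"
            if (proto, dport) == ("udp", 161):
                note = "udp/161 host sweep: possibly SNMP discovery, verify before escalating"
            verdicts[src] = {
                "kind": "host sweep",
                "sequential": is_sequential(addrs),
                "note": note,
            }
        else:
            verdicts[src] = {"kind": "none", "sequential": False, "note": "no pattern"}
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify(parse(SAMPLE_LOG)).items():
        seq = "sequential" if verdict["sequential"] else "non-sequential"
        print(f"{src}: {verdict['kind']} ({seq}) - {verdict['note']}")
```

Running it prints one line per source; the udp/161 sweep is labelled a sequential host sweep with the SNMP-discovery caveat, the multi-port probe is labelled a port scan, and the permitted session gets no pattern. Real triage would add a time window and a per-network allow-list for known discovery hosts, which this example omits.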


