Security Incidents mailing list archives
Re: Ok, we've been scanned.. ..now what!
From: Ben Laws <ben () ION AS UTEXAS EDU>
Date: Tue, 8 Aug 2000 12:55:13 -0500
"Steven M. Klass" wrote:
I also thought about more devious things, like nmaping the moron and flooding his available ports.. Fight fire with fire..
Howdy Steven,

Scanning is legal, the flooding action you've suggested here (although savory :-) is definitely illegal. Even if the perp scanned you all weekend, that doesn't violate any laws. Don't let 'em push you into committing a DoS yourself.

An nmap strobe may give you some useful information however. I'm the curious type.. To protect the innocent be cautious when scanning dialup IPs. Could be another user, not the one you're looking for.

You can [try to] file a complaint with the perp's ISP. It's best to include pertinent/voluminous log entries and IDS output if you've got it. Make sure to include what time zone the logs are in so the ISP can cross-reference with their records. If you complain loudly enough, and long enough, you may be able to get the perp kicked off their ISP. But that could take a while.

The short term fix as you suggested is to block the offending IP (or subnet) at the firewall or router. There are some problems with this tactic though... if the perp is coming from a dialup line, their IP can change. If you have other users coming from that IP range, they may be affected by your new rules. If you automate this, there may be some trusted systems you want to exclude from the process... otherwise that's an easy DoS, spoofing a scan from a trusted host with which you need connectivity.

So far I stay away from the automated approach to blocking rude IPs. Activity in the 'net backwaters is still light enough for me to stay on top of things. The way it's going though, it's only a matter of time before I embrace this type of automation. Like, maybe, next month :-)

ciao,
Ben Laws
Systems Analyst
Hobby-Eberly Telescope
UT McDonald Observatory
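Added example, not part of the original message or written by its author: a small log triage that applies two points from the reply above, converting timestamps to UTC for an ISP complaint and keeping trusted ranges out of any automatic block list so a spoofed scan cannot cut off needed connectivity. The log format, the trusted range, the threshold and all addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: ISO timestamp with UTC offset, source IP, destination port.
SAMPLE_LOG = """\
2000-08-05T23:10:01-05:00 203.0.113.7 21
2000-08-05T23:10:02-05:00 203.0.113.7 23
2000-08-05T23:10:03-05:00 203.0.113.7 25
2000-08-05T23:10:04-05:00 203.0.113.7 80
2000-08-05T23:11:00-05:00 192.0.2.10 22
2000-08-05T23:11:01-05:00 192.0.2.10 23
2000-08-05T23:11:02-05:00 192.0.2.10 25
2000-08-05T23:11:03-05:00 192.0.2.10 111
2000-08-05T23:12:00-05:00 198.51.100.4 80
"""

TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]  # hypothetical trusted partner range
PORT_THRESHOLD = 4  # assumed: distinct ports from one source that count as a scan

def triage(log_text, trusted=TRUSTED, threshold=PORT_THRESHOLD):
    """Return (block_candidates, manual_review) as lists of (ip, first_seen_utc, ports)."""
    ports = defaultdict(set)
    first_seen = {}
    for line in log_text.splitlines():
        stamp, src, dport = line.split()
        # Normalise to UTC so the ISP can cross-reference without guessing the zone.
        when = datetime.fromisoformat(stamp).astimezone(timezone.utc)
        ports[src].add(int(dport))
        first_seen[src] = min(first_seen.get(src, when), when)
    block, review = [], []
    for src, seen in ports.items():
        if len(seen) < threshold:
            continue  # too few distinct ports to call it a scan
        entry = (src, first_seen[src].strftime("%Y-%m-%d %H:%M:%S UTC"), sorted(seen))
        if any(ipaddress.ip_address(src) in net for net in trusted):
            review.append(entry)  # source may be spoofed: a human decides, never auto-block
        else:
            block.append(entry)
    return block, review

if __name__ == "__main__":
    block, review = triage(SAMPLE_LOG)
    for src, when, seen in block:
        print(f"block candidate {src}: first seen {when}, ports {seen}")
    for src, when, seen in review:
        print(f"manual review (trusted range) {src}: first seen {when}, ports {seen}")
```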