Security Incidents mailing list archives

Re: Interesting reply


From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Fri, 29 Sep 2000 12:04:13 -0700

H Carvey wrote:

> Crist,
>
> Herein, I think, lies the key to the differences of
> opinion that I seem to have with most other posters...
>
> > The reason I do it (when time permits) is because I generally
> > believe that about 90% of the scans are coming from a rooted or
> > otherwise compromised box.
>
> 90%?!?  I've seen the comment with "large majority" or
> "vast majority", but never a percentage.  Also, I have
> yet to see any evidence presented in this forum (or
> any other) that would support such a thesis.

Oops, I did not fully qualify that. I would guess, and this is
gut feeling as opposed to a scientific analysis, that 90% of the
scans /that are not coming from dial-up or coax cable blocks/
are compromised or otherwise abused boxes. I was not clear
that I was cutting that group out in that guesstimate even
though I go on to exclude them below.

> > If it is from a dial-up or coax cable block, I typically don't
> > bother for the reasons you cite; it is less likely to be a
> > compromised box.
>
> Dial-up...maybe.  Cable modem...I would think such
> boxes, particularly Win32 ones, would more likely be
> compromised.

But think of all the script kiddies with their new h4x0R boxen
(a default install of RedHat waiting to be exploited by some
other kiddie) wetting their pants over their new broadband
connection and scanning 0.0.0.0/0 for every exploit under the
sun.

> > I look at it this way, if someone out there was getting scanned
> > by a host that ARIN says I own, I would _really_ want someone to
> > tell me about it.
>
> I'm all for telling someone that they might have a
> compromised box.  I've reported boxes that appeared in
> logs w/ UDP datagrams sent to port 53 on
> 255.255.255.255 (dest IP).  However, in today's day
> and age, there are commercial, shareware, and freeware
> vulnerability scanners (I've written my own for NT),
> making it a trivial exercise for SAs to automate
> security management of even heterogeneous systems.
> Yes, if someone finds a box of mine that might be
> compromised, I would like to know...but the compromise
> would have to be an inside, malicious job as I would
> have already set up a proactive security management
> and monitoring program.

But you always have to remember despite all of the measures
you take, someone may still slip through. Believing that
you are invulnerable is the surest way to learn otherwise.
If all of your kewl scans and IDS don't pick up a problem, it
is not 100% assurance there is none there. All the more need
for some admin Out There to let you know when he sees funky
stuff coming from your address block. Finally, if a user
with valid access is abusing the system or if there is, as
you put it, "an inside, malicious job," I want to know
about that too.

To reiterate the original point I was trying to make,
I feel that reporting scans to the source can be a
worthwhile endeavour. Large ISPs probably have neither the
time nor inclination to deal with users who are doing scans
or have compromised boxes. Therefore, I personally do not
bother when it is clearly a dial-up, coax cable, DSL, etc.
source. However, in most (not all) other cases, I feel that
letting the administrator of the systems know about the
scan would be useful since I generally assume the scans
are probably not authorized by the actual owners and
administrators of the systems. I feel this way since I know
that I, personally, would really want to know if there was
suspicious traffic seemingly coming from systems that
fall under our netblocks.

Oh, yeah, in spite of all that, notification of scan sources
is still not a high priority for me. I only do it when I have
the time.
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
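The triage policy argued over in this thread (group firewall hits by source, look up who owns the netblock, skip the dial-up/cable/DSL pools, notify everyone else) is easy to script. The following Python is an added example and is not code from Crist Clark, H Carvey or the list; the log format, the allocation table, the contact addresses and the RFC 5737 documentation addresses in it are all constructed stand-ins for what a real firewall log and a WHOIS/ARIN lookup would give you.

```python
"""Triage scan sources from firewall log lines before deciding whom to notify.

Added example, not code from the mailing-list post. The log format, the
netblock table and every address and contact below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed log lines in a simplified iptables-style format.
SAMPLE_LOG = """\
Sep 29 11:02:13 fw kernel: IN=eth0 PROTO=TCP SRC=192.0.2.45 DST=203.0.113.10 DPT=111
Sep 29 11:02:13 fw kernel: IN=eth0 PROTO=TCP SRC=192.0.2.45 DST=203.0.113.11 DPT=111
Sep 29 11:02:14 fw kernel: IN=eth0 PROTO=TCP SRC=192.0.2.45 DST=203.0.113.12 DPT=111
Sep 29 11:05:00 fw kernel: IN=eth0 PROTO=UDP SRC=198.51.100.7 DST=255.255.255.255 DPT=53
Sep 29 11:09:41 fw kernel: IN=eth0 PROTO=TCP SRC=198.51.100.200 DST=203.0.113.10 DPT=21
Sep 29 11:09:41 fw kernel: IN=eth0 PROTO=TCP SRC=198.51.100.200 DST=203.0.113.10 DPT=22
Sep 29 11:09:42 fw kernel: IN=eth0 PROTO=TCP SRC=198.51.100.200 DST=203.0.113.10 DPT=23
"""

# Constructed stand-in for a WHOIS/ARIN lookup (RFC 5737 documentation ranges).
# In practice the block kind comes from the WHOIS netname and reverse DNS
# ("dialup", "cable", "dsl" in the PTR) and the contact from the registry record.
NETBLOCKS = [
    (ipaddress.ip_network("192.0.2.0/25"),      "institutional", "abuse@example.edu"),
    (ipaddress.ip_network("198.51.100.0/25"),   "consumer",      "abuse@cable.example"),
    (ipaddress.ip_network("198.51.100.128/25"), "hosting",       "abuse@hosting.example"),
]

# Block kinds the post's author does not bother reporting: ISP dial-up/cable/DSL pools.
SKIP_KINDS = {"consumer"}

LINE_RE = re.compile(
    r"PROTO=(?P<proto>\w+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) DPT=(?P<dpt>\d+)")


def parse_log(text):
    """One dict per recognised line; lines that do not match the pattern are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"proto": m["proto"], "src": m["src"], "dst": m["dst"],
                           "dpt": int(m["dpt"]), "raw": line})
    return events


def lookup(src):
    """Longest-prefix match of src against the constructed allocation table, or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, kind, contact in NETBLOCKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, contact)
    return best


def classify(events_for_src):
    """Label one source's activity: broadcast DNS, host sweep, port scan or single hit."""
    # UDP to port 53 on the limited broadcast address, the pattern the thread cites
    # as something worth reporting to the owner.
    if any(e["proto"] == "UDP" and e["dpt"] == 53 and e["dst"] == "255.255.255.255"
           for e in events_for_src):
        return "broadcast-dns"
    if len({e["dst"] for e in events_for_src}) > 1:
        return "sweep"
    if len({e["dpt"] for e in events_for_src}) > 1:
        return "portscan"
    return "single-hit"


def triage(text):
    """Group events by source and decide per source whether to notify the block owner."""
    by_src = defaultdict(list)
    for e in parse_log(text):
        by_src[e["src"]].append(e)
    decisions = {}
    for src, evs in by_src.items():
        kind = classify(evs)
        hit = lookup(src)
        if kind == "single-hit":
            decisions[src] = {"action": "ignore", "kind": kind, "reason": "not a scan"}
        elif hit is None:
            decisions[src] = {"action": "manual", "kind": kind, "reason": "no allocation record"}
        elif hit[1] in SKIP_KINDS:
            decisions[src] = {"action": "skip", "kind": kind, "reason": f"{hit[1]} block"}
        else:
            decisions[src] = {"action": "notify", "kind": kind, "contact": hit[2],
                              "evidence": [e["raw"] for e in evs]}
    return decisions


def draft_report(src, decision):
    """Plain-text notice to the netblock contact with the log excerpt as evidence."""
    assert decision["action"] == "notify"
    lines = [f"To: {decision['contact']}",
             f"Subject: {decision['kind']} from {src} against our netblock",
             "",
             f"We observed the following traffic from {src}, which we assume was not",
             "authorised by the owner of that host. Firewall log excerpt (local time):",
             ""]
    lines += ["  " + raw for raw in decision["evidence"]]
    return "\n".join(lines)


if __name__ == "__main__":
    for src, d in triage(SAMPLE_LOG).items():
        print(src, d["action"], d["kind"], d.get("contact", d.get("reason")))
```

With the constructed input, the sweep from the institutional block and the port scan from the hosting block are flagged for notification, while the broadcast-DNS source is dropped because it sits in a consumer pool; swap the policy by editing SKIP_KINDS, and replace the static table with a real WHOIS lookup before using it on live logs.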
