Security Incidents mailing list archives
Re: Interesting reply
From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Fri, 29 Sep 2000 12:04:13 -0700
H Carvey wrote:
> Crist,
>
> > Herein, I think, lies the key to the differences of opinion that I seem to have with most other posters... The reason I do it (when time permits) is because I generally believe that about 90% of the scans are coming from a rooted or otherwise compromised box.
>
> 90%?!? I've seen the comment with "large majority" or "vast majority", but never a percentage. Also, I have yet to see any evidence presented in this forum (or any other) that would support such a thesis.

Oops, I did not fully qualify that. I would guess, and this is gut feeling as opposed to a scientific analysis, that 90% of the scans /that are not coming from dial-up or coax cable blocks/ are compromised or otherwise abused boxes. I was not clear that I was cutting that group out in that guesstimate even though I go on to exclude them below.

> > If it is from a dial-up or coax cable block, I typically don't bother for the reasons you cite; it is less likely to be a compromised box.
>
> Dial-up... maybe. Cable modem... I would think such boxes, particularly Win32 ones, would more likely be compromised.

But think of all the script kiddies with their new h4x0R boxen (a default install of RedHat waiting to be exploited by some other kiddie) wetting their pants over their new broadband connection and scanning 0.0.0.0/0 for every exploit under the sun.

> > I look at it this way, if someone out there was getting scanned by a host that ARIN says I own, I would _really_ want someone to tell me about it.
>
> I'm all for telling someone that they might have a compromised box. I've reported boxes that appeared in logs w/ UDP datagrams sent to port 53 on 255.255.255.255 (dest IP). However, in today's day and age, there are commercial, shareware, and freeware vulnerability scanners (I've written my own for NT), making it a trivial exercise for SAs to automate security management of even heterogeneous systems. Yes, if someone finds a box of mine that might be compromised, I would like to know... but the compromise would have to be an inside, malicious job as I would have already set up a proactive security management and monitoring program.

But you always have to remember that despite all of the measures you take, someone may still slip through. Believing that you are invulnerable is the surest way to learn otherwise. If all of your kewl scans and IDS don't pick up a problem, it is not 100% assurance there is none there. All the more need for some admin Out There to let you know when he sees funky stuff coming from your address block. Finally, if a user with valid access is abusing the system or if there is, as you put it, "an inside, malicious job," I want to know about that too.

To reiterate the original point I was trying to make, I feel that reporting scans to the source can be a worthwhile endeavour. Large ISPs probably have neither the time nor inclination to deal with users who are doing scans or have compromised boxes. Therefore, I personally do not bother when it is clearly a dial-up, coax cable, DSL, etc. source. However, in most (not all) other cases, I feel that letting the administrator of the systems know about the scan would be useful since I generally assume the scans are probably not authorized by the actual owners and administrators of the systems. I feel this way since I know that I, personally, would really want to know if there was suspicious traffic seemingly coming from systems that fall under our netblocks.

Oh, yeah, in spite of all that, notification of scan sources is still not a high priority for me. I only do it when I have the time.

--
Crist J. Clark                         Network Security Engineer
crist.clark () globalstar com          Globalstar, L.P.
(408) 933-4387                         FAX: (408) 933-4926
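The triage policy argued over in this exchange (flag scan sources and the UDP/53-to-broadcast pattern, then skip notification for residential dial-up/cable/DSL space and report the rest) can be written down as a small log filter. The following is an added example, not code from either poster; the log lines, the "residential" prefix list, the five-port scan threshold and the notice template are all constructed assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines (iptables-style fields); not from the original message.
SAMPLE_LOG = """\
Sep 29 11:02:01 fw kernel: IN=eth0 PROTO=TCP SRC=192.0.2.10 DST=198.51.100.5 DPT=21
Sep 29 11:02:01 fw kernel: IN=eth0 PROTO=TCP SRC=192.0.2.10 DST=198.51.100.5 DPT=23
Sep 29 11:02:02 fw kernel: IN=eth0 PROTO=TCP SRC=192.0.2.10 DST=198.51.100.5 DPT=80
Sep 29 11:02:02 fw kernel: IN=eth0 PROTO=TCP SRC=192.0.2.10 DST=198.51.100.5 DPT=111
Sep 29 11:02:03 fw kernel: IN=eth0 PROTO=TCP SRC=192.0.2.10 DST=198.51.100.5 DPT=143
Sep 29 11:02:03 fw kernel: IN=eth0 PROTO=TCP SRC=192.0.2.10 DST=198.51.100.5 DPT=443
Sep 29 11:05:10 fw kernel: IN=eth0 PROTO=UDP SRC=203.0.113.77 DST=255.255.255.255 DPT=53
Sep 29 11:06:00 fw kernel: IN=eth0 PROTO=TCP SRC=203.0.113.200 DST=198.51.100.5 DPT=22
"""

# Assumed list of prefixes the operator treats as dial-up / cable / DSL space
# (the "don't bother" category in the message). In practice this comes from
# whois/ARIN lookups or the ISP's published pool ranges.
RESIDENTIAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/25")]

# Assumed threshold: this many distinct destination ports from one source
# within the log window is treated as a port scan.
SCAN_PORT_THRESHOLD = 5

LINE_RE = re.compile(
    r"PROTO=(?P<proto>\w+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) DPT=(?P<dpt>\d+)"
)


def parse(log_text):
    """Extract (proto, src, dst, dport) tuples from lines that match the log format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["proto"], m["src"], m["dst"], int(m["dpt"])))
    return events


def is_residential(src):
    """True if the source falls inside one of the assumed residential prefixes."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in RESIDENTIAL_PREFIXES)


def triage(log_text):
    """Return {src: {"reasons": [...], "report": bool}} for suspicious sources.

    A source is suspicious if it sent UDP to port 53 on the limited-broadcast
    address 255.255.255.255, or if it touched >= SCAN_PORT_THRESHOLD ports.
    'report' follows the message's policy: notify unless the source is residential.
    """
    ports = defaultdict(set)
    reasons = defaultdict(list)
    for proto, src, dst, dpt in parse(log_text):
        ports[src].add(dpt)
        if proto == "UDP" and dst == "255.255.255.255" and dpt == 53:
            reasons[src].append("udp/53 to broadcast address")
    for src, seen in ports.items():
        if len(seen) >= SCAN_PORT_THRESHOLD:
            reasons[src].append(f"port scan: {len(seen)} distinct ports")
    return {src: {"reasons": why, "report": not is_residential(src)}
            for src, why in reasons.items()}


def draft_notice(src, reasons):
    """Render a plain abuse notice for the netblock contact (assumed wording)."""
    lines = "\n".join(f"  - {r}" for r in reasons)
    return (f"Suspicious traffic was logged from {src}, which whois lists under "
            f"your netblock. Observed:\n{lines}\n"
            "The host may be compromised; please investigate.")


if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        if info["report"]:
            print(draft_notice(src, info["reasons"]))
        else:
            print(f"{src}: residential source, not reporting ({info['reasons']})")
```

Only sources with at least one reason appear in the result, so the single SSH connection from 203.0.113.200 is ignored; 192.0.2.10 trips the scan threshold and is marked for reporting, while the broadcast DNS probe from 203.0.113.77 is flagged but, being inside the assumed residential prefix, is not.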