Security Incidents mailing list archives
Re: A port scan is not an Incident (was No one wants responsibility)
From: Rob McCauley <robmccau () RADONC DUKE EDU>
Date: Wed, 20 Sep 2000 16:27:39 -0400
> Have a heart folks. Scanning might be annoying, but that's it. It's part of being on the net.
This is periodically debated on this list and other places. I'd really like to put an end to that debate.

I operate under the assumption that, for example, if I see 5 ftp probes/month, then an exploit for wu-ftpd is released, and I see 50 in the month following, then likely those 45 new ones are people looking to exploit systems. The existence of people actively trying to exploit systems is more than annoying, it's a real threat. Insert worn checking-doorknobs analogy.

Please don't reply with counter-arguments to this. What I'm looking for, for all our mutual benefit, is anyone with hard data on the subject. If you have it, or references to useful information in this area, please post it.

Interestingly, one way I think we might get useful data is to correlate so-called innocent port scans from as many sources as possible with actual intrusion attempts. Do actual intrusion attempts come from systems which have launched port scans in the recent few days? What caused the scan? What percentage of the time is the scan from a compromised box? We need answers to this, and I'm not hearing them when this is debated.

If scans rarely or never precede an attempt to compromise, if most (for some value) scans are truly innocent (we're doing research, typo, etc.), and if scans are almost always launched by a legitimate user of the box, then you're right. We can and should block and ignore. If the converse is true, scans are usually a prelude to compromising *something*, even if it isn't mine, with some malicious intent (I want to compromise a box with an unpatched wu-ftpd, for example), and from compromised boxes a fair amount of the time, then they're worth reporting.

So, opinions aside (mine included), does anyone have any hard data on this?

Rob
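The correlation Rob asks for (do intrusion attempts come from sources that scanned us in the preceding few days?) can be measured directly from two event streams. The following is an added example, not code from the original post or from anyone on the thread. It assumes a sensor has already labelled events as "scan" or "attempt" (that classification is outside the example), uses a constructed three-day look-back window, and uses constructed log lines with RFC 1918 addresses. It reports the two ratios the post asks about: how many attempts were preceded by a scan from the same source, and how many scanning sources went on to attempt an intrusion. It does not answer the third question, whether the scanning box was itself compromised, because that cannot be read off these logs.

```python
"""Correlate port-scan sources with later intrusion attempts.

Added example (not part of the original mailing-list post). Log format
and all sample lines are constructed for illustration:
    <ISO-8601 timestamp> <source IP> <kind> <detail>
where kind is "scan" or "attempt".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real traffic).
SCAN_LOG = """
2000-09-15T02:11:09 10.0.0.5 scan tcp/21
2000-09-15T03:40:22 10.0.0.9 scan tcp/21
2000-09-16T11:05:00 10.0.0.7 scan tcp/21
2000-09-19T23:59:10 10.0.0.5 scan tcp/21
"""

ATTEMPT_LOG = """
2000-09-17T04:20:31 10.0.0.5 attempt wu-ftpd
2000-09-18T09:00:00 10.0.0.12 attempt wu-ftpd
2000-09-21T00:10:00 10.0.0.9 attempt wu-ftpd
"""


def parse_log(text):
    """Parse constructed log lines into (timestamp, ip, kind, detail) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, kind, detail = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), ip, kind, detail))
    return events


def correlate(scans, attempts, window=timedelta(days=3)):
    """Link each intrusion attempt to scans from the same source.

    A scan counts as preceding an attempt only if it happened at or
    before the attempt and no earlier than `window` before it; a scan
    that arrives after the attempt is deliberately not linked.
    """
    scans_by_src = defaultdict(list)
    for ts, ip, _, _ in scans:
        scans_by_src[ip].append(ts)

    preceded = 0
    linked_sources = set()
    for ts, ip, _, _ in attempts:
        prior = [s for s in scans_by_src.get(ip, ()) if ts - window <= s <= ts]
        if prior:
            preceded += 1
            linked_sources.add(ip)

    return {
        "attempts_total": len(attempts),
        "attempts_preceded_by_scan": preceded,
        "scan_sources_total": len(scans_by_src),
        "scan_sources_followed_by_attempt": len(linked_sources),
    }


def run_example(window_days=3):
    """Run the correlation over the constructed logs and return the counts."""
    scans = parse_log(SCAN_LOG)
    attempts = parse_log(ATTEMPT_LOG)
    return correlate(scans, attempts, timedelta(days=window_days))


if __name__ == "__main__":
    r = run_example()
    print(f"{r['attempts_preceded_by_scan']}/{r['attempts_total']} attempts "
          f"were preceded by a scan from the same source within 3 days")
    print(f"{r['scan_sources_followed_by_attempt']}/{r['scan_sources_total']} "
          f"scanning sources later attempted an intrusion")
```

On the constructed data, 10.0.0.5 scanned on the 15th and attempted on the 17th (linked); 10.0.0.9 scanned on the 15th but did not attempt until the 21st, outside the window (not linked); 10.0.0.12 attempted without any recorded scan. Widening the window to seven days links 10.0.0.9 as well, which is why the window should be stated alongside any percentage reported from real logs. Aggregating this across many sites, as the post suggests, is what would turn it from one site's anecdote into the data the thread is asking for.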
Current thread:
- No one wants responsibility Harlan S. Barney, Jr. (Sep 19)
- Re: No one wants responsibility UnixGeek (Sep 20)
- Re: No one wants responsibility Terje Bless (Sep 21)
- A port scan is not an Incident (was No one wants responsibility) Etaoin Shrdlu (Sep 20)
- Re: A port scan is not an Incident (was No one wants responsibility) Rob McCauley (Sep 21)
- Re: A port scan is not an Incident (was No one wants responsibility) David Brumley (Sep 21)
- <Possible follow-ups>
- Re: No one wants responsibility Guilherme Mesquita (Sep 20)
- Re: No one wants responsibility Paul Franson (Sep 20)
- Re: No one wants responsibility Craven, William (Sep 20)
- Re: No one wants responsibility Laumann, Dave (Sep 21)
- Re: No one wants responsibility UnixGeek (Sep 20)