Security Incidents mailing list archives

Re: Handling Scans.


From: Richard Johnson <rdump () RIVER COM>
Date: Mon, 12 Feb 2001 15:51:24 -0700

At 09:28 -0700 on 2/12/01, Reeves, Mike wrote:
I was trying to get some community type feedback on what people usually do
in handling scans of their networks. At home I usually look back at the
person scanning me. I get scanned about 5 times a day. Should I take the
time to contact the admin or should I just let it go? What do most people
do?


If you have the time, a heads-up to the admins in charge of the network
would probably be appreciated by them.  They might not know of their
possibly compromised host or user account yet.  And if the traffic was
legitimate, you might like to know as well, so you can avoid false alarms
in the future.

Make the reports concise, as those who receive your reports are probably as
short of time as you are.  Don't leave out the necessary details (time,
time zone, representative log entries), etc., but don't write a book.

Also, avoid threatening language or mention of law[yers], as many who
receive your reports can't talk to you if you say things like that -- they
have to refer your message to their lawyers instead.  In such cases, you
might as well not waste your time.

We often use something like this (this month -- it'll change, but you get
the general idea :-) when we send email to security@, the tech contacts, or
the upstream:

    "Sorry to be the bearer of bad news, but one of your IPs apparently
     engaged in a port scan of numerous hosts on our network.  This is not
     normal behavior, leading us to suspect that your host, or a user account
     on that host, may be compromised.  If it was compromised, please let us
     know so we can compare notes about the techniques used.  Thanks!

     (Times are MST = UTC -7, synchronised with ntp)
     Logs from firewall-1:
     ..."


Richard
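As an added example (not from Richard's post, and not a tool the list or its members published), the following Python script drafts the kind of report the message recommends: it picks out a source that hit many distinct host/port pairs in a short window, states the log host's time zone as an explicit UTC offset, and includes only a few representative entries rather than the whole log. The log format, the addresses, the thresholds and the sample lines are all constructed for this example; in particular the format is not Check Point FireWall-1's real export format, so the regular expression would need adjusting for actual firewall output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Local zone of the log host. The post stresses stating this explicitly;
# MST = UTC-7 is used here because that is what the post's template says.
LOCAL_TZ = timezone(timedelta(hours=-7), "MST")

# Constructed log format for this example (NOT FireWall-1's real export format):
#   YYYY-MM-DD HH:MM:SS <action> <proto> SRC:SPORT -> DST:DPORT
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: one host probing a few ports on three of "our" hosts,
# one unrelated drop, and one accepted connection that must be ignored.
SAMPLE_LOG = """\
2001-02-12 09:02:11 drop tcp 192.0.2.77:4123 -> 198.51.100.10:21
2001-02-12 09:02:11 drop tcp 192.0.2.77:4124 -> 198.51.100.10:22
2001-02-12 09:02:12 drop tcp 192.0.2.77:4125 -> 198.51.100.10:23
2001-02-12 09:02:12 drop tcp 192.0.2.77:4126 -> 198.51.100.10:25
2001-02-12 09:02:13 drop tcp 192.0.2.77:4127 -> 198.51.100.11:21
2001-02-12 09:02:13 drop tcp 192.0.2.77:4128 -> 198.51.100.11:22
2001-02-12 09:02:14 drop tcp 192.0.2.77:4129 -> 198.51.100.11:23
2001-02-12 09:02:14 drop tcp 192.0.2.77:4130 -> 198.51.100.11:25
2001-02-12 09:02:15 drop tcp 192.0.2.77:4131 -> 198.51.100.12:21
2001-02-12 09:02:15 drop tcp 192.0.2.77:4132 -> 198.51.100.12:22
2001-02-12 09:05:40 drop tcp 203.0.113.5:51022 -> 198.51.100.10:80
2001-02-12 09:40:02 accept tcp 203.0.113.9:33001 -> 198.51.100.10:25
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    ev["raw"] = line.strip()
    return ev


def find_scanners(lines, min_targets=8, window=timedelta(minutes=10)):
    """Group dropped connections by source and flag any source that touched at
    least min_targets distinct (host, port) pairs inside one sliding window.
    The thresholds are arbitrary choices for this example."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "drop":
            by_src[ev["src"]].append(ev)
    scanners = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            targets = {(e["dst"], e["dport"])
                       for e in events[i:] if e["ts"] - start["ts"] <= window}
            if len(targets) >= min_targets:
                scanners[src] = events
                break
    return scanners


def representative(events, n=3):
    """First, last and evenly spaced middle entries: enough to show the
    pattern without writing a book."""
    if len(events) <= n:
        return events
    idx = sorted({round(k * (len(events) - 1) / (n - 1)) for k in range(n)})
    return [events[i] for i in idx]


def draft_report(src, events, n_samples=3):
    """Build a concise, non-threatening report body in the spirit of the post."""
    hosts = {e["dst"] for e in events}
    ports = {e["dport"] for e in events}
    first, last = events[0]["ts"], events[-1]["ts"]
    hours = int(first.utcoffset().total_seconds() // 3600)
    lines = [
        f"Sorry to be the bearer of bad news, but {src} apparently engaged in a",
        f"port scan of {len(hosts)} hosts ({len(ports)} distinct ports) on our network",
        f"between {first:%Y-%m-%d %H:%M:%S} and {last:%H:%M:%S}. This is not normal",
        "behavior, leading us to suspect the host, or a user account on it, may be",
        "compromised. If so, please let us know so we can compare notes. Thanks!",
        "",
        f"(Times are {first.tzname()} = UTC {hours:+d}, synchronised with ntp)",
        f"Representative log entries ({len(events)} total):",
    ]
    lines += ["    " + e["raw"] for e in representative(events, n_samples)]
    return "\n".join(lines)


if __name__ == "__main__":
    for src, evs in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(draft_report(src, evs), end="\n\n")
```

Run as-is it prints one report for 192.0.2.77 and nothing for the single unrelated drop or the accepted connection. The whole-log count ("10 total") is kept in the report so the recipient knows the three quoted lines are a sample, and the time zone line is generated from the log host's zone rather than typed by hand, which is where such reports most often go wrong.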

