Security Incidents mailing list archives
Re: Handling Scans.
From: Richard Johnson <rdump () RIVER COM>
Date: Mon, 12 Feb 2001 15:51:24 -0700
At 09:28 -0700 on 2/12/01, Reeves, Mike wrote:
> I was trying to get some community type feedback on what people usually do in handling scans of their networks. At home I usually look back at the person scanning me. I get scanned about 5 times a day. Should I take the time to contact the admin or should I just let it go? What do most people do?
If you have the time, a heads-up to the admins in charge of the network would probably be appreciated by them. They might not know of their possibly compromised host or user account yet. And if the traffic was legitimate, you might like to know as well, so you can avoid false alarms in the future.

Make the reports concise, as those who receive your reports are probably as short of time as you are. Don't leave out the necessary details (time, time zone, representative log entries), etc., but don't write a book. Also, avoid threatening language or mention of law[yers], as many who receive your reports can't talk to you if you say things like that -- they have to refer your message to their lawyers instead. In such cases, you might as well not waste your time.

We often use something like this (this month -- it'll change, but you get the general idea :-) when we send email to security@, the tech contacts, or the upstream:

"Sorry to be the bearer of bad news, but one of your IPs apparently engaged in a port scan of numerous hosts on our network. This is not normal behavior, leading us to suspect that your host, or a user account on that host, may be compromised.

If it was compromised, please let us know so we can compare notes about the techniques used.

Thanks!

(Times are MST = UTC -7, synchronised with ntp)

Logs from firewall-1:
..."

Richard
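An added example, not part of the original message or the list archive: a Python script that condenses firewall log lines into the details the message asks for (time, time zone, a few representative entries) for each source that touched several hosts. The log format, addresses, thresholds and function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MST = timezone(timedelta(hours=-7), "MST")  # the zone named in the post: MST = UTC -7
# Constructed sample in a made-up "date time src dst service action" format.
SAMPLE_LOG = """\
2001-02-12 09:14:02 192.0.2.45 198.51.100.10 tcp/21 drop
2001-02-12 09:14:02 192.0.2.45 198.51.100.11 tcp/21 drop
2001-02-12 09:14:03 192.0.2.45 198.51.100.12 tcp/21 drop
2001-02-12 09:14:03 192.0.2.45 198.51.100.13 tcp/21 drop
2001-02-12 10:02:51 203.0.113.7 198.51.100.10 tcp/80 drop
"""

def parse(log_text, tz):
    """Yield (aware timestamp, src, dst, raw line) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip blank or malformed lines
        stamp = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        yield stamp.replace(tzinfo=tz), parts[2], parts[3], line

def scan_reports(log_text, tz=MST, min_hosts=3, max_lines=3):
    """Return {source IP: report body} for sources that touched >= min_hosts hosts."""
    by_src = defaultdict(list)
    for rec in parse(log_text, tz):
        by_src[rec[1]].append(rec)
    reports = {}
    for src, recs in by_src.items():
        hosts = {dst for _, _, dst, _ in recs}
        if len(hosts) < min_hosts:
            continue  # one stray connection is not worth a report
        recs.sort(key=lambda r: r[0])  # logs merged from several devices may be unordered
        first, last = recs[0][0], recs[-1][0]
        body = [
            f"Source IP: {src}",
            f"Observed: {len(recs)} blocked connections to {len(hosts)} of our hosts",
            f"From: {first:%Y-%m-%d %H:%M:%S %Z} (UTC{first:%z})",
            f"To:   {last:%Y-%m-%d %H:%M:%S %Z} (UTC{last:%z})",
            "Representative log entries:",
        ]
        body += ["  " + raw for *_, raw in recs[:max_lines]]
        if len(recs) > max_lines:
            body.append(f"  ... {len(recs) - max_lines} similar entries omitted")
        reports[src] = "\n".join(body)
    return reports

if __name__ == "__main__":
    print("\n\n".join(scan_reports(SAMPLE_LOG).values()))
```

The output is meant to be pasted under a short human-written note like the one quoted in the message.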