nanog mailing list archives

Re: EXAMPLE: ### xxx Canada detected a penetration attempt from 209.123.x.229. Incident# xxxx


From: Valdis.Kletnieks () vt edu
Date: Fri, 26 Oct 2001 09:45:08 -0400

On Fri, 26 Oct 2001 09:03:01 -0300, Alex Rubenstein <alex () nac net>  said:

> Kind of my point; SO WHAT THAT THIS PERSON WAS SCANNED? Is scanning
> actually an illegal activity? Was anything actually hacked, cracked, or
> 0wn3d?

Nope, it's not illegal (yet).  But it might be suspicious...

> It's an absurd waste of resources to be emailed by automagic systems every
> time someone sends a stray packet.

Well, there's stray packets and there's stray packets...

> Source: 209.123.x.229
> Destination: Host-x.x.19.254
> Date: 26Oct2001
> Time: 4:50:23   (Local Calgary Time GMT-7)
> Service/Protocol: http

This could be suspicious *if* and *only if* Host-x.x.19.254 is known to
not be an http server.  It may be totally innocuous - I've been known
to put http:// instead of ftp:// in a URL more than once myself.

Might be a user error at your site.  Might be a misconfig at your site.
Might be a malicious user at your site.  They don't know, and they can't
tell.  

> Because we view this activity as possible intent to breach security, we
> ask you to review your logs and take appropriate action against the
> offending party responsible for this suspicious activity.

And they're correct - it *could* be.  All they're asking is that you check
it out as per your procedures.  If your procedures include hitting the big
button labeled "refile in trash", that's your decision. ;)

We send a lot of similar notes of our own (though usually it takes more than
one stray packet to get our attention), and we receive a lot of similar notes
about our users (goes with the territory, we're a large university).  We
do what we feel is proper in response (any 'first report' we get that involves
our NTP servers gets an FAQ sent back, we don't often hear back again).
And we're happy to get the reports - we've had more than one incident where
we didn't know we had a problem until we had *multiple* sites reporting that
the *same* box at our site was poking their stuff....
-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
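The triage rules argued for above, as an added example that is not part of the thread or any participant's own tooling: a single connection to a port is worth a look only when the destination is not known to offer that service, and a source earns real attention once several independent sites report it. The host inventory, the extra reports, the `Notice` class and the escalation threshold are constructed assumptions; only the field layout of the notice follows the text quoted in the message.

```python
"""Triage of automated 'penetration attempt' notices (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory: which services each of our hosts is *supposed* to offer.
# Host names mimic the obfuscated form used in the notice quoted on the page.
ADVERTISED_SERVICES = {
    "Host-x.x.19.254": set(),             # a workstation; offers nothing
    "Host-x.x.19.10": {"http", "https"},  # the public web server
    "Host-x.x.19.20": {"ntp"},            # an NTP server
}

# The notice format quoted in the thread (values as they appear there).
SAMPLE_NOTICE = """\
Source: 209.123.x.229
Destination: Host-x.x.19.254
Date: 26Oct2001
Time: 4:50:23   (Local Calgary Time GMT-7)
Service/Protocol: http
"""


@dataclass
class Notice:
    source: str
    destination: str
    service: str
    reporter: str  # the site that sent the complaint


def parse_notice(text: str, reporter: str) -> Notice:
    """Parse the 'Field: value' block; split on the first colon only, since
    the Time value itself contains colons."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return Notice(
        source=fields["source"],
        destination=fields["destination"],
        service=fields["service/protocol"].lower(),
        reporter=reporter,
    )


def classify(notice: Notice, inventory=ADVERTISED_SERVICES) -> str:
    """Judge one notice on its own.

    'expected'     - the destination advertises that service (likely noise)
    'suspicious'   - the destination is ours and does not offer it
    'unknown-host' - the destination is not in our inventory (e.g. a remote
                     site reporting one of our machines), so we cannot tell
    """
    offered = inventory.get(notice.destination)
    if offered is None:
        return "unknown-host"
    return "expected" if notice.service in offered else "suspicious"


def escalate(notices, threshold=2, inventory=ADVERTISED_SERVICES):
    """Group non-expected notices by source and count *distinct* reporters.

    A source reaches 'investigate' once `threshold` different sites have
    complained about it; a lone report is merely logged. This is the
    'multiple sites reporting the same box' rule from the message.
    """
    reporters_by_source = defaultdict(set)
    for n in notices:
        if classify(n, inventory) != "expected":
            reporters_by_source[n.source].add(n.reporter)
    return {
        src: ("investigate" if len(reps) >= threshold else "log-only")
        for src, reps in reporters_by_source.items()
    }


def build_sample_reports():
    """Constructed batch: the notice from the thread, two made-up reports from
    other sites about the same (constructed) source, and one expected web hit."""
    return [
        parse_notice(SAMPLE_NOTICE, reporter="xxx Canada"),
        Notice("192.0.2.7", "remote-host.example", "ssh", reporter="site-b"),
        Notice("192.0.2.7", "other-host.example", "ssh", reporter="site-c"),
        Notice("198.51.100.4", "Host-x.x.19.10", "http", reporter="site-d"),
    ]


if __name__ == "__main__":
    reports = build_sample_reports()
    for n in reports:
        print(f"{n.reporter:10} {n.source:15} -> {n.destination:22} "
              f"{n.service:5} {classify(n)}")
    print(escalate(reports))
```

The inventory lookup is the only part that needs local knowledge; everything else works on the fields every such notice already carries, which is why the per-source reporter count is the more robust signal when the destination belongs to someone else.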

