Security Basics mailing list archives

Re: When does a scan attempt become a focused attack?


From: salgak () speakeasy net
Date: Wed, 22 Oct 2003 18:04:40 +0000

It's simple: When it becomes a bother to the admin, it's an attack.

<begin Port-Scan war story>

Several years ago, when I was the admin of a dot-com, we suddenly got a bunch of port scans on some very odd ports 
every hour, on the hour, for 20 or so minutes.

Luckily, my IDS logged the IP, and when looking it up, I found it was coming from Bell Labs in New Jersey: talked to 
the admin there, he confirmed and gave me the name of the researcher the IP belonged to, as well as his email addy.

I talked to the scientist, and he said that what he was doing was basic research, and I couldn't stop him.

Now at that point, corporate policy was that more than three portscans from the same IP in 24 hours was considered an attack.

The nice thing about Bell Labs is their web page, which showed all the researchers and their place in the organization.

A nice little letter of complaint to his supervisor, his supervisor's supervisor, and the VP who ran that branch of 
Bell Labs, with all documentation and correspondence to and from the scientist.

Within 2 hours, the portscans stopped. A week later, the scientist was no longer on the org chart. . .


