Security Basics mailing list archives

Re: When does a scan attempt become a focused attack?


From: Byron Sonne <blsonne () rogers com>
Date: Wed, 22 Oct 2003 19:56:16 -0400

Although you could let the owner of the machine, or the ISP know that their
machine is performing a scan (they probably don't even realise it) or is
silly enough to use their personal IP to run an IIS vulnerability scan
*grin*

I've found that half the time things quiet down a little when you give them a good nmap scan back. If they are doing it from their personal account or machine, they'll know that I know. If they're doing it from an opportunistic or hacked account, then someone else will perhaps turn an eye and shut 'em out, or they'll move on to another less noisy target. And if nothing happens, oh well. Always worth the education to see what real world scans look like. Make sure you save 'em. By knowing what is at the end of the attacking connection, you can better tune your defenses or just drop their packets on the floor.

Turnabout's fair play I figure, and I'm not trying to crash their box, DoS them or anything else. After all, if they're knocking on my door, sometimes a knock back on theirs calms 'em down.

--

        For good, return good. For evil, return justice.

