IDS mailing list archives

RE: slow scans?


From: "Rob Shein" <shoten () starpower net>
Date: Tue, 18 Feb 2003 12:02:16 -0500

And on top of this, I really question any claim of ability to reliably
detect a scan that takes place over a period of extended time (weeks or
longer) where the attacker keeps changing IP addresses (and by that I mean
totally different networks, not just doing "ipdown" and "ipup" on their
cable-modem-connected Linux box).  Between backscatter that may come from DoS
attacks, mis-typed IP addresses (I once had a full-blown SNMP scan of my net
because someone did a 16-bit netmask instead of 24 bits), and other noise.
I would assume that anyone so paranoid and sneaky as to jump around so much
would also randomize the order in which ports were scanned, and very
possibly throw some variety into the type of scan as well.  You certainly
couldn't have an alert trigger on this without DoSing your brain with false
alarms.

-----Original Message-----
From: Tod Beardsley [mailto:todb () planb-security net] 
Sent: Sunday, February 16, 2003 1:33 PM
To: focus-ids () securityfocus com
Subject: Re: slow scans?


Johannes asked:

What would you do differently if you know someone is scanning you
slowly?

About the only reason I can think of to actually care about low-n-slow
scans is to provide evidence to The Authorities -- assuming your 
scanner follows through with an actual attack, is reasonably 
successful, is detected, is positively identified, is arrested, and 
goes to trial. Your original scan data would go towards establishing 
his intent to attack you. (IANAL.)

Most organizations don't particularly care about this (unlikely?) chain 
of events, if only implicitly, by their lack of a legally robust 
evidence-handling policy.

-- 
"It's okay to yell fire in a crowded theater
if the theater is actually on fire."
Tod Beardsley | www.planb-security.net
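The thread's sticking point is that a scan spread over weeks from ever-changing source addresses, with shuffled port order, is invisible to anything keyed on the source IP, while keying on the target instead risks firing on backscatter and mistyped sweeps. The script below is an added example, not code from any poster in the thread; it assumes a flow-record format of its own choosing, (timestamp, src_ip, dst_ip, dst_port), and constructs its own synthetic traffic: one IP-hopping slow scan, one fat-fingered SNMP sweep and one backscatter burst. It keys state on the destination so the hopping scan is still seen as one scan, and shows that a minimum-duration check is what keeps the one-minute burst from paging anyone.

```python
"""Target-keyed slow-scan detector over flow records.

Added example for this thread, not code from any poster.  The record format
is an assumption made here: (ts_seconds, src_ip, dst_ip, dst_port), one tuple
per probe.  State is keyed on the destination, so a scan whose operator hops
between unrelated source networks and shuffles port order is still seen as
one scan; the min_span knob separates it from a burst of noise.
"""
from collections import Counter, defaultdict
import random

DAY = 24 * 3600
WINDOW = 21 * DAY        # per-target history retained (seconds)
PORT_THRESHOLD = 20      # distinct destination ports that trigger an alert


def detect_slow_scans(flows, window=WINDOW, port_threshold=PORT_THRESHOLD, min_span=0):
    """Return {dst_ip: (distinct_ports, distinct_sources, span_seconds)}.

    A target is reported the first time a sliding window of `window` seconds
    contains probes to at least `port_threshold` distinct ports, whatever the
    source addresses were.  If min_span > 0, the probes in that window must
    also stretch over at least min_span seconds; a burst that lands in one
    minute (backscatter from a DoS victim, a mistyped sweep) is then ignored.
    """
    by_target = defaultdict(list)
    for ts, src, dst, port in flows:
        by_target[dst].append((ts, src, port))

    alerts = {}
    for dst, events in by_target.items():
        events.sort()                     # oldest probe first
        ports, sources = Counter(), Counter()
        left = 0                          # index of the oldest event still in the window
        for ts, src, port in events:
            ports[port] += 1
            sources[src] += 1
            while ts - events[left][0] > window:      # expire probes that fell out of the window
                _, old_src, old_port = events[left]
                ports[old_port] -= 1
                if not ports[old_port]:
                    del ports[old_port]
                sources[old_src] -= 1
                if not sources[old_src]:
                    del sources[old_src]
                left += 1
            span = ts - events[left][0]
            if len(ports) >= port_threshold and span >= min_span:
                alerts[dst] = (len(ports), len(sources), span)
                break                     # alert once per target, at the first crossing
    return alerts


def constructed_flows(seed=7):
    """Synthetic traffic built for this example: one IP-hopping slow scan,
    one mistyped-netmask SNMP sweep and one backscatter burst."""
    rng = random.Random(seed)
    flows = []

    # 1. 24 ports on 10.0.0.5 over roughly 17 days, in shuffled order, each
    #    probe sent from one of twelve addresses in two unrelated networks.
    hoppers = [f"203.0.113.{i}" for i in range(1, 7)] + [f"198.51.100.{i}" for i in range(1, 7)]
    scan_ports = list(range(1, 25))
    rng.shuffle(scan_ports)
    for i, port in enumerate(scan_ports):
        flows.append((i * (18 * DAY // 24), rng.choice(hoppers), "10.0.0.5", port))

    # 2. Someone typed a /16 instead of a /24: one source sends UDP/161 to all
    #    256 hosts of 10.0.1.0/24, one probe per second.
    for i in range(256):
        flows.append((5 * DAY + i, "192.0.2.44", f"10.0.1.{i}", 161))

    # 3. Backscatter: a DoS victim answering spoofed SYNs hits 10.0.0.9 on 40
    #    distinct high ports within 40 seconds.
    for i, port in enumerate(rng.sample(range(1024, 65536), 40)):
        flows.append((9 * DAY + i, "192.0.2.200", "10.0.0.9", port))
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    print("ports-only rule :", detect_slow_scans(flows))
    print("with 1-day span :", detect_slow_scans(flows, min_span=DAY))
```

With the port-count rule alone, both 10.0.0.5 (the hopping scan) and 10.0.0.9 (the backscatter) are reported, while the SNMP sweep never is because each of its targets saw a single port. Adding `min_span=DAY` drops the backscatter, since its 40 probes arrive inside 40 seconds, and keeps the scan that took days. That is the trade-off the thread circles: the target-keyed window is what makes an address-hopping scan visible at all, and the duration check is one cheap way to keep the alert from drowning in one-off noise.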
