Re: Annoy Those Sub7 Scanners.

["Forrester, Mike" <mforrester () HSACORP NET>]

Comments in-line...

<snip>

> > To whom are you "proving beyond all doubt their
> > malicious intentions"?  The cops?  Your logs do not
> > constitute evidence.
>
> The cops disagree with you. Properly handled, logs are more than just
> hearsay, and also contribute to convergence of evidence -- a
> basic concept
> of law.
>
> We have successfully prosecuted using logs. Although they were not our
> only evidence, they did play a key part proving malicious intent.
>
> Others have successfully prosecuted using logs.

We get subpoenas for logs from companies and law enforcement...

> > Their ISP?  They can just as likely ignore you as cancel
> their account.
>
> From what ive experienced, its more the latter. 90% of the
> time the ISP
> cancels the account with "this is a known baddie that ive
> already warned
> once, ive been waiting for proof they are still up to no good".

This is exactly what we do.  Just because you send us a log thay shows one
of our users is scanning you or causing other possible mischief, doesn't
mean we'll cancel them.  However, we keep every legitimate complaint
(supported by logs, etc.) for tracking purposes.  If we notice a trend, they
will usually be looking for another ISP.

> If they ignore you, then you have found a grey or black hat
> network and
> report it to your colleagues so they can firewall out that network.
>
> > So what's the point of all these logs?
>
> Cancelling script kiddies accounts, of course.

We don't like them either, but about 30-40% of our complaints are about
someone whose been trojaned and not a script kiddie.

<snip>

Mike Forrester - Systems Security Engineer
High Speed Access Corp. - Denver, CO USA
mforrester () hsacorp net - +1 303 256 2134