Security Incidents mailing list archives

Ehm... what? (Re: Simultaneous Attacks)


From: martin.macok () UNDERGROUND CZ (Martin Macok)
Date: Tue, 11 Jul 2000 10:44:49 +0200


On Fri, Jul 07, 2000 at 02:39:08PM -0700, Ryan Russell wrote:
On Fri, 7 Jul 2000, Harlan S. Barney, Jr. wrote:

Today I have detected three simultaneous intrusions into my computer.
I report ALL intrusions and expect maximum penalties.

scan != intrusion

Well, that's the problem we keep going around and around about.  What you
saw was a probe.  Probes aren't illegal.  

YES! Anytime I hear about mass blackholing some ISP (or worse, wanting them
to take legal action) for 'letting' their users do portscanning or just
simply connecting somewhere, it hurts me.

Unless it really stresses your line/traffic, it's legal and normal ... don't
care about it. Unless someone really breaks into your private don't care
about it. The information about whether you're running ftpd, telnetd, httpd,
smbd, pop3d and which versions isn't a priori private. If you plugged your
computer into the Internet ... hey, you did it, this is Internet/TCPIP!

 - you can always fix your network/hosts to not provide such information
   if you really don't want it to propagate.
   (firewalls, daemons, hosts(allow|deny), fix your security!)
 
 - your security is almost on your own, fix it. Writing email complaints
   doesn't make you more secure ... and security is our matter, isn't it?
   (fix your own network, don't fix the world)

 - you can't be sure about IPs in your syslog, they can be faked.

 - if you are afraid of such scans the problem is somewhere else.

 - be paranoid, expect troubles, but don't make false alarms.

 - remember, when it comes to REAL intrusion, you will not find anything
   interesting in your local syslog ;-)
   (secure your network against real hackers then don't bother about funny
   script kiddies) 

However, it could be a good idea to _inform_ the ISP about scans, especially
when they are being repeated from there, just for their information. They
could trace back one bad boy (or girl? ;-} ) and they could also be
compromised as well ...

I mean: blackhole what you want on your firewall (you have some, haven't
you?) but don't shout out ".xy is a horde of portscanners and assassins,
everyone must blackhole it." Don't expect the ISP to jail users for
portscanning. It's not a crime nor a bad thing.

Have a nice day

:!nmap -O $YOUR_IP  # just curious

-- 
< Martin Mačok        martin.macok () underground cz           <iso-8859-2> 
  \\  http://kocour.ms.mff.cuni.cz/~macok/  http://underground.cz/  //
    \\\             -=  t.r.u.s.t  n.0  o.n.e  =-                ///

