Security Incidents mailing list archives

Re: Scanning. Is it dangerous?


From: scut () NB IN-BERLIN DE (Sebastian)
Date: Mon, 1 May 2000 10:49:05 +0200


On Sat, Apr 29, 2000 at 05:12:54PM +0200, Sarunas Krivickas wrote:

> Hi folks,

Hi.

> As I see, almost everyone here is worried about some kind of scanning of
> their own subnets, ports, etc. Do you think it is a real danger to your system?
> If it is, then scans, as dangerous actions, have to be recognized in your
> risk management and IT security policy. Does a simple scan of your system
> have the right place in your policy, and is it also the trigger to initiate
> actions and raise the alarm? Of course, we are able to recognize DoS or
> something like that, but almost all incidents here are talking about
> simple, usual and not dangerous actions. Yes, you have to think about this
> kind of action (I do not call it an attack) if your system is totally
> unprotected.

First, I distinguish between two kinds of scanning. One is the "curious"
person wanting to get to know your network. You might see him coming from dialup
accounts or his real IP address, using things like traceroute, ping or
single host queries (e.g. a BIND version request on your nameserver). Sometimes
he'd even use TCP fingerprinting techniques on some single hosts. This person
is no risk to your network; he usually only wants to get a rough impression
of what equipment you use, how well you are connected, etc.

Then there is the mass scanner, which uses incremental scans of your whole
IP space: first TCP/ICMP pings, followed by a rude portscan and then service
checking. This is usually done from a hacked high-bandwidth host on the
other side of the globe. He might not be particularly interested in your
network but in getting as many hosts cracked as possible. Seldom are there
exceptions that just collect statistical data; most of the time,
a few days later there will be a scripted exploit attempt at any common
vulnerability that was identified in your network.

In case you notice a scan you should do the following:

        - In case you see scans for stuff you don't know (mountd was mentioned
          earlier today), rescan your network yourself and remove any positive
          you wouldn't want to run on that host.
        - If there was a specific scan (say a BIND version scan), then check if
          the version you run has any known vulnerabilities.
        - Avoid filtering the IP address that scans you; it won't help. Try to
          collect as much info as possible and record any further packets sent
          from this address instead. What time is it at the remote side?
        - Try to get in contact with the responsible admin at the remote site.
          Do not use email to do that, since it will most likely get dropped.
          If you get scanned from some IP 1.2.3.4, a mail to root@1.2.3.4 will
          be deleted for sure.

> Regards,
> Sarunas

ciao,
scut

--
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ --- you don't need a --
-- lot of people to be great, you need a few great to be the best ------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
-- data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon -
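The distinction drawn above between a "curious" single-host prober and a mass scanner doing incremental sweeps of your IP space, together with the advice to record further packets from the scanning address rather than filter it, can be turned into a small log triage script. The following is an added example, not code from the original message or from any tool it mentions. The log format, the thresholds (a run of 4 consecutive destination addresses counts as a sweep, 2 or fewer target hosts counts as curious) and the sample lines are all constructed for this example; adapt the regular expression to whatever your packet filter actually logs.

```python
"""Classify the source of scan traffic seen in a packet-filter log.

Added example, not code from the original post. The log format, the
thresholds and SAMPLE_LOG are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address
from typing import Optional

# Constructed sample: one source probing a single host (ping, a DNS query,
# a look at SMTP and HTTP), and one source pinging an address range in
# order and then portscanning one of the hosts that answered.
SAMPLE_LOG = """\
2000-04-29 14:02:11 SRC=10.9.8.7 DST=192.0.2.10 PROTO=ICMP TYPE=8
2000-04-29 14:02:14 SRC=10.9.8.7 DST=192.0.2.10 PROTO=UDP DPT=53
2000-04-29 14:02:40 SRC=10.9.8.7 DST=192.0.2.10 PROTO=TCP DPT=25
2000-04-29 14:03:05 SRC=10.9.8.7 DST=192.0.2.10 PROTO=TCP DPT=80
2000-04-29 22:10:01 SRC=203.0.113.5 DST=192.0.2.1 PROTO=ICMP TYPE=8
2000-04-29 22:10:01 SRC=203.0.113.5 DST=192.0.2.2 PROTO=ICMP TYPE=8
2000-04-29 22:10:01 SRC=203.0.113.5 DST=192.0.2.3 PROTO=ICMP TYPE=8
2000-04-29 22:10:02 SRC=203.0.113.5 DST=192.0.2.4 PROTO=ICMP TYPE=8
2000-04-29 22:10:02 SRC=203.0.113.5 DST=192.0.2.5 PROTO=ICMP TYPE=8
2000-04-29 22:10:02 SRC=203.0.113.5 DST=192.0.2.6 PROTO=ICMP TYPE=8
2000-04-29 22:10:03 SRC=203.0.113.5 DST=192.0.2.7 PROTO=ICMP TYPE=8
2000-04-29 22:10:03 SRC=203.0.113.5 DST=192.0.2.8 PROTO=ICMP TYPE=8
2000-04-29 22:10:30 SRC=203.0.113.5 DST=192.0.2.3 PROTO=TCP DPT=21
2000-04-29 22:10:30 SRC=203.0.113.5 DST=192.0.2.3 PROTO=TCP DPT=23
2000-04-29 22:10:30 SRC=203.0.113.5 DST=192.0.2.3 PROTO=TCP DPT=111
2000-04-29 22:10:31 SRC=203.0.113.5 DST=192.0.2.3 PROTO=TCP DPT=635
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+)(?: DPT=(?P<dpt>\d+))?"
)

# Thresholds are assumptions made for this example, not values from the post.
SWEEP_RUN = 4          # this many consecutive destination addresses => sweep
CURIOUS_MAX_HOSTS = 2  # at most this many target hosts => "curious" prober


@dataclass
class SourceSummary:
    src: str
    hosts: set = field(default_factory=set)   # destination addresses as ints
    ports: set = field(default_factory=set)   # TCP/UDP destination ports seen
    protos: set = field(default_factory=set)
    first: Optional[datetime] = None
    last: Optional[datetime] = None
    events: int = 0


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def summarize(lines):
    """Aggregate everything each source address did: hosts, ports, time window."""
    out = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = out.setdefault(rec["src"], SourceSummary(rec["src"]))
        s.hosts.add(int(ip_address(rec["dst"])))
        s.protos.add(rec["proto"])
        if rec["dpt"] is not None:
            s.ports.add(rec["dpt"])
        s.first = rec["ts"] if s.first is None else min(s.first, rec["ts"])
        s.last = rec["ts"] if s.last is None else max(s.last, rec["ts"])
        s.events += 1
    return out


def longest_consecutive_run(addresses):
    """Length of the longest run of adjacent addresses (a, a+1, a+2, ...)."""
    run = best = 0
    prev = None
    for a in sorted(addresses):
        run = run + 1 if prev is not None and a == prev + 1 else 1
        best = max(best, run)
        prev = a
    return best


def classify(s):
    """Incremental walk over the address space => mass scanner; one or two
    hosts poked at => curious; anything else is left for a human."""
    if longest_consecutive_run(s.hosts) >= SWEEP_RUN:
        return "mass scanner"
    if len(s.hosts) <= CURIOUS_MAX_HOSTS:
        return "curious"
    return "unclassified"


def report(summaries):
    """One line per source, suitable for keeping with the recorded packets."""
    lines = []
    for s in sorted(summaries.values(), key=lambda x: x.first):
        lines.append(
            f"{s.src}: {classify(s)}; {len(s.hosts)} host(s), "
            f"ports {sorted(s.ports)}, {s.events} packets "
            f"between {s.first:%H:%M:%S} and {s.last:%H:%M:%S} local time"
        )
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG.splitlines())):
        print(line)
```

The sweep test keys on the one thing the two kinds of scanner do differently: a mass scanner walks addresses in order, so the distinct destinations form long consecutive runs, while a curious person's traffic stays on one or two hosts no matter how many ports they touch. Ports seen against the swept hosts are exactly the list to compare against what you actually run, per the first two points above.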
