Security Incidents mailing list archives

Re: Scanning. Is it dangerous?


From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Wed, 3 May 2000 17:06:06 -0400


On Tue, 2 May 2000, jms wrote:

> but with so many isp's thinking they are doing
> the world a great service with their zero tolerance attitudes, the
> potential for abuse is *enormous*.

this is more a problem with the ISP than with the parties involved, then.
if the ISP doesn't have the capabilities of checking their end to see if
the IP was doing nasty things, then they should not adopt the attitude of
kicking someone off their account with evidence gathered from a third
party whose trust factor is unknown.

as such, i say report probes/scans etc... it's your right to protect your
network, and this is a method of protecting it. it's also your
responsibility, in my opinion [1], to notify ISPs and whoever that their
users may be engaged in activity that violates their AUP.

as such, i word my 'nastygrams' very politely and tenuously. i say, 'it's
possible you have a problem on your hands. this may represent a violation
of your AUP or a compromised machine.' that's it, leaving the problem's
resolution up to the ISP. i definitely provide log info (and timezone
info, to help them correlate their logs), and i definitely help if they
ask for more info. but the handling of it is up to them. if the
ISP/whoever isn't doing the job right, that's their problem. if they kick
a user off only on my word, and i have no way of knowing if the packets
were spoofed, that's their fault.

my 1 cent, i guess, on your two cents.

notes:
1. i come from the pre-commercial Internet, where, many of you will
recall, things were far more open and trusting, we all knew we were on the
same side as admins and all worked together. i still try and behave like
this in my dealings with people. i may mutter nasty, terrible things about
how a domain is run, but i do try and keep in mind that we're all just
admins, doing the same job.

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc

