Security Incidents mailing list archives
Re: Interesting reply
From: "Forrester, Mike" <mforrester () HSACORP NET>
Date: Wed, 11 Oct 2000 12:49:21 -0600
But think of all the script kiddies with their new h4x0R boxen (a default install of RedHat waiting to be exploited by some other kiddie) wetting their pants over their new broadband connection and scanning 0.0.0.0/0 for every exploit under the sun.

I do...but that doesn't constitute compromised boxes. These scans can be effectively ignored...unless, as I stated, they become a bandwidth/performance issue.

From my experience (I work for a broadband ISP), most of our problems with
people scanning is from a compromised system. No, I don't have exact numbers, but MOST is about right. ;)

But you always have to remember despite all of the measures you take, someone may still slip through.

The idea is to make it a non-trivial exercise for someone to compromise your systems and data. As far as "slip" goes...that would indicate either an entirely new exploit that isn't even publicly available, or failure to close a previously identified hole.

This works only if you have control over the systems in question. Would you trust your ISP to maintain your system?

To reiterate the original point I was trying to make, I feel that reporting scans to the source can be a worthwhile endeavour.

I agree that reporting potentially compromised systems, based on data, is worthwhile. Reporting each kiddie that scans you to his ISP can be futile, particularly if the ISP's net use/abuse policy doesn't cover that activity.

Sending a quick email is easier than looking up the ISP's AUP. If they ignore it, well that's their concern. If it's a big problem (an actual breach of security) and they ignore you, their upstream provider will _usually_ listen.

If you have the time to send an email with some log file data, go right ahead. It can't hurt.

We don't cancel everyone who does a port scan (even though they are against our AUP), but we do track complaints against our users. If one of our users does a lot of port scanning of a bunch of different systems and we get complaints, they'll be looking for another ISP.

Basically, what I'm saying is email a complaint if you want to, but don't expect any response. Some ISPs care and some don't. We do. You may be wasting your time with some ISPs, but that's your call to make...

Mike Forrester - Systems Security Engineer
High Speed Access Corp. - Denver, CO USA
mforrester () hsacorp net - +1 303 256 2000