Security Incidents mailing list archives

Re: A port scan is not an Incident (was No one wants responsibility)


From: Rob McCauley <robmccau () RADONC DUKE EDU>
Date: Wed, 20 Sep 2000 16:27:39 -0400

> Have a heart folks. Scanning
> might be annoying, but that's it. It's part of being on the net.

This is periodically debated on this list and other places.  I'd really
like to put an end to that debate.

I operate under the assumption that, for example, if I see 5 ftp
probes/month, then an exploit for wu-ftpd is released, and I see 50 in the
month following, that likely those 45 new ones are people looking to
exploit systems.  The existence of people actively trying to exploit
systems is more than annoying, it's a real threat.  Insert worn checking
doorknobs analogy.

Please don't reply with counter arguments to this.  What I'm looking for,
in all our mutual benefit, is anyone with hard data on the subject.  If
you have it, or references to useful information in this area, please post
it.  Interestingly, one way I think we might get useful data is to
correlate so-called innocent port scans from as many sources as possible
with actual intrusion attempts.  Do actual intrusion attempts come from
systems which have launched port scans in the recent few days?  What
caused the scan?  What percentage of the time is the scan from a
compromised box?

We need answers to this, and I'm not hearing them when this is
debated.  If scans rarely or never precede an attempt to compromise, if
most (for some value) scans are truly innocent (we're doing research,
typo, etc), and if scans are almost always launched by a legitimate user
of the box, then you're right.  We can and should block and ignore.  If
the converse is true, scans are usually a prelude to compromising
*something*, even if it isn't mine, with some malicious intent (I want to
compromise a box with an unpatched wu-ftpd, for example), and from
compromised boxes a fair amount of the time, then they're worth reporting.

So, opinions aside (mine included), does anyone have any hard data on
this?

Rob
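One way to gather the kind of data asked for above, as an added example that is not part of the original post: correlate scan records with later intrusion-attempt records by source address within a window of a few days, and report what fraction of attempts were preceded by a scan and what fraction of scans were followed by an attempt. The log format, addresses and timestamps below are constructed; the `correlate` function and its window are assumptions, not a tool from the thread.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real data): "date time source-ip event".
# In practice these would be pooled from firewall/IDS logs of many sites,
# since a single site sees too few events to say anything statistically.
SCANS = """\
2000-09-10 02:15 10.0.0.5 portscan
2000-09-12 23:40 10.0.0.9 portscan
2000-09-14 11:05 10.0.0.5 portscan
2000-09-15 08:30 10.0.0.7 portscan
"""
ATTEMPTS = """\
2000-09-11 04:00 10.0.0.5 wu-ftpd-exploit
2000-09-16 09:10 10.0.0.7 wu-ftpd-exploit
2000-09-18 12:00 10.0.0.3 wu-ftpd-exploit
"""


def parse(text):
    """Parse one record per line into (timestamp, source_ip, event_kind)."""
    rows = []
    for line in text.splitlines():
        date, time, ip, kind = line.split()
        rows.append((datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"), ip, kind))
    return rows


def correlate(scan_text, attempt_text, window_days=3):
    """Return (fraction of attempts preceded by a scan from the same source
    within the window, fraction of scans followed by an attempt within it).
    Caveat: matching only on source address misses attackers who scan from
    one host and attack from another, so the first figure is a lower bound."""
    window = timedelta(days=window_days)
    scans, attempts = parse(scan_text), parse(attempt_text)
    preceded = sum(
        1 for t_a, ip_a, _ in attempts
        if any(ip_s == ip_a and t_a - window <= t_s < t_a for t_s, ip_s, _ in scans)
    )
    followed = sum(
        1 for t_s, ip_s, _ in scans
        if any(ip_a == ip_s and t_s < t_a <= t_s + window for t_a, ip_a, _ in attempts)
    )
    return preceded / len(attempts), followed / len(scans)


if __name__ == "__main__":
    pre, fol = correlate(SCANS, ATTEMPTS)
    print(f"attempts preceded by a scan: {pre:.0%}; scans followed by an attempt: {fol:.0%}")
```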

