Security Incidents mailing list archives

Re: A port scan is not an Incident (was No one wants responsibility)


From: David Brumley <dbrumley () RTFM STANFORD EDU>
Date: Wed, 20 Sep 2000 13:12:25 -0700

In browsing through the RR web pages I found that their AUP no longer
contains any reference to hacking, cracking or other intrusions.

Most of what I've seen from you on this list has been reports from your
copy of BlackICE. Port scans, in and of themselves, do not warrant being
reported as hacking/intrusion attempts. Have a heart folks. Scanning
might be annoying, but that's it. It's part of being on the net.

This is silly.  If you notice a suspicious person around your premises,
you can call the cops (if you are so inclined) to investigate.  Reporting
scans is the same thing.

There is very little reason for anybody to be probing stanford.edu.  For
example, someone is probing for tcp port 1.  Chances are they're looking
for sgi machines.  While there is a possibility that there is a legitimate
reason for this, chances are they're looking for boxes to hit with one of
the numerous exploits.

I've dealt with several thousand incidents.  In all but a few reported
scans, one of our systems was compromised.  Did reporting the scan
help?  You betcha.  Were we able to do anything about it?  Yes.  Either we
found a host compromised or someone with an experiment gone awry.

ISPs, especially cable modem providers like RR, may also have compromised
machines/customers.  A note should help them locate those
customers. Should RR care if customers are compromised?  I would argue
yes.  If I find out the answer is "no", that's fine, but then I'll make
sure they can't talk to our hosts (their loss, not mine :).

If, for example, we see a scan from 10.0.0.1, we inform the
provider.  The next day, we get another scan.  I will then deny IP from
10.0.0.*.  So, in our case it's in the provider's interest to fix the
problem, as other customers may be affected by their unwillingness to
follow up on reported scans.

Is being suspicious illegal?  No.  Is it worth following up?  You
betcha.  What do you do when you get a bad reply?  You fence off the
suspicious people.

signed,
david

P.S. - BlackICE doesn't really report port scans.  It reports someone
contacting a port on your machine.  I'm betting that this is why the ISPs
have failed to respond, not that they don't care about network scans.

#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security -   dbrumley at Stanford.EDU
Phone: +1-650-723-2445           WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121  PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
Quidquid latine dictum sit, altum viditur.
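An added example, not code from the post or its author, of the two points made above: telling a single port contact (all a BlackICE-style alerter records, per the P.S.) apart from a real scan, and then applying the notify-then-deny escalation the post describes for a netblock that keeps scanning after its provider was told. The thresholds, the 60-second window, the /24 block size and the sample events are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events in the shape a per-contact alerter emits:
# one record per port contact, fields (timestamp seconds, source IP, dst port).
EVENTS = [
    (0, "10.0.0.1", 1),        # tcp/1 probe, the example from the post
    (10, "10.0.0.1", 22),
    (11, "10.0.0.1", 23),
    (12, "10.0.0.1", 25),
    (13, "10.0.0.1", 80),      # five distinct ports in 13 s: a scan
    (100, "192.0.2.7", 80),    # one contact only: ordinary traffic, not a scan
    (90000, "10.0.0.42", 1),   # next day, same /24, probing again
    (90001, "10.0.0.42", 2),
    (90002, "10.0.0.42", 3),
    (90003, "10.0.0.42", 4),
    (90004, "10.0.0.42", 5),
]

SCAN_PORTS = 5     # assumed: distinct ports from one source within WINDOW
WINDOW = 60        # assumed: seconds
BLOCK_PREFIX = 24  # assumed: block size escalated to on a repeat (10.0.0.*)

def find_scans(events, min_ports=SCAN_PORTS, window=WINDOW):
    """Return (first_ts, source) for each source touching >= min_ports
    distinct ports within `window` seconds; lone contacts are ignored."""
    by_src = defaultdict(list)
    for ts, src, port in sorted(events):
        by_src[src].append((ts, port))
    scans = []
    for src, hits in by_src.items():
        for i, (ts0, _) in enumerate(hits):
            ports = {p for ts, p in hits[i:] if ts - ts0 <= window}
            if len(ports) >= min_ports:
                scans.append((ts0, src))
                break  # one report per source is enough
    return sorted(scans)

def escalate(scans, prefix=BLOCK_PREFIX):
    """First scan from a netblock -> notify its provider; a later scan from
    the same netblock -> deny the whole block, as the post describes."""
    actions, notified = [], set()
    for ts, src in scans:
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        if net in notified:
            actions.append(("deny", str(net), src))
        else:
            notified.add(net)
            actions.append(("notify", str(net), src))
    return actions
```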

