Security Incidents mailing list archives
Re: A port scan is not an Incident (was No one wants responsibility)
From: David Brumley <dbrumley () RTFM STANFORD EDU>
Date: Wed, 20 Sep 2000 13:12:25 -0700
In browsing through the RR web pages I found that their AUP no longer contains any reference to hacking, cracking or other intrusions.

Most of what I've seen from you on this list has been reports from your copy of BlackICE. Port scans, in and of themselves, do not warrant being reported as hacking/intrusion attempts. Have a heart folks. Scanning might be annoying, but that's it. It's part of being on the net.
This is silly. If you notice a suspicious person around your premises, you can call the cops (if you are so inclined) to investigate. Reporting scans is the same thing.

There is very little reason for anybody to be probing stanford.edu. For example, someone is probing for tcp port 1. Chances are they're looking for sgi machines. While there is a possibility that there is a legitimate reason for this, chances are they're looking for boxes to hit with one of the numerous exploits.

I've dealt with several thousand incidents. In all but a few reported scans, one of our systems was compromised. Did reporting the scan help? You betcha. Were we able to do anything about it? Yes: either we found a host compromised or someone with an experiment gone awry.

ISPs, especially cable modem providers like RR, may also have compromised machines/customers. A note should help them locate those customers. Should RR care if customers are compromised? I would argue yes. If I find out the answer is "no", that's fine, but then I'll make sure they can't talk to our hosts (their loss, not mine :).

If, for example, we see a scan from 10.0.0.1, we inform the provider. The next day, we get another scan. I will then deny IP from 10.0.0.*. So, in our case it's in the provider's interest to fix the problem, as other customers may be affected by their unwillingness to follow up on reported scans.

Is being suspicious illegal? No. Is it worth following up? You betcha. What do you do when you get a bad reply? You fence off the suspicious people.

signed,
david

P.S. - BlackICE doesn't really report port scans. It reports someone contacting a port on your machine. I'm betting that this is why the ISPs have failed to respond, not that they don't care about network scans.
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley at Stanford.EDU
Phone: +1-650-723-2445    WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121    PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
Quidquid latine dictum sit, altum viditur.
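The distinction and the escalation policy described in the message above (a single port contact as reported by BlackICE versus a multi-port scan; notify the provider on the first scan, deny the source's /24 on a repeat), as an added example that is not part of the original thread. The log format, the threshold of five distinct ports per day and the sample addresses are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log lines (not from the thread): "timestamp src_ip dst_port".
# 10.0.0.1 walks several ports on two consecutive days; 192.0.2.7 touches one port once.
SAMPLE_LOG = """\
2000-09-19T10:00:01 10.0.0.1 1
2000-09-19T10:00:02 10.0.0.1 21
2000-09-19T10:00:03 10.0.0.1 23
2000-09-19T10:00:04 10.0.0.1 25
2000-09-19T10:00:05 10.0.0.1 80
2000-09-19T10:01:00 192.0.2.7 80
2000-09-20T09:30:00 10.0.0.1 1
2000-09-20T09:30:01 10.0.0.1 22
2000-09-20T09:30:02 10.0.0.1 111
2000-09-20T09:30:03 10.0.0.1 515
2000-09-20T09:30:04 10.0.0.1 6000
"""

SCAN_THRESHOLD = 5  # assumed: distinct ports from one source in one day that count as a scan


def classify_scans(log_text, threshold=SCAN_THRESHOLD):
    """Return {(day, src): sorted distinct ports} for sources that touched at
    least `threshold` distinct ports on one day. A lone contact on a single
    port (what BlackICE reports) never reaches the threshold and is ignored."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        ts, src, port = line.split()
        ports[(ts[:10], src)].add(int(port))
    return {key: sorted(p) for key, p in ports.items() if len(p) >= threshold}


def escalation_actions(scans):
    """Apply the policy from the message: the first scan day from a source
    produces a provider notification; a scan on a later day from the same
    source produces a deny for its whole /24 (10.0.0.1 -> 10.0.0.0/24)."""
    actions = []
    seen_sources = set()
    for day, src in sorted(scans):
        if src in seen_sources:
            block = ipaddress.ip_network(f"{src}/24", strict=False)
            actions.append((day, src, f"deny {block}"))
        else:
            seen_sources.add(src)
            actions.append((day, src, "notify provider abuse contact"))
    return actions
```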