Security Incidents mailing list archives

Re: Handling Scans.

From: Guillaume Filion <gfk () LOGIDAC COM>
Date: Mon, 12 Feb 2001 21:29:40 -0500

I've been wanting to do something like this for a long time, but
never got enough time/motivation/skills. Spamcop.net has an algorithm
that finds out who to send the abuse message to, I've been using this
service for about a year (several times a day) and it has been wrong
only once (that I know of).

Here's what is does with www.securityfocus.com's ip (66.38.151.10):
-----
"nslookup 66.38.151.10" (getting name) [show] 66.38.151.10 =
www.securityfocus.com
"nslookup www.securityfocus.com" (checking ip) [show] ip = 66.38.151.10
No abuse.net record for www.securityfocus.com
"nslookup www.securityfocus.com" (checking ip) [show] ip = 66.38.151.10
Using shortest default abuse.net entry - abuse.net
www.securityfocus.com = postmaster () securityfocus com
paranoid reverse DNS passes - using postmaster () securityfocus com
"dig -x 66.38.151.10 soa " (digging for Start Of Authority) [show] - not found
"dig -x 66.38.151 soa " (digging for Start Of Authority) [show] -
root () ns1 broadband net
abuse.net ns1.broadband.net = jbradley () GT CA, postmaster () broadband net

Found abuse address:postmaster () broadband net, jbradley () GT CA,
postmaster () securityfocus com
----

A draft algo would be something like this, the script receives $ip:
-----
## Check the IP's validity
$name='host $ip';
$nameip='host $name';
if ($nameip!=$ip) {
       # problem, do something... (?)
}

## Direct IP
$abuse='whois -h whois.abuse.net $name';
if (domain($abuse)==domain($nameip)) {
      #paranoid reverse DNS passes
       $abuseall+=$abuse;
}

## DNS zone's SOA
do {
    $digip=popByte($ip); # Removes that last byte at each call
    $soa='dig -x $digip soa';
} until (!empty($soa))
$abuse='whois -h whois.abuse.net $soa';
$abuseall+=$abuse;

## Last ressort, ARIN/RIPE/APNIC/DODNIC contact
if (empty($abuseall) {
    $whoisserver=findAuthority($ip); # This finds the authority base
on the ip (the programmer could look at whois -h whois.arin.net ripe)
    $arincontact=arinParseContact('whois -h $whoisserver $ip');
    $abuse='whois -h whois.abuse.net $arincontact';
    $abuseall+=$abuse;
}

return $abuseall;
-----
Please note that this won't compile on anything, it's just an idea of
how this could work...

I hope someone will be able to find the time to implement something like this.

I certainly would like feed-back on this,
GFK's

I use portsentry at home to scan em back and then block thier ip. It saves
the information to a file that I can use. I would think something like snort
would be nice for generating the email but really that is the easy part.
Finding who to send it to and waiting on hold is that part that stinks.

Mike

-----Original Message-----
From: abel wisman [mailto:abel () able-towers com]
Sent: Monday, February 12, 2001 12:31 PM
To: Reeves, Mike; INCIDENTS () SECURITYFOCUS COM
Subject: Re: Handling Scans.


This matter is interesting, and i was thinking about it upion reading the
previous posting.
As a shell/web host, the numbers of scans that pass by daily are staggering,

certainly i would like to sit down and write to all isp's about their
'clients" doing this, however time is a elusive artivle nowadays.

Has (in addition to the question already asked) anybody mae (perhaps) a
automated system based on for instance iplog, snort or tripwire, where mail
is generated to do this automatically?

would be an interesting feature

abel wisman
ABLE Towers LLC

www.able-towers.com
www.url.org

On Monday 12 February 2001 10:28, Reeves, Mike wrote:

 I was trying to get some community type feedback on what people usually do
 in handling scans of thier networks. At home I usually look back at the
 person scanning me. I get scanned about 5 times a day. Should I take the
 time to contact the admin or should I just let it go? What do most people
 do?

 Mike K. Reeves
 Networking Services Engineer,
 Synchrony Communications, Inc.
 MCSE Microsoft Certified System Eliminator
 "Geek by nature... Linux By Choice..."


--
Guillaume Filion
Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/
PGP Fingerprint: 14A6 720A F7BA 6C87 2331 33FD 467E 9198 3DED D5CA

Current thread:

Re: Handling Scans., (continued)
- - Re: Handling Scans. Russell Fulton (Feb 13)
    - Re: Handling Scans. deviate (Feb 13)
  - Re: Handling Scans. Eelco Duijker (Feb 15)
- Re: Handling Scans. Joe Shaw (Feb 13)
  - Re: Handling Scans. Michael Boman (Feb 13)
- Re: Handling Scans. Richard Johnson (Feb 13)
- Re: Handling Scans. Harlan S. Barney, Jr. (Feb 13)
- Re: Handling Scans. Booke, Raymond (Feb 12)
- Re: Handling Scans. Reeves, Mike (Feb 12)
- Re: Handling Scans. Timothy Lyons (Feb 12)
- Re: Handling Scans. Guillaume Filion (Feb 12)
- Re: Handling Scans. Abe Getchell (Feb 13)
- Re: Handling Scans. Reeves, Mike (Feb 13)
- Re: Handling Scans. Reeves, Mike (Feb 13)
  - Re: Handling Scans. Valdis Kletnieks (Feb 13)
- Re: Handling Scans. John Nemeth (Feb 14)
- Re: Handling Scans. John Nemeth (Feb 14)
- Re: Handling Scans. Justin Shore (Feb 14)
  - Re: Handling Scans. John Oliver (Feb 14)