> > But think of all the script kiddies with their new h4x0R boxen
> > (a default install of RedHat waiting to be exploited by some
> > other kiddie) wetting their pants over their new broadband
> > connection and scanning 0.0.0.0/0 for every exploit under the
> > sun.
>
> I do...but that doesn't constitute compromised boxes.
> These scans can be effectively ignored...unless, as I
> stated, they become a bandwidth/performance issue.
From my experience (I work for a broadband ISP), most of our problems with
people scanning are from compromised systems. No, I don't have exact
numbers, but MOST is about right. ;)
>
> > But you always have to remember despite all of the measures
> > you take, someone may still slip through.
>
> The idea is to make it a non-trivial exercise for
> someone to compromise your systems and data. As far
> as "slip" goes...that would indicate either an
> entirely new exploit that isn't even publicly
> available, or failure to close a previously identified
> hole.
This works only if you have control over the systems in question. Would
you trust your ISP to maintain your system?
>
> > To reiterate the original point I was trying to make,
> > I feel that reporting scans to the source can be a
> > worthwhile endeavour.
>
> I agree that reporting potentially compromised
> systems, based on data, is worthwhile. Reporting each
> kiddie that scans you to his ISP can be futile,
> particularly if the ISP's net use/abuse policy doesn't
> cover that activity.
Sending a quick email is easier than looking up the ISP's AUP. If they
ignore it, well, that's their concern. If it's a big problem (an actual
breach of security) and they ignore you, their upstream provider will
_usually_ listen.
If you have the time to send an email with some log file data, go right
ahead. It can't hurt. We don't cancel everyone who does a port scan (even
though they are against our AUP), but we do track complaints against our
users. If one of our users does a lot of port scanning of a bunch of
different systems and we get complaints, they'll be looking for another ISP.
Basically, what I'm saying is email a complaint if you want to, but don't
expect any response. Some ISPs care and some don't. We do. You may be
wasting your time with some ISPs, but that's your call to make...
Mike Forrester - Systems Security Engineer
High Speed Access Corp. - Denver, CO USA
mforrester_at_hsacorp.net - +1 303 256 2000
Received on Oct 12 2000