Security Incidents: Re: Interesting reply

["Buhrmaster, Gary" <gtb () SLAC STANFORD EDU>]

Hi,

*A* port scan may be uninteresting.  Knowing that
someone is doing hundreds or thousands of port
scans becomes more interesting.  Unless one reports
the port scans to the originators upstream ISP,
they can not corrolate the scans.  It is not the
particular incident, it is the total body of
evidence that can matter.  Just as police
departments know who the "usual suspects" are,
an ISP that gets repeated reports about a
particular source might want to investigate
further.

As for time spent, I can report a scan in a few
minutes.  I spend less than an hour a week doing
the reports.  And more than once it has been
reported that the other end found a compromised
system.  And every fewer compromised system is one
less that can be used against me, or against
someone else.

Gary

> -----Original Message-----
> From: H Carvey [mailto:keydet89 () YAHOO COM]
> Sent: Wednesday, September 27, 2000 2:56 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: Interesting reply
>
>
> > Interesting reply to a scanning alert I sent out.
> Nothing personal to anyone...but if you've got time to
> report every little port scan that you get (call it
> what you will...scan, probe, whatever...) then you've
> got a LOT of time on your hands!
>
> After reading this list, and others on SF...I still
> fail to see why so many folks are reporting port
> scans, expecting the folks at ISPs to "do something"
> about them.  First off...port scans, in and of
> themselves, are nothing more than a minor annoyance at
> best (insert appropriate analogy here).  If a scan
> reaches a level that it's consuming an inordinate
> amount of bandwidth, then it ceases to be a scan and
> becomes a DoS attack.
>
>
>
> __________________________________________________
> Do You Yahoo!?
> Send instant messages & get email alerts with Yahoo! Messenger.
> http://im.yahoo.com/