I have to agree with Colin on this. We usually send some kind of notice to
the Sysadm that we have been scanned by one of their systems. One time we
reached the Sysadm while the scan was still going on and he told us he knew
his box was compromised but couldn't stop the scan because it was a
critical mail host and his managers didn't want an outage. He was,
however, building a second box to replace his compromised host.
Being scanned is just part of being a firewall administrator and there are
no rules to go by, since, as far as I know, there are no laws against
scanning someone's network. We were always being scanned, we just first
noticed it when we put systems in place to detect it. If we get no
response from the Sysadm and the scanning continues, we block the ISP's IP
addresses at the border router.
One caveat about reporting scans. It is possible to spoof the source IP
address of the scan, so there is always the small possibility that the scan
did not originate from where your logs tell you, which means pranksters
can scan all of Netscape's domain and try to make it look like some host in
microsoft.com did it. That's why when I report a scan, I basically say
that "Our log indicates...."
-- Joe
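Added example, not code from any of the posters: a small log-triage script that flags a sustained host sweep or any probe of the NetBus port 12345 in constructed syslog-style DENY lines, and drafts the hedged "Our log indicates" notice described above. The log format, the addresses and the sweep threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in an assumed syslog-like format (not from the thread).
SAMPLE_LOG = """\
Mar 18 23:41:02 fw kernel: DENY src=172.16.5.9 dst=10.0.0.1 proto=TCP dport=12345
Mar 18 23:41:02 fw kernel: DENY src=172.16.5.9 dst=10.0.0.2 proto=TCP dport=12345
Mar 18 23:41:03 fw kernel: DENY src=172.16.5.9 dst=10.0.0.3 proto=TCP dport=12345
Mar 18 23:41:03 fw kernel: DENY src=172.16.5.9 dst=10.0.0.4 proto=TCP dport=12345
Mar 18 23:42:10 fw kernel: DENY src=192.0.2.77 dst=10.0.0.1 proto=TCP dport=25
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=\S+ dport=(\d+)")
TROJAN_PORTS = {12345: "NetBus"}   # the port the original poster saw probed
SCAN_THRESHOLD = 4                 # assumed: distinct target hosts before we call it a sweep

def summarize(log_text):
    """Group DENY lines by source address: {src: {"hosts", "ports", "lines"}}."""
    by_src = defaultdict(lambda: {"hosts": set(), "ports": set(), "lines": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.groups()
        by_src[src]["hosts"].add(dst)
        by_src[src]["ports"].add(int(dport))
        by_src[src]["lines"].append(line)
    return dict(by_src)

def scanners(log_text, threshold=SCAN_THRESHOLD):
    """Sources worth reporting: a host sweep, or any probe of a known trojan port."""
    hits = {}
    for src, info in summarize(log_text).items():
        trojans = sorted(TROJAN_PORTS[p] for p in info["ports"] if p in TROJAN_PORTS)
        if len(info["hosts"]) >= threshold or trojans:
            hits[src] = {"hosts": len(info["hosts"]), "trojans": trojans, "lines": info["lines"]}
    return hits

def draft_notice(src, hit):
    """Notice text hedged the way Joe suggests, since the source address may be spoofed."""
    what = ", ".join(hit["trojans"]) or "a port scan"
    body = [f"Our log indicates that {src} probed {hit['hosts']} of our hosts",
            f"for {what}. This suggests either a rogue user or a compromised system.",
            "Source addresses can be spoofed, so please verify against your own logs.",
            "Log excerpt:"] + hit["lines"]
    return "\n".join(body)

if __name__ == "__main__":
    for src, hit in scanners(SAMPLE_LOG).items():
        print(draft_notice(src, hit), end="\n\n")
```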
At 10:36 AM 3/19/99 +1000, Colin Campbell wrote:
>Hi,
>
>Our usual response to any "sustained" scanning (usually "mscan") goes
>something like:
>
> One of our firewalls detected traffic from your site that indicates
>
> 1) you have a rogue user, or
> 2) you have been hacked
>
> Logs of the activity are attached ....
>
>It is surprising how many replies we get saying, "yeah it was #2". When
>it's #1 we normally get a response saying the user account has been
>terminated. Most of the major ISPs of the world are good. We've only had
>one MAJOR (in .au) ISP refusing to do anything unless we involved the
>police. They claimed they had to protect the "privacy" of their clients.
>
>Colin
>
>On Thu, 18 Mar 1999, Joshua Chamas wrote:
>
>> Hi,
>>
>> I'm new to the firewall crowd, and don't know the proper response when
>> what seem to be wannabe hackers do a port scan of your subnet.
>> In this case it was someone checking port 12345 which seems to be
>> associated with the win32 trojan/virus NetBus.
>>
>> Since the kid was coming from AOL, I reported the incident to them,
>> but what really should be the appropriate response? I kind of feel
>> like it was a piece of spam I was reporting with how trivial
>> the port scan was. Maybe I need to just accept these incidents
>> as a natural part of maintaining a firewall?
>>
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]