Let me pick up on that phone analogy. Random dials I can see as only
annoying. However, if I get these random calls every day for three or
five days in a row, then I call that harassment, and I will get my
phone company involved and let them handle this.
The same could apply to port scans. Here is how I usually handle them.
Single and infrequent scans are ignored; they fall into the annoyance
category. But repeated scans (same origination or pattern of scan) are
reported to the responsible ISPs. They usually deal with them. When
exactly they start canceling accounts, I don't know. But on several
occasions, repeated telnet and DNS-ZT attempts have stopped after I
reported them.
The next step up would be DoS and intrusion, at which point I would start
gathering evidence and contacting the pertinent parties.
At the beginning of this year, I came across what looked like a DoS or
fragment scan. On the third day I contacted the NOC of the customer's
ISP, and we started investigating. After a packet capture and analysis
it turned out to be either a misconfigured router or web browser. The
fragments were mixed with normal responses from a web server
(cross-referenced with proxy logs). So I called the NOC back and
cancelled the alert. I also sent the webmaster of that originating
site an email and let him know that his equipment was behaving flakily.
Lesson: when you investigate anomalies (intrusion, DoS, weird scan,
spam, AUP violations, etc.), go step by step. Don't let the lawyers
loose immediately. Who knows, you may have to call them back and
apologize (and pay for your mistake...).
Regards,
Frank
> -----Original Message-----
> From: Randall, Mark [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 27, 1999 12:21 PM
> To: Derek Martin
> Cc: [EMAIL PROTECTED]
> Subject: RE: trial & charges
>
>
> >To me, this is the same as dialing a random phone number and seeing if
> >someone answers. This isn't illegal, though it may be annoying, and so
> >long as the person who does it doesn't repeatedly do it when you ask him
> >not to, no crime is committed (that I know of, or even if one has you're
> >not going to see the Feds go knocking on the caller's door...) and no real
> >harm is done. So let it alone. I agree that it COULD be a prelude to an
> >attack, but it doesn't have to be, and if that's the case, prosecute the
> >ATTACK, not the scan. Scanning is harmless.
>
> An excellent analogy, thank you. I was just about to say forget about all
> these analogies entirely, but this one actually seems to fit.
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
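Frank's escalation ladder, as an added example (not code from the list or from any poster): one-off scans are ignored, a source that keeps coming back on consecutive days is flagged for an ISP report, and a source our own proxy logs show we were talking to is marked for verification first, since his "fragment scan" turned out to be return traffic from a web server. The log formats, addresses and the three-day threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample firewall log (not real data): one denied packet per line.
FIREWALL_LOG = """\
1999-07-26 03:12:01 deny tcp 10.1.1.20 -> 192.0.2.5:23
1999-07-27 03:15:44 deny tcp 10.1.1.20 -> 192.0.2.5:23
1999-07-28 03:09:10 deny tcp 10.1.1.20 -> 192.0.2.5:53
1999-07-27 11:02:33 deny tcp 10.2.2.7 -> 192.0.2.5:111
1999-07-27 11:02:40 deny frag 10.3.3.9 -> 192.0.2.5:0
1999-07-28 11:05:02 deny frag 10.3.3.9 -> 192.0.2.5:0
1999-07-29 11:01:57 deny frag 10.3.3.9 -> 192.0.2.5:0
"""

# Constructed proxy log: sites our own users fetched, i.e. hosts we contacted first.
PROXY_LOG = """\
1999-07-27 11:02:39 GET http://10.3.3.9/index.html 200
"""

def parse_firewall(text):
    """Yield (source_ip, calendar_day) for each denied packet."""
    for line in text.splitlines():
        day, _time, _action, _proto, src, _arrow, _dst = line.split()
        yield src, date.fromisoformat(day)

def longest_daily_streak(days):
    """Length of the longest run of consecutive calendar days (0 if none)."""
    days = sorted(set(days))
    best = run = 1 if days else 0
    for prev, cur in zip(days, days[1:]):
        run = run + 1 if cur - prev == timedelta(days=1) else 1
        best = max(best, run)
    return best

def triage(firewall_log, proxy_log, min_days=3):
    """Classify each source as 'ignore', 'verify' or 'report'."""
    days_by_src = defaultdict(list)
    for src, day in parse_firewall(firewall_log):
        days_by_src[src].append(day)
    # Hosts appearing as servers in the proxy log: their packets may be replies.
    contacted = {l.split()[3].split("/")[2] for l in proxy_log.splitlines()}
    result = {}
    for src, days in days_by_src.items():
        if longest_daily_streak(days) < min_days:
            result[src] = "ignore"        # single or infrequent: annoyance
        elif src in contacted:
            result[src] = "verify"        # cross-check captures before escalating
        else:
            result[src] = "report"        # repeated, same origin: tell the ISP
    return result
```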