You are right! But what the normal person does not think of is that it is
evidence, and if I'm not at that office when it gets scanned I want to be
mailed. I won't set up my network to appease a hacking tool, that's crazy,
or tone one down. If the user initiating it had not gone ahead and done
what he did, the end result would not take place. I can limit the amount of
mail that I receive but I choose not to. The point I'm trying to make is
that these people doing these scans have no clue what else is being
triggered, and in the event they hit a firewall that sends email to a sys
admin on every dropped packet, which I want to see, they just stepped
deeper into the pot. As an investigator of cyber crime I can tell you what
you said is exactly what is becoming more and more prevalent: sys admins
get tired of receiving the email alerts and then disable the alerting. I
have seen it many, many times and continue to see it; then when a bad rule
is found and they get in, I see scratched heads. This isn't the norm, and
most of us are curious who is turning our door handles. I used the example
of 8000 because like an idiot <see I'm not perfect> I had an agent scan the
firewall after a few rule changes and forgot to turn the alerter off
<laugh>, but I saw first hand what can happen when one is let go. This is a
real-life example: a burglar enters a home and gives the owner a heart
attack... he just murdered the victim. Back in my days of law enforcement
this was the example of the same argument: you can argue a) he never
intended to kill the owner, just wanted the TV, or b) if he didn't enter
the home then the owner would be alive. I bring this up because it reminded
me of that example I heard long ago.
Cheers
Bill
-----Original Message-----
From: John Adams [SMTP:[EMAIL PROTECTED]]
Sent: Saturday, February 19, 2000 5:11 PM
To: Bill Lavalette noc/sec Administrator
Cc: 'Security Related'; [EMAIL PROTECTED]
Subject: RE: Someone is scanning me
On Sat, 19 Feb 2000, Bill Lavalette noc/sec Administrator wrote:
> The Bottom Line is this. YOU HAVE NO BUSINESS SCANNING ANYONE'S
> MACHINE!!!!! unless it is requested by the owner/company
>
> its that simple folks the bullshit "it causes no harm" is moronic one
> nmap scan can produce 8000 email alerts seems to me that is a denial of
> service. why because a) you had no business to scan my machines b) you
> were not asked to scan my machines and c) your actions spurred off
> another action. so with this secondary and "unknown" action you have
> committed a
> denial of service have a nice day!
You know, in one way I agree with you, because I don't like people
scanning my machines either, but the 8000-email argument is pretty silly.
Just because you didn't have the sense to write an aggregation component
to your notification software and YOU caused yourself to get 8000 spams,
doesn't mean you should qualify the scan as a DoS. People who write
monitoring software should consider that these sort of events are going to
happen and if anything, at LEAST buffer your notifications.
-john
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
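
The aggregation component raised in the quoted reply, sketched as an added example (not code from anyone on the thread): dropped-packet events are grouped by source address and time window so a scan yields one digest mail instead of one mail per packet, and no event is discarded. The log line format, the 300-second window and the 20-port scan threshold are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not a real product's):
#   "<epoch seconds> DROP src=<ip> dpt=<port>"
LINE_RE = re.compile(r"^(\d+) DROP src=(\S+) dpt=(\d+)$")
SCAN_PORTS = 20  # assumed: this many distinct ports in one window looks like a scan

def aggregate(lines, window=300):
    """Return one digest per (window, source) instead of one alert per packet."""
    buckets = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a drop event
        ts, src, port = int(m.group(1)), m.group(2), int(m.group(3))
        b = buckets[(ts - ts % window, src)]
        b["count"] += 1
        b["ports"].add(port)
        b["first"] = ts if b["first"] is None else min(b["first"], ts)
        b["last"] = ts if b["last"] is None else max(b["last"], ts)
    return [{"src": src, "window_start": start, "count": b["count"],
             "distinct_ports": len(b["ports"]), "first": b["first"], "last": b["last"]}
            for (start, src), b in sorted(buckets.items(), key=lambda kv: kv[0])]

def render(d):
    """Format one digest as the subject/body line of a single notification mail."""
    kind = "port scan suspected" if d["distinct_ports"] >= SCAN_PORTS else "dropped packets"
    return (f"[{kind}] {d['src']}: {d['count']} drops on "
            f"{d['distinct_ports']} ports between {d['first']} and {d['last']}")

def sample_log():
    # Constructed input: 8000 drops from one scanning host over 80 seconds,
    # plus two unrelated drops from another host in different windows.
    scan = [f"{950000100 + i // 100} DROP src=192.0.2.10 dpt={1 + i}" for i in range(8000)]
    stray = ["950000130 DROP src=198.51.100.7 dpt=23",
             "950000500 DROP src=198.51.100.7 dpt=23"]
    return scan + stray

if __name__ == "__main__":
    for digest in aggregate(sample_log()):
        print(render(digest))
```

The digest keeps the first and last timestamps and the full count, so the evidentiary record of the scan survives while the mailbox receives three messages rather than 8002.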