Yuppa, On 16-Dec-01 spiekey wrote:
Hi Gurus ;P
I see it in a pretty relaxing way when I get log entries from an IP 0.0.0.0 or a scan from someone. I never tried to scan back or something, what's the point?! (Portsentry is actually banning about one IP every 2nd day)
Do you usually just ignore them? Write a mail to your ISP? How do I know if a boy was pressing a few buttons or if someone seriously tried to gain access?
Unless you have an old WinNT installation (which will prolly crash if being heavily scanned), the technical consequences of scans are minimal, except for some log entries and other minor disturbances. A scan in itself therefore does not necessarily represent an attack, although most (serious) attacks include more or less sophisticated scans. Very roughly, most scans fall into one of these categories:
- Someone has read details about certain exploitable security holes and scans the net for promising targets
- An attacker wants to abuse improperly installed services like Wingate, Squid or Sendmail (e.g. for anonymous surfing, spamming, etc.)
- Pure curiosity ("I don't know what a scanner really does, but it works and it's fun!")
- A system is infected with active Trojans (Code Red, Nimda, Sircam, Magistr.b...) which "phone home" and try to infect other machines by scanning their respective subnets
Where is the line between script kiddy and attacker?
This is where intrusion detection comes into play. Portsentry, which is some sort of crude IDS system, too, provides basic anti-scanning facilities and is also able to drop offending routes, but it does not help in determining the real source, nature, and target of the scan and other activities connected with it. For instance, if an attacker scans/probes your host and finds a vulnerable FTP server, he/she may decide to attack this service, which would create totally different attack signatures than scans; Portsentry would not be helpful here, and without a proper IDS system, you would prolly never notice that something's going on until the box is rooted.

With IDS systems like Snort you would be able to see other activities of suspicious IPs; you'd see portscans, probes, exploit signatures, etc. This would provide a better picture of attacks and a much better basis for further investigations.

As a rule of thumb, I would report attacks (e.g. a preliminary scan, version probes of certain services and exploit attempts, all from the same IP), but not simple scan sweeps for common holes or installed Trojans (NetBus comes to mind). Of course it's useless to report scans for services you do not offer, too. Remember, if you report too frequently, you may suffer from the "cry wolf" syndrome; your ISP may be annoyed by your constant "false alarms" and may react sloppily if something really serious happens.
Spiekey
Boris Lorenz
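The rule of thumb in the reply above (report when a scan, version probes and exploit attempts all come from the same IP; ignore plain sweeps and scans against services you do not offer) can be turned into a small triage script. The following is an added example, not code from the mailing-list post or from Portsentry/Snort. It parses a constructed, simplified imitation of Snort's one-line "fast" alert format, groups alerts per source IP, and assigns a verdict. The sample alert lines, the set of offered ports and the mapping from classification text to "scan/probe/exploit" stages are all assumptions made for the example.

```python
"""Per-source-IP triage of IDS alerts: report escalating activity, ignore sweeps.

Added example. The alert lines below are constructed to look like a simplified
Snort "fast" alert line (timestamp, message, classification, protocol, src -> dst:port);
they were not captured from a real sensor.
"""
import re
from collections import defaultdict

# Services this host actually offers (assumption for the example). Alerts that only
# touch other ports are scans for services we do not run and are not worth reporting.
OFFERED_PORTS = {21, 22, 80}

# Classification strings we treat as an actual exploit attempt (assumed mapping).
EXPLOIT_CLASSES = {
    "Attempted Administrator Privilege Gain",
    "Attempted User Privilege Gain",
    "Web Application Attack",
}

# Constructed sample alerts covering three kinds of sources:
#  - 203.0.113.7  : scan, then an FTP version probe, then an FTP exploit attempt
#  - 198.51.100.77: NetBus-style sweep against ports we do not offer
#  - 192.0.2.200  : a single worm-style hit on the web server, no reconnaissance
SAMPLE_ALERTS = """\
12/16-01:02:03.000001 [**] SCAN nmap TCP [**] [Classification: Attempted Information Leak] {TCP} 203.0.113.7 -> 198.51.100.10:21
12/16-01:02:05.000002 [**] SCAN nmap TCP [**] [Classification: Attempted Information Leak] {TCP} 203.0.113.7 -> 198.51.100.10:80
12/16-01:04:10.000003 [**] FTP SYST version probe [**] [Classification: Attempted Information Leak] {TCP} 203.0.113.7 -> 198.51.100.10:21
12/16-01:06:30.000004 [**] FTP EXPLOIT attempt [**] [Classification: Attempted Administrator Privilege Gain] {TCP} 203.0.113.7 -> 198.51.100.10:21
12/16-02:00:00.000005 [**] SCAN NetBus probe [**] [Classification: Attempted Information Leak] {TCP} 198.51.100.77 -> 198.51.100.10:12345
12/16-02:00:00.000006 [**] SCAN NetBus probe [**] [Classification: Attempted Information Leak] {TCP} 198.51.100.77 -> 198.51.100.10:12346
12/16-03:00:00.000007 [**] WEB worm probe [**] [Classification: Web Application Attack] {TCP} 192.0.2.200 -> 198.51.100.10:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] (?P<msg>.+?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Return a dict for one alert line, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["dport"] = int(alert["dport"])
    return alert


def stage_of(alert):
    """Map an alert to a coarse attack stage: scan, probe, exploit or other."""
    if alert["cls"] == "Attempted Information Leak":
        return "scan" if alert["msg"].startswith("SCAN") else "probe"
    if alert["cls"] in EXPLOIT_CLASSES:
        return "exploit"
    return "other"


def verdict(rec):
    """Apply the rule of thumb to one source IP's aggregated record."""
    if not rec["ports"] & OFFERED_PORTS:
        return ("ignore", "only targets services we do not offer")
    if "exploit" in rec["stages"] and rec["stages"] & {"scan", "probe"}:
        return ("report", "scan/probe followed by exploit attempt from the same IP")
    if rec["stages"] <= {"scan"}:
        return ("ignore", "simple scan sweep")
    return ("watch", "isolated event without reconnaissance; log it, do not report yet")


def triage(lines):
    """Group alerts by source IP and return {ip: (verdict, reason)}."""
    per_ip = defaultdict(lambda: {"stages": set(), "ports": set(), "count": 0})
    for line in lines:
        alert = parse_alert(line)
        if alert is None:  # skip blank or unparseable lines
            continue
        rec = per_ip[alert["src"]]
        rec["stages"].add(stage_of(alert))
        rec["ports"].add(alert["dport"])
        rec["count"] += 1
    return {ip: verdict(rec) for ip, rec in per_ip.items()}


if __name__ == "__main__":
    for ip, (decision, reason) in triage(SAMPLE_ALERTS.splitlines()).items():
        print(f"{ip:16} {decision:7} {reason}")
```

Only 203.0.113.7 ends up as "report": it scanned, probed the FTP banner and then fired an exploit signature, which is exactly the escalation the reply describes. The NetBus sweep never touches an offered port and is dropped as noise, and the single worm-style web hit is kept for watching rather than sent to an ISP, which keeps the report volume low enough that the abuse desk still reads them.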