Mailinglist Archive: opensuse-security (465 mails)

RE: [suse-security] Port scans, what do to?!
  • From: Boris Lorenz <bolo@xxxxxxx>
  • Date: Mon, 17 Dec 2001 13:21:48 +0100 (CET)
  • Message-id: <XFMail.011217132148.bolo@xxxxxxx>
Yuppa,

On 16-Dec-01 spiekey wrote:
> Hi Gurus ;P
>
> I see it in a pretty relaxing way when I get log entries from an IP 0.0.0.0 or
> a scan from someone. I never tried to scan back or something, what's the
> point?! (Portsentry is actually banning about one IP every 2nd day)
>
> Do you usually just ignore them? Write a mail to your ISP? How do I know if a
> boy was pressing a few buttons or if someone seriously tried to gain access?

Unless you have an old WinNT installation (which will prolly crash if heavily
scanned), the technical consequences of scans are minimal, except for some log
entries and other minor disturbances. A scan by itself therefore does not
necessarily represent an attack, although most (serious) attacks include more
or less sophisticated scans.

Very roughly, most scans fall into one of these categories:

- Someone has read details about certain exploitable security holes and scans
the net for promising targets

- An attacker wants to abuse improperly installed services like Wingate, Squid
or Sendmail (e.g. for anonymous surfing, spamming, etc.)

- Pure curiosity ("I don't know what a scanner really does, but it works and
it's fun!")

- A system is infected with active Trojans (Code Red, Nimda, Sircam,
Magistr.b...) which "phone home" and try to infect other machines by scanning
their respective subnets

> Where is the line between script kiddy and attacker?

This is where intrusion detection comes into play. Portsentry, which is some
sort of crude IDS system, too, provides basic anti-scanning facilities and also
is able to drop offending routes, but it does not help in determining the real
source, nature, and target of the scan and other activities connected with
it.

For instance, if an attacker scans/probes your host and finds a vulnerable FTP
server, he/she may decide to attack this service, which would create totally
different attack signatures than scans; portsentry would not be helpful here,
and without a proper IDS system, you would prolly never notice that something's
going on until the box is rooted.

With IDS systems like Snort you would be able to see other activities of
suspicious IPs; you'd see portscans, probes, exploit signatures, etc. This
would provide a better picture of attacks and much better basis for further
investigations.

As a rule of thumb, I would report attacks (e.g. a preliminary scan, version
probes of certain services and exploit attempts, all from the same IP), but not
simple scan sweeps for common holes or installed Trojans (NetBus comes to
mind). Of course it's useless to report scans for services you do not offer,
too.

Remember, if you report too frequently, you may suffer from the "cry wolf"
syndrome; your ISP may be annoyed by your constant "false alarms" and may react
sloppily if something really serious happens.

> Spiekey

Boris Lorenz <bolo@xxxxxxx>
---
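As an added example (not part of the original post, and not code from portsentry or Snort), the rule of thumb above turned into a small per-source-IP triage script: portsentry connects are counted into a "scan" when one source hits several ports, Snort alerts are classed as version probes, exploit attempts or trojan sweeps, and only an exploit attempt against a service the host really runs is escalated to "report". The served-port set (21, 22, 80), the alert message names, the scan threshold, the "watch" tier for a probe without a follow-up exploit, and the sample log lines are all assumptions constructed for this example; the portsentry and Snort "fast" line formats are approximated here, so check the regexes against your own logs before relying on them.

```python
import re
from collections import defaultdict

OFFERED_PORTS = {21, 22, 80}  # services this host really runs (assumption: FTP, SSH, HTTP)
SCAN_THRESHOLD = 3            # distinct ports one source must hit to count as a scan

# Alert messages mapped to the categories used in the post. The messages are
# constructed for this example; they are not real Snort rule names.
ALERT_CLASS = {
    "FTP version banner probe": "probe",
    "HTTP server version probe": "probe",
    "SMTP version probe": "probe",
    "FTP command buffer overflow attempt": "exploit",
    "NetBus trojan connection attempt": "trojan_sweep",
}

# portsentry syslog line, one TCP connect each (format approximated here).
PORTSENTRY_RE = re.compile(
    r"attackalert: Connect from host: \S+/(?P<src>[\d.]+) to TCP port: (?P<port>\d+)"
)
# Snort "fast" alert: [**] [gid:sid:rev] msg [**] ... {TCP} src:sport -> dst:dport
SNORT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{TCP\} (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)"
)


def parse_events(lines):
    """Yield (src_ip, category, dst_port) for every line we recognise."""
    for line in lines:
        m = PORTSENTRY_RE.search(line)
        if m:
            yield m["src"], "connect", int(m["port"])
            continue
        m = SNORT_RE.search(line)
        if m:
            yield m["src"], ALERT_CLASS.get(m["msg"], "unknown"), int(m["dport"])


def triage(lines, offered_ports=OFFERED_PORTS, scan_threshold=SCAN_THRESHOLD):
    """Return {src_ip: (verdict, reason)} with verdict report / watch / ignore.

    report: exploit attempt against a service we run (scan/probe first or not);
    watch: version probe of a service we run, no exploit yet (tier added here);
    ignore: scan sweeps, trojan sweeps, single connects, services we don't offer.
    """
    connects = defaultdict(set)  # src -> ports touched via portsentry
    alerts = defaultdict(set)    # src -> {(category, dst_port)}
    for src, cat, port in parse_events(lines):
        if cat == "connect":
            connects[src].add(port)
        else:
            alerts[src].add((cat, port))

    verdicts = {}
    for src in sorted(set(connects) | set(alerts)):
        scanned = len(connects[src]) >= scan_threshold
        hits = alerts[src]
        exploit_on_served = any(c == "exploit" and p in offered_ports for c, p in hits)
        probe_on_served = any(c == "probe" and p in offered_ports for c, p in hits)
        if exploit_on_served:
            chain = " after scan/version probe" if scanned or probe_on_served else ""
            verdicts[src] = ("report", "exploit attempt" + chain)
        elif probe_on_served:
            verdicts[src] = ("watch", "version probe, no exploit attempt yet")
        elif any(c in ("probe", "exploit") for c, _ in hits):
            verdicts[src] = ("ignore", "aimed at a service we do not offer")
        elif scanned:
            verdicts[src] = ("ignore", "scan sweep with no follow-up")
        else:
            verdicts[src] = ("ignore", "trojan sweep or single connect")
    return verdicts


def to_report(lines):
    """Source IPs worth a mail to the ISP."""
    return [src for src, (v, _) in triage(lines).items() if v == "report"]


# Constructed sample input: portsentry and Snort lines as they would appear in
# a merged syslog. Addresses are from the documentation ranges.
SAMPLE_LOG = """\
Dec 17 13:01:02 gw portsentry[412]: attackalert: Connect from host: 203.0.113.7/203.0.113.7 to TCP port: 23
Dec 17 13:01:02 gw portsentry[412]: attackalert: Connect from host: 203.0.113.7/203.0.113.7 to TCP port: 111
Dec 17 13:01:03 gw portsentry[412]: attackalert: Connect from host: 203.0.113.7/203.0.113.7 to TCP port: 139
12/17-13:02:10.000000  [**] [1:1000001:1] FTP version banner probe [**] [Priority: 2] {TCP} 203.0.113.7:40001 -> 192.0.2.10:21
12/17-13:04:55.000000  [**] [1:1000002:1] FTP command buffer overflow attempt [**] [Priority: 1] {TCP} 203.0.113.7:40002 -> 192.0.2.10:21
Dec 17 13:10:00 gw portsentry[412]: attackalert: Connect from host: 198.51.100.9/198.51.100.9 to TCP port: 23
Dec 17 13:10:00 gw portsentry[412]: attackalert: Connect from host: 198.51.100.9/198.51.100.9 to TCP port: 111
Dec 17 13:10:01 gw portsentry[412]: attackalert: Connect from host: 198.51.100.9/198.51.100.9 to TCP port: 1080
12/17-13:15:03.000000  [**] [1:1000003:1] NetBus trojan connection attempt [**] [Priority: 3] {TCP} 192.0.2.200:1040 -> 192.0.2.10:12345
12/17-13:17:30.000000  [**] [1:1000004:1] SMTP version probe [**] [Priority: 2] {TCP} 203.0.113.44:33000 -> 192.0.2.10:25
12/17-13:20:19.000000  [**] [1:1000005:1] HTTP server version probe [**] [Priority: 2] {TCP} 198.51.100.77:51000 -> 192.0.2.10:80
"""

if __name__ == "__main__":
    for src, (verdict, reason) in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{src:16} {verdict:7} {reason}")
    print("report to ISP:", to_report(SAMPLE_LOG.splitlines()))
```

Run against the sample, only 203.0.113.7 (scan, FTP version probe, then an FTP exploit attempt, all from one address) ends up as "report"; the bare sweep from 198.51.100.9, the NetBus sweep and the SMTP probe of a port we do not serve are ignored, and the lone HTTP version probe is parked as "watch". The ordering of the checks matters: an exploit attempt is escalated even if the preceding scan touched only portsentry's decoy ports, so the decision does not depend on which tool happened to see which step.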
