IDS mailing list archives
RE: slow scans?
From: "Rob Shein" <shoten () starpower net>
Date: Tue, 18 Feb 2003 12:02:16 -0500
And on top of this, I really question any claim of ability to reliably detect a scan that takes place over a period of extended time (weeks or longer) where the attacker keeps changing IP addresses (and by that I mean totally different networks, not just doing "ipdown" and "ipup" on their cablemodem-connected Linux box). Between backscatter that may come from DoS attacks, mis-typed IP addresses (I once had a full-blown SNMP scan of my net because someone did a 16-bit netmask instead of 24 bits), and other noise. I would assume that anyone so paranoid and sneaky as to jump around so much would also randomize the order in which ports were scanned, and very possibly throw some variety into the type of scan as well. You certainly couldn't have an alert trigger on this without DoSing your brain with false alarms.
-----Original Message-----
From: Tod Beardsley [mailto:todb () planb-security net]
Sent: Sunday, February 16, 2003 1:33 PM
To: focus-ids () securityfocus com
Subject: Re: slow scans?

Johannes asked:
What would you do different if you know someone is scanning you slowly?

About the only reason I can think of to actually care about low-n-slow scans is to provide evidence to The Authorities -- assuming your scanner follows through with an actual attack, is reasonably successful, is detected, is positively identified, is arrested, and goes to trial. Your original scan data would go towards establishing his intent to attack you. (IANAL.)

Most organizations don't particularly care about this (unlikely?) chain of events, if only implicitly, by their lack of a legally robust evidence-handling policy.

--
"It's okay to yell fire in a crowded theater if the theater is actually on fire."
Tod Beardsley | www.planb-security.net