Re: Ok, we've been scanned.. ..now what!

[Robert Bussey <robert () PCIWIZ COM>]

So goes life on the Internet. I would assume that many other on your IP
block were scanned as well. That's what people do. Sometimes, usually the
weekend, people will scan entire classes of IP addresses. My advice is to
not get your panties up in a ball and simply disregard these as mischievous
probes. Worry about it if they start trying to penetrate your network. I'm
sure (hopefully) you have plenty of other things to worry about than some
script kiddies wacked out on Jolt and Ding Dongs.

-----Original Message-----
From: Steven M. Klass [mailto:sklass () ANDIGILOG COM]
Sent: Monday, August 07, 2000 7:45 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Ok, we've been scanned.. ..now what!


Hey all,

        Well this weekend was a particularly active weekend for the
scanners..  It
appears that I have been scanned several hundred times by the same
moron.  What is the proper procedure for telling these idiots to know it
off.  I mean I know that it is coming from the aol spectrum from a
traceroute, so what's next?  Do any of you have scripts to deal with
this.  I was thinking about possibly implementing a dynamic ipchains
protocol that sees a scan and after n times blocks that idiot for a week or
so, on all ports.  Does anyone have such a beast that would like to share
that with me?  I also thought about more devious things, like nmaping the
moron and flooding his available ports..  Fight fire with fire..  Any ideas?
Steven M. Klass
Physical Design Engineering Manager

Andigilog Inc.
7404 W. Detroit Street, Suite 100
Chandler, AZ 85226
Ph: 602-940-6200 ext. 18
Fax: 602-940-4255

sklass () andigilog com
http://www.andigilog.com/