Security Incidents mailing list archives
Re: Scanning. Is it dangerous?
From: scut () NB IN-BERLIN DE (Sebastian)
Date: Mon, 1 May 2000 10:49:05 +0200
On Sat, Apr 29, 2000 at 05:12:54PM +0200, Sarunas Krivickas wrote:

> Hi folks,

Hi.

> As I see, almost everyone there is worried about some kind of scanning of their own subnets, ports, etc. Do you think it is a real danger to your system? If so, scans as dangerous actions have to be recognized in your risk management and IT security policy. Does a simple scan of your system have its place in your policy, and is it also the trigger to initiate actions and raise the alarm? Of course, we are able to recognize DoS or something like that, but almost all the incidents there talk about simple, usual and not dangerous actions. Yes, you have to think about this kind of action (I do not call it an attack) if your system is totally unprotected.

First, I distinguish between two kinds of scanning. The one is the "curious" person wanting to get to know your network. You might see him from dialup accounts or his real IP address, using things like traceroute, ping or single host queries (e.g. a BIND version request on your nameserver). Sometimes he'd even use TCP fingerprinting techniques on some single hosts. This person is no risk to your network; he usually only wants to get a rough impression of what equipment you use, how well you are connected, etc.

Then there is the mass scanner, which uses incremental scans of your whole IP space: first TCP/ICMP pings, followed by a rude portscan and then service checking. This is usually done from a hacked high-bandwidth host on the other side of the globe. He might not be particularly interested in your network but in getting as many hosts cracked as possible. Seldom there are exceptions that just collect statistical data, but most of the time a few days later there will be a scripted exploit attempt at any common vulnerability that was identified in your network.

In case you notice a scan you should do the following:

- In case you see scans for stuff you don't know (mountd was mentioned earlier today), rescan your network yourself and remove any positive you wouldn't want to run on that host.
- If there was a specific scan (say a BIND version scan), then check if the version you run has any known vulnerabilities.
- Avoid filtering the IP address that scans you, it won't help. Try to collect as much info as possible and record any further packets sent from this address instead. What time is it at the remote side?
- Try to get in contact with the responsible admin on the remote site. Do not use email to do that, since it will most likely get dropped. If you get scanned from some IP 1.2.3.4 a mail to root@1.2.3.4 will be deleted for sure.

> Regards, Sarunas
ciao,
scut

--
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ ---
you don't need a lot of people to be great, you need a few great to be the best
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon
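The distinction Sebastian draws above (a "curious" single-host probe versus an incremental sweep of the whole address space) and his advice to record further traffic from the source rather than filter it can be turned into a small triage script. The following is an added example written for this archive page; it is not code from the thread's participants. The key=value firewall log format, the sample addresses, and the thresholds (eight touched hosts, 80% consecutive addresses) are assumptions; port 111 stands in for the portmapper/mountd style scan mentioned in the message.

```python
"""Triage scan sources from firewall log lines.

Groups dropped packets by source, decides whether the source walked the
address space incrementally (mass sweep) or poked one or two hosts (curious
probe), and emits a watch record per source whose action is always "record",
never "block". Added example; log format and thresholds are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: one source sweeping 192.0.2.1-20 for the portmapper
# (port 111), one source probing a single host's DNS and SSH ports.
# The key=value format is assumed, not any real product's output.
SWEEP_SRC = "198.51.100.20"
PROBE_SRC = "203.0.113.5"
SAMPLE_LOG = "\n".join(
    [f"2000-05-01T03:12:{i:02d} action=drop src={SWEEP_SRC} dst=192.0.2.{i} dport=111 proto=tcp"
     for i in range(1, 21)]
    + [f"2000-05-01T09:40:00 action=drop src={PROBE_SRC} dst=192.0.2.10 dport=53 proto=tcp",
       f"2000-05-01T09:40:02 action=drop src={PROBE_SRC} dst=192.0.2.10 dport=22 proto=tcp",
       f"2000-05-01T09:40:05 action=drop src={PROBE_SRC} dst=192.0.2.10 dport=53 proto=udp"]
)

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_log(text):
    """Return (src, dst, dport) tuples; lines without the expected fields are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], int(m["dport"])))
    return events


def is_incremental(hosts, min_fraction=0.8):
    """True when the touched destination addresses mostly form a consecutive run."""
    addrs = sorted(int(ipaddress.ip_address(h)) for h in hosts)
    if len(addrs) < 2:
        return False
    consecutive = sum(1 for a, b in zip(addrs, addrs[1:]) if b - a == 1)
    return consecutive / (len(addrs) - 1) >= min_fraction


def classify(hosts, sweep_hosts=8):
    """Label a source by how much of the address space it touched."""
    if len(hosts) >= sweep_hosts and is_incremental(hosts):
        return "mass-sweep"          # incremental walk over the IP space
    if len(hosts) >= sweep_hosts:
        return "sweep"               # many hosts, but not a simple linear walk
    return "single-host-probe"       # the "curious" case: one or a few hosts


def build_watchlist(events, sweep_hosts=8):
    """One record per source: classification, what it touched, and what to do."""
    by_src = defaultdict(lambda: {"hosts": set(), "ports": set()})
    for src, dst, dport in events:
        by_src[src]["hosts"].add(dst)
        by_src[src]["ports"].add(dport)

    watch = {}
    for src, seen in by_src.items():
        cls = classify(seen["hosts"], sweep_hosts)
        watch[src] = {
            "class": cls,
            "hosts": len(seen["hosts"]),
            "ports": sorted(seen["ports"]),
            # Keep recording further packets from the source instead of filtering it.
            "action": "record",
            # After a sweep, re-audit those services on your own hosts.
            "self_audit_ports": sorted(seen["ports"]) if cls != "single-host-probe" else [],
        }
    return watch


if __name__ == "__main__":
    for src, rec in build_watchlist(parse_log(SAMPLE_LOG)).items():
        print(src, rec)
```

Run it as a script to see the two records; the `self_audit_ports` list is the set of services to rescan on your own hosts after a sweep, matching the "rescan your network yourself" step above.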
Current thread:
- Scanning. Is it dangerous? Sarunas Krivickas (Apr 29)
- Re: Scanning. Is it dangerous? Sebastian (May 01)
- Re: Scanning. Is it dangerous? Roelof Temmingh (May 01)
- DNS Probes Damian Gerow (May 01)
- Re: Scanning. Is it dangerous? John D. Burkett (May 01)
- Re: Scanning. Is it dangerous? Rune Kristian Viken (May 07)
- Re: Scanning. Is it dangerous? Ryan Russell (May 01)
- Re: Scanning. Is it dangerous? jms (May 02)
- Re: Scanning. Is it dangerous? Jose Nazario (May 03)
- Scanning. Is it a consumer right? ethan preston (May 02)
- Re: Scanning. Is it dangerous? jms (May 02)
- Re: Scanning. Is it dangerous? Russell Fulton (May 01)
- <Possible follow-ups>
- Re: Scanning. Is it dangerous? -reply Joseph, Lorne (May 01)
(Thread continues...)