Re: How do you fight an attack in progress?
Paul Ferguson (ferguson@cisco.com)
Fri, 19 Sep 1997 20:52:19 -0400
- Next message: Mark Coleman: "Re: How do you fight an attack in progress?"
- Previous message: Adam Shostack: "Re: SSL proxy info"
- In reply to: Paul D. Robertson: "Re: SSL proxy info"
- Next in thread: Mark Coleman: "Re: How do you fight an attack in progress?"
At 01:36 PM 9/19/97 -0500, Andy Howard wrote:
>
>The scan itself is not dangerous.... just rattling the door knob. Some
>Web search and indexing sites do this.... there are some legitimate
>reasons to get the door knob rattled.
>

This is a subtle point which is important to understand.
For instance, what do you automatically think when your
logs report that a udp/161 'scan' is being done on sequential
host addresses? Well, if you've seen NOC monkeys haplessly
enable SNMP discovery mode (for instance on an HP*OpenView
system), then you know what I'm talking about. ;-)

The point is that 'scans' may sometimes not be malicious,
but rather the result of some moron somewhere on the opposite
side of the planet. And even when it is, you still need to
contact them to tell them to 'Cut it out', but it pays to be
somewhat intelligent before sounding the alarm.

By the same token, there is usually a big difference between
sequential port scanning (which is almost always malicious in
nature) and sequential host scanning, which may be quite
legitimate. Another legitimate example, besides the SNMP
discovery foobar I mentioned above, is PING'ing hosts within
a range of addresses. In fact, this is done on a fairly
frequent basis, to determine the scope of address utilization
and the growth of the Internet itself.

As an aside, see: http://www.nw.com

- paul
--
Paul Ferguson
Consulting Engineering
Herndon, Virginia USA
tel: +1.703.397.5938
e-mail: ferguson@cisco.com
cisco Systems
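
The distinction the message above draws between sequential host scanning and sequential port scanning can be checked mechanically before anyone sounds the alarm. The following is an added example, not part of the original post: the record layout, the `min_run` threshold, the function names and the sample addresses (documentation ranges) are all assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample records: (source, destination, protocol, destination port).
# Addresses come from documentation ranges; none of this is from the original post.
SAMPLE_LOG = (
    [("198.51.100.7", f"192.0.2.{h}", "udp", 161) for h in range(1, 21)]  # one port, 20 hosts
    + [("203.0.113.9", "192.0.2.10", "tcp", p) for p in range(20, 45)]    # 25 ports, one host
    + [("198.51.100.50", "192.0.2.25", "tcp", 25)] * 3                    # ordinary mail traffic
)

def longest_run(values):
    """Length of the longest run of consecutive integers in values."""
    best = run = 0
    prev = None
    for v in sorted(set(values)):
        run = run + 1 if prev is not None and v == prev + 1 else 1
        best = max(best, run)
        prev = v
    return best

def classify(records, min_run=10):
    """Label each source as 'host-sweep', 'port-scan' or 'normal'.

    min_run is an assumed threshold: how many consecutive hosts or ports
    must be touched before the pattern counts as a scan.
    """
    hosts_per_port = defaultdict(set)  # (src, proto, dport) -> destination hosts
    ports_per_host = defaultdict(set)  # (src, proto, dst)   -> destination ports
    sources = set()
    for src, dst, proto, dport in records:
        sources.add(src)
        hosts_per_port[(src, proto, dport)].add(int(ip_address(dst)))
        ports_per_host[(src, proto, dst)].add(dport)

    verdict = {src: "normal" for src in sources}
    for (src, _proto, _port), hosts in hosts_per_port.items():
        if longest_run(hosts) >= min_run:
            verdict[src] = "host-sweep"  # same port across sequential hosts: may be discovery or ping
    for (src, _proto, _dst), ports in ports_per_host.items():
        if longest_run(ports) >= min_run:
            verdict[src] = "port-scan"   # sequential ports on one host: almost always malicious
    return verdict

if __name__ == "__main__":
    for src, label in sorted(classify(SAMPLE_LOG).items()):
        print(src, label)
```

A `host-sweep` verdict is the case worth a polite query to the source's operator first; a `port-scan` verdict overrides it when one source shows both patterns.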
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:58 CDT