Re: When does a scan attempt become a focused attack?
Date: 10/22/03

    To: "dave kleiman" <>, "'Hunt, Jim'" <>,
    Date: Wed, 22 Oct 2003 18:04:40 +0000

    It's simple: When it becomes a bother to the admin, it's an attack.

    <begin Port-Scan war story>

    Several years ago, when I was the admin of a dot-com, we suddenly got a bunch of port scans on some very odd ports every hour, on the hour, for 20 or so minutes.

    Luckily, my IDS logged the IP, and when looking it up, I found it was coming from Bell Labs in New Jersey: talked to the admin there, he confirmed and gave me the name of the researcher the IP belonged to, as well as his email addy.
    I talked to the scientist, and he said that what he was doing was basic research, and I couldn't stop him.

    Now at that point, corporate policy was more than three portscans from the same IP in 24 hours was considered an attack.

    The nice thing about Bell Labs is that their web page showed all the researchers and their place in the organization.

    A nice little letter of complaint went to his supervisor, his supervisor's supervisor, and the VP who ran that branch of Bell Labs, with all documentation and correspondence to and from the scientist.

    Within 2 hours, the portscans stopped. A week later, the scientist was no longer on the org chart...
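The policy in the post ("more than three portscans from the same IP in 24 hours is an attack") is a sliding-window count, and the detail that matters is the window, not the total. The script below is an added example, not code from the original poster or any product; the IDS log format (`<ISO timestamp> portscan src=<ip> ports=<n>`) and the sample lines are constructed here, and it assumes the log is in chronological order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample IDS log lines (assumed format, not from the original post):
# "<ISO timestamp> portscan src=<ip> ports=<count>"
# 192.0.2.10 scans four times within four hours; 198.51.100.7 also scans four
# times, but roughly 29 hours apart, so it never exceeds the threshold in any
# single 24-hour window.
SAMPLE_LOG = """\
2003-10-20T00:05:00 portscan src=192.0.2.10 ports=40
2003-10-20T01:05:00 portscan src=192.0.2.10 ports=38
2003-10-20T02:05:00 portscan src=192.0.2.10 ports=41
2003-10-20T03:05:00 portscan src=192.0.2.10 ports=39
2003-10-20T04:05:00 portscan src=198.51.100.7 ports=12
2003-10-21T09:00:00 portscan src=198.51.100.7 ports=12
2003-10-22T14:00:00 portscan src=198.51.100.7 ports=12
2003-10-23T19:00:00 portscan src=198.51.100.7 ports=12
"""

THRESHOLD = 3               # "more than three" scans ...
WINDOW = timedelta(hours=24)  # ... from the same IP in 24 hours


def parse_line(line):
    """Split one log line into (timestamp, event name, {key: value})."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), event, kv


def find_attackers(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: timestamp at which that source first exceeded
    `threshold` portscan events inside a rolling `window`}.

    Lines are assumed to be in chronological order; each source keeps a
    deque of recent scan times, and times older than the window are
    dropped before the count is compared against the threshold.
    """
    recent = defaultdict(deque)  # src ip -> scan timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, kv = parse_line(line)
        if event != "portscan":
            continue
        src = kv["src"]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # expire scans outside the window
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, when in find_attackers(SAMPLE_LOG).items():
        print(f"{src} crossed the policy threshold at {when.isoformat()}")
```

Run against the sample, only 192.0.2.10 is reported (at 03:05 on 2003-10-20); 198.51.100.7 has the same number of scans overall but never more than one inside any 24-hour span, which is the distinction the policy was written to capture.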
