Date: Wed, 4 Apr 2001 17:51:26 -0500
From: Scott Lambert <lambert@cswnet.com>
To: FreeBSD-ISP@FreeBSD.org
Subject: Re: Chasing the kiddies (was: Named Keep crashing)
Message-ID: <20010404175125.C879@laptop.os2warp.org>
In-Reply-To: <Pine.BSF.4.31.0104041612470.45811-100000@web1.nidhog.com>; from chosey@nidhog.com on Wed, Apr 04, 2001 at 04:15:30PM -0400
References: <20010404145617.B879@laptop.os2warp.org> <Pine.BSF.4.31.0104041612470.45811-100000@web1.nidhog.com>
I assume *most* port scans are prep work for B&E. If a scan is coming from a box labeled as <testing for your favorite exploitable software so we can warn the admin to upgrade>.<appropriate domain for such testing with both forward and reverse DNS> I probably will ignore it, at least once I make sure all of my machines are not vulnerable.

What other legitimate reasons are there for portscanning being done by someone who is not responsible for that IP space?

If the scan comes from one of my admin boxes, it is ok. If some joker is testing out the latest tool so he can go use it at work, I tell him not to do it again. Play in your own backyard.

I don't get too excited about the fact that they are scanning. But I do want to make an impression on the kids that this is not acceptable behavior before they advance to B&E.

I have on occasion scanned my customers. I was checking for BO servers. We got a lot of compromised Windows boxes fixed that way. The cops also go around looking for broken windows and other telltales when they are aware of a problem in the area. They have woken me up with the searchlights.

I suppose my upstream provider would be permitted to check for whatever problem servers they want to warn me about, but I would prefer they just bring the problem to my attention so I can find and fix them myself. And if they are scanning me it better be from a box with a name that suggests it would be used for such purposes. Otherwise I'll be calling them to tell them that they may have a compromised box on their network.

My users, in general, are not sophisticated enough to be aware of and testing for security problems.

On Wed, Apr 04, 2001 at 04:15:30PM -0400, Chet Hosey wrote:
> Date: Wed, 4 Apr 2001 16:15:30 -0400 (EDT)
> From: Chet Hosey <chosey@nidhog.com>
> To: <FreeBSD-ISP@FreeBSD.ORG>
> Subject: Re: Chasing the kiddies (was: Named Keep crashing)
>
> Do you assume that all port scans are malicious? Is there a situation in
> which a scan would not cause you to make such a call?
>
> ________________________________________________________________________
>
> Chet Hosey
> <chosey@nidhog.com>
> ________________________________________________________________________
>
> On Wed, 4 Apr 2001, Scott Lambert wrote:
>
> > On Wed, Apr 04, 2001 at 01:16:19PM -0600, Forrest W. Christian wrote:
> > > Date: Wed, 4 Apr 2001 13:16:19 -0600 (MDT)
> > > From: "Forrest W. Christian" <forrestc@imach.com>
> > > To: Kal Torak <kaltorak@quake.com.au>
> > > Cc: Enno Davids <enno.davids@metva.com.au>, freebsd-isp@FreeBSD.ORG
> > > Subject: Re: Chasing the kiddies (was: Named Keep crashing)
> > >
> > > On Wed, 4 Apr 2001, Kal Torak wrote:
> > >
> > > > Why should network scanning be a crime at all? If anything should be a crime
> > > > it's sloppy admins that let their networks get compromised...
> > >
> > > But when after you scan, you break in and destroy data, THAT should be the
> > > crime I'm talking about.
> > >
> > > What you don't realize is that a lot of these attacks are now automated
> > > rootkits which basically scan for the hole and if they find it, ROOT YOUR
> > > MACHINE.
> > >
> > > This is wrong.
> >
> > These people who don't think scanning is a problem bother me. I don't have
> > time to hunt down all the scanning kiddies, but I don't like them. I do
> > hunt down the ones I get complaints on.
> >
> > Scanning a network is just like "casing" a neighborhood in my book. The
> > police will stop you and check your background and want to know if you
> > have any business in the area if someone reports you to them. The police
> > call it suspicious behaviour which gives them probable cause to stop the
> > bad guy. They get what information they can from him and if he is not
> > (yet) wanted they let him go. But they watch him. They remember he was
> > in the area and if any complaints do come in they go grab him first.
> >
> > I do the same thing with my scanning kiddies. My kiddies who go scanning
> > my network or other people's networks get a phone call. I talk to their
> > parents and tell them their kids are on the wrong road and could wind up
> > in jail if they ever open one of those doors. Hopefully the parents can
> > straighten the kids out. I hope the kids tell the other kids that they
> > got busted. It lets them know they can get in trouble for it and will
> > hopefully discourage them.
> >
> > I just wish I could go visit them physically so I could make certain they
> > were scared before I let them go.
> >
> > Entering a computer system is breaking and entering. Send them to jail.
> > It doesn't matter if they immediately left without doing anything. If anyone
> > enters my home through a window I have left open for ventilation at night,
> > they could very possibly be shot or bludgeoned about the head and shoulders
> > by a baseball bat or whatever other blunt or sharp object I find first.
> > They will most likely end up in jail. It makes no difference that the
> > window was open. You just don't cross those lines.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message