I can say from experience that most ISPs will not take any action just
because you were scanned. I seem to recall someone at SANS drawing an
analogy between host scanning and driving down a street to see who had
their windows open.
In reality there is nothing an ISP can do. No laws have been broken and
with the number of script kiddies out there trying out every scanner that
comes out it just isn't practical to take action on every reported scan
event.
I would suggest that if you have been scanned that you simply increase the
level of vigilance since the scan *may* be a prelude to an attack.
Alternatively, if the scan originated from a host with a non-dynamically
assigned IP address, i.e. not a dialup/DSL/cable modem ISP account, _and_
you are really concerned, then simply block the IP at your border router
( you do have one, right ? :- ) ) and/or your firewall.
Realistically though, you probably wouldn't want to maintain an ACL with
everybody that ever scanned you. So what to do ?
- Set up a good router/bastion/router firewall.
- Use a network based IDS system ( preferably ) inside and outside your
firewall
- Use host based IDS ( tripwire or some such ) on your hosts
- Use swatch or some such to keep an eye on your log files
- Make sure you have good backups - just in case ( I once had a hacker
wipe a machine on his way "out" )
- Make all your hosts as secure as possible without making them unusable
( probably easier to do with *NIX as opposed to a M$ OS )
If you do all that, then when someone does rattle your doorknobs it will
be a concern, but perhaps not a huge one ( depending on who "you" are of
course ).
Basically what it boils down to is making sure that your systems and
network are as secure as possible and that you have adequate
"early warning" measures in place.
===================================================================
Larry Chin {[EMAIL PROTECTED]} Technical Specialist - ISC
Sprint Canada, 2550 Victoria Park Avenue, Suite 200, North York, Ontario M2J 5E6
Phone: 416.496.1644 ext. 4693
Fax: 416.498.3507
===================================================================
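The "keep an eye on your log files" advice above is where most of the early warning actually comes from. As an added illustration (not code from this thread or from swatch), here is a small Python log watcher that reads firewall drop records and flags the two scan patterns Dan asked about: one source probing many ports on one host (vertical), and one source probing one port across many hosts (horizontal). The log format, the addresses and the sample lines are all constructed for the example; the timestamps, window and threshold are assumptions you would tune to your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample firewall drop log. The "DROP src= dst= ..." format is
# hypothetical; adapt LINE_RE to whatever your router or firewall emits.
SAMPLE_LOG = """\
1999-07-19T08:30:01Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=40123 dpt=21
1999-07-19T08:30:01Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=40124 dpt=22
1999-07-19T08:30:02Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=40125 dpt=23
1999-07-19T08:30:02Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=40126 dpt=25
1999-07-19T08:30:03Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=40127 dpt=80
1999-07-19T08:30:03Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=40128 dpt=110
1999-07-19T08:30:04Z DROP src=203.0.113.7 dst=192.0.2.10 proto=tcp spt=40129 dpt=143
Jul 19 08:32:00 router: line protocol up (unrelated noise line, not parsed)
1999-07-19T08:35:10Z DROP src=192.0.2.50 dst=192.0.2.10 proto=tcp spt=51000 dpt=80
1999-07-19T08:35:12Z DROP src=192.0.2.50 dst=192.0.2.11 proto=tcp spt=51001 dpt=80
1999-07-19T08:41:00Z DROP src=198.51.100.9 dst=192.0.2.1 proto=tcp spt=3322 dpt=445
1999-07-19T08:41:00Z DROP src=198.51.100.9 dst=192.0.2.2 proto=tcp spt=3323 dpt=445
1999-07-19T08:41:01Z DROP src=198.51.100.9 dst=192.0.2.3 proto=tcp spt=3324 dpt=445
1999-07-19T08:41:01Z DROP src=198.51.100.9 dst=192.0.2.4 proto=tcp spt=3325 dpt=445
1999-07-19T08:41:02Z DROP src=198.51.100.9 dst=192.0.2.5 proto=tcp spt=3326 dpt=445
1999-07-19T08:41:02Z DROP src=198.51.100.9 dst=192.0.2.6 proto=tcp spt=3327 dpt=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+DROP\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=(?P<proto>\w+)(?:\s+spt=\d+)?\s+dpt=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for one drop record, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def detect_scans(lines, window_s=60, threshold=5):
    """Flag sources that touch >= threshold distinct ports on one host (vertical)
    or >= threshold distinct hosts on one port (horizontal) within window_s seconds.
    Each (kind, src, target) is reported once, on the first window that crosses."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts, seen = [], set()
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            ports_per_dst = defaultdict(set)
            dsts_per_port = defaultdict(set)
            for ev in events[i:]:
                if (ev["ts"] - start["ts"]).total_seconds() > window_s:
                    break
                ports_per_dst[ev["dst"]].add(ev["dpt"])
                dsts_per_port[ev["dpt"]].add(ev["dst"])
            for dst, ports in ports_per_dst.items():
                key = ("vertical", src, dst)
                if len(ports) >= threshold and key not in seen:
                    seen.add(key)
                    alerts.append({"kind": "vertical", "src": src, "target": dst,
                                   "count": len(ports), "first_seen": start["ts"]})
            for port, dsts in dsts_per_port.items():
                key = ("horizontal", src, port)
                if len(dsts) >= threshold and key not in seen:
                    seen.add(key)
                    alerts.append({"kind": "horizontal", "src": src, "target": port,
                                   "count": len(dsts), "first_seen": start["ts"]})
    return alerts


def format_alert(a):
    """One line per alert, with timezone included as Stacy's reply recommends."""
    what = "ports on host" if a["kind"] == "vertical" else "hosts on port"
    return (f"{a['first_seen'].isoformat()} {a['kind']} scan from {a['src']}: "
            f"{a['count']} {what} {a['target']}")


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG.splitlines()):
        print(format_alert(alert))
```

The benign source 192.0.2.50 hits two hosts on one port and stays under the threshold, so it produces nothing; the two probing sources each raise exactly one alert. Feeding the script from a log tail and mailing the formatted lines gives you the "early warning" the message above is after, without committing you to blocking every address that shows up.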
On Mon, 19 Jul 1999, stbrow - Stacy Brown wrote:
> Forward the logs of the attempt to the ISP contact (often there will be an
>[EMAIL PROTECTED] address for such things). Make sure your logs have a timestamp, and
>include your timezone with it. Also, include a little note describing what the
>would-be hacker was trying to do to you, just in case the abuse contact or admins of
>the ISP are not as astute at hacker activities as you.
>
> Stacy Brown
> Network Business Unit / Security Team
> Acxiom Corp.
>
> > -----Original Message-----
> > From: Dan [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, July 19, 1999 8:32 AM
> > To: [EMAIL PROTECTED]
> > Subject: Response to hack attempt?
> >
> >
> > I'm sure that everyone on this list from time-to-time sees
> > hacking attempts such as port scans, or scans of ranges of
> > IP's on a specific port in their firewall logs.
> >
> > What is your typical response to this kind of activity? I know
> > about tracking down owners of IP's, etc with whois and the
> > Internic DB, but what do you do once you get that
> > information?
> >
> > A lot of this list is dedicated to stopping the hacking
> > attempts, but not much has been said on what to do
> > afterwards.
> >
> > Dan Lenhard
> > Systems Administrator
> > [EMAIL PROTECTED]
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
>