I think you need to understand the reason you were port scanned in the first place. It is a fishing exercise usually. Look at a port scan as a way of determining if the area holds potential or not. Why to fishermen use fish locators? To see if there are fish in the area and save them some time in their search. They are looking for systems that are not configured properly for the most part. And we all know there are a lot of them around. I for one thing the best defense is to make damn sure you have all your holes patched and after they see you are OK, they move on to other fish to fry. > -----Original Message----- > From: Mike Dee [SMTP:[EMAIL PROTECTED]] > Sent: Tuesday, December 21, 1999 4:30 PM > To: [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED] > Subject: > > In my experience sending immediate notifications to ISP's has been very > fruitful. Many ISP's (worth anything) make it a fact of their AUP > (Acceptable Usage Policy) that any attempts to gain improper access to > others systems is grounds for immediate account termination. Because of > this, you (the target) hold a legal precedent to ensure action is taken. > > I have found that dealing with ISP's, although not always perfect, has had > a > far greater result than dealing with the individuals company or downline > provider. > > Strikebacks, on the other hand, are tricky. Is it okay to break your > neighbors window just because he broke yours. I have found that in most > cases this effectively terminates the activity from that source to yours, > but does not terminate the activity for other targets. Agreed PORT SCANS > are generally accepted as a precursor to some event NOT of good nature, > but > how illeagal are they. From the ISP's standpoint, a clear violation of > AUP. > From the law, still too many unknowns. > > Stick with the notifications and blackhole, I think its your best bet. > > MD > Network Security Consultant > > -----Original Message----- > From: Eric [mailto:[EMAIL PROTECTED]] > Sent: Monday, December 20, 1999 11:47 PM > To: [EMAIL PROTECTED] > Subject: Dealing with port scanners / attackers > > > > I'm getting kind of tired of sending reports of > port scans and attempted break-ins to people who > don't really seem interested in doing something > about the problem. I always ask them to keep me > informed about how they deal with those > responsible, but very few have the courtesy to > actually do so. It leaves me wondering if they > did anything at all or if they just ignored the > problem. > > So something else is needed. > > Suppose we set up a firewall that, when it detects > a port scan, would spoof the source address and > perform a port scan against the port scanner's ISP? > That way, the ISP would see a port scan coming > from one of his own customers and would be more > likely to take an active interest in putting a > stop to it. > > Eric Johnson > > > ______________________________________________________ > Get Your Private, Free Email at http://www.hotmail.com > > - > [To unsubscribe, send mail to [EMAIL PROTECTED] with > "unsubscribe firewalls" in the body of the message.] - [To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
