Hello Ralph, Sunday, May 19, 2002, 12:13:35 PM, you wrote:
RD> I think that's pretty stupid. If I had my network admin investigate every
RD> portscan, my staff costs would go up 10x and I'd quickly go bankrupt.
RD> Instead we keep our servers very secure, and spend the time and effort
RD> only when there is evidence of a break in.
I didn't say investigate every portscan, I said assume every portscan is hostile. There is a big difference.
RD> So you assume it's hostile and do what? Automatically block the source
RD> IP? If you do that then you open up a bigger DOS hole. Then if someone
RD> sends a bunch of SYN scans with the source address spoofed as your
RD> upstream transit providers' BGP peering IP, poof! you're gone.

You do the same thing you do with any attack: log the information and take appropriate action. If you are constantly getting scanned from one netblock, you should be aware of that; the only way to be aware of it is to keep a record of all port scans. A portscan may be innocent, though I agree with those who have said previously that most portscans are not innocent, in which case it gets filed away into a database and forgotten. However, if the same network is continuously portscanning your network, that network should be stopped. This whole process can be automated, so that it does not involve manual intervention... but don't you think a good network administrator should know what is happening to their network? And, since there is no way to distinguish an innocent portscan from one that is a precursor to an attack, wouldn't it make sense to keep track of all portscans?

allan

-- 
allan allan@allan.org http://www.allan.org
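As an added example (not part of the thread), one way to keep the kind of record allan describes: constructed portscan log lines are filed under their source /24, and netblocks that keep scanning across several days are reported for the admin to act on rather than auto-blocked, for the spoofed-source reason Ralph raises. The log format and the sample addresses are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample portscan log lines (not real traffic): "timestamp src_ip dst_port".
SAMPLE_LOG = """\
2002-05-17T02:11:05 10.0.0.7 22
2002-05-17T02:11:06 10.0.0.7 80
2002-05-17T02:11:06 10.0.0.7 443
2002-05-17T09:30:00 192.0.2.44 25
2002-05-18T03:40:12 10.0.0.9 21
2002-05-18T03:40:13 10.0.0.9 22
2002-05-19T01:02:03 10.0.0.7 8080
2002-05-19T04:15:00 203.0.113.5 22
"""

def parse_log(text):
    """Parse log lines into (timestamp, source address, destination port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        events.append((datetime.fromisoformat(ts), ipaddress.ip_address(src), int(port)))
    return events

def scans_by_netblock(events, prefix=24):
    """File every scan event under its source netblock (the 'database' of scans).
    Returns {netblock: set of calendar days on which that netblock scanned us}."""
    days = defaultdict(set)
    for ts, src, _port in events:
        block = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        days[block].add(ts.date())
    return days

def persistent_scanners(events, min_days=2, prefix=24):
    """Return netblocks seen scanning on at least `min_days` distinct days, sorted.
    This is a report for review, not an automatic block: a spoofed source address
    could otherwise make the automation cut off a legitimate peer."""
    days = scans_by_netblock(events, prefix)
    return sorted(str(block) for block, d in days.items() if len(d) >= min_days)

if __name__ == "__main__":
    for block in persistent_scanners(parse_log(SAMPLE_LOG)):
        print(f"review: {block} has portscanned us on multiple days")
```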