North American Network Operators Group


Re: a record?

  • From: Elmar K. Bins
  • Date: Sun Nov 20 17:13:02 2005

[email protected] (Patrick W. Gilmore) wrote:

> I'm going to repeat what Sean said, because you clearly didn't read  
> what he said:

You're trying to be harsh, even though I don't understand why. I read
what you just rephrased, and I understood it fully, believe me. Let me
explain my lines of thought here.

I am fully aware of people scanning the full range of ports, but then,
it's a _WHOLE LOT_ fewer full-port-range scans than full-address-range
scans. You will see that in your logs, too.

If the guys have found an interesting machine, they will scan all ports,
sure, but then you _WANT TO DEAL_ with these guys. Whether it is because
they are interested in you, or whether it is because they found a box
worth cracking.

That of course leaves aside the few guys who really try full-port-range
scans on a lot of boxes or, accidentally, the ones I look over. I may
be wrong in assuming they are taking interest, but I take interest in
them and do something. It still is a lot fewer incidents to focus on.

Saving unnecessary work is all that this is about, not whether or not
I believe something (this being safer than that, that guy having a
specific interest in this, whatever).

Actually, I really don't care about people scanning closed or blocked
ports. Except for a few potential target addresses, that is. But of
course I am not doing this by reading server logfiles and wading
through folks trying dictionary attacks on just-found-to-exist ssh
ports. That's what firewall and ID systems are good at.

Most of the time I get interested when "they" get interested, or when
there's someone coming up, doing something more elaborate than running
one of the easy scripts. Apart from that, I am simply not interested,
because I have other work to do. And if I get rid of "dummy alerts" by
changing the port for a "generic login" service, so be it.

It's a tool to save work. You don't have to use it.
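
The triage described in this message, as an added example that is not part of the original post: it separates sources that walk many ports on one box (full-port-range scans) from sources that sweep one port across many addresses (full-address-range scans), so only the former are surfaced. The "src dst dport" log format, the thresholds and the function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample: one "src dst dport" line per blocked connection attempt.
# Addresses come from the RFC 5737 documentation ranges, not real traffic.
def sample_log():
    lines = []
    # Source A sweeps port 22 across many addresses: address-range scan.
    for host in range(1, 41):
        lines.append(f"198.51.100.7 192.0.2.{host} 22")
    # Source B walks many ports on a single box: port-range scan.
    for port in range(1, 301):
        lines.append(f"203.0.113.9 192.0.2.10 {port}")
    # Source C is background: a couple of stray hits.
    lines += ["198.51.100.50 192.0.2.5 80", "198.51.100.50 192.0.2.5 443"]
    lines.append("garbled line without a port")  # malformed, must be skipped
    return lines

def classify(lines, port_threshold=100, host_threshold=20):
    """Return {src: label}. Thresholds are assumed values to tune per site."""
    ports_per_target = defaultdict(set)  # (src, dst) -> distinct ports probed
    hosts_per_source = defaultdict(set)  # src -> distinct destinations probed
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed lines rather than abort the run
        src, dst, dport = parts[0], parts[1], int(parts[2])
        ports_per_target[(src, dst)].add(dport)
        hosts_per_source[src].add(dst)
    verdict = {}
    for src, hosts in hosts_per_source.items():
        deep = any(s == src and len(ports) >= port_threshold
                   for (s, _dst), ports in ports_per_target.items())
        if deep:
            verdict[src] = "port-range scan"     # took interest in one box
        elif len(hosts) >= host_threshold:
            verdict[src] = "address-range scan"  # bulk sweep, low priority
        else:
            verdict[src] = "background"
    return verdict

def worth_a_look(lines):
    """Sources that scanned a wide port range on at least one host."""
    return sorted(s for s, v in classify(lines).items() if v == "port-range scan")

if __name__ == "__main__":
    for src, label in sorted(classify(sample_log()).items()):
        print(src, label)
```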