RE: port scan detected

  • From: "Kenny Mann" <Kennymann@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 21 Aug 2003 08:32:31 -0500

<two cents>

Here is what I do sometimes, when I'm in a frisky mood.
Go to command prompt.
Type in "net send <ip address> Please stop scanning me..."
If it sends, they got a 2K or XP box (and have messenger service on) and
they just received a popup box saying that...
This will freak out a lot of script kiddies.
If it doesn't work they are most likely running linux or have their
messenger service up and they may not some things about a computer.
Port scan them a couple times... But I generally only do these if they
are scanning me on a frequent (> 2 times a day for multiple days) basis.
I've also run across a domain (I forgot the name) which basically scans
the entire web just to do a statistic for commonly known exploits. They
don't publish names, just percentages.

My goal is to make them realize I'm an active admin... (or at least as
active as my boss and the laws will let me ;-))
In a best case scenario I just scared a script kiddie and they will
stop...

On the other hand, some companies have policies against things like
this... (yeah, I like the three dots...)

</two cents>

Kenny

>-----Original Message-----
>From: cismic [mailto:cismic@xxxxxxx] 
>Sent: Wednesday, August 20, 2003 2:12 PM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] RE: port scan detected
>
>
>http://www.ISAserver.org
>
>
>If I only had a package of foil every time someone said that!
>
>-----Original Message-----
>From: Mark Hopkins [mailto:Mark.Hopkins@xxxxxxxxxxxxxxxxxxxxx] 
>Sent: Wednesday, August 20, 2003 8:26 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] RE: port scan detected
>
>Tom,
>
> 
>
>Interesting thing happened today. After creating a packet 
>filter to block an IP, two days ago, he port scanned me again 
>this morning. Can you explain this? Thanks.
>
> 
>
>Mark
>
> 
>
>  _____  
>
>From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
>Sent: Tuesday, August 19, 2003 4:02 PM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] RE: port scan detected
>
> 
>Hi Mark,
>
> 
>
>Sure. Human eyes must evaluate the nature of the attack, and 
>human eyes must evaluate the source location.
>
> 
>
>For example, if the "attack" is some DNS timeout issue with 
>your DNS server, do you want to block that?
>
> 
>
>Another example, if the "attack" is from another admin testing 
>his "skills" from home, do you want to block that?
>
> 
>
>Another example, the IDS is misconfigured, do you want to 
>block what it says?
>
> 
>
>Another example, a legit host is infected and cleaned. Now 
>that host is blocked. Do you want to block that and then deal 
>with connectivity issues when you forgot about your blocking 
>filters or try to fish out the blocked host address from the 
>thousands in your list?
>
> 
>
>Harden your hosts, use Application and Web filters, never 
>publish a Web site using an IP address, all the basic stuff. 
>That's a lot more effective than blocking addresses willy nilly. 
>
> 
>
>YMMV,
>
>Tom
>
> 
>
>Thomas W Shinder
>
>www.isaserver.org/shinder
>
>ISA Server and Beyond: http://tinyurl.com/1jq1
>
>Configuring ISA Server: http://tinyurl.com/1llp
>
> 
>
>       -----Original Message-----
>       From: Mark Hopkins [mailto:Mark.Hopkins@xxxxxxxxxxxxxxxxxxxxx] 
>       Sent: Tuesday, August 19, 2003 2:13 PM
>       To: [ISAserver.org Discussion List]
>       Subject: [isalist] RE: port scan detected
>
>       Tom,
>
>        
>
>       Could you elaborate on this "intelligent address
>       blocking"? Thanks.
>
>        
>
>       Mark
>
>        
>
>       
>  _____  
>
>
>       From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
>       Sent: Tuesday, August 19, 2003 1:59 PM
>       To: [ISAserver.org Discussion List]
>       Subject: [isalist] RE: port scan detected
>
>        
>
>       Hi Brian,
>
>        
>
>       Nor should you. Blocking addresses that scan you is
>       like shooting at cars that drive past your home and look at
>       your windows and front door. :-) Be aware of the attempt, but
>       you'll end up making a critical error sooner or later if you
>       block addresses without putting some intelligence behind the block.
>
>        
>
>       HTH,
>
>       Tom
>
>        
>
>       Thomas W Shinder
>
>       www.isaserver.org/shinder