Re: i've been port scanned. now what

[Peter Cordes <peter@llama.nslug.ns.ca>]

On Mon, Mar 05, 2001 at 11:37:17PM +0100, Szab? D?niel wrote:
> Hello.
> My packet filter ruleset catched somebody on port scanning one of our host.
> He or she tryed to scan a very big port range from tcp 1 up to 32000 (think
> with nmap), but my packet filter denied his/her queries (the kernel
> generated 1 mb log in 3 minutes with the denied packets). I have his/her
> ipv4 address, and i would like to ask, what should i do know? i figured out
> from the ripe.net whois db, that the ip is owned by one of the ISP's from my
> country, is it possible, that the scanner cracked the isp's machine, then
> pushed the scan from there?

 It's a lot more likely that the person that scanned you is simply one of
the ISP's customers.  The ISP owns the IPs they assign to their customers'
machines.

 If all the guy did was scan, then don't do anything unless he does it again
or something.  If there were any signs of an actual attack, like sending
nastygrams to your web server or something, then you should contact his ISP
and show them the log.

 (My philosophy is that portscanning is more or less innocent and curiosity
driven, and so shouldn't be punished unless it causes a DoS or something.
If you feel otherwise, you might want to show the logs you have to the
scanner's ISP, with timestamp, so they can figure out who had that IP at
that time.  I think that would be going to more trouble than it's worth,
though.)


-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE