On Mon, Mar 05, 2001 at 11:37:17PM +0100, Szabó Dániel wrote:
> Hello.
> My packet filter ruleset caught somebody port scanning one of our hosts.
> He or she tried to scan a very big port range from tcp 1 up to 32000 (think
> with nmap), but my packet filter denied his/her queries (the kernel
> generated 1 mb log in 3 minutes with the denied packets). I have his/her
> ipv4 address, and I would like to ask, what should I do now? I figured out
> from the ripe.net whois db, that the ip is owned by one of the ISPs from my
> country, is it possible, that the scanner cracked the isp's machine, then
> pushed the scan from there?

Well, that all depends ... do you consider port scanning criminal
activity or not?

I do not - I think you should view a port scan as a possible indication
that someone intends to attack you. It's also possible that someone is
just exploring. As a former network administrator I wasn't too worried
about portscans unless they were followed up with actual connections.
I also used portscans when needed to discover what users on the network
were up to.

You could always send an email to the ISP in question and ask them what
they think; whether they want a copy of the logs, etc.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc.                 | than a perfect plan tomorrow.
mailto:nnorman@micromuse.com   |   -- Patton
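The triage rule from the reply above (a scan matters more once it is followed by actual connections), as an added example that is not part of the original message. The log line format, the threshold and every address below are assumptions constructed for illustration, not the poster's packet filter output.

```python
import re
from collections import defaultdict

def build_sample_log():
    """Constructed sample: '<epoch> <DENY|ACCEPT> tcp <src>:<sport> -> <dst>:<dport>'."""
    lines = [f"{1000 + p} DENY tcp 192.0.2.10:40000 -> 10.0.0.5:{p}" for p in range(1, 41)]
    lines.append("1100 ACCEPT tcp 192.0.2.10:40001 -> 10.0.0.5:80")   # scanner comes back
    lines.append("1200 ACCEPT tcp 203.0.113.5:51000 -> 10.0.0.5:80")  # ordinary client
    lines.append("1201 DENY tcp 203.0.113.5:51001 -> 10.0.0.5:23")    # one stray denial
    lines += [f"{2000 + p} DENY tcp 198.51.100.7:40000 -> 10.0.0.5:{p}" for p in range(1, 26)]
    return "\n".join(lines)

SAMPLE_LOG = build_sample_log()

LINE = re.compile(
    r"(?P<ts>\d+) (?P<action>DENY|ACCEPT) tcp "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def triage(log_text, scan_threshold=10):
    """Flag sources that were denied on many distinct ports, and rank them
    'high' only when an accepted connection follows the scan."""
    denied = defaultdict(set)     # src -> distinct (dst, port) pairs denied
    scan_seen_at = {}             # src -> timestamp when threshold was crossed
    followups = defaultdict(list) # src -> accepted connections after the scan
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue              # ignore lines in other formats
        ts, src = int(m["ts"]), m["src"]
        target = (m["dst"], int(m["dport"]))
        if m["action"] == "DENY":
            denied[src].add(target)
            if len(denied[src]) >= scan_threshold:
                scan_seen_at.setdefault(src, ts)
        elif src in scan_seen_at:
            followups[src].append((ts, *target))
    return {
        src: {
            "denied_ports": len(denied[src]),
            "followups": followups[src],
            "priority": "high" if followups[src] else "low",
        }
        for src in scan_seen_at
    }

if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        print(src, info["priority"], info["denied_ports"], info["followups"])
```

The "low" entries are the ones worth summarising in a note to the ISP's abuse contact; the "high" entry is the one to look at on the host itself first.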