RE: Scan of TCP 552-554

From: Dave Paris (dparisat_private)
Date: Fri Aug 01 2003 - 11:31:26 PDT


    Not to point out the wholly obvious or anything, but...
    
    Regardless of your response to the portscan, by the time you react it has
    already "used your link" and cost you bandwidth.
    
    To put it another way... it doesn't matter if you use a shotgun, broom, or
    overcooked linguine - the guy is standing on your porch and already
    traversed your front lawn.
    
    While I can appreciate the cost of bandwidth from a firsthand perspective,
    this is simply the price of playing.  If you can't afford it, find an
    alternative or move on.
    
    -dsp
    
    -----Original Message-----
    From: Rodrigo Barbosa [mailto:rodrigobat_private]
    Sent: Friday, August 01, 2003 1:26 PM
    To: Chris Shepherd
    Cc: incidentsat_private
    Subject: Re: Scan of TCP 552-554
    
    
    On Fri, Aug 01, 2003 at 08:25:08AM -0400, Chris Shepherd wrote:
    [...]
    > Why take that action for a port scan? You're going to be a very busy admin if
    > you do all that just for a simple port scan. Those things are unimportant, but
    > might be useful if logged, or better yet, dropped. :) There's nothing wrong
    > with a port scan in and of itself, it is just a simple check to see which
    > services you have listening.
    
    As long as I'm the one paying for my Internet uplink (and those are
    EXPENSIVE here in Brazil), I don't want any traffic on it that is
    not authorized. And a portscan is definitely something I did not
    authorize.
    
    > A policy of having a live person react to a port scan is a little farther than
    > I'd be willing to go ever, which is why I simply have my firewall refuse to
    > talk on any port that doesn't have a service running. Closed ports are not a
    > security risk,
    
    Don't be so sure. IIRC, there was a bug on some platform that was only
    exploitable on "closed" ports.
    
    > nor are portscans. The security risks come into play on the
    > services you already are running. The biggest reason why someone in your shoes
    > might want to consider using DROP vs REJECT is that it offers a higher delay in
    > accessing those services. Regardless of your firewall, if you have a service in
    > place, that is far more likely to become the subject of attack, and wanting to
    > conceal those services from port scanning is a more intelligent approach (IMO)
    > than wanting to try and conceal the firewall's existence. The point of
    > intrusion shouldn't be at the firewall if it is properly configured, but
    > rather, the hosts behind it that are by necessity running servers (Apache or
    > IIS for example).
    
    Security risks are one thing. Costing me money is another. Security holes
    cost money, but portscans use my link. Even worms that are unable
    to infect my system cost money.
    [...]
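The thread agrees on one practical point: a firewall that silently DROPs probes to closed ports gives back nothing to the scanner, and the dropped packets are "useful if logged". The script below is an added example (not code from the thread or from any of its authors) showing how such a log can be summarised after the fact to separate a port sweep from an ordinary failed connection. The log lines are constructed to resemble netfilter LOG output (the `SRC=`, `PROTO=`, `DPT=` fields are the real ones); the addresses, timestamps, rule prefix `FW-DROP:`, and the threshold of five distinct ports within sixty seconds are assumptions.

```python
"""Summarise dropped-packet firewall logs to spot port sweeps.

Added example for the discussion above; not part of the original thread.
Input format is assumed to be iptables/netfilter LOG lines; sample data is
constructed, and the scan threshold/window are arbitrary choices.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 203.0.113.7 sweeps TCP 552-556 within a few seconds;
# 198.51.100.4 retries a single port (80) and should not be flagged.
SAMPLE_LOG = """\
Aug  1 11:20:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=552 SYN
Aug  1 11:20:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=553 SYN
Aug  1 11:20:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=554 SYN
Aug  1 11:20:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=555 SYN
Aug  1 11:20:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=556 SYN
Aug  1 11:21:30 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=80 SYN
Aug  1 11:21:31 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=80 SYN
"""

# syslog timestamp, then the netfilter key=value fields we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2003):
    """Return (timestamp, src, proto, dport) or None for a non-matching line.

    syslog omits the year, so it is supplied by the caller (assumed 2003 here).
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse "Aug  1" -> "Aug 1"
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["proto"], int(m["dpt"])


def find_scanners(log_text, min_ports=5, window_seconds=60):
    """Map source -> sorted distinct destination ports for every source that
    hit at least `min_ports` distinct ports inside some `window_seconds` span.

    A single host retrying one closed port never qualifies, however many
    packets it sends, because only distinct ports are counted.
    """
    hits_by_src = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, _proto, dport = parsed
            hits_by_src[src].append((ts, dport))

    scanners = {}
    for src, hits in hits_by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits within window_seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {port for _, port in hits[start:end + 1]}
            if len(distinct) >= min_ports:
                scanners[src] = sorted({port for _, port in hits})
                break
    return scanners


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: probed {len(ports)} distinct ports: {ports}")
```

The output is a per-source summary rather than an alert to act on; as the reply above notes, the bandwidth is spent by the time the log line exists, so the value of the summary is in knowing which of your listening services were enumerated, not in answering the scanner.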
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri Aug 01 2003 - 11:46:10 PDT