
RE: [FW1] Port Scanning




Unless the scanning is so pervasive that it starts approaching a DoS,
there's not much reason to get worked up about it IMHO.  That's what you
have a firewall for in the first place.

If the scan was truly "spoofed" it's likely someone running NMAP and
using the feature to plug in phantom IPs so it's harder to track down
the real IP they're scanning from.  You could spend a lot of time and
effort and probably eventually detect the real IP that's scanning you,
but why? You'll have spent a lot of time and effort to find an IP that
is probably a dialup and the ISP may not have the records to show who
was dialed up on that IP at that time. (depends on how long it took you
to find the real IP and the amount of accounting the ISP performs)

Even if you assume that the ISP had the information, scanning is not
against federal law. (don't know about particular states)  It might be
against an ISP policy, so you might be able to get a person's account
terminated, but that seems like an awful lot of trouble for a problem
that is usually nothing more than a mere nuisance.

In all likelihood the person performing the scan will simply move on to
another site when their scan of your site turns up nothing useful.  If
you continually see frequent scans, it might mean you're being targeted by
an individual or group, but barring that it's probably script kiddies
playing with new scanning tools looking for sites that have unprotected
hosts.  They're not likely to bother with sites that don't return
interesting information in the scans.

Note that my comments apply only to scanning and not an actual attack.
An attack is an entirely different category and is against federal law.
In case of an actual attack you should contact appropriate law
enforcement officials and take time to track down the attacker.

-Kent Hundley

------------------------------------------------------------------
What should a person do if you find someone scanning your ports on the
firewall?  I contacted the company that was doing it, and they
investigated, and said that it was not them.  They thought someone was
"spoofing" the IP......


