Press F1
 
Thread ID: 15898 2002-02-20 08:31:00 Fighting back against port scans... Guest (0) Press F1
Post ID Timestamp Content User
36398 2002-02-20 08:31:00 Every so often (in fact quite often) my Norton Internet Security program alerts me to possible 'intrusion attempts' - i.e. port scans, and reports the i.p. number.

I'd like to start reporting these to whoever I need to (the initiator's ISP?) as a small way of fighting back.

Questions... 1) am I correct to assume all these would be potential hostile scans?..or would some possibly be genuine for whatever reason?

2) If hostile, who do I report it to, only knowing the ip number?

3) If I do a trace on the ip number using say Neo Trace, will it be accurate, or could the ip number have changed in the meantime??

Thanks!
Guest (0)
36399 2002-02-20 09:23:00 Don't bother.

The only way you can positively conclude that it is a port scan and not valid traffic is if you had a great number of probes on different ports from the same originating IP.

Anything else and it could quite easily be innocent traffic.

Even if you do determine that a user has scanned you, there is very little that can be done. As a firewall log (text file) can hardly count as evidence, the best that can be hoped for is for an ISP to take your word for it and cancel the internet account.

As far as I'm aware, simply scanning another computer is not illegal, just against common courtesy as well as most ISPs' codes of behaviour.

If you REALLY want to go ahead with it, tracing the IP with something like Neotrace will give you the domain name to which the IP is registered, then simply send an email to abuse@domain.com

Personally, it's a lot of bother for something that won't actually give you any benefits. You would be better off to largely ignore the firewall alerts as maybe 80% of them will be legit anyhow.
Guest (0)
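The test described in the post above (many different ports probed from one source address), as an added example that is not code from the thread or from Norton Internet Security. The log line format, the four-port threshold and the 60-second window are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption, not Norton's own.
SAMPLE_LOG = """\
2002-02-20 08:30:01 BLOCK TCP 203.0.113.7:4021 -> 192.0.2.10:21
2002-02-20 08:30:01 BLOCK TCP 203.0.113.7:4022 -> 192.0.2.10:23
2002-02-20 08:30:02 BLOCK TCP 203.0.113.7:4023 -> 192.0.2.10:25
2002-02-20 08:30:02 BLOCK TCP 203.0.113.7:4024 -> 192.0.2.10:80
2002-02-20 08:30:03 BLOCK TCP 203.0.113.7:4025 -> 192.0.2.10:110
2002-02-20 08:41:10 BLOCK TCP 198.51.100.23:1190 -> 192.0.2.10:27374
2002-02-20 08:41:13 BLOCK TCP 198.51.100.23:1190 -> 192.0.2.10:27374
2002-02-20 09:00:00 BLOCK TCP 198.51.100.99:2201 -> 192.0.2.10:135
2002-02-20 11:00:00 BLOCK TCP 198.51.100.99:2202 -> 192.0.2.10:139
2002-02-20 13:00:00 BLOCK TCP 198.51.100.99:2203 -> 192.0.2.10:445
2002-02-20 15:00:00 BLOCK TCP 198.51.100.99:2204 -> 192.0.2.10:1433
truncated line with no fields
"""

LINE_RE = re.compile(
    r"(\S+ \S+) BLOCK (?:TCP|UDP) ([\d.]+):\d+ -> [\d.]+:(\d+)$")

def find_scanners(log_text, min_ports=4, window=timedelta(seconds=60)):
    """Map each source IP to the distinct ports it probed, for sources that
    hit at least min_ports different ports inside one time window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped, not guessed at
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            hits[m.group(2)].append((ts, int(m.group(3))))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > len(flagged.get(src, ())):
                flagged[src] = sorted(ports)
    return flagged

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(ports)} ports in one window -> {ports}")
```

At these settings the repeated hits on a single port and the probes spaced hours apart are not flagged; passing a wider `window` picks up the slow source as well.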
36400 2002-02-20 10:16:00 Depends on what information your Norton's log gives you; if it says sub7 port scan or something backdoor, you could report it to the ISP. I would not be too concerned with tcp and udp probes, many are fairly harmless.

Most NZ ISPs will take seriously these sorts of port probes and cancel the account or warn the user of their conditions of use.

No point, though, in reporting every single probe; keep it to the serious stuff.

AOL and some other USA ISPs don't take complaints seriously, though the same complaint about a sub7 probe to some of the EU countries will see a swift response, as it is illegal in some of those countries to scan and becomes a police matter.

SmartWhoIs2 will give you the ISP for an IP number. If you do complain you need to copy and paste a copy of the log into the message along with your complaint.
Guest (0)
36401 2002-02-20 11:43:00 Several times now, by using neotrace, I have emailed the IP block holder and informed them, and while their reply is often unhelpful, in most cases the port probes have ceased. Guest (0)