[Intrusions] [LOGS] Summary of large-scale portscanning detects
Andrew Rucker Jones
arjones at simultan.dyndns.org
Mon Jul 19 03:42:19 GMT 2004
Joel,
Joel Esler wrote:
| It makes sense why an intruder would scan the beginning of a subnet and then
| the end, because logically most systems administrators put their servers,
| routers, and web servers at the front or end of their network, so system
| logically it makes sense.
Take a closer look. I think you missed the [...] that Ken has between
the first set and last set of targets. That means he left out the middle
ones, because the pattern was the same.
It doesn't actually make a lot of sense to only scan the beginning or
end of a network. Don't forget that a lot of people use subnets (we have
some 6 or 7 in our little /24 chunk), including ISPs who hand out /30 or
/28 networks. There are also those system administrators who gravitate
to numbers like .100 or .150.
-&
- --
GPG key / Schlüssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
Encrypt everything. / Alles verschlüsseln.