[Dshield] How representative?

Jeff Kell jeff-kell at utc.edu
Tue Mar 25 15:18:04 GMT 2003


Chateauneuf wrote:
> At 11:59 PM 3/24/2003 +0100, Henric Lindblad authored the following:
> 
>> Honestly I don't think the average DSL/Cable subscriber gets many actual
>> "intrusion attempts"...
>> They do get scanned a lot but most scans don't actually result in an
>> intrusion attempt.

> I'm not so sure that I agree. FWIW, I think that the difference between 
> a port scan and an intrusion attempt is the level of security.

Precisely.  If your setup is completely secured, you drop the packet 
without further question.  You might be able to differentiate between a 
"scan" and an "intrusion attempt" from an ICMP or UDP packet, but for 
TCP issues, you never allow it to get beyond the initial SYN unless you 
have a real live server behind it.  You would have to "honeynet" every 
service to get far enough to detect a TCP-based exploit.

Jeff
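
Added example, not part of the original post: a short Python sketch of what a drop-on-first-packet filter can see for each protocol, showing why a bare TCP SYN carries nothing to tell a scan from an exploit attempt while UDP and ICMP arrive with their payload. The packets, addresses, ports and the `first_packet_evidence` helper are constructed for illustration.

```python
import struct

# Constructed sample packets (IPv4, no options, checksums left at zero).
def ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.5"):
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, addr(src), addr(dst))
    return hdr + payload

def tcp(sport, dport, flags, data=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4,
                       flags, 8192, 0, 0) + data

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def icmp(type_, code, data=b""):
    return struct.pack("!BBHI", type_, code, 0, 0) + data

def first_packet_evidence(pkt):
    """Return what a filter that drops the first packet can learn from it."""
    ihl = (pkt[0] & 0x0F) * 4          # IP header length in bytes
    proto, l4 = pkt[9], pkt[ihl:]
    if proto == 6:                      # TCP
        _, dport, _, _, off, flags = struct.unpack("!HHIIBB", l4[:14])
        data = l4[(off >> 4) * 4:]
        syn_only = (flags & 0x3F) == 0x02
        # A bare SYN has no application data: a scan and the first step of
        # an exploit look identical unless a listener completes the handshake.
        verdict = "indeterminate" if syn_only and not data else "inspectable"
        return {"proto": "tcp", "dport": dport, "payload": data, "verdict": verdict}
    if proto == 17:                     # UDP: request data rides in packet one
        _, dport, length, _ = struct.unpack("!HHHH", l4[:8])
        data = l4[8:length]
        verdict = "inspectable" if data else "indeterminate"
        return {"proto": "udp", "dport": dport, "payload": data, "verdict": verdict}
    if proto == 1:                      # ICMP: type/code and data are visible
        return {"proto": "icmp", "type": l4[0], "code": l4[1],
                "payload": l4[8:], "verdict": "inspectable"}
    return {"proto": proto, "payload": b"", "verdict": "indeterminate"}

if __name__ == "__main__":
    samples = [ipv4(6, tcp(40000, 445, 0x02)),
               ipv4(17, udp(40000, 53, b"constructed-udp-payload")),
               ipv4(1, icmp(8, 0, b"constructed-echo"))]
    for p in samples:
        print(first_packet_evidence(p))
```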


