[Dshield] How representative?
jeff-kell at utc.edu
Tue Mar 25 15:18:04 GMT 2003
> At 11:59 PM 3/24/2003 +0100, Henric Lindblad authored the following:
>> Honestly I don't think the average DSL/Cable subscriber gets many actual
>> "intrusion attempts"...
>> They do get scanned a lot but most scans don't actually result in an
>> intrusion attempt.
> I'm not so sure that I agree. FWIW, I think that the difference between
> a port scan and an intrusion attempt is the level of security.
Precisely. If your setup is completely secured, you drop the packet
without further question. You might be able to differentiate between a
"scan" and an "intrusion attempt" from an ICMP or UDP packet, but for
TCP issues, you never allow it to get beyond the initial SYN unless you
have a real live server behind it. You would have to "honeynet" every
service to get far enough to detect a TCP-based exploit.
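
The point in the reply above, shown as an added example that is not part of the original post: only a listener that completes the TCP handshake ever sees bytes it could inspect, while a firewall that drops the SYN records nothing beyond addresses and ports. The function names, the loopback address and the sample payload are assumptions constructed for this illustration.

```python
import socket
import threading


def observe_once(listener, wait=1.0):
    """Accept one connection and report what a completed handshake reveals."""
    # A firewall that drops the SYN never reaches this accept(): it has only
    # the source/destination addresses and ports to log.
    conn, peer = listener.accept()
    with conn:
        conn.settimeout(wait)
        try:
            data = conn.recv(4096)
        except socket.timeout:
            data = b""  # peer connected but stayed silent
    # No bytes after the handshake: looks the same as a connect() scan.
    # Bytes present: there is now a payload that can be checked for an exploit.
    kind = "payload" if data else "connect-only"
    return {"peer": peer[0], "kind": kind, "first_bytes": data[:64]}


def demo(payload):
    """Run the listener and a constructed client on loopback only."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, never exposed off-host
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}
    worker = threading.Thread(
        target=lambda: result.update(observe_once(listener)))
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        if payload:
            client.sendall(payload)  # constructed sample traffic
    worker.join()
    listener.close()
    return result


if __name__ == "__main__":
    print(demo(b""))                        # handshake only, nothing to inspect
    print(demo(b"GET / HTTP/1.0\r\n\r\n"))  # first bytes now visible
```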