[unisog] CHE 3/15: The Growing Vulnerability of Campus Networks
E. Larry Lidz
ellidz at eridu.uchicago.edu
Tue Mar 12 19:25:21 GMT 2002
Tom Perrine writes:
>We are at the point where the only reason to notice scans is for our
>security research, to generate some statistics and to "prove" that we
>still need to "do" security.
We have found two benefits from looking at scans, above and beyond the
o We find a large number of our compromises by investigating scans.
Often we'll see a scan hit our network, and by looking at the network
audit logs, we can see that the scanner also connected to a weird port
on a machine or two. That port will often turn out to be a copy of ssh.
Alternatively, we'll notice a connection going out from a scanned
machine to an ftp or web site right after the scan -- the intruder
downloading tools. Of course, this requires a comprehensive network
o While I don't have hard numbers to prove it, it certainly appears that
we see more scans of our network when we are lax in reporting the scans
to the source than we see when we report the scans within a day or two
of the scan.
I think long term, we're not going to be able to sustain the level
of work each scan takes us, and we'll probably have to cut back on
it. However, for most scans, it currently takes us only two or three
minutes per scan to investigate and send off a report to an appropriate
contact. I think we can cut that down by 50% still by improving some of
our database backends.
I suspect the next step for us will be to send our reports to someone
like DShield who will forward it on to the appropriate contact rather
than doing it ourselves. Of course, often having the direct dialog with
the other end is useful.
E. Larry Lidz Phone: (773)702-2208
Sr. Network Security Officer Fax: (773)834-8444
Network Security Center, The University of Chicago
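The two correlations described in the post (the scanner coming back to an odd port on a host it scanned, and a scanned host reaching out to an ftp or web site right after the scan) can be checked mechanically against connection logs. The following is an added example, not code from the original post or from the University of Chicago; it runs over constructed sample records, assumes a per-connection state field ("SF" for a completed handshake, "REJ" for refused) and treats 10.0.0.0/8 as the campus range.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample connection records: (time, src, dst, dst_port, state),
# where state "SF" means the TCP handshake completed and "REJ" means refused.
FLOWS = [
    ("2002-03-12 18:00:01", "203.0.113.9", "10.0.0.1", 22, "REJ"),
    ("2002-03-12 18:00:01", "203.0.113.9", "10.0.0.2", 22, "REJ"),
    ("2002-03-12 18:00:02", "203.0.113.9", "10.0.0.3", 22, "REJ"),
    ("2002-03-12 18:00:02", "203.0.113.9", "10.0.0.4", 22, "SF"),
    ("2002-03-12 18:00:03", "203.0.113.9", "10.0.0.5", 22, "REJ"),
    ("2002-03-12 18:05:30", "203.0.113.9", "10.0.0.4", 31337, "SF"),  # scanner returns to an odd port
    ("2002-03-12 18:07:10", "10.0.0.4", "198.51.100.7", 21, "SF"),    # scanned host fetches via ftp
    ("2002-03-12 18:30:00", "10.0.0.9", "198.51.100.8", 80, "SF"),    # unrelated host, normal traffic
]
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443}  # ports we do not treat as "weird"
DOWNLOAD_PORTS = {20, 21, 80, 443}                   # ftp / web, where tools get pulled from

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def find_scans(flows, min_targets=5, window=timedelta(minutes=5)):
    """Return {scanner: (first_seen, targets)} for sources that touched
    at least min_targets distinct hosts within the window."""
    by_src = defaultdict(list)
    for ts, src, dst, port, state in flows:
        by_src[src].append((parse(ts), dst))
    scans = {}
    for src, hits in by_src.items():
        hits.sort()
        first = hits[0][0]
        targets = {dst for t, dst in hits if t - first <= window}
        if len(targets) >= min_targets:
            scans[src] = (first, targets)
    return scans

def scan_followups(flows, scans, lookahead=timedelta(hours=1)):
    """Flag (a) completed connections from the scanner to a non-standard port on a
    scanned host and (b) outbound ftp/web connections from a scanned host soon after."""
    findings = []
    for scanner, (start, targets) in scans.items():
        for ts, src, dst, port, state in flows:
            t = parse(ts)
            if state != "SF" or not start <= t <= start + lookahead:
                continue
            if src == scanner and dst in targets and port not in COMMON_PORTS:
                findings.append(("scanner-to-odd-port", src, dst, port))
            elif src in targets and port in DOWNLOAD_PORTS and not dst.startswith("10."):
                findings.append(("scanned-host-download", src, dst, port))
    return findings
```

On the sample records this reports the scanner's return to port 31337 on 10.0.0.4 and that host's ftp connection to 198.51.100.7 seven minutes later, while the unscanned host's web traffic is ignored.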