Know Who's Out There
[Figure: Local & Remote Vulns / Loss Type]
We charted the scan sources and targets for the top five active ports, as reported by the Internet Storm Center, on a specified date (see "Top 5 Port Scans for March 18, 2003"), and discovered that a relatively small pool of IP addresses scanned a large number of IP addresses. During this 24-hour period, ISC logged 9,598 unique IP addresses scanning for Port 445, which is used for file sharing (SMB) on Microsoft Windows 2000, and logged 161,532 targets of port scans for Port 445--roughly 16 times as many targets as sources.
From a damage point of view, scans typically are harmless. IDSs classify scans as low-level attacks, but they don't harm servers or services. Common wisdom says scans are precursors to attacks, and though that may be true, there isn't a 1:1 relationship. If Port 445 is open, that doesn't guarantee the attacker will return, but it does make it more likely that he or she will. If an attacker finds services with exploitable vulnerabilities, the attack phase begins. If your servers are vulnerable, attackers may be able to get access to the computer or to data stored on it. Attack methods fall into two categories: automated and targeted. Much like scanners, automated attack tools are easy to build; they either blindly try attacks against every host in a netblock or first find hosts with a port scan and then attack them. Either way, these brute-force attacks count on the probability that vulnerable servers will be running. Check your Web server logs and you'll likely see Unicode-encoded URL strings, regardless of the operating system or Web server you run.
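As an added example (not part of the original article), the following Python script flags the kind of Unicode-encoded URL strings mentioned above in Apache-style access logs: it percent-decodes each request path (twice, to catch double-encoding) and reports overlong UTF-8 sequences and decoded directory-traversal patterns, keyed by source IP. The log lines are constructed for illustration, not real traffic.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache-style access log lines (illustrative, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Mar/2003:10:01:02 -0500] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [18/Mar/2003:10:01:07 -0500] "GET /scripts/..%c0%af../ HTTP/1.0" 404 312
10.0.0.9 - - [18/Mar/2003:10:01:09 -0500] "GET /scripts/..%255c..%255cpublic/ HTTP/1.0" 404 312
10.0.0.7 - - [18/Mar/2003:10:02:11 -0500] "GET /caf%C3%A9.html HTTP/1.0" 200 512
"""

# Source address, method and request path from a common/combined log line.
REQ_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')


def has_overlong_utf8(raw: bytes) -> bool:
    """True if raw contains an overlong (non-shortest-form) UTF-8 sequence.
    Lead bytes 0xC0/0xC1 are never valid (e.g. %c0%af is an overlong '/');
    0xE0 must not be followed by a continuation byte below 0xA0, and
    0xF0 must not be followed by one below 0x90."""
    for i, b in enumerate(raw):
        if b in (0xC0, 0xC1):
            return True
        nxt = raw[i + 1] if i + 1 < len(raw) else None
        if b == 0xE0 and nxt is not None and 0x80 <= nxt < 0xA0:
            return True
        if b == 0xF0 and nxt is not None and 0x80 <= nxt < 0x90:
            return True
    return False


def classify_request(path: str) -> str:
    """Return a reason ('overlong-utf8' or 'traversal') if the request path
    looks like an encoded probe, or '' if it looks benign."""
    once = unquote_to_bytes(path)      # first percent-decode
    twice = unquote_to_bytes(once)     # second decode catches %255c -> %5c -> '\'
    if has_overlong_utf8(once) or has_overlong_utf8(twice):
        return "overlong-utf8"
    for decoded in (once, twice):
        if b"../" in decoded or b"..\\" in decoded:
            return "traversal"
    return ""


def flag_encoded_probes(log_text: str) -> list:
    """Return (source_ip, raw_path, reason) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        reason = classify_request(m["path"])
        if reason:
            hits.append((m["src"], m["path"], reason))
    return hits
```

Grouping the hits by source address gives the same "small pool of sources, many targets" view the article draws from the ISC data, applied to your own Web logs.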
Automated attacks and worms are opportunistic and, like scans, are part of daily life on the Internet. There isn't much you can do to block these attempts, and unless you can track their origins and get someone at the source organization or upstream ISP to intervene on your behalf, you can't really stop the attacks. Some ISPs and many college campuses will cut off users if they receive enough complaints coupled with evidence that an attack has originated from their networks. Filing a report with the owner of the netblock or its upstream provider is an option if you are under a concerted scan or automated attack.