State of the Art in Scan Detection

Thomas Ptacek | June 23rd, 2005 | Filed Under: Uncategorized

I really wanted my next Bejtlich cite to include a draft proposed code of ethics, to respond to the CISSP thing, but I have to comment on a more recent post:

His thesis, Using NetFlows for Slow Port Scan Detection, argues that NetFlow records can be used to detect stealthy reconnaissance

Virtually all the anomaly companies do this now. Arbor has done it since 2003. The basic technique comes from Solar Designer.

(BTW, doesn’t it rule that most of the “fresh” ideas in network security, like service/OS fingerprinting, come from Phrack?).

Here’s an excellent paper on scan detection (as usual, affiliated with Vern Paxson). A followup Weaver paper argues that if you embedded the original idea into a switch, to suppress scanning outright, you could contain worms. I think that’s sorta clever.
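A minimal version of the NetFlow approach above, as an added example rather than code from the post, the thesis, or any product it mentions: failed TCP flows (SYN-only, single packet) from constructed NetFlow-style records are counted per source as distinct (host, port) targets over a long sliding window, so a scanner that probes one port every few minutes still crosses the threshold while a short window misses it. The record layout, flag values, window length and threshold are assumptions.

```python
from collections import Counter, defaultdict

# TCP flag bits as they appear in a NetFlow v5 tcp_flags field (OR of all flags seen).
FIN, SYN, ACK = 0x01, 0x02, 0x10

# Constructed records: (start_secs, src, dst, dport, tcp_flags, packets).
FLOWS = []
# Slow scanner: one SYN-only probe to a new port every five minutes for 45 minutes.
for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389]):
    FLOWS.append((i * 300, "10.0.0.5", "192.0.2.10", port, SYN, 1))
# Ordinary client: completed HTTPS sessions (SYN, ACK and FIN seen) plus one failure.
for i in range(6):
    FLOWS.append((i * 400, "10.0.0.7", "192.0.2.10", 443, SYN | ACK | FIN, 40))
FLOWS.append((1000, "10.0.0.7", "192.0.2.11", 8080, SYN, 1))
# Noisy but benign host: a few failed probes, well under the threshold.
FLOWS += [(50, "10.0.0.9", "192.0.2.10", p, SYN, 1) for p in (135, 139, 445)]


def is_failed_probe(flags, packets):
    """A flow that carried a lone SYN never completed a handshake: the
    flow-level signature of a probe against a closed or filtered port."""
    return flags == SYN and packets == 1


def detect_slow_scans(flows, window=3600, threshold=8):
    """Map each source to the most distinct (dst, port) targets its failed
    flows touched inside any `window`-second span, if that reaches threshold."""
    by_src = defaultdict(list)
    for start, src, dst, dport, flags, packets in flows:
        if is_failed_probe(flags, packets):
            by_src[src].append((start, (dst, dport)))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        seen, oldest, best = Counter(), 0, 0
        for start, target in events:
            seen[target] += 1
            # Evict probes that fell out of the window at the left edge.
            while events[oldest][0] < start - window:
                old = events[oldest][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                oldest += 1
            best = max(best, len(seen))
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    print("1h window:", detect_slow_scans(FLOWS))            # flags 10.0.0.5
    print("10m window:", detect_slow_scans(FLOWS, window=600))  # misses it
```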
