What abuse do I report?


Every personal firewall has its own severity levels and its own way of presenting them to you. Some, however, are overly zealous in estimating the damage done and/or weak in explaining what actually happened, so an average user could believe the worst when in fact nothing malicious has occurred.

What you decide to report is ultimately up to you, but here is a summary and analysis of a few different categories of ‘attack’:


Exceptions

First, keep in mind that, when on campus, your connection is automatically scanned by UF security computers. If you are on campus, you may view the ongoing scans at http://infosec.ufl.edu/admins/scans.shtml and make exceptions accordingly in your firewall.


Sweeps

Also known as port probing or port scanning, these events take two basic forms. In the first, a large group of computers on the Internet is swept for a single port that would indicate a particular type of program is running (port 80 for a web server, for example). The second targets just one machine and usually walks up and down all of its ports, trying to identify every service that machine offers. There are also combinations of the two that sweep more than one port on more than one computer.

One major disadvantage of a personal firewall, compared with a corporate or other large-scale network firewall, is that it sees only the traffic aimed at your own machine and so cannot tell these two forms apart. Because of this, it may report an attack that is really just one small part of a large subnet sweep being conducted by an attacker, or possibly even by a benign service.

In general, these are very low-severity events.
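To make the single-host limitation concrete, here is an added example (not code from the original page or from UF) that classifies probe events the way a campus-wide sensor could, then re-runs the same classification on the slice a personal firewall on one host would see. The events, addresses (RFC 5737 documentation ranges) and the thresholds of five hosts or five ports are all constructed assumptions for illustration.

```python
from collections import defaultdict, namedtuple

# Constructed sample events in the shape a campus-wide sensor would log:
# source address, destination address, destination port. Not real traffic.
Event = namedtuple("Event", "src dst dport")

SAMPLE_EVENTS = (
    # 198.51.100.7 probes port 80 on twelve hosts: a horizontal sweep.
    [Event("198.51.100.7", f"192.0.2.{n}", 80) for n in range(1, 13)]
    # 203.0.113.9 walks ports 20-29 on a single host: a vertical scan.
    + [Event("203.0.113.9", "192.0.2.5", p) for p in range(20, 30)]
    # 192.0.2.200 makes one ordinary connection to a web server.
    + [Event("192.0.2.200", "192.0.2.5", 80)]
)

# Thresholds are illustrative assumptions, not a standard.
HOST_THRESHOLD = 5
PORT_THRESHOLD = 5


def classify(events):
    """Classify all events from one source by how many distinct
    destination hosts and destination ports it touched."""
    hosts = {e.dst for e in events}
    ports = {e.dport for e in events}
    wide = len(hosts) >= HOST_THRESHOLD
    deep = len(ports) >= PORT_THRESHOLD
    if wide and deep:
        return "combined sweep (many ports, many hosts)"
    if wide:
        return "horizontal sweep (one port, many hosts)"
    if deep:
        return "vertical scan (many ports, one host)"
    return "isolated probe"


def network_view(events):
    """What a large-scale firewall sees: every source's events, grouped
    by source and classified together."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    return {src: classify(evts) for src, evts in by_src.items()}


def personal_view(events, my_addr):
    """What a personal firewall on my_addr sees: only the events aimed
    at it, so each source is classified from that slice alone."""
    mine = [e for e in events if e.dst == my_addr]
    return network_view(mine)


if __name__ == "__main__":
    for src, verdict in network_view(SAMPLE_EVENTS).items():
        print(f"campus sensor:  {src:15} -> {verdict}")
    for src, verdict in personal_view(SAMPLE_EVENTS, "192.0.2.3").items():
        print(f"host 192.0.2.3: {src:15} -> {verdict}")
```

Run from the campus view, 198.51.100.7 is plainly a horizontal sweep; from host 192.0.2.3, the same source shows up as a single "isolated probe", which is exactly the event a personal firewall may dress up as an attack. A vertical scan of your own machine, by contrast, is still recognisable from the personal view, because all of its events land on you.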


Service-level Probing

Service-level probes are aimed at a specific program, trying to learn more about it (typically which software, and which version, is running). They take many forms, from something as simple and innocuous as a web page request to something as dangerous as a BIND inverse query attempt.

These events pose no direct threat in themselves, but they are often the immediate precursor to an attack, especially when the version being queried belongs to a service with a relatively recent remote exploit, such as BIND or SSH.

Service probes often warrant reporting for critical services and machines.
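As an added example (not part of the original page, and not UF's or BIND's own code), the following parses the question section of a raw DNS query and flags the two probe types this section mentions: a CHAOS-class TXT query for version.bind (or the related hostname.bind, id.server and version.server names) that asks the server to identify itself, and a packet whose header opcode is IQUERY (opcode 1, the obsolete inverse query). The packets are constructed in the block itself with a small builder; the assumption is a plain query with no name compression in the question, which is what real queries look like.

```python
import struct

QTYPE_TXT = 16
QCLASS_CH = 3          # CHAOS class, used by version.bind-style queries
OPCODE_QUERY = 0
OPCODE_IQUERY = 1      # inverse query, obsolete but still seen in probes

# Names that ask a name server to identify its software or host.
IDENTITY_NAMES = {"version.bind", "hostname.bind", "id.server", "version.server"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a 0 byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, qclass, opcode=OPCODE_QUERY, txid=0x1234):
    """Construct a sample query packet (test input, not captured traffic).
    Header: ID, flags (QR=0, opcode in bits 14-11, RD set), QDCOUNT=1."""
    flags = ((opcode & 0xF) << 11) | 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def decode_name(packet, offset):
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_query(packet):
    """Return header fields and the list of (name, qtype, qclass) questions."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    questions = []
    offset = 12
    for _ in range(qdcount):
        name, offset = decode_name(packet, offset)
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "questions": questions,
    }


def classify_dns_probe(packet):
    q = parse_query(packet)
    if q["qr"]:
        return "response"
    # IQUERY is identified from the header opcode alone.
    if q["opcode"] == OPCODE_IQUERY:
        return "inverse query (IQUERY): obsolete opcode, worth reporting"
    for name, qtype, qclass in q["questions"]:
        if qclass == QCLASS_CH and qtype == QTYPE_TXT and name.lower() in IDENTITY_NAMES:
            return "server version/identity query"
    return "ordinary query"


if __name__ == "__main__":
    samples = {
        "version probe": build_query("version.bind", QTYPE_TXT, QCLASS_CH),
        "inverse query": build_query("version.bind", QTYPE_TXT, QCLASS_CH, opcode=OPCODE_IQUERY),
        "normal lookup": build_query("www.example.com", 1, 1),
    }
    for label, pkt in samples.items():
        print(f"{label:14} -> {classify_dns_probe(pkt)}")
```

On a real sensor the packet bytes would come from the UDP payload of traffic to port 53; here they are built in place so the block runs offline. A version query alone is harmless, which is why the classifier labels it rather than scoring it; what makes it worth reporting is the context the surrounding text describes, a query against a critical server or one followed by further probing.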


Web Exploit

Web exploits are attempts to abuse a web server through crafted HTTP requests. These events can only succeed if you are running a web server, and a personal machine should be running one only if you yourself have installed it. If you have, ask your local network administrator for advice on securing it.
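If you do run a web server, the access log is where these attempts show up. The following is an added example (not code from the original page or from UF) that parses constructed Common Log Format lines, percent-decodes each request path repeatedly so that double-encoded separators are seen in their final form, and flags a few illustrative indicators (directory traversal, a request for a command interpreter, a request for a system file). The log lines, addresses and indicator list are assumptions made for the example; a real ruleset would be larger and tuned to the server in use.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format; the addresses and
# requests are made up for illustration, not taken from real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2003:13:55:36 -0500] "GET /index.html HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2003:13:55:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
203.0.113.4 - - [10/Oct/2003:13:56:01 -0500] "GET /cgi-bin/../../../../etc/passwd HTTP/1.0" 404 0
192.0.2.11 - - [10/Oct/2003:13:56:09 -0500] "GET /images/logo.png HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Illustrative indicators (assumed for this example), applied to the
# normalised, lower-cased path.
INDICATORS = {
    "directory traversal": lambda p: "../" in p,
    "command interpreter request": lambda p: "cmd.exe" in p or "/bin/sh" in p,
    "system file request": lambda p: "/etc/passwd" in p or "/winnt/" in p,
}


def normalize_path(path, max_rounds=3):
    """Percent-decode until the path stops changing (bounded), so a
    double-encoded separator such as %255c (-> %5c -> backslash) is seen
    in its final form; then fold backslashes into slashes and lower-case."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def parse_line(line):
    """Split one Common Log Format line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def findings_for(path):
    p = normalize_path(path)
    return [name for name, check in INDICATORS.items() if check(p)]


def scan_log(text):
    """Return (source, raw path, findings) for every request that trips an indicator."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        found = findings_for(rec["path"])
        if found:
            hits.append((rec["src"], rec["path"], found))
    return hits


if __name__ == "__main__":
    for src, path, found in scan_log(SAMPLE_LOG):
        print(f"{src:15} {', '.join(found)}\n    {path}")
```

The repeated decoding is the part worth copying: a single decode of `..%255c..` yields `..%5c..`, which contains no traversal pattern, and only the second pass exposes the backslash-separated `..\..`. Requests like these arrive whether or not your server is vulnerable, so a 404 in the log is not proof that nothing happened; it is the reason to take the advice above and have the server reviewed.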