Security Basics mailing list archives

RE: Incident response to being scanned


From: "Fields, James" <James.Fields () bcbsfl com>
Date: Fri, 25 Apr 2003 13:44:58 -0400

Bob,

I see the same here.  I'm also trying to come up with a standard methodology
for dealing with these.  We do automatic temporary blocking of source
addresses based on a limited selection of IDS signatures, but that doesn't
fix the problem - in particular a lot of these are probably coming from
infected systems elsewhere, and the owners may not know they have a problem.

At my company we have a Computer Security department that is supposed to
handle "policy" while I handle infrastructure - the actual implementation of
the corporate policy in the hardware.  Our CS guys have never given us a
really good incident response procedure to cover this.

In the absence of that, I have taken the stance that if it is one hit from
one source, I don't bother reporting it.  If it is true scanning - multiple
hits from the same source, or from several sources on the same subnet, I try
one (and only one) attempt to reach the abuse address for that network if
one exists.

By the way - I've been getting more and more from European colleges and
universities lately, and many from companies that have the same first octet
in the IP address block as ours.

-----Original Message-----
From: Bob Kelley [mailto:b0bk3ll3yjr () adelphia net] 
Sent: Friday, April 25, 2003 1:16 AM
To: security-basics () securityfocus com
Subject: Incident response to being scanned

In reviewing my firewall and web server logs, I see repeated attempts from
several IP addresses to scan my network as well as infect my webserver
with Code Red.  The source addresses are not always the same.  I am
confident that I don't have any holes in my firewall and my webserver is
up to date.  I perform weekly vulnerability scans of my equipment to make
sure I am covered.

What is considered the best practice for dealing with these incidents?
Should I be filing abuse reports with the ISPs of the source IPs?  This
obviously takes time.  I am looking for a business case to justify the
time spent responding.

Thanks
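
The triage rule James describes above (ignore a single hit from one source; treat repeated hits from one source, or hits from several sources on one subnet, as a scan; make one and only one attempt to reach that network's abuse contact) written out as a small Python filter over constructed firewall log lines. This is an added example, not code from either poster; the log format, signature names, addresses and the /24 subnet boundary are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real traffic):
# "<timestamp> <src_ip> <dst_port> <IDS signature>"
SAMPLE_LOG = """\
2003-04-25T01:02:03 198.51.100.7 80 CodeRed-GET-default.ida
2003-04-25T01:02:09 198.51.100.7 80 CodeRed-GET-default.ida
2003-04-25T01:05:40 203.0.113.21 80 CodeRed-GET-default.ida
2003-04-25T01:05:41 203.0.113.22 80 CodeRed-GET-default.ida
2003-04-25T01:05:42 203.0.113.23 80 CodeRed-GET-default.ida
2003-04-25T02:00:00 192.0.2.9 443 SSL-probe
"""

def parse_log(text):
    """Yield (src_ip, dst_port, signature) from the assumed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _ts, src, port, sig = parts
            yield ip_address(src), int(port), sig

def triage(text, already_reported=()):
    """Classify sources and decide which networks to contact.

    Returns (ignored, scans, to_report):
      ignored    - sources with exactly one hit and no neighbours (no report)
      scans      - /24 network -> sorted sources judged to be scanning
      to_report  - networks not yet contacted (one attempt per network)
    """
    hits = defaultdict(int)
    for src, _port, _sig in parse_log(text):
        hits[src] += 1
    # Group sources by /24 so "several sources on the same subnet" is visible
    by_net = defaultdict(set)
    for src in hits:
        by_net[ip_network(f"{src}/24", strict=False)].add(src)
    ignored, scans = set(), {}
    for net, srcs in by_net.items():
        repeated = any(hits[s] > 1 for s in srcs)
        if repeated or len(srcs) > 1:
            scans[net] = sorted(srcs)
        else:
            ignored.update(srcs)
    reported = {ip_network(n) for n in already_reported}
    to_report = sorted(n for n in scans if n not in reported)
    return ignored, scans, to_report
```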

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place.  http://www.securityfocus.com/BlackHat-security-basics 
----------------------------------------------------------------------------