Security Basics mailing list archives

Re: Incident response to being scanned

From: "security () nuvox net" <security () nuvox net>
Date: 25 Apr 2003 16:44:46 -0400

Yes, you should file complaints with the responsible ISP(s).

From the ISP POV, one complaint may not make a blip, but it will work

towards hitting the 'issue' threshold.  That is, an ISP may ignore one
complaint about one IP, but multiple complaints raise the likelihood of
action being taken.

Depending on the apps involved, setting your own thresholds is of course
recommended.  One hit on your network may not warrant a complaint, but
1000 hits definately should.

One option: Create a generic email that you can simply plug the
offending IP and log files in to. Detail that your network detected this
issue and you are reporting it. Include the IP range your network uses
(you don't have to be IP specific), the type of software you used to
discover the hit, and your contact info. Be cordial.  This option
requires some time to create initially, but sets you up to generate
complaints with very little effort. 

The most important thing you can do is keep your network up to date, and
it sounds like you've got that down. Don't scan 'attackers' and don't
try to contact them directly.

--
Scott Lesley
(nifty signature withheld)

 


On Fri, 2003-04-25 at 01:16, Bob Kelley wrote:



In reviewing my firewall and web server logs, I see repeated attempts from 
several ip addresses to scan my network as well as infect my webserver 
with code red.  The source addresses are not always the same.  I am 
confident that I don't have any holes in my firewall and my webserver is 
up to date.  I perform weekly vulnerability scans of my equipment to make 
sure I am covered. 

What is considered the best practice for dealing with these incidents? 
Should I be filing abuse reports with the ISPs of the source IPs?  This 
obviously takes time.  I am looking for a business case to justify the 
time spent responding.  

Thanks



---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place.  http://www.securityfocus.com/BlackHat-security-basics 
----------------------------------------------------------------------------

Current thread:

Incident response to being scanned Bob Kelley (Apr 25)
- RE: Incident response to being scanned David Gillett (Apr 28)
- Re: Incident response to being scanned security () nuvox net (Apr 28)
- <Possible follow-ups>
- RE: Incident response to being scanned Fields, James (Apr 28)
- RE: Incident response to being scanned Allan Schon (Apr 28)
- Re: Incident response to being scanned H Carvey (Apr 28)
- Re: RE: Incident response to being scanned Bob Kelley (Apr 28)
  - RE: RE: Incident response to being scanned Security News (Apr 28)
- Re: Incident response to being scanned Paris Stone (Apr 28)
- Re: RE: Incident response to being scanned Frank Gearhart (Apr 29)