Security Incidents mailing list archives
RE: What to do if they ignore you
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 14 Apr 2005 15:46:45 -0700
Several people have assumed that these "probes" are not "attacks". I see nothing in your description to warrant this assumption; the persistence and the fact that the traffic seems to be local to a particular /16 sounds to me very like one of the worms that spreads via CIFS (with weak/missing passwords).

I do, however, concur that there is very little you can do about a network block whose admins ignore legitimate complaints, except attempt to escalate to their upstream provider. There's a chance that this is also your customers' upstream provider, and that they can be motivated to avoid a recommendation that those customers take their business elsewhere....

Oh, and generally networks shouldn't accept 445/CIFS traffic from the Internet -- block it and move along.

David Gillett
-----Original Message-----
From: Skip Carter [mailto:skip () taygeta com]
Sent: Wednesday, April 13, 2005 10:30 AM
To: incidents () securityfocus com
Subject: What to do if they ignore you

Hello,

My company provides outsource security management/monitoring services. In early March we noticed that several of our clients that are in the same /16 block were getting persistent port 445 probes from a couple of systems from a very large corporation's satellite office which is on the same /16 block.

I have repeatedly called the company's security manager (on the US east coast) and talked to people at the company's headquarters (on the US west coast). They take my information (I have shown them firewall logs, IDS logs, captured packet traces, and honeypot sessions) but nothing is done about these probes (typically around 1500/day).

We have black-holed connections from the offending network block, but many of our clients are small and do not have firewalls with the resources to handle huge lists of blacklisted networks.

It has been over a month now, and nothing has changed. They seem to be unable or unwilling to fix their own systems when they have all the information they could ask for in order to track the problem down.

Does anybody have any suggestions on what to do to make Goliath behave when you are David?

--
Dr. Everett (Skip) Carter
Taygeta Network Security Services
1340 Munras Ave., Suite 314
Monterey, CA 93940
Phone: 831-641-0645
FAX: 831-641-0647
email: skip () taygeta net
WWW: http://www.taygeta.net/
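As an added example (not code from either poster), the following Python script does what Skip describes doing by hand: it counts dropped TCP/445 connections per source and per day from firewall logs, flags sources that keep coming back, and computes the single CIDR a small firewall could block instead of a long blacklist. The log format and all addresses are constructed for the example, and the script refuses to widen the block past a configurable prefix, since in this thread the offending hosts share a /16 with the victims.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample firewall log (not from the thread):
# "<date> <time> DROP <src_ip> <dst_ip> <proto> <dst_port>"
SAMPLE_LOG = """\
2005-04-12 03:01:10 DROP 192.0.2.17 198.51.100.5 TCP 445
2005-04-12 03:01:11 DROP 192.0.2.17 198.51.100.6 TCP 445
2005-04-12 03:01:12 DROP 192.0.2.40 198.51.100.5 TCP 445
2005-04-12 03:05:00 DROP 203.0.113.9 198.51.100.5 TCP 22
2005-04-13 11:14:02 DROP 192.0.2.17 198.51.100.5 TCP 445
2005-04-13 11:14:03 DROP 192.0.2.40 198.51.100.7 TCP 445
2005-04-13 11:14:04 DROP 192.0.2.40 198.51.100.7 TCP 445
2005-04-13 12:00:00 DROP 198.51.100.77 198.51.100.5 TCP 445
"""

LINE_RE = re.compile(r"^(\S+) \S+ DROP (\S+) \S+ (TCP|UDP) (\d+)$")


def count_445_probes(log_text):
    """Return {src_ip: {day: hits}} counting only dropped TCP/445 attempts."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        day, src, proto, port = m.groups()
        if proto == "TCP" and port == "445":
            hits[src][day] += 1
    return hits


def persistent_sources(hits, min_days=2, min_hits_per_day=1):
    """Sources seen probing 445 on at least min_days distinct days (persistence,
    not a one-off, is what separates a worm-infected host from background noise)."""
    return sorted(src for src, per_day in hits.items()
                  if sum(1 for n in per_day.values() if n >= min_hits_per_day) >= min_days)


def covering_prefix(addrs, min_prefixlen=24):
    """Smallest single CIDR covering all addrs, so a small firewall needs one rule.
    Raises ValueError rather than widening past min_prefixlen: the offenders here
    share a /16 with the clients, so a sweeping block would also cut off legitimate peers."""
    nets = [ipaddress.ip_network(a) for a in addrs]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
        if net.prefixlen < min_prefixlen:
            raise ValueError(f"{net} is wider than /{min_prefixlen}; block hosts individually")
    return net
```

Running `covering_prefix(persistent_sources(count_445_probes(SAMPLE_LOG)))` on the sample gives `192.0.2.0/26`, one rule covering both repeat offenders while leaving the rest of the /16 alone.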