Security Incidents mailing list archives

RE: What to do if they ignore you


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 14 Apr 2005 15:46:45 -0700

  Several people have assumed that these "probes" are not "attacks".
I see nothing in your description to warrant this assumption; the
persistence and the fact that the traffic seems to be local to a 
particular /16 sounds to me very like one of the worms that spreads
via CIFS (with weak/missing passwords).

  I do, however, concur that there is very little you can do about 
a network block whose admins ignore legitimate complaints, except 
attempt to escalate to their upstream provider.  There's a chance 
that this is also your customers' upstream provider, and that they
can be motivated to avoid a recommendation that those customers take
their business elsewhere....
  Oh, and generally networks shouldn't accept 445/CIFS traffic from 
the Internet -- block it and move along.

David Gillett


-----Original Message-----
From: Skip Carter [mailto:skip () taygeta com]
Sent: Wednesday, April 13, 2005 10:30 AM
To: incidents () securityfocus com
Subject: What to do if they ignore you



Hello,

My company provides outsource security management/monitoring services.

In early March we noticed that several of our clients that are in the
same /16 block were getting persistent port 445 probes from a couple
of systems from a very large corporation's satellite office which is
on the same /16 block.

I have repeatedly called the company's security manager (on the US east
coast) and talked to people at the company's headquarters (on the US
west coast).  They take my information (I have shown them firewall logs,
IDS logs, captured packet traces, and honeypot sessions) but nothing is
done about these probes (typically around 1500/day).

We have black-holed connections from the offending network block, but many
of our clients are small and do not have firewalls with the resources to
handle huge lists of blacklisted networks.

It has been over a month now, and nothing has changed.  They seem to be
unable or unwilling to fix their own systems when they have all the
information they could ask for in order to track the problem down.

Does anybody have any suggestions on what to do to make Goliath behave
when you are David?


-- 
 Dr. Everett (Skip) Carter           Phone: 831-641-0645 FAX: 831-641-0647
 Taygeta Network Security Services   email: skip () taygeta net
 1340 Munras Ave., Suite 314         WWW: http://www.taygeta.net/
 Monterey, CA. 93940
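
The two practical points in this exchange, David's advice to drop 445/CIFS from the Internet at the edge and Skip's problem that small firewalls cannot carry a long per-host blacklist, as an added example that is not code from either poster. It reads constructed netfilter/iptables-style syslog lines (not the logs Skip collected), counts SYNs to SMB ports per source, merges noisy sources that share a /24 into one prefix so the block list stays short, and renders iptables rules. The sample lines, the interface name eth0, the two-hit threshold and the /24 aggregation width are assumptions, and the blanket rule goes beyond the single port in the thread by also dropping the NetBIOS ports 137-139.

```python
"""Aggregate SMB/CIFS probe sources from firewall logs into a short block list."""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in netfilter LOG-target syslog style.
# These are illustrative only, not the traces discussed in the thread.
SAMPLE_LOG = """\
Apr 13 09:01:02 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3101 DPT=445 SYN
Apr 13 09:01:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3102 DPT=445 SYN
Apr 13 09:01:09 fw kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.7 PROTO=TCP SPT=3120 DPT=445 SYN
Apr 13 09:02:14 fw kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.9 PROTO=TCP SPT=3121 DPT=445 SYN
Apr 13 09:02:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 PROTO=TCP SPT=44021 DPT=80 SYN
Apr 13 09:03:01 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=3103 DPT=139 SYN
"""

# Pull the source address and TCP destination port out of one log line.
LINE_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

# TCP ports carrying SMB/CIFS (445) and NetBIOS session service (139).
SMB_TCP_PORTS = (445, 139)


def count_smb_probes(log_text, ports=SMB_TCP_PORTS):
    """Return a Counter mapping source IP -> number of SYNs to SMB ports."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dpt")) in ports:
            hits[m.group("src")] += 1
    return hits


def summarize_sources(hits, min_hits=2, max_prefix=24):
    """Turn per-host probe counts into a short list of networks to block.

    Hosts with fewer than min_hits probes are ignored as noise.  Noisy hosts
    that share a /max_prefix are replaced by that single prefix, so a firewall
    with a small rule table gets one rule per offending subnet rather than one
    per host.  The threshold and prefix width are assumptions for this example.
    """
    groups = {}
    for src, n in hits.items():
        if n < min_hits:
            continue
        host = ipaddress.ip_network(src)  # a /32 for a bare address
        key = host.supernet(new_prefix=max_prefix)
        groups.setdefault(key, []).append(host)
    nets = [prefix if len(hosts) > 1 else hosts[0] for prefix, hosts in groups.items()]
    # collapse_addresses also merges adjacent prefixes into a larger one
    return sorted(ipaddress.collapse_addresses(nets))


def iptables_rules(nets, wan_if="eth0"):
    """Render iptables commands: one source drop per aggregated network, then
    a blanket drop of SMB/CIFS and NetBIOS arriving on the Internet-facing
    interface (wan_if is an assumed name)."""
    rules = [f"iptables -A INPUT -i {wan_if} -s {net} -j DROP" for net in nets]
    rules.append(
        f"iptables -A INPUT -i {wan_if} -p tcp -m multiport --dports 139,445 -j DROP"
    )
    rules.append(
        f"iptables -A INPUT -i {wan_if} -p udp -m multiport --dports 137,138 -j DROP"
    )
    return rules


if __name__ == "__main__":
    probes = count_smb_probes(SAMPLE_LOG)
    for src, n in probes.most_common():
        print(f"{src:16} {n} SMB SYNs")
    for rule in iptables_rules(summarize_sources(probes)):
        print(rule)
```

The per-source drops are only a stopgap for the period before the remote admins clean up; the last two rules are the durable fix David suggests, since a host that never accepts SMB from the Internet does not care how many probes arrive.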