Firewall Wizards mailing list archives
RE: Response to door knocking
From: "Webb, Andy" <Andy.Webb () swinc com>
Date: Wed, 3 Feb 1999 11:38:50 -0600

I usually try to at least make the "dog growl" to continue the analogy. There have been cases where the source was a compromised system - but the admin of that system was quite appreciative of the heads up. Most cases are dial-up users. If they are coming in (apparently) from somewhere that resolves (@home, ATT, etc.) then I send a note to the abuse line.

"Hi, Mrs. Wilson? ... Yes, well, your kids shouldn't be poking around, peeking in my windows, trying the doors and such. It's rude. ... Yes, I do keep an eye on things like that. ... Bye now."

=======================================================
Andy Webb            awebb () swinc com    www.swinc.com
Simpler-Webb, Inc.   Austin, TX            512-322-0071
"Mauve has more RAM" - Dilbert
=======================================================

-----Original Message-----
From: Damir Rajnovic [mailto:Damir.Rajnovic () eurocert net]
Sent: Tuesday, February 02, 1999 3:21 AM
To: Robert Graham; firewall-wizards () nfr net
Subject: Re: Response to door knocking

Hello there,

At 22:25 -0800 28/1/99, Robert Graham wrote:
> What are some legitimate responses to door knocking? Sending out
> automated e-mail seems to be a pathological response given the
> likelihood that IP addresses can be spoofed. How about these ideas:
[rest deleted]

I would like to add just a few more things that you should consider. Apart from that packets may be spoofed, many probes are originated from dial-in accounts. Not all providers will give static IP addresses to their clients so your information will not lead you anywhere far. While doing your probes you might be perceived as someone who is attacking the ISP and I guess that you do not want that.

Another not uncommon scenario is that the villain is connected to the Internet using a dial-in account, then logs in to a previously compromised site and then makes further probes from there. So you'll end up probing an innocent site.

An extreme case is when there is no associated machine with that particular IP number.

> Assuming that you take care of the obvious pathological cases (be
> careful about false positives, IP spoofing, and throttling the rate at
> which you send such messages, etc.), are there any problems with this
> scheme?

I think yes, not necessarily technical ones. People usually do not expect to be probed back as a response. I am talking about white-hat admins whose machines have been illegally used for malicious probing.

If you discover that someone is probing you the best thing to do is to report that to the contact admin or, even better, report that to CERT or law enforcement and let them deal with it.

Cheers,

Gaus

==========
EuroCERT is operating an incident co-ordination role for the European IRT community. In that sense we would appreciate being included on the "Cc:" line of any messages you may send to other sites regarding intruder activity as long as at least one site is European. Alternatively you may send a message direct to us and we will try to locate an appropriate contact within Europe or abroad.
==========
---------------------------------------------------------------
EuroCERT                   tel: (+44 1235) 822 382
c/o UKERNA                 fax: (+44 1235) 822 398
Atlas Centre               http://www.eurocert.net
Chilton, Didcot
Oxfordshire OX11 0QS, UK