Security Incidents mailing list archives
Re: Template Admin Notification
From: Glenn Forbes Fleming Larratt <glratt () IO COM>
Date: Thu, 25 Jan 2001 17:49:15 -0600
I respectfully disagree - if such attacks were an exception case, I'd happily devote the time and resources to such an approach, but we get portscanned two to six times every single day. Point by point:

1. I agree - but such compromise is affecting the security of my network. I will exercise due diligence in reporting, but I'm going to protect my network as well as I can first. Our SOP calls for blocking as little as possible, and for keeping admin e-mail flowing if possible, but if you're scanning my network for vulnerabilities, I'm going to block you.

2. Agreed, but we do make a concerted e-mail effort to report far enough across the board that at least one white hat hears of it. Furthermore, if they're using a brute force scan, chances are they don't care if you complain, because they're "drive-by" attacking.

3. ...if they're in the U.S., which most of them are not. Why ought I to spend my budget making long distance (or international) phone calls when I have Internet e-mail in front of me, and it's already paid for? This goes hand in hand with the tenet about keeping admin e-mail flowing. Further, the sort of necessary data is much more efficiently and correctly communicated via e-mail.

4. The fact that we blocked the offending traffic soon after we detected it should be message enough. If I tell you that I'm not accepting your traffic, and you do nothing, then I continue to not accept your packets. The onus of doing nothing is borne by those who will not respond to complaints. If, on the other hand, you secure the machine and tell me so, I will without hesitation reinstate you. That too is part of our SOP.

It is my experience that fewer than 10% of the complaints we send elicit a response. Further, I've tried the phone call route - I got told by some numbnuts that "scanning isn't against the law".

I frankly find it less wasteful of my time to block offending networks and deal from a position of strength, rather than talk to people on the phone who simply don't grok, or don't care.

-g

On Thu, 25 Jan 2001, Tim wrote:
IMHO, if you're really serious about helping stop whoever is attacking you, rather than checking the "I tried to contact them" box, you should be using other than e-mail to contact someone whose host sends malicious traffic at your site.

1. You are most likely seeing traffic from a compromised system.

2. If you suspect that the system is compromised, whoever compromised the system may see or intercept your email message, giving them ample opportunity to clean up after themselves.

3. Even if whois doesn't have a phone number, it only takes about 2 more minutes to find one.

4. The fact that you took the time to call sends the message that this matters to you, and that you care about your system's security far more strongly than a form letter.

Tim

-----Original Message-----
From: Alfred Huger [mailto:ah () SECURITYFOCUS COM]
Sent: Wednesday, January 24, 2001 8:10 AM
Subject: Template Admin Notification

Does anyone on the list have a default template email they use to notify admins of attacks from their networks? I would be interested in seeing them posted to the list (or to myself directly if that's not possible).

Cheers,
-al
"Vae Victis"
SecurityFocus.com
-- Glenn Forbes Fleming Larratt The Lab Ratt (not briggs :-) glratt () io com http://www.io.com/~glratt There are imaginary bugs to chase in heaven.