Snort mailing list archives

Re: I'm being attacked, now what?

From: Tremaine Lea <Tremaine () cavelier net>
Date: Sat, 16 Jun 2001 00:02:53 -0600


I think I might be able to shed some unique insight into this one, although I 
have to say Bob has the right of it.  

I work in the AUP department of one the larger ISP's in North America.  
Ideally what we like to see is a time/date stamped log that shows the 
attacking IP address, along with source and destination port.  Big hint... 
don't submit multiple IP's in one complaint.  It makes our job harder.  And 
if you really want to win our attention, have a short description of the 
problem in the subject.  Your's may not be the only attack to be reported 
regarding that IP, and we love it when we can group them <g>

ie Subject : IP address/ tcp portscan

Or something along those lines.  Oh yeah, and don't swear at us.  We 
eventually have to contact the 'offender' and we take enough abuse from them! 
 A great many of the complaints we recieve turn out to be as a result of a 
compromised machine being used as a zombie.  So please don't assume that the 
IP attacking you is the genuine source of the attack.  At the very least you 
are helping secure one more machine on the internet, thereby closing it off 
to a hacker or s'kiddie.

About the only other thing I can suggest is do a bit of research before you 
submit the info to us.  You can't imagine how frustrating it is to recieve a 
blistering letter from someone demanding we 'take down and eliminate' a user 
because they had the audacity to ping someones machine... once.  Weigh the 
severity of the attack and report accordingly.  A couple of 'icmp 
unreachables' do not an attack make ;)



On Friday 15 June 2001 17:00, Bob Staaf wrote:

Paul,

     The technical contact should but good and most ISPs have an email
address similar to abuse () domain com or webmaster () domain com or visit the
ISP website and check to see how to report network abuse, most have that
info on their site.  I usually attach the corresponding parts of the log
with my IP anonymousified so they can see the details of the attack.

Bob

----- Original Message -----
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
To: "'Bob Staaf '" <rstaaf () cfl rr com>; "Sheahan, Paul (PCLN-NW)"
<Paul.Sheahan () priceline com>; <Snort-users () lists sourceforge net>
Sent: Friday, June 15, 2001 6:47 PM
Subject: RE: [Snort-users] I'm being attacked, now what?

I agree with you Bob....I have a LOT of other things I need to be doing
rather than whining to ISPs all day. Typically, where are complaints
sent, to the technical contact who owns the address space or
"security () isp com"

or

something similar? Would it be a good idea to include sniffer traces with
the complaint? What info is best to send over?

Thanks again!

-----Original Message-----
From: Bob Staaf
To: Sheahan, Paul (PCLN-NW); Snort-users () lists sourceforge net
Sent: 6/15/01 4:05 PM
Subject: Re: [Snort-users] I'm being attacked, now what?

Paul,

     I started out in the beginning whining to every ISP I could track
down.
You would have to hire a person full time do that if that is what you
wanted
to do.  I typically whine if they scan more than a 3 or 4 ports on any
one
server at once.  I also whine if they do certain types of scans that a
typical script kiddie wouldn't be running.  You might also want to
complain
if you see the same IP hitting your server day after day after day even
if
they only do one scan once a day, they may be trying to be
inconspicuous,
hoping you will miss them.  Just some of the things to think about.  You
might want to look at something to help manage the logs like Acid or
some
other product, it will make the job much easier to spot trends.
     You know your management better than anyone but, the BEST security
measure you can take is knowing what is going on with your network and
keeping a close eye on the logs is one of the best ways to do that.

Hope this helps

Bob Staaf
Southern Web Services
Orlando, Fl

----- Original Message -----
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
To: <Snort-users () lists sourceforge net>
Sent: Friday, June 15, 2001 3:12 PM
Subject: [Snort-users] I'm being attacked, now what?

I wanted to get some feedback from others out there on how they handle
attacks, whether successful or unsuccessful. I see what appears to be


valid

attacks in small numbers from random machines. Occasionally, I see


tons of

different attacks coming from ONE machine. Though all attacks are
unsuccessful, when does someone scream to the ISP to tell them to stop


their

client, and when does one just ignore it?

It would obviously be VERY time consuming (and a waste of time) to


send

complaints to every ISP. What do people recommend out there....maybe


only

send a complaint when attacks from one node become ridiculously large,


or
if

they successfully break in?

The logs are nice to have, but I know management will ask what are we


doing

about the attacks we are seeing and what is the time you are spending
maintaining the IDS server doing for the company?

Thanks

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- 
Tremaine Lea

Doing things the hard way.  Every time.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

I'm being attacked, now what? Sheahan, Paul (PCLN-NW) (Jun 15)
- Re: I'm being attacked, now what? Paulie (Jun 15)
- Re: I'm being attacked, now what? Bob Staaf (Jun 15)
- <Possible follow-ups>
- RE: I'm being attacked, now what? Sheahan, Paul (PCLN-NW) (Jun 15)
  - Re: I'm being attacked, now what? Bob Staaf (Jun 15)
    - Re: I'm being attacked, now what? Tremaine Lea (Jun 15)
- RE: I'm being attacked, now what? Sheahan, Paul (PCLN-NW) (Jun 15)
  - RE: I'm being attacked, now what? Ryan Russell (Jun 18)