Security Basics mailing list archives
Re: Incident response to being scanned
From: "security () nuvox net" <security () nuvox net>
Date: 25 Apr 2003 16:44:46 -0400
Yes, you should file complaints with the responsible ISP(s).
From the ISP POV, one complaint may not make a blip, but it will work
towards hitting the 'issue' threshold. That is, an ISP may ignore one complaint about one IP, but multiple complaints raise the likelihood of action being taken. Depending on the apps involved, setting your own thresholds is of course recommended. One hit on your network may not warrant a complaint, but 1000 hits definately should. One option: Create a generic email that you can simply plug the offending IP and log files in to. Detail that your network detected this issue and you are reporting it. Include the IP range your network uses (you don't have to be IP specific), the type of software you used to discover the hit, and your contact info. Be cordial. This option requires some time to create initially, but sets you up to generate complaints with very little effort. The most important thing you can do is keep your network up to date, and it sounds like you've got that down. Don't scan 'attackers' and don't try to contact them directly. -- Scott Lesley (nifty signature withheld) On Fri, 2003-04-25 at 01:16, Bob Kelley wrote:
In reviewing my firewall and web server logs, I see repeated attempts from several ip addresses to scan my network as well as infect my webserver with code red. The source addresses are not always the same. I am confident that I don't have any holes in my firewall and my webserver is up to date. I perform weekly vulnerability scans of my equipment to make sure I am covered. What is considered the best practice for dealing with these incidents? Should I be filing abuse reports with the ISPs of the source IPs? This obviously takes time. I am looking for a business case to justify the time spent responding. Thanks
--------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-security-basics ----------------------------------------------------------------------------
Current thread:
- Incident response to being scanned Bob Kelley (Apr 25)
- RE: Incident response to being scanned David Gillett (Apr 28)
- Re: Incident response to being scanned security () nuvox net (Apr 28)
- <Possible follow-ups>
- RE: Incident response to being scanned Fields, James (Apr 28)
- RE: Incident response to being scanned Allan Schon (Apr 28)
- Re: Incident response to being scanned H Carvey (Apr 28)
- Re: RE: Incident response to being scanned Bob Kelley (Apr 28)
- RE: RE: Incident response to being scanned Security News (Apr 28)
- Re: Incident response to being scanned Paris Stone (Apr 28)
- Re: RE: Incident response to being scanned Frank Gearhart (Apr 29)