Security Basics mailing list archives
Re: Incident response to being scanned
From: "Paris Stone" <paris () ciscoinstructor com>
Date: Mon, 28 Apr 2003 16:31:21 +0000
I'm getting the same thing on my cable feed. I started blacklisting with ip-tables and relized that I was blacklisting entire 'cable modem service provider' networks. I'm not too worried about my linux/apache box being infected w/ code red but the bandwidth being consumed by all the zombie machines out there is a big problem. Make that note to the ISP of the offending box and I'm sure their staff will want to 're-claim' the wasted bandwidth. It worked for me on a couple of occasions. security () nuvox net (security () nuvox net) wrote:
Yes, you should file complaints with the responsible ISP(s).From the ISP POV, one complaint may not make a blip, but it will worktowards hitting the 'issue' threshold. That is, an ISP may ignore one complaint about one IP, but multiple complaints raise the likelihood of action being taken. Depending on the apps involved, setting your own thresholds is of course recommended. One hit on your network may not warrant a complaint, but 1000 hits definately should. One option: Create a generic email that you can simply plug the offending IP and log files in to. Detail that your network detected this issue and you are reporting it. Include the IP range your network uses (you don't have to be IP specific), the type of software you used to discover the hit, and your contact info. Be cordial. This option requires some time to create initially, but sets you up to generate complaints with very little effort. The most important thing you can do is keep your network up to date, and it sounds like you've got that down. Don't scan 'attackers' and don't try to contact them directly. On Fri, 2003-04-25 at 01:16, Bob Kelley wrote:In reviewing my firewall and web server logs, I see repeated attempts from several ip addresses to scan my network as well as infect my webserver with code red. The source addresses are not always the same. I am confident that I don't have any holes in my firewall and my webserver is up to date. I perform weekly vulnerability scans of my equipment to make sure I am covered. What is considered the best practice for dealing with these incidents? Should I be filing abuse reports with the ISPs of the source IPs? This obviously takes time. I am looking for a business case to justify the time spent responding. Thanks--------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-security-basics ----------------------------------------------------------------------------
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Paris Stone CISSP, CCNP, CNE/CNI, MCSE/MCT, Master CIW Administrator, CIW Security Analyst, NSA A+, Network+, iNet+ http://www.ciscoinstructor.net/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "The rich man is not the one with the most, but the one who needs the least" --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-security-basics ----------------------------------------------------------------------------
Current thread:
- Incident response to being scanned Bob Kelley (Apr 25)
- RE: Incident response to being scanned David Gillett (Apr 28)
- Re: Incident response to being scanned security () nuvox net (Apr 28)
- <Possible follow-ups>
- RE: Incident response to being scanned Fields, James (Apr 28)
- RE: Incident response to being scanned Allan Schon (Apr 28)
- Re: Incident response to being scanned H Carvey (Apr 28)
- Re: RE: Incident response to being scanned Bob Kelley (Apr 28)
- RE: RE: Incident response to being scanned Security News (Apr 28)
- Re: Incident response to being scanned Paris Stone (Apr 28)
- Re: RE: Incident response to being scanned Frank Gearhart (Apr 29)