Re: Incident response to being scanned

["Paris Stone" <paris () ciscoinstructor com>]

I'm getting the same thing on my cable feed.  I started blacklisting with ip-tables
and relized that I was blacklisting entire 'cable modem service provider'
networks.  I'm not too worried about my linux/apache box being infected w/ code red
but the bandwidth being consumed by all the zombie machines out there is a big
problem.  Make that note to the ISP of the offending box and I'm sure their staff
will want to 're-claim' the wasted bandwidth.  It worked for me on a couple of
occasions.

security () nuvox net (security () nuvox net) wrote:
> Yes, you should file complaints with the responsible ISP(s).
>
> > From the ISP POV, one complaint may not make a blip, but it will work
> towards hitting the 'issue' threshold.  That is, an ISP may ignore one
> complaint about one IP, but multiple complaints raise the likelihood of
> action being taken.
>
> Depending on the apps involved, setting your own thresholds is of course
> recommended.  One hit on your network may not warrant a complaint, but
> 1000 hits definately should.
>
> One option: Create a generic email that you can simply plug the
> offending IP and log files in to. Detail that your network detected this
> issue and you are reporting it. Include the IP range your network uses
> (you don't have to be IP specific), the type of software you used to
> discover the hit, and your contact info. Be cordial.  This option
> requires some time to create initially, but sets you up to generate
> complaints with very little effort.
>
> The most important thing you can do is keep your network up to date, and
> it sounds like you've got that down. Don't scan 'attackers' and don't
> try to contact them directly.
>
>
>
>
>
> On Fri, 2003-04-25 at 01:16, Bob Kelley wrote:
> > In reviewing my firewall and web server logs, I see repeated attempts from
> > several ip addresses to scan my network as well as infect my webserver
> > with code red.  The source addresses are not always the same.  I am
> > confident that I don't have any holes in my firewall and my webserver is
> > up to date.  I perform weekly vulnerability scans of my equipment to make
> > sure I am covered.
> >
> > What is considered the best practice for dealing with these incidents?
> > Should I be filing abuse reports with the ISPs of the source IPs?  This
> > obviously takes time.  I am looking for a business case to justify the
> > time spent responding.
> >
> > Thanks
>
>
> ---------------------------------------------------------------------------
> Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
> world's premier event for IT and network security experts.  The two-day
> Training features 6 hand-on courses on May 12-13 taught by professionals.
> The two-day Briefings on May 14-15 features 24 top speakers with no vendor
> sales pitches.  Deadline for the best rates is April 25.  Register today to
> ensure your place.  http://www.securityfocus.com/BlackHat-security-basics
> ----------------------------------------------------------------------------

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Paris Stone
CISSP, CCNP, CNE/CNI, MCSE/MCT,
Master CIW Administrator, CIW Security Analyst, NSA
A+, Network+, iNet+
http://www.ciscoinstructor.net/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"The rich man is not the one with the most, but the one who needs the least"



---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place.  http://www.securityfocus.com/BlackHat-security-basics 
----------------------------------------------------------------------------