Re: RE: Incident response to being scanned

[Frank Gearhart <fgearhart () adelphia net>]

I agree.  At one job I noticed multiple (> 60/day) scans from two IP addresses.   After determining that the router was 
ignoring them as expected, I looked up the IP addresses and found out that both belonged to a national ISP. I emailed 
the ISP with my logs and forgot about it.  Other than filling my log files with entries, nothing bad was happening.

It does show that "scurity through obscurity"doesn't work.  We were  small local non-profit with no resources other 
than a network. 

Frank Gearhart
> From: "David Gillett" <gillettdavid () fhda edu>
> Date: 2003/04/25 Fri PM 02:18:31 EDT
> To: "'Bob Kelley'" <b0bk3ll3yjr () adelphia net>, 
>       <security-basics () securityfocus com>
> Subject: RE: Incident response to being scanned
>
> > -----Original Message-----
> > From: Bob Kelley [mailto:b0bk3ll3yjr () adelphia net]
> >
> > In reviewing my firewall and web server logs, I see repeated 
> > attempts from  several ip addresses to scan my network as 
> > well as infect my webserver  with code red.  The source 
> > addresses are not always the same.  I am  confident that I 
> > don't have any holes in my firewall and my webserver is  up 
> > to date.  I perform weekly vulnerability scans of my 
> > equipment to make  sure I am covered.   What is considered 
> > the best practice for dealing with these incidents?  Should I 
> > be filing abuse reports with the ISPs of the source IPs?  
> > This  obviously takes time.  I am looking for a business case 
> > to justify the  time spent responding.    Thanks
>
>   If a machine is infected with Code Red at this point, it
> probably means that there is nobody who
>
>   (a) understands the problem, and
>   (b) cares about fixing it, and
>   (c) can be found using available tools like whois.
>
> i.e., the best use of your time is to make sure you're not
> vulnerable, and move on.
>
> Dave Gillett
>
>
>
> ---------------------------------------------------------------------------
> Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
> world's premier event for IT and network security experts.  The two-day 
> Training features 6 hand-on courses on May 12-13 taught by professionals.  
> The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
> sales pitches.  Deadline for the best rates is April 25.  Register today to 
> ensure your place.  http://www.securityfocus.com/BlackHat-security-basics 
> ----------------------------------------------------------------------------

Frank Gearhart
Colorado Springs, CO
fgearhart () adelphia net


---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most 
recognized corporate security certification track, provides a comprehensive 
prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case 
studies and true hands-on utilization 
of pertinent security tools. For a limited time you can enter for a chance 
to win one of the latest technological innovations, the SEGWAY HT. 
Log onto http://www.securityfocus.com/FastTrain-security-basics 
----------------------------------------------------------------------------