Security Basics mailing list archives
Re: RE: Incident response to being scanned
From: Frank Gearhart <fgearhart () adelphia net>
Date: Mon, 28 Apr 2003 20:29:01 -0400
I agree. At one job I noticed multiple (> 60/day) scans from two IP addresses. After determining that the router was ignoring them as expected, I looked up the IP addresses and found out that both belonged to a national ISP. I emailed the ISP with my logs and forgot about it. Other than filling my log files with entries, nothing bad was happening. It does show that "scurity through obscurity"doesn't work. We were small local non-profit with no resources other than a network. Frank Gearhart
From: "David Gillett" <gillettdavid () fhda edu> Date: 2003/04/25 Fri PM 02:18:31 EDT To: "'Bob Kelley'" <b0bk3ll3yjr () adelphia net>, <security-basics () securityfocus com> Subject: RE: Incident response to being scanned-----Original Message----- From: Bob Kelley [mailto:b0bk3ll3yjr () adelphia net] In reviewing my firewall and web server logs, I see repeated attempts from several ip addresses to scan my network as well as infect my webserver with code red. The source addresses are not always the same. I am confident that I don't have any holes in my firewall and my webserver is up to date. I perform weekly vulnerability scans of my equipment to make sure I am covered. What is considered the best practice for dealing with these incidents? Should I be filing abuse reports with the ISPs of the source IPs? This obviously takes time. I am looking for a business case to justify the time spent responding. ThanksIf a machine is infected with Code Red at this point, it probably means that there is nobody who (a) understands the problem, and (b) cares about fixing it, and (c) can be found using available tools like whois. i.e., the best use of your time is to make sure you're not vulnerable, and move on. Dave Gillett --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-security-basics ----------------------------------------------------------------------------
Frank Gearhart Colorado Springs, CO fgearhart () adelphia net --------------------------------------------------------------------------- FastTrain has your solution for a great CISSP Boot Camp. The industry's most recognized corporate security certification track, provides a comprehensive prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case studies and true hands-on utilization of pertinent security tools. For a limited time you can enter for a chance to win one of the latest technological innovations, the SEGWAY HT. Log onto http://www.securityfocus.com/FastTrain-security-basics ----------------------------------------------------------------------------
Current thread:
- Incident response to being scanned Bob Kelley (Apr 25)
- RE: Incident response to being scanned David Gillett (Apr 28)
- Re: Incident response to being scanned security () nuvox net (Apr 28)
- <Possible follow-ups>
- RE: Incident response to being scanned Fields, James (Apr 28)
- RE: Incident response to being scanned Allan Schon (Apr 28)
- Re: Incident response to being scanned H Carvey (Apr 28)
- Re: RE: Incident response to being scanned Bob Kelley (Apr 28)
- RE: RE: Incident response to being scanned Security News (Apr 28)
- Re: Incident response to being scanned Paris Stone (Apr 28)
- Re: RE: Incident response to being scanned Frank Gearhart (Apr 29)