Re: what should I do when....

[Adriel Desautels <adriel () netragard com>]

Philippe,
    What you are suggesting is a waste of time. Most buisnessea don't  
have time to call their ISP's every time they get scanned. Accept the  
fact that you will get scanned and react to attacks that matter. Time  
is money don't waste it chasing ghosts.

Regards,
     Adriel T. Desautels
     Mobile: 617-633-3821
     Sent from mobile device.

On Jul 7, 2008, at 12:53 PM, "Rivest, Philippe"  
<PRivest () transforce ca> wrote:

> This is not a good practice.
> If you just tolerate brute forcing and scanning you are on the wrong  
> track.
> Imagine if the network usage would double or triple because of these
> behavior. When will you start to report this to your ISP? When will  
> you start
> to pressure them that they have clients that need & WANT a secure  
> service
> (ISP)?
>
> As I stated, you should follow your internal procedure, hardened you  
> device
> after your investigation (&before also..) and contact your ISP.
>
> When you have a contract with your ISP you should have a contact for
> *emergency*. Contact him or normal enterprise service level and have  
> them
> take a look at the situation.
>
> Not doing anything is just accepting that you can be probe and  
> that's not
> very wise.
>
> **Also note that if the guy whos probing you knows nobody ever  
> contacts the
> ISP for investigation.. do you really think his gonna do nice and  
> limited
> (rate) scans? His gonna pop everything he has against you to do a  
> full &
> extensive & complet scan.
>
>
> Merci / Thanks
> Philippe Rivest, CEH
> Vérificateur interne en sécurité de l'information
> Courriel: Privest () transforce ca
> Téléphone: (514) 331-4417
> www.transforce.ca
>
> Vous pourriez imprimer ce courriel, mais faire pousser un arbre  
> c'est long.
> You could print this email, but it does takes a long time to grow  
> trees.
>
>
> -----Message d'origine-----
> De : listbounce () securityfocus com  
> [mailto:listbounce () securityfocus com] De la
> part de Sergio Castro
> Envoyé : 4 juillet 2008 19:51
> À : 'Jorge L. Vazquez'; 'security-basics';
> security-basics-sc.1207759308.halobnafecliebdpegpn- 
> Jlvazquez825=gmail.com@sec
> urityfocus.com; 'security focus listbounce'
> Objet : RE: what should I do when....
>
> Hi Jorge,
>
> My recommendation, other than make sure your public IP systems are  
> properly
> hardened, is to do nothing. Continuous scans and brute force login  
> attempts
> are the norm on the Internet. For every ISP that pays attention to  
> your
> complaints, 10 will ignore you.
>
> - Sergio
>
> -----Mensaje original-----
> De: listbounce () securityfocus com  
> [mailto:listbounce () securityfocus com] En
> nombre de Jorge L. Vazquez
> Enviado el: Jueves, 03 de Julio de 2008 09:05 p.m.
> Para: security-basics;
> security-basics-sc.1207759308.halobnafecliebdpegpn- 
> Jlvazquez825=gmail.com@se
> curityfocus.com; security focus listbounce
> Asunto: what should I do when....
>
> for the last 2 days I've been getting lots of connections attempts  
> on my
> firewall logs(ipcop firewall), from a specific ip based in Canada,  
> the log
> is showing a
> *
> *
> NEW not SYN?
>
> it seems that someone is trying to initiate a connections, or may be  
> a scan.
> Although the good thing is that the firewall is detecting them  
> therefore
> stopping them, I'm getting worried of hacker activity, I've already  
> done ip
> lookup, and dns whois query both of those point to ip and host in  
> Canada it
> seems to be a company as I got their public website and also private
> network.....could anyone advice me what's the proper course of  
> actions in
> this case?....
>
> thanks
> Jorge L. Vazquez
> www.pctechtips.org
>
>
>
> __________ NOD32 3243 (20080704) Information __________
>
> This message was checked by NOD32 antivirus system.
> http://www.eset.com