Security Basics mailing list archives

RE: what should I do when....


From: "Rivest, Philippe" <PRivest () transforce ca>
Date: Tue, 8 Jul 2008 08:40:11 -0400

OK, I got like a bazillion emails saying "we don't have time to contact the ISP"
or that we shouldn't waste time doing so for EVERY attack we get.

I think it's true that you can't follow up on every scan you get. I was
aiming at targeted scans where you see a pattern, where you can think that
there may be some issue. All this should be documented in a procedure that
you should follow on every such event. As I did state in:

As I stated, you should follow your internal procedure, harden your device
after your investigation (& before also..) and contact your ISP.

If you see no reason to contact your ISP, please document it and then don't call.
On the other hand, document the steps to follow to call your ISP and
what threshold will require that you call them.

Also, please remember that I said to contact them in case of *emergency*. Not
at EVERY POSSIBLE OCCURRENCE YOU CAN FIND.

When you have a contract with your ISP you should have a contact for
*emergency*. Contact them or the normal enterprise service level and have them
take a look at the situation.

Merci / Thanks
Philippe Rivest, CEH
Internal information security auditor
E-mail: Privest () transforce ca
Phone: (514) 331-4417
www.transforce.ca

You could print this email, but it takes a long time to grow trees.
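Philippe's point is that the decision to call the ISP should come out of a written procedure with a stated threshold, not from every noisy line in the log; Jorge's original question (quoted further down) was triggered by IPCop's "NEW not SYN?" drops. The Python below is an added example by the editor, not code from any participant in this thread: it applies such a threshold to a few constructed IPCop-style log lines and sorts each source into "log-only" or "escalate". The netfilter field layout in the sample lines, the year used to parse syslog timestamps, and the threshold values themselves are assumptions to be tuned locally. Note that IPCop writes "NEW not SYN?" for any packet that would open a new connection-tracking entry without a SYN flag, which also happens to legitimate sessions after the firewall's state table is flushed, so the hit count and port spread per source, not the presence of the message, is what separates a pattern from background noise.

```python
import re
from collections import defaultdict
from datetime import datetime

# Escalation thresholds: the documented procedure the thread argues for.
# Values are illustrative assumptions, not taken from the thread.
MIN_HITS = 5            # at least this many dropped packets from one source...
MIN_DISTINCT_PORTS = 4  # ...spread over at least this many destination ports

# Syslog lines carry no year; the thread dates from 2008 (assumption for parsing).
LOG_YEAR = 2008

# Constructed sample lines in the syslog/netfilter style IPCop emits. The exact
# field order is an assumption; "NEW not SYN?" is the prefix quoted in the thread.
SAMPLE_LOG = """\
Jul  3 21:05:01 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=22 ACK URGP=0
Jul  3 21:05:02 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44322 DPT=23 ACK URGP=0
Jul  3 21:05:03 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44323 DPT=80 ACK URGP=0
Jul  3 21:05:04 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44324 DPT=443 ACK URGP=0
Jul  3 21:05:05 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44325 DPT=3389 ACK URGP=0
Jul  3 21:05:06 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44326 DPT=8080 ACK URGP=0
Jul  3 21:17:40 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 ACK URGP=0
Jul  4 02:11:09 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 ACK URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+kernel:\s+"
    r"NEW not SYN\?\s+(?P<fields>.*)$"
)


def parse_line(line):
    """Return (timestamp, {field: value}) for one 'NEW not SYN?' line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:            # flag words such as ACK/FIN carry no '=' and are skipped
            key, value = tok.split("=", 1)
            fields[key] = value
    return ts, fields


def triage(log_text):
    """Group drops by source address and apply the documented escalation threshold."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        src = f.get("SRC")
        if src is None:
            continue
        rec = per_src[src]
        rec["hits"] += 1
        if "DPT" in f:
            rec["ports"].add(f["DPT"])
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)

    report = {}
    for src, rec in per_src.items():
        targeted = rec["hits"] >= MIN_HITS and len(rec["ports"]) >= MIN_DISTINCT_PORTS
        report[src] = {
            "hits": rec["hits"],
            "distinct_ports": len(rec["ports"]),
            "span_seconds": (rec["last"] - rec["first"]).total_seconds(),
            # "escalate": follow the written ISP-contact steps and keep the evidence;
            # "log-only": record it and move on, as the thread advises for background noise.
            "decision": "escalate" if targeted else "log-only",
        }
    return report


if __name__ == "__main__":
    for src, r in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:15} hits={r['hits']:3} ports={r['distinct_ports']:3} "
              f"span={r['span_seconds']:.0f}s -> {r['decision']}")
```

Run against the sample, the source that walked six ports in six seconds is flagged for escalation while the source that touched port 443 twice over five hours is only recorded. Whatever the thresholds end up being, the point of writing them down next to the procedure is that the same log produces the same decision regardless of who is on duty.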
 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Rivest, Philippe
Sent: 7 July 2008 13:53
To: Sergio Castro; Jorge L. Vazquez; security-basics;
security-basics-sc.1207759308.halobnafecliebdpegpn-Jlvazquez825=gmail.com@securityfocus.com; security focus listbounce
Subject: RE: what should I do when....

This is not a good practice.
If you just tolerate brute forcing and scanning you are on the wrong track.
Imagine if network usage doubled or tripled because of this
behavior. When will you start to report this to your ISP? When will you start
to pressure them that they have clients that need & WANT a secure service
(ISP)?

As I stated, you should follow your internal procedure, harden your device
after your investigation (& before also..) and contact your ISP.

When you have a contract with your ISP you should have a contact for
*emergency*. Contact them or the normal enterprise service level and have them
take a look at the situation.

Not doing anything is just accepting that you can be probed, and that's not
very wise.

**Also note that if the guy who's probing you knows nobody ever contacts the
ISP for investigation.. do you really think he's gonna do nice and limited
(rate) scans? He's gonna pop everything he has against you to do a full &
extensive & complete scan.


Merci / Thanks
Philippe Rivest, CEH
Internal information security auditor
E-mail: Privest () transforce ca
Phone: (514) 331-4417
www.transforce.ca

You could print this email, but it takes a long time to grow trees.
 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Sergio Castro
Sent: 4 July 2008 19:51
To: 'Jorge L. Vazquez'; 'security-basics';
security-basics-sc.1207759308.halobnafecliebdpegpn-Jlvazquez825=gmail.com@securityfocus.com; 'security focus listbounce'
Subject: RE: what should I do when....

Hi Jorge,

My recommendation, other than making sure your public IP systems are properly
hardened, is to do nothing. Continuous scans and brute force login attempts
are the norm on the Internet. For every ISP that pays attention to your
complaints, 10 will ignore you.

- Sergio

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Jorge L. Vazquez
Sent: Thursday, 03 July 2008 09:05 p.m.
To: security-basics;
security-basics-sc.1207759308.halobnafecliebdpegpn-Jlvazquez825=gmail.com@securityfocus.com; security focus listbounce
Subject: what should I do when....

For the last 2 days I've been getting lots of connection attempts in my
firewall logs (IPCop firewall) from a specific IP based in Canada. The log
is showing a

    NEW not SYN?

It seems that someone is trying to initiate connections, or maybe a scan.
Although the good thing is that the firewall is detecting them and therefore
stopping them, I'm getting worried about hacker activity. I've already done an IP
lookup and a DNS whois query; both of those point to an IP and host in Canada. It
seems to be a company, as I got their public website and also private
network..... Could anyone advise me what's the proper course of action in
this case?....

thanks
Jorge L. Vazquez
www.pctechtips.org





