Firewall Wizards mailing list archives

Re: Response to door knocking


From: Damir Rajnovic <Damir.Rajnovic () eurocert net>
Date: Tue, 2 Feb 1999 09:20:46 +0000

Hello there,

At 22:25 -0800 28/1/99, Robert Graham wrote:
> What are some legitimate responses to door knocking? Sending out
> automated e-mail seems to be a pathological response given the
> likelihood that IP addresses can be spoofed. How about these ideas:
> [rest deleted]

I would like to add just a few more things that you should consider.
Apart from the fact that packets may be spoofed, many probes originate
from dial-in accounts. Not all providers will give static IP addresses
to their clients, so your information will not lead you anywhere far.
While doing your probes you might be perceived as someone who is attacking
the ISP, and I guess that you do not want that.

Another not uncommon scenario is that the villain connects to the Internet
using a dial-in account, then logs in to a previously compromised site
and then makes further probes from there. So you'll end up probing
an innocent site.

The extreme case is when there is no machine associated with that
particular IP number.

> Assuming that you take care of the obvious pathological cases (be
> careful about false positives, IP spoofing, and throttling the rate at
> which you send such messages, etc.), are there any problems with this
> scheme?

I think yes, and not necessarily technical ones.  People usually do not
expect to be probed back as a response. I am talking about white
hat admins whose machines have been illegally used for malicious
probing. If you discover that someone is probing you, the best thing
to do is to report that to the contact admin or, even better, report
it to a CERT or law enforcement and let them deal with it.

Cheers,

Gaus

==========
EuroCERT operates in an incident co-ordination role for the European IRT
community. In that sense we would appreciate being included on the "Cc:"
line of any messages you may send to other sites regarding intruder
activity, as long as at least one site is European.  Alternatively you
may send the message directly to us and we will try to locate the appropriate
contact within Europe or abroad.
==========

---------------------------------------------------------------
EuroCERT                                tel: (+44 1235) 822 382
c/o UKERNA                              fax: (+44 1235) 822 398
Atlas Centre                            http://www.eurocert.net
Chilton, Didcot
Oxfordshire OX11 0QS, UK
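The thread above argues for reporting probe activity to the responsible contact or a CERT rather than probing or mailing the apparent source automatically, and Graham's quoted note lists false positives, spoofing and rate throttling as the cases any automated handler must cover. The following is an added example, not code from the original thread or from EuroCERT, of the defender-side half of that: it aggregates inbound probe log lines per source, only calls something a scan once several distinct ports have been touched, throttles to one report per source per window, and produces a plain-text evidence summary for a human to forward. The log line format, the thresholds and the addresses (RFC 5737 documentation ranges) are constructed for illustration; nothing is sent and no connection is ever made back to the source.

```python
"""Aggregate inbound probe log lines and decide when a report is warranted.

Added example (not from the original thread). The log format, thresholds and
IP addresses are constructed for illustration; the addresses come from the
RFC 5737 documentation ranges.
"""
from datetime import datetime, timedelta

# Constructed firewall log lines: timestamp, action, src, dst, dport.
SAMPLE_LOG = """\
1999-01-28T22:25:01 DROP src=192.0.2.10 dst=203.0.113.5 dport=21
1999-01-28T22:25:01 DROP src=192.0.2.10 dst=203.0.113.5 dport=23
1999-01-28T22:25:02 DROP src=192.0.2.10 dst=203.0.113.5 dport=25
1999-01-28T22:25:02 DROP src=192.0.2.10 dst=203.0.113.5 dport=79
1999-01-28T22:25:03 DROP src=192.0.2.10 dst=203.0.113.5 dport=110
1999-01-28T22:25:03 DROP src=192.0.2.10 dst=203.0.113.5 dport=111
1999-01-28T22:30:00 DROP src=192.0.2.77 dst=203.0.113.5 dport=113
1999-01-28T22:41:12 DROP src=192.0.2.10 dst=203.0.113.5 dport=143
"""

MIN_DISTINCT_PORTS = 5              # below this, treat as noise / possible false positive
REPORT_WINDOW = timedelta(hours=24)  # at most one report per source per window


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, dport); None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "DROP":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[2:])
        return ts, fields["src"], fields["dst"], int(fields["dport"])
    except (ValueError, KeyError):
        return None


def aggregate(log_text):
    """Group probes by source address: packet count, distinct ports, targets, first/last seen."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        entry = summary.setdefault(src, {"count": 0, "ports": set(), "targets": set(),
                                          "first": ts, "last": ts})
        entry["count"] += 1
        entry["ports"].add(dport)
        entry["targets"].add(dst)
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return summary


def is_probable_scan(entry):
    """Require several distinct ports before calling it a scan (false-positive guard)."""
    return len(entry["ports"]) >= MIN_DISTINCT_PORTS


def should_report(last_reported, src, now):
    """Throttle: allow a report for a source at most once per REPORT_WINDOW.

    last_reported is a dict that this function updates in place.
    """
    prev = last_reported.get(src)
    if prev is not None and now - prev < REPORT_WINDOW:
        return False
    last_reported[src] = now
    return True


def build_report(src, entry):
    """Plain-text evidence summary for the source's abuse contact or a CERT."""
    ports = ", ".join(str(p) for p in sorted(entry["ports"]))
    return (f"Probe activity observed from {src}\n"
            f"  first seen: {entry['first'].isoformat()}\n"
            f"  last seen:  {entry['last'].isoformat()}\n"
            f"  packets:    {entry['count']}\n"
            f"  targets:    {', '.join(sorted(entry['targets']))}\n"
            f"  ports:      {ports}\n"
            "Note: the source address may be spoofed, dynamically assigned, or a\n"
            "compromised intermediate host; no connections were made back to it.\n")


def pending_reports(log_text, last_reported, now):
    """Return (src, report_text) for sources that qualify as scans and pass the throttle."""
    reports = []
    for src, entry in aggregate(log_text).items():
        if is_probable_scan(entry) and should_report(last_reported, src, now):
            reports.append((src, build_report(src, entry)))
    return reports


if __name__ == "__main__":
    state = {}
    now = datetime(1999, 1, 29, 9, 0, 0)
    for src, text in pending_reports(SAMPLE_LOG, state, now):
        print(text)
    # A second run inside the window produces nothing: the throttle holds.
    print("second run:", pending_reports(SAMPLE_LOG, state, now + timedelta(hours=1)))
```

The single packet from 192.0.2.77 never becomes a report, which is the false-positive guard at work; the throttle state would in practice be persisted across runs so that a noisy source does not generate one message per log rotation. The report text deliberately records the caveat from the thread that the address may belong to a spoofed, dial-in or compromised host, so whoever receives it reads the evidence with that in mind.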



