Firewall Wizards mailing list archives
Re: Response to door knocking
From: Damir Rajnovic <Damir.Rajnovic () eurocert net>
Date: Tue, 2 Feb 1999 09:20:46 +0000
Hello there,

At 22:25 -0800 28/1/99, Robert Graham wrote:
> What are some legitimate responses to door knocking? Sending out automated e-mail seems to be a pathological response given the likelihood that IP addresses can be spoofed. How about these ideas:
> [rest deleted]

I would like to add just a few more things that you should consider. Apart from the fact that packets may be spoofed, many probes originate from dial-in accounts. Not all providers will give static IP addresses to their clients, so your information will not lead you very far. While doing your probes you might be perceived as someone who is attacking the ISP, and I guess that you do not want that. Another not uncommon scenario is that the villain is connected to the Internet using a dial-in account, then logs in to a previously compromised site and makes further probes from there. So you'll end up probing an innocent site. The extreme case is when there is no machine associated with that particular IP number.
> Assuming that you take care of the obvious pathological cases (be careful about false positives, IP spoofing, and throttling the rate at which you send such messages, etc.), are there any problems with this scheme?
I think yes, not necessarily technical ones. People usually do not expect to be probed back as a response. I am talking about white hat admins whose machines have been illegally used for malicious probing. If you discover that someone is probing you, the best thing to do is to report that to the contact admin or, even better, report that to CERT or law enforcement and let them deal with it.

Cheers,

Gaus

==========
EuroCERT is operating an incident co-ordination role for the European IRT community. In that sense we would appreciate being included on the "Cc:" line of any messages you may send to other sites regarding intruder activity, as long as at least one site is European. Alternatively you may send a message direct to us and we will try to locate an appropriate contact within Europe or abroad.
==========
---------------------------------------------------------------
EuroCERT              tel: (+44 1235) 822 382
c/o UKERNA            fax: (+44 1235) 822 398
Atlas Centre          http://www.eurocert.net
Chilton, Didcot
Oxfordshire OX11 0QS, UK