Full Disclosure mailing list archives

Re: CounterAttack


From: Martin Peikert <lists () nolog org>
Date: Fri, 01 Aug 2003 10:23:06 +0200

Hello,

Dolbow, Phil wrote:
> If your network is PROBED by another system, where do you draw your
> line?

The same place as with s/PROBED/ATTACKED/ - in my opinion a probe is a prelude to further attacks, and therefore I can see no difference. (Sometimes the difficulty is deciding: is this a probe or not?)

> A) Log the data and otherwise do nothing.
> B) Probe the other system.
> C) Infiltrate the other system, but do no damage.
> D) Shut the other system down.
> E) Destroy the other system.
> F) Destroy the other system and all others around it.

*None* of the above. There are more possibilities between "shut up" and "fire back as hard as I can", and I really miss one thing:

Try to find out who's probing/attacking you and *contact* the admins of the attacker's IP to prevent further probes/attacks.

It's possible that the administrator of the host that attacked your network didn't know about it - I've contacted admins who didn't know what their users did, or even that their network was compromised - and the reaction was almost positive.

If it's not a fixed IP, contact the ISP.

I would never fight back before I had tried to contact the other side - in almost every case a fight would not be necessary at all.

Other possibilities: you could log the probe/attack and sue the attacker. You could drop all traffic from IPs that probed/attacked you. I think there are more.

Anyway, if an attack was successful - do you really think a counterstrike would prevent the attacker from further attacks?


GTi

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
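The non-retaliatory path the message above argues for (log, identify the source, contact the abuse/admin contact or ISP, drop the source locally) can be scripted as a triage step. The following is an added example, not code from the post or its author: it parses constructed iptables-style LOG lines, flags sources that touched several distinct ports (a crude "is this a probe?" heuristic; the threshold of 4 is an assumption), and emits the whois lookup and local drop rule as strings without executing either. The sample log, host names and addresses are all constructed. One practitioner's caveat the post does not spell out: source addresses in a SYN scan are trivially spoofed, so an automated "drop everything that probed me" rule lets an attacker make you block arbitrary third parties; the example therefore refuses to act on non-routable sources and leaves the actual contact and block as manual steps.

```python
"""Triage probe sources from firewall logs: look up whom to contact, prepare a local drop.

Added example (not from the Full-Disclosure post). Nothing here touches the
network or the firewall; it only prepares the commands an admin would run.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the Linux iptables LOG target format (not real traffic).
SAMPLE_LOG = """\
Aug  1 09:58:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=44123 DPT=22 SYN
Aug  1 09:58:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=44124 DPT=23 SYN
Aug  1 09:58:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=44125 DPT=80 SYN
Aug  1 09:58:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=44126 DPT=443 SYN
Aug  1 09:58:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=44127 DPT=3389 SYN
Aug  1 09:58:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
Aug  1 09:58:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80 SYN
Aug  1 09:58:06 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.10 PROTO=TCP SPT=60000 DPT=22 SYN
Aug  1 09:58:06 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.10 PROTO=TCP SPT=60001 DPT=25 SYN
Aug  1 09:58:07 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.10 PROTO=TCP SPT=60002 DPT=110 SYN
Aug  1 09:58:07 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.10 PROTO=TCP SPT=60003 DPT=143 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

# Sources nobody upstream is responsible for: RFC 1918, loopback, link-local, "this" net, multicast.
# A packet claiming one of these as SRC on the outside interface is spoofed or internal.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",
)]


def parse_log(text):
    """Return {source_ip: set of destination ports} for every line in LOG format."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ports[m.group("src")].add(int(m.group("dpt")))
    return ports


def classify(ports_by_src, threshold=4):
    """Sources touching >= threshold distinct ports are treated as probes (assumed heuristic)."""
    probes, others = [], []
    for src, ports in sorted(ports_by_src.items()):
        (probes if len(ports) >= threshold else others).append(src)
    return probes, others


def is_routable(ip):
    """False when the address cannot have come from a real remote admin's network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def response_plan(src):
    """The post's options, as commands to review by hand: whois for the abuse contact
    (for a dynamic IP the allocation holder is the ISP), and a local DROP rule.
    Non-routable sources get no block: blocking them would only hurt your own hosts."""
    if not is_routable(src):
        return {"action": "investigate-internally", "src": src}
    return {
        "action": "contact-and-block",
        "src": src,
        "lookup": f"whois {src}",
        "block": f"iptables -I INPUT -s {src} -j DROP",
    }


def triage(text, threshold=4):
    """Full pipeline: parse, pick probable probes, build a plan per source."""
    probes, _others = classify(parse_log(text), threshold)
    return [response_plan(src) for src in probes]


if __name__ == "__main__":
    for plan in triage(SAMPLE_LOG):
        print(plan)
```

On the sample data, 203.0.113.45 (five ports) gets a lookup and a drop rule, 10.0.0.9 (four ports, but RFC 1918) is flagged for internal investigation, and 198.51.100.7 (one port, repeated) is left alone as ordinary traffic. The drop rule is deliberately produced as text rather than applied: review the whois result first, as the post recommends, and bear in mind that a blocklist fed directly from logs is a denial-of-service lever for anyone who can spoof source addresses.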

