Incident response to being scanned

• Previous message: Callan K L Tham: "Re: Cable Vs. DSL"
• Next in thread: David Gillett: "RE: Incident response to being scanned"
• Reply: David Gillett: "RE: Incident response to being scanned"
• Maybe reply: Fields, James: "RE: Incident response to being scanned"
• Reply: security_at_nuvox.net: "Re: Incident response to being scanned"
• Maybe reply: Allan Schon: "RE: Incident response to being scanned"
• Maybe reply: Security News: "RE: RE: Incident response to being scanned"
• Maybe reply: H Carvey: "Re: Incident response to being scanned"
• Maybe reply: Paris Stone: "Re: Incident response to being scanned"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 25 Apr 2003 05:16:05 -0000
To: security-basics@securityfocus.com

In reviewing my firewall and web server logs, I see repeated attempts from
several ip addresses to scan my network as well as infect my webserver
with code red. The source addresses are not always the same. I am
confident that I don't have any holes in my firewall and my webserver is
up to date. I perform weekly vulnerability scans of my equipment to make
sure I am covered.

What is considered the best practice for dealing with these incidents?
Should I be filing abuse reports with the ISPs of the source IPs? This
obviously takes time. I am looking for a business case to justify the
time spent responding.

Thanks

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-security-basics
----------------------------------------------------------------------------

• Previous message: Callan K L Tham: "Re: Cable Vs. DSL"
• Next in thread: David Gillett: "RE: Incident response to being scanned"
• Reply: David Gillett: "RE: Incident response to being scanned"
• Maybe reply: Fields, James: "RE: Incident response to being scanned"
• Reply: security_at_nuvox.net: "Re: Incident response to being scanned"
• Maybe reply: Allan Schon: "RE: Incident response to being scanned"
• Maybe reply: Security News: "RE: RE: Incident response to being scanned"
• Maybe reply: H Carvey: "Re: Incident response to being scanned"
• Maybe reply: Paris Stone: "Re: Incident response to being scanned"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]