RE: Incident response to being scanned
From: Fields, James (James.Fields_at_bcbsfl.com)
Date: 04/25/03
- Previous message: Xueyan Liu: "RE: Cable Vs. DSL"
- Maybe in reply to: Bob Kelley: "Incident response to being scanned"
- Next in thread: security_at_nuvox.net: "Re: Incident response to being scanned"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Bob Kelley'" <b0bk3ll3yjr@adelphia.net>, security-basics@securityfocus.com
Date: Fri, 25 Apr 2003 13:44:58 -0400
Bob,
I see the same here. I'm also trying to come up with a standard methodology
for dealing with these. We do automatic temporary blocking of source
addresses based on a limited selection of IDS signatures, but that doesn't
fix the problem - in particular a lot of these are probably coming from
infected systems elsewhere, and the owners may not know they have a problem.
At my company we have a Computer Security department that is supposed to
handle "policy" while I handle infrastructure - the actual implementation of
the corporate policy in the hardware. Our CS guys have never given us a
really good incident response procedure to cover this.
In the absence of that, I have taken the stance that if it is one hit from
one source, I don't bother reporting it. If it is true scanning - multiple
hits from the same source, or from several sources on the same subnet, I try
one (and only one) attempt to reach the abuse address for that network if
one exists.
By the way - I've been getting more and more from European colleges and
universities lately, and many from companies that have the same first octet
in the IP address block as ours.
-----Original Message-----
From: Bob Kelley [mailto:b0bk3ll3yjr@adelphia.net]
Sent: Friday, April 25, 2003 1:16 AM
To: security-basics@securityfocus.com
Subject: Incident response to being scanned
In reviewing my firewall and web server logs, I see repeated attempts from
several IP addresses to scan my network as well as infect my web server
with Code Red. The source addresses are not always the same. I am
confident that I don't have any holes in my firewall and my web server is
up to date. I perform weekly vulnerability scans of my equipment to make
sure I am covered.
What is considered the best practice for dealing with these incidents?
Should I be filing abuse reports with the ISPs of the source IPs? This
obviously takes time. I am looking for a business case to justify the
time spent responding.
Thanks
---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-security-basics
----------------------------------------------------------------------------
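A small triage pass that applies the two criteria in James's reply (one hit from one source is left alone; repeated hits from a source, or several sources in the same subnet, count as a scan and get one and only one abuse-report attempt) to constructed firewall log lines. This is an added example, not code from the thread; the three-field log format, the /24 grouping and the thresholds of two are assumptions.

```python
import ipaddress
from collections import defaultdict
# Constructed sample firewall log lines (not from the thread): "<time> <src_ip> <dst_port>".
SAMPLE_LOG = """\
2003-04-25T01:10:02 192.0.2.10 80
2003-04-25T01:10:03 192.0.2.10 80
2003-04-25T01:10:04 192.0.2.10 443
2003-04-25T01:12:00 198.51.100.7 80
2003-04-25T01:15:11 203.0.113.5 22
2003-04-25T01:15:12 203.0.113.9 22
2003-04-25T01:15:13 203.0.113.44 22
"""

def parse_log(text):
    """Return (src_ip, dst_port) pairs from the assumed three-field log format."""
    events = []
    for line in text.splitlines():
        if line.strip():
            _ts, src, port = line.split()
            events.append((ipaddress.ip_address(src), int(port)))
    return events

def classify(events, min_hits_per_source=2, min_sources_per_net=2):
    """Label each source /24 'scan' or 'ignore' using the two criteria in the
    reply above: repeated hits from one source, or several sources in one subnet.
    The /24 grouping and the thresholds of 2 are assumptions, not the thread's."""
    hits_per_src = defaultdict(int)
    for src, _port in events:
        hits_per_src[src] += 1
    srcs_per_net = defaultdict(set)
    for src in hits_per_src:
        srcs_per_net[str(ipaddress.ip_network(f"{src}/24", strict=False))].add(src)
    verdicts = {}
    for net, srcs in srcs_per_net.items():
        repeated = any(hits_per_src[s] >= min_hits_per_source for s in srcs)
        spread = len(srcs) >= min_sources_per_net
        verdicts[net] = "scan" if (repeated or spread) else "ignore"
    return verdicts

class AbuseReporter:
    """Remembers contacted networks so each scanning network gets exactly one attempt."""
    def __init__(self):
        self.contacted = set()
    def report(self, verdicts):
        """Return the networks to contact now; networks contacted earlier are skipped."""
        todo = sorted(n for n, v in verdicts.items() if v == "scan" and n not in self.contacted)
        self.contacted.update(todo)
        return todo
```

Running `classify(parse_log(SAMPLE_LOG))` flags 192.0.2.0/24 (one source, three hits) and 203.0.113.0/24 (three sources, one hit each) and leaves 198.51.100.0/24 alone; a second `report` call on the same verdicts returns nothing.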