RE: Incident response to being scanned

From: Fields, James (James.Fields_at_bcbsfl.com)
Date: 04/25/03

  • Next message: security_at_nuvox.net: "MyNetWatchman comments request"
    To: "'Bob Kelley'" <b0bk3ll3yjr@adelphia.net>, security-basics@securityfocus.com
    Date: Fri, 25 Apr 2003 13:44:58 -0400
    
    

    Bob,

    I see the same here. I'm also trying to come up with a standard methodology
    for dealing with these. We do automatic temporary blocking of source
    addresses based on a limited selection of IDS signatures, but that doesn't
    fix the problem - in particular a lot of these are probably coming from
    infected systems elsewhere, and the owners may not know they have a problem.

    At my company we have a Computer Security department that is supposed to
    handle "policy" while I handle infrastructure - the actual implementation of
    the corporate policy in the hardware. Our CS guys have never given us a
    really good incident response procedure to cover this.

    In the absence of that, I have taken the stance that if it is one hit from
    one source, I don't bother reporting it. If it is true scanning - multiple
    hits from the same source, or from several sources on the same subnet, I try
    one (and only one) attempt to reach the abuse address for that network if
    one exists.

    By the way - I've been getting more and more from European colleges and
    universities lately, and many from companies that have the same first octet
    in the IP address block as ours.

    -----Original Message-----
    From: Bob Kelley [mailto:b0bk3ll3yjr@adelphia.net]
    Sent: Friday, April 25, 2003 1:16 AM
    To: security-basics@securityfocus.com
    Subject: Incident response to being scanned

    In reviewing my firewall and web server logs, I see repeated attempts from
    several IP addresses to scan my network as well as infect my web server
    with Code Red. The source addresses are not always the same. I am
    confident that I don't have any holes in my firewall and my web server is
    up to date. I perform weekly vulnerability scans of my equipment to make
    sure I am covered.

    What is considered the best practice for dealing with these incidents?
    Should I be filing abuse reports with the ISPs of the source IPs? This
    obviously takes time. I am looking for a business case to justify the
    time spent responding.

    Thanks

    ---------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
    world's premier event for IT and network security experts. The two-day
    Training features 6 hands-on courses on May 12-13 taught by professionals.
    The two-day Briefings on May 14-15 features 24 top speakers with no vendor
    sales pitches. Deadline for the best rates is April 25. Register today to
    ensure your place. http://www.securityfocus.com/BlackHat-security-basics
    ----------------------------------------------------------------------------

    Blue Cross Blue Shield of Florida, Inc., and its subsidiary and affiliate companies are not responsible for errors or omissions in this e-mail message. Any personal comments made in this e-mail do not reflect the views of Blue Cross Blue Shield of Florida, Inc. The information contained in this document may be confidential and intended solely for the use of the individual or entity to whom it is addressed. This document may contain material that is privileged or protected from disclosure under applicable law. If you are not the intended recipient or the individual responsible for delivering to the intended recipient, please (1) be advised that any use, dissemination, forwarding, or copying of this document IS STRICTLY PROHIBITED; and (2) notify sender immediately by telephone and destroy the document. THANK YOU.
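The triage rule James describes above (one hit from one source: ignore; repeated hits from one source, or several sources in the same subnet: one, and only one, abuse report for that network, if a contact exists) is easy to turn into a log-review script. The following is an added example, not code from either poster: the firewall and web-server log lines are constructed (RFC 5737 documentation addresses), the `ABUSE_CONTACTS` table is a hypothetical stand-in for a WHOIS lookup, "same subnet" is read as the source's /24, and the thresholds are named constants so you can tune them. The one real-world detail it relies on is the Code Red probe, which shows up in web logs as `GET /default.ida?NNNN...` (Code Red II used `X` instead of `N`).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample logs for this example; they are not real traffic.
# Our web server sits behind NAT at 10.1.2.3.
FIREWALL_LOG = """\
Apr 25 01:02:11 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.1.2.3 PROTO=TCP DPT=80
Apr 25 01:02:12 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.1.2.3 PROTO=TCP DPT=135
Apr 25 01:02:12 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.1.2.3 PROTO=TCP DPT=445
Apr 25 01:02:13 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.1.2.3 PROTO=TCP DPT=1433
Apr 25 01:10:40 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.1.2.3 PROTO=TCP DPT=80
Apr 25 01:11:02 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.1.2.3 PROTO=TCP DPT=80
Apr 25 01:30:17 fw kernel: DROP IN=eth0 SRC=192.0.2.33 DST=10.1.2.3 PROTO=TCP DPT=22
"""
WEB_LOG = """\
198.51.100.7 - - [25/Apr/2003:01:16:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 287
192.0.2.33 - - [25/Apr/2003:01:31:05 -0400] "GET /index.html HTTP/1.1" 200 1043
"""

FW_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*?DPT=(?P<dpt>\d+)")
WEB_RE = re.compile(r'^(?P<src>\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')
# Code Red's worm probe: a long run of N (or X for Code Red II) after default.ida?
CODE_RED_RE = re.compile(r"GET /default\.ida\?[NX]{10,}")

SAME_SOURCE_MIN_HITS = 2      # "multiple hits from the same source"
SAME_SUBNET_MIN_SOURCES = 2   # "several sources on the same subnet"
SUBNET_PREFIX = 24            # assumption: "same subnet" means the source's /24

# Hypothetical contacts; a real script would query WHOIS for the abuse mailbox.
ABUSE_CONTACTS = {
    "198.51.100.0/24": "abuse@example.net",
    # 203.0.113.0/24 deliberately has no known contact
}


def parse_firewall(text):
    """Return (src, dport) for each dropped packet in an iptables-style log."""
    events = []
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m:
            events.append((m.group("src"), int(m.group("dpt"))))
    return events


def parse_web(text):
    """Return (src, request_line) for each entry in a common-log-format access log."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            events.append((m.group("src"), m.group("req")))
    return events


def code_red_sources(web_events):
    """Sources whose request line looks like a Code Red infection attempt."""
    return sorted({src for src, req in web_events if CODE_RED_RE.search(req)})


def classify(fw_events, web_events):
    """Apply the triage rule. Returns {"ignore": [ips], "scanning": {net: [ips]}}.

    A 'hit' is a firewall drop or a Code Red probe; ordinary web requests
    are not counted, so a legitimate visitor does not look like a scanner."""
    hits = defaultdict(int)
    for src, _ in fw_events:
        hits[src] += 1
    for src in code_red_sources(web_events):
        hits[src] += 1
    by_net = defaultdict(set)
    for src in hits:
        net = ipaddress.ip_network(f"{src}/{SUBNET_PREFIX}", strict=False)
        by_net[str(net)].add(src)
    ignore, scanning = [], {}
    for net, srcs in by_net.items():
        repeated = any(hits[s] >= SAME_SOURCE_MIN_HITS for s in srcs)
        if repeated or len(srcs) >= SAME_SUBNET_MIN_SOURCES:
            scanning[net] = sorted(srcs)
        else:
            ignore.extend(srcs)
    return {"ignore": sorted(ignore), "scanning": scanning}


def abuse_reports(scanning, already_tried):
    """One (and only one) attempt per network, and only when a contact exists.

    Returns the (network, contact) pairs to send now and the updated set of
    networks already contacted, which the caller should persist between runs."""
    tried = set(already_tried)
    to_send = []
    for net in sorted(scanning):
        contact = ABUSE_CONTACTS.get(net)
        if contact and net not in tried:
            to_send.append((net, contact))
            tried.add(net)
    return to_send, tried


if __name__ == "__main__":
    result = classify(parse_firewall(FIREWALL_LOG), parse_web(WEB_LOG))
    reports, tried = abuse_reports(result["scanning"], set())
    print("ignore:", result["ignore"])
    print("scanning:", result["scanning"])
    print("code red:", code_red_sources(parse_web(WEB_LOG)))
    print("report now:", reports)
```

Run as-is, the lone SSH probe from 192.0.2.33 is ignored, 198.51.100.7 (a port sweep plus a Code Red probe) and the pair 203.0.113.5/.9 are flagged as scanning, and only 198.51.100.0/24 produces a report, because no contact is known for 203.0.113.0/24. Feeding the returned `tried` set back in on the next run is what enforces the "one and only one attempt" part of the rule.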


