Re: Incident response to being scanned

From: H Carvey (keydet89_at_yahoo.com)
Date: 04/27/03

  • Next message: Bob Kelley: "Re: RE: DShield.org Recommended Block List" 
    Date: 27 Apr 2003 11:39:43 -0000
To: security-basics@securityfocus.com
    ('binary' encoding is not supported, stored as-is) In-Reply-To: <20030425051605.5458.qmail@www.securityfocus.com>

    >What is considered the best practice for dealing with
    these incidents?
    >Should I be filing abuse reports with the ISPs of the
    source IPs? This
    >obviously takes time. I am looking for a business
    case to justify the
    >time spent responding.

    If you're being scanned, that just means that you're
    connected to the Internet. The fact that the scans are
    not successful, and are being dropped, is a good thing.

    I guess my question is why would you waste time
    following up on each and every scan? Perhaps the
    reason you're having trouble developing a business case
    for this investment of time and energy is that...well,
    there isn't one.

    I followed up on a Nimda scan...once. But that's b/c
    the same IP kept showing up in my logs for three
    consecutive days. Other than that...forget it.

    Harlan

    ---------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
    world's premier event for IT and network security experts. The two-day
    Training features 6 hand-on courses on May 12-13 taught by professionals.
    The two-day Briefings on May 14-15 features 24 top speakers with no vendor
    sales pitches. Deadline for the best rates is April 25. Register today to
    ensure your place. http://www.securityfocus.com/BlackHat-security-basics
    ----------------------------------------------------------------------------

  • Next message: Bob Kelley: "Re: RE: DShield.org Recommended Block List"

    Relevant Pages

    • Re: interoperability of VPN checkpoint FW1 to ISA
      ... Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the ... Training features 6 hand-on courses on May 12-13 taught by professionals. ... Register today to ...
      (Focus-Microsoft)
    • RE: interoperability of VPN checkpoint FW1 to ISA
      ... However, CheckPoint has one little ... Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the ... Training features 6 hand-on courses on May 12-13 taught by professionals. ...
      (Focus-Microsoft)
    • RE: interoperability of VPN checkpoint FW1 to ISA
      ... If you are not the intended recipient be aware that any ... Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the ... Training features 6 hand-on courses on May 12-13 taught by professionals. ...
      (Focus-Microsoft)
    • RE: Log on the domain
      ... whether a given user account can be used from the "console" keyboard ... Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the ... Training features 6 hand-on courses on May 12-13 taught by professionals. ...
      (Security-Basics)
    • Re: Zenworks
      ... Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the ... world's premier event for IT and network security experts. ... Training features 6 hand-on courses on May 12-13 taught by professionals. ...
      (Security-Basics)