
RE: Incident response to being scanned

From: Fields, James <James.Fields(at)bcbsfl.com>
Date: Fri Apr 25 2003 - 13:44:58 EDT


Bob,

I see the same here. I'm also trying to come up with a standard methodology for dealing with these. We do automatic temporary blocking of source addresses based on a limited selection of IDS signatures, but that doesn't fix the problem - in particular a lot of these are probably coming from infected systems elsewhere, and the owners may not know they have a problem.

At my company we have a Computer Security department that is supposed to handle "policy" while I handle infrastructure - the actual implementation of the corporate policy in the hardware. Our CS guys have never given us a really good incident response procedure to cover this.

In the absence of that, I have taken the stance that if it is one hit from one source, I don't bother reporting it. If it is true scanning - multiple hits from the same source, or from several sources on the same subnet, I try one (and only one) attempt to reach the abuse address for that network if one exists.

By the way - I've been getting more and more from European colleges and universities lately, and many from companies that have the same first octet in the IP address block as ours.

-----Original Message-----

From: Bob Kelley [mailto:b0bk3ll3yjr@adelphia.net]
Sent: Friday, April 25, 2003 1:16 AM
To: security-basics@securityfocus.com
Subject: Incident response to being scanned

In reviewing my firewall and web server logs, I see repeated attempts from several IP addresses to scan my network as well as infect my webserver with Code Red. The source addresses are not always the same. I am confident that I don't have any holes in my firewall and my webserver is up to date. I perform weekly vulnerability scans of my equipment to make sure I am covered.

What is considered the best practice for dealing with these incidents? Should I be filing abuse reports with the ISPs of the source IPs? This obviously takes time. I am looking for a business case to justify the time spent responding.

Thanks



Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-security-basics

Blue Cross Blue Shield of Florida, Inc., and its subsidiary and affiliate companies are not responsible for errors or omissions in this e-mail message. Any personal comments made in this e-mail do not reflect the views of Blue Cross Blue Shield of Florida, Inc. The information contained in this document may be confidential and intended solely for the use of the individual or entity to whom it is addressed. This document may contain material that is privileged or protected from disclosure under applicable law. If you are not the intended recipient or the individual responsible for delivering to the intended recipient, please (1) be advised that any use, dissemination, forwarding, or copying of this document IS STRICTLY PROHIBITED; and (2) notify sender immediately by telephone and destroy the document. THANK YOU.



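The triage rule James describes above (ignore a single hit from a single source; treat repeated hits from one source, or hits from several sources on the same subnet, as a real scan; make one and only one attempt to reach that network's abuse contact) together with the automatic temporary blocking he mentions, written out as an added Python example. This is not code from either poster or from the list; the syslog-style log format, the sample addresses (documentation and benchmark ranges only), the /24 grouping, the one-hour block TTL and every function name are assumptions of the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall drop log (syslog-style); not taken from the thread.
SAMPLE_LOG = """\
2003-04-25T01:02:11 DROP src=192.0.2.10 dst=198.51.100.5 dport=80
2003-04-25T01:02:12 DROP src=192.0.2.10 dst=198.51.100.5 dport=80
2003-04-25T01:02:14 DROP src=192.0.2.10 dst=198.51.100.5 dport=80
2003-04-25T01:05:00 DROP src=203.0.113.7 dst=198.51.100.5 dport=80
2003-04-25T02:10:30 DROP src=198.18.4.20 dst=198.51.100.5 dport=80
2003-04-25T02:10:31 DROP src=198.18.4.21 dst=198.51.100.5 dport=80
2003-04-25T02:10:33 DROP src=198.18.4.22 dst=198.51.100.5 dport=80
"""

# Assumed log line shape; a real firewall's format would need its own regex.
LINE_RE = re.compile(r"^(\S+) DROP src=(\S+) dst=\S+ dport=(\d+)$")


def parse_log(text):
    """Return (timestamp, source_ip) tuples for lines matching the constructed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines we do not understand rather than guess at them
        events.append((datetime.fromisoformat(m.group(1)),
                       ipaddress.ip_address(m.group(2))))
    return events


def triage(events, prefix=24):
    """Apply the rule from the message: one hit from one source is ignored;
    repeated hits from one source, or hits from several sources inside the
    same /prefix block (assumed /24), count as a scan attributed to that block."""
    hits_per_src = defaultdict(int)
    for _, src in events:
        hits_per_src[src] += 1
    srcs_per_net = defaultdict(set)
    for src in hits_per_src:
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        srcs_per_net[net].add(src)
    ignore, report = [], {}
    for net, srcs in srcs_per_net.items():
        total = sum(hits_per_src[s] for s in srcs)
        if len(srcs) == 1 and total == 1:
            ignore.append(str(next(iter(srcs))))
        else:
            report[str(net)] = {"sources": sorted(str(s) for s in srcs),
                                "hits": total}
    return {"ignore": sorted(ignore), "report": report}


def abuse_contacts_to_try(report, already_tried):
    """Return the networks to contact; `already_tried` is updated in place so a
    network is never contacted twice, matching the 'one and only one attempt' rule."""
    todo = [net for net in sorted(report) if net not in already_tried]
    already_tried.update(todo)
    return todo


class TempBlockList:
    """Automatic temporary blocking with expiry. The block is deliberately
    short-lived because many sources are infected third parties whose owners
    may not know, so a permanent block would mostly punish the wrong party."""

    def __init__(self, ttl=timedelta(hours=1)):
        self.ttl = ttl
        self.expires = {}

    def block(self, ip, now):
        self.expires[str(ip)] = now + self.ttl

    def is_blocked(self, ip, now):
        exp = self.expires.get(str(ip))
        return exp is not None and now < exp


def block_expiry_demo():
    """Constructed walkthrough: an address is dropped only until its TTL lapses."""
    bl = TempBlockList(ttl=timedelta(minutes=30))
    t0 = datetime(2003, 4, 25, 1, 0)
    bl.block("192.0.2.10", t0)
    return (bl.is_blocked("192.0.2.10", t0 + timedelta(minutes=10)),
            bl.is_blocked("192.0.2.10", t0 + timedelta(minutes=31)),
            bl.is_blocked("203.0.113.7", t0))


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    print("ignore:", result["ignore"])
    print("report:", result["report"])
    print("contact:", abuse_contacts_to_try(result["report"], set()))
    print("block expiry (10 min, 31 min, never blocked):", block_expiry_demo())
```

On the sample log the single hit from 203.0.113.7 is ignored, 192.0.2.10 is reported as a scan because it hit three times, and the three 198.18.4.x sources are folded into one report for 198.18.4.0/24 even though each of them hit only once. Keeping the `already_tried` set across runs is what turns "one attempt per network" from a habit into something the script enforces.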
Received on Mon Apr 28 12:21:14 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:04:11 EDT

