Re: Incident response to being scanned

Yes, you should file complaints with the responsible ISP(s).

>From the ISP POV, one complaint may not make a blip, but it will work
towards hitting the 'issue' threshold. That is, an ISP may ignore one complaint about one IP, but multiple complaints raise the likelihood of action being taken.

Depending on the apps involved, setting your own thresholds is of course recommended. One hit on your network may not warrant a complaint, but 1000 hits definately should.

One option: Create a generic email that you can simply plug the offending IP and log files in to. Detail that your network detected this issue and you are reporting it. Include the IP range your network uses (you don't have to be IP specific), the type of software you used to discover the hit, and your contact info. Be cordial. This option requires some time to create initially, but sets you up to generate complaints with very little effort.

The most important thing you can do is keep your network up to date, and it sounds like you've got that down. Don't scan 'attackers' and don't try to contact them directly.

--
Scott Lesley
(nifty signature withheld)

 


On Fri, 2003-04-25 at 01:16, Bob Kelley wrote:

> 

> 

> In reviewing my firewall and web server logs, I see repeated attempts from 




---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place.  
http://www.securityfocus.com/BlackHat-security-basics 
----------------------------------------------------------------------------