
RE: Incident response to being scanned

From: Allan Schon <allanschon(at)mckinleymachinery.com>
Date: Fri Apr 25 2003 - 13:07:50 EDT


Bob,
I think filing abuse reports might be rather extreme, unless you suspect that they are actively attempting to attack your network. Remember, most of them are either script-kiddies who just downloaded nmap for the first time or incompetent admins who have infected machines, and don't know it.

If I were to do anything at all, I'd try to track down an e-mail address associated with the IPs from your logs and send a polite letter informing them of the problem... Truth be told, though, I would probably just block out the IP, and forget about it entirely...

--Allan

-----Original Message-----

From: Bob Kelley [mailto:b0bk3ll3yjr@adelphia.net]
Sent: Friday, April 25, 2003 1:16 AM
To: security-basics@securityfocus.com
Subject: Incident response to being scanned

In reviewing my firewall and web server logs, I see repeated attempts from several IP addresses to scan my network as well as infect my webserver with Code Red. The source addresses are not always the same. I am confident that I don't have any holes in my firewall and my webserver is up to date. I perform weekly vulnerability scans of my equipment to make sure I am covered.

What is considered the best practice for dealing with these incidents? Should I be filing abuse reports with the ISPs of the source IPs? This obviously takes time. I am looking for a business case to justify the time spent responding.

Thanks



Received on Mon Apr 28 12:29:04 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:04:11 EDT
