Pantek Library

Re: Incident response to being scanned

From: H Carvey <keydet89(at)yahoo.com>
Date: Sun Apr 27 2003 - 07:39:43 EDT
In-Reply-To: <20030425051605.5458.qmail@www.securityfocus.com>

>What is considered the best practice for dealing with these incidents?
>Should I be filing abuse reports with the ISPs of the source IPs? This
>obviously takes time. I am looking for a business case to justify the
>time spent responding.

If you're being scanned, that just means that you're connected to the Internet. The fact that the scans are not successful, and are being dropped, is a good thing.

I guess my question is why would you waste time following up on each and every scan? Perhaps the reason you're having trouble developing a business case for this investment of time and energy is that...well, there isn't one.

I followed up on a Nimda scan...once. But that's b/c the same IP kept showing up in my logs for three consecutive days. Other than that...forget it.

Harlan
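
The triage rule described in the message above (ignore one-off dropped scans, look only at a source that keeps returning on consecutive days), as an added example that is not part of the original message. The log format, the sample lines, and the function names are constructed for illustration; the three-day threshold mirrors the anecdote in the post.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed firewall drop log (assumed format; addresses are documentation ranges).
SAMPLE_LOG = """\
2003-04-22T03:14:07 DROP SRC=192.0.2.10 DPT=80
2003-04-22T03:14:09 DROP SRC=203.0.113.99 DPT=80
2003-04-22T03:14:10 DROP SRC=203.0.113.99 DPT=139
2003-04-22T09:00:00 DROP SRC=203.0.113.7 DPT=445
2003-04-23T04:01:55 DROP SRC=192.0.2.10 DPT=80
2003-04-24T02:47:31 DROP SRC=192.0.2.10 DPT=80
2003-04-24T11:20:00 DROP SRC=203.0.113.7 DPT=445
2003-04-25T11:21:00 DROP SRC=203.0.113.7 DPT=445
2003-04-30T23:59:01 DROP SRC=192.0.2.44 DPT=80
2003-05-01T00:10:12 DROP SRC=192.0.2.44 DPT=80
2003-05-02T06:30:45 DROP SRC=192.0.2.44 DPT=80
garbled line without a source address
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ DROP SRC=(\d{1,3}(?:\.\d{1,3}){3}) ")

def days_seen(log_text):
    """Map each source IP to the set of calendar days it was dropped on."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not parse are skipped, not guessed at
            seen[m.group(2)].add(date.fromisoformat(m.group(1)))
    return seen

def longest_run(days):
    """Length of the longest streak of consecutive days in a set of dates."""
    best = 0
    for d in days:
        if d - timedelta(days=1) in days:
            continue  # not the first day of a streak
        n = 1
        while d + timedelta(days=n) in days:
            n += 1
        best = max(best, n)
    return best

def persistent_sources(log_text, min_days=3):
    """Sources whose longest streak of consecutive scan days is >= min_days."""
    runs = {src: longest_run(days) for src, days in days_seen(log_text).items()}
    return {src: n for src, n in runs.items() if n >= min_days}

if __name__ == "__main__":
    print(persistent_sources(SAMPLE_LOG))
```

Hit volume on a single day does not count toward the threshold, and the streak is computed on calendar dates, so a run that crosses a month boundary is still detected.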



Received on Mon Apr 28 12:36:44 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:04:11 EDT

