Security Basics mailing list archives

Re: Reporting Abuse tips?
From: Tisiphone <tisiphne () gmail com>
Date: Wed, 5 May 2010 19:48:48 -0500

This is an interesting and, I would imagine, a debatable question.

Remember, once you report the activity (keeping in mind that most
hosting companies and ISPs request pcaps / logs), the attacker will
likely deduce that you detected their activity. They will gain some
interesting information in the process. For instance, they might find
out which events you detected, how fast a human responded to the
events, and possibly even what combination or threshold of events
triggered fires. This could be really useful information for a bad guy
in a targeted attack. If the attacker is using bots or similarly
compromised computers to perform the attack, they could probably care
less if one is taken down - they can just move on to another source
host with the new information about your capabilities. Or, if they are
located in a country that provides shady hosting services or has a low
response rate from hosting companies, there may be little action taken
by their ISP.

It sounds like you may have some hope given that the IP is located in
the US. Conversely, if it was truly a non-automated, targeted attack,
I doubt that a seasoned attacker would be sourcing the attacks from an
IP immediately traceable to their person. Does the IP in question show
up on isc.sans.org, Emerging Threats, or in a simple Google search as
malicious? Is there something in the events that suggests the attacks
are tailored specifically for your customer's environment? Is your
customer likely to be targeted by a dedicated attacker due to their
industry?

I suppose something else to consider would be how much of a threat the
attacks really pose to the end user in their current state. As a final
note, if the attacks are causing a denial of service condition, that
is another matter entirely.

I'll be interested to see what people in various industries think.

Cheers,
Tisi

On Tue, May 4, 2010 at 9:21 AM, <dynetworks () hotmail com> wrote:
Hello group!

I’ve already read some things around the net, but wanted some real answers from people that have had to do it.

Relating to incident response, how do you usually contact an offending host?  And when you do, what do you usually 
say/not say?  Now I know you’re thinking “Well that depends on what’s happening!!”…

So I’ll give you one example to reply with (and you’re free to run with more):

I check logs for a few different clients and one had strange activity over the weekend.  A lot of Active Directory 
query attempts as well as VNC attempts, RDP attempts, and other various queries (all denied).  Basically it was a 
very thorough ‘scan’ but I could see some intelligence on the other side.  No need to go into depth on that…yes, it 
‘could’ have been a well designed script, but I’d rather not debate about that honestly.  This went on for about an 
hour on Saturday morning, again at night, and for a few hours on Sunday.  It all came from one IP address.  After 
some more forensics, this same IP has done some pings, port scans in the past.  I didn’t consider this an incident, 
considering it’s the internet after all.

The IP address is from America - so I’m personally willing to devote some time into notifying the host and trying to 
make sure it doesn’t happen again.  I checked with the customer and they have never heard of this person/company.

Now that we’ve got some context – I have an email and phone number.  How would you proceed?

Thanks for any tips in advance!
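The original post describes denied AD, VNC and RDP attempts from one IP spread over a weekend, and the reply notes that hosting companies and ISPs usually ask for logs and that whatever you send tells the attacker what you detected. The script below is an added example, not code from either poster: it parses constructed iptables-style DENY lines, groups them by source IP, classifies a source that probes several distinct services as a scan, checks it against a constructed local blocklist standing in for a cached reputation feed (the kind of list Emerging Threats publishes), and builds an abuse report that contains only the facts an abuse desk needs (IP, time window, ports, counts) rather than rule names or alert thresholds. The log lines, the IP addresses, the port-to-service table and the `min_services` threshold are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the thread): iptables-style DENY lines
# from a perimeter firewall, syslog format without a year.
SAMPLE_LOG = """\
May  1 09:02:11 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=389
May  1 09:02:12 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=88
May  1 09:02:14 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=445
May  1 09:03:40 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=5900
May  1 09:05:02 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=3389
May  1 22:17:55 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=3389
May  2 11:40:09 fw1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.11 PROTO=TCP DPT=135
May  1 10:00:00 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
May  1 10:00:01 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
"""

# Constructed stand-in for a locally cached reputation feed (assumption).
REPUTATION_BLOCKLIST = {"203.0.113.45"}

# Assumed port-to-service mapping for the services the post mentions.
SERVICE_BY_PORT = {
    22: "ssh", 88: "kerberos", 135: "msrpc", 389: "ldap",
    445: "smb", 3389: "rdp", 5900: "vnc",
}

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ kernel: DENY .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2010):
    """Return a dict for one DENY line, or None if the line does not match.
    Syslog omits the year, so the caller supplies it (assumed 2010 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "port": int(m["dpt"])}


def summarize_sources(lines, year=2010):
    """Group denied attempts by source IP: count, time window, targets, ports."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line, year)
        if rec:
            events[rec["src"]].append(rec)
    summary = {}
    for src, recs in events.items():
        ports = sorted({r["port"] for r in recs})
        summary[src] = {
            "count": len(recs),
            "first": min(r["ts"] for r in recs).isoformat(sep=" "),
            "last": max(r["ts"] for r in recs).isoformat(sep=" "),
            "targets": sorted({r["dst"] for r in recs}),
            "ports": ports,
            "services": sorted(SERVICE_BY_PORT.get(p, f"tcp/{p}") for p in ports),
        }
    return summary


def classify(entry, min_services=3):
    """A source that probes several distinct services looks like a scan;
    repeated hits on one service is a different pattern (e.g. brute force)."""
    return "scan" if len(entry["services"]) >= min_services else "single-service"


def build_abuse_report(src, entry, blocklisted=False):
    """Factual summary for an abuse desk. Deliberately omits detection rule
    names and thresholds, since the report may reach the attacker."""
    lines = [
        f"Source IP: {src}",
        f"Observed window (firewall clock, UTC): {entry['first']} to {entry['last']}",
        f"Denied connection attempts: {entry['count']}",
        f"Targets: {', '.join(entry['targets'])}",
        f"Destination ports: {', '.join(str(p) for p in entry['ports'])} "
        f"({', '.join(entry['services'])})",
        f"Pattern: {classify(entry)}",
    ]
    if blocklisted:
        lines.append("Note: source appears on our locally cached reputation list")
    lines.append("Raw firewall log lines are attached for verification.")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize_sources(SAMPLE_LOG.splitlines())
    for src, entry in summary.items():
        print(build_abuse_report(src, entry, src in REPUTATION_BLOCKLIST))
        print()
```

Run as-is it prints one report per source; in practice you would feed it the firewall's real DENY lines and attach the matching raw log extract, which is what the reply says most ISPs and hosting companies ask for.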

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
