


Full Disclosure: Re: CounterAttack

Re: CounterAttack

From: Martin Peikert <lists_at_nolog.org>
Date: Fri, 01 Aug 2003 10:23:06 +0200

Hello,

Dolbow, Phil wrote:
> If your network is PROBED by another system, where do you draw your
> line?

the same where s/PROBED/ATTACKED - in my opinion a probe is a prelude to
further attacks and therefore I can see no difference. (Sometimes the
difficulty is to decide: Is this a probe or not?)

> A) Log the data and otherwise do nothing.
> B) Probe the other system.
> C) Infiltrate the other system, but do no damage.
> D) Shut the other system down.
> E) Destroy the other system.
> F) Destroy the other system and all others around it.

*none* of the above. There are more possibilities between "shut up" and
"fire back as hard as I can" and I really miss one thing:

Try to find out who's probing/attacking you and *contact* the admins of
the attacker's IP to prevent further probes/attacks.

It's possible that the administrator of the host that attacked your
network didn't know about that - I've contacted admins that didn't know
what their users did or even that their network was compromised - the
reaction was almost positive.

If it's not a fixed IP, contact the ISP.

I would never fight back before I tried to contact the other side - in
almost every case a fight would not be necessary at all.

Other possibilities: You could log the probe/attack and sue the
attacker. You could drop all from IPs that probed/attacked you. I think
there are more.

Anyway, if an attack was successful - do you really think a
counterstrike would prevent the attacker from further attacks?

GTi

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Aug 01 2003
