Security Incidents mailing list archives

Re: What to do if they ignore you


From: Jose Maria Lopez Hernandez <jkerouac () bgsec com>
Date: Thu, 14 Apr 2005 10:00:35 +0200

On Wed, 13-04-2005 at 10:29 -0700, Skip Carter wrote:
Hello,

My company provides outsource security management/monitoring services.

In early March we noticed that several of our clients that are in the
same /16 block were getting persistent port 445 probes from a couple
of systems from a very large corporation's satellite office which is
on the same /16 block.

I have repeatedly called the company's security manager (on the US east
coast) and talked to people at the company's headquarters (on the US
west coast).  They take my information (I have shown them firewall logs,
IDS logs, captured packet traces, and honeypot sessions) but nothing is
done about these probes (typically around 1500/day).

We have black-holed connections from the offending network block, but many
of our clients are small and do not have firewalls with the resources to
handle huge lists of blacklisted networks.

It has been over a month now, and nothing has changed.  They seem to be
unable or unwilling to fix their own systems when they have all the
information they could ask for in order to track the problem down.

Does anybody have any suggestions on what to do to make Goliath behave
when you are David?

Take a look at: http://www.dshield.org and their Fightback program,
maybe it is what you are looking for.

Regards.

-- 

Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac () bgsec com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"


