As for me, when I notice something is happening on our network,
such as a portscan coming in, I usually do a few things. Some may
be considered bad, but it's pretty useful in how I deal with
responding to the offending host.
1) Process logfiles, to create a unified logfile of all activities by the
offending site, and verify the activity of the user, and for how long
they have been doing this, or if it could be misconfigured hardware.
If determined to be a false alarm, quit here, else continue. (This is
where I have my log processor watch for these sites.)
2) I do a preliminary portscan, checking for such things as 23,
1080, basically for anything that can be used to bounce
connections off of. (See IRC or spam email for the reasoning for
this.)
If it turns out positive:
3) I check to determine if they are misconfigured; if so I notify the
provider that they are misconfigured, or alternatively if it's an ISP
with many users running wingate, I notify them and ask if they
could block this. If all ISPs would block at least 1080 it would save
a lot of grief.
If it's negative:
3) Do a traceroute into the site, note all major domains in the route.
(I gave up DNS, because half of the time it's not as effective.)
4) Whois all major domains, including the offending site.
5) I place a monitoring entry in the firewall to watch all incoming
data, and a monitoring entry in the IDS, to log all traffic, until either
I get a response or I block it.
6) E-mail the offending site, requesting that this be handled
immediately, and requesting a response.
If it is not handled or no response is received within 1 week (this is
totally dependent on what is happening), I send out a second e-mail
to all the people I listed in step 4.
Jason Robertson
Network Analyst
[EMAIL PROTECTED]
http://www.astroadvice.com
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
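Step 1 of the procedure above, building one unified per-host logfile from firewall and IDS entries and judging from its duration and port spread whether it looks like a portscan or like misconfigured hardware, as an added example that is not the poster's own log processor; both log formats, all addresses and all timestamps are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample lines in two hypothetical formats (firewall deny log, IDS alert log).
FIREWALL_LOG = """\
1999-03-02 10:15:01 DENY 10.9.8.7 -> 192.0.2.10:23
1999-03-02 10:15:01 DENY 10.9.8.7 -> 192.0.2.10:1080
1999-03-02 10:15:02 DENY 10.9.8.7 -> 192.0.2.10:25
1999-03-02 10:15:02 DENY 10.9.8.7 -> 192.0.2.10:110
1999-03-02 08:00:00 DENY 10.5.5.5 -> 192.0.2.10:137
1999-03-02 14:00:00 DENY 10.5.5.5 -> 192.0.2.10:137
"""
IDS_LOG = """\
1999-03-02 10:15:03 PORTSCAN src=10.9.8.7 dst=192.0.2.10 port=80
1999-03-02 20:00:00 PROBE src=10.5.5.5 dst=192.0.2.10 port=137
"""
FW_RE = re.compile(r"^(\S+ \S+) (\w+) (\S+) -> \S+:(\d+)$")
IDS_RE = re.compile(r"^(\S+ \S+) (\w+) src=(\S+) dst=\S+ port=(\d+)$")

def parse(text, pattern, source):
    """Yield (timestamp, source_ip, dst_port, note) for every line the pattern matches."""
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            yield datetime.fromisoformat(m[1]), m[3], int(m[4]), f"{source}:{m[2]}"

def unify(*streams):
    """Merge the parsed streams into one time-ordered record list per offending host."""
    by_host = {}
    for stream in streams:
        for rec in stream:
            by_host.setdefault(rec[1], []).append(rec)
    for recs in by_host.values():
        recs.sort()
    return by_host

def summarise(recs):
    """Duration, distinct ports and a rough verdict for one host's unified log."""
    first, last = recs[0][0], recs[-1][0]
    ports = {r[2] for r in recs}
    secs = (last - first).total_seconds()
    if len(ports) >= 4 and secs <= 60:
        verdict = "portscan"                   # many ports hit in a short burst
    elif len(ports) == 1 and secs >= 3600:
        verdict = "possible misconfiguration"  # one port, retried all day long
    else:
        verdict = "review"                     # not enough evidence either way
    return {"first": first, "last": last, "seconds": secs,
            "ports": sorted(ports), "events": len(recs), "verdict": verdict}

def report():
    """Unified view per source host: the false-alarm decision point of step 1."""
    hosts = unify(parse(FIREWALL_LOG, FW_RE, "fw"), parse(IDS_LOG, IDS_RE, "ids"))
    return {host: summarise(recs) for host, recs in hosts.items()}
```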