Re: what should I do when....

> Philippe,
>     What you are suggesting is a waste of time. Most buisnessea don't
> have time to call their ISP's every time they get scanned. Accept the
> fact that you will get scanned and react to attacks that matter. Time
> is money don't waste it chasing ghosts.
>
> Regards,
>      Adriel T. Desautels
>      Mobile: 617-633-3821
>      Sent from mobile device.
>
> On Jul 7, 2008, at 12:53 PM, "Rivest, Philippe"
> <PRivest@...> wrote:
>
>> This is not a good practice.
>> If you just tolerate brute forcing and scanning you are on the wrong
>> track.
>> Imagine if the network usage would double or triple because of these
>> behavior. When will you start to report this to your ISP? When will
>> you start
>> to pressure them that they have clients that need & WANT a secure
>> service
>> (ISP)?
>>
>> As I stated, you should follow your internal procedure, hardened you
>> device
>> after your investigation (&before also..) and contact your ISP.
>>
>> When you have a contract with your ISP you should have a contact for
>> *emergency*. Contact him or normal enterprise service level and have
>> them
>> take a look at the situation.
>>
>> Not doing anything is just accepting that you can be probe and that's
>> not
>> very wise.
>>
>> **Also note that if the guy whos probing you knows nobody ever
>> contacts the
>> ISP for investigation.. do you really think his gonna do nice and
>> limited
>> (rate) scans? His gonna pop everything he has against you to do a full &
>> extensive & complet scan.
>>
>>
>> Merci / Thanks
>> Philippe Rivest, CEH
>> Vérificateur interne en sécurité de l'information
>> Courriel: Privest@...
>> Téléphone: (514) 331-4417
>> www.transforce.ca
>>
>> Vous pourriez imprimer ce courriel, mais faire pousser un arbre c'est
>> long.
>> You could print this email, but it does takes a long time to grow trees.
>>
>>
>> -----Message d'origine-----
>> De : listbounce@...
>> [mailto:listbounce@...] De la
>> part de Sergio Castro
>> Envoyé : 4 juillet 2008 19:51
>> À : 'Jorge L. Vazquez'; 'security-basics';
>> security-basics-sc.1207759308.halobnafecliebdpegpn-Jlvazquez825=gmail.com@sec
>>
>> urityfocus.com; 'security focus listbounce'
>> Objet : RE: what should I do when....
>>
>> Hi Jorge,
>>
>> My recommendation, other than make sure your public IP systems are
>> properly
>> hardened, is to do nothing. Continuous scans and brute force login
>> attempts
>> are the norm on the Internet. For every ISP that pays attention to your
>> complaints, 10 will ignore you.
>>
>> - Sergio
>>
>> -----Mensaje original-----
>> De: listbounce@...
>> [mailto:listbounce@...] En
>> nombre de Jorge L. Vazquez
>> Enviado el: Jueves, 03 de Julio de 2008 09:05 p.m.
>> Para: security-basics;
>> security-basics-sc.1207759308.halobnafecliebdpegpn-Jlvazquez825=gmail.com@se
>>
>> curityfocus.com; security focus listbounce
>> Asunto: what should I do when....
>>
>> for the last 2 days I've been getting lots of connections attempts on my
>> firewall logs(ipcop firewall), from a specific ip based in Canada,
>> the log
>> is showing a
>> *
>> *
>> NEW not SYN?
>>
>> it seems that someone is trying to initiate a connections, or may be
>> a scan.
>> Although the good thing is that the firewall is detecting them therefore
>> stopping them, I'm getting worried of hacker activity, I've already
>> done ip
>> lookup, and dns whois query both of those point to ip and host in
>> Canada it
>> seems to be a company as I got their public website and also private
>> network.....could anyone advice me what's the proper course of
>> actions in
>> this case?....
>>
>> thanks
>> Jorge L. Vazquez
>> www.pctechtips.org
>>
>>
>>
>> __________ NOD32 3243 (20080704) Information __________
>>
>> This message was checked by NOD32 antivirus system.
>> http://www.eset.com
>>
>>