what should I do when....


what should I do when....

by Jorge L. Vazquez

For the last 2 days I've been getting lots of connection attempts in my
firewall logs (IPCop firewall), from a specific IP based in Canada. The
log is showing:

NEW not SYN?

It seems that someone is trying to initiate connections, or maybe a
scan. Although the good thing is that the firewall is detecting them and
therefore stopping them, I'm getting worried about hacker activity. I've
already done an IP lookup and a DNS whois query; both of those point to an IP
and host in Canada. It seems to be a company, as I got their public
website and also private network..... Could anyone advise me what's the
proper course of action in this case?....

thanks
Jorge L. Vazquez
www.pctechtips.org
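To make the log entry in this post concrete: IPCop logs the "NEW not SYN?" prefix for a TCP segment that matched no existing connection-tracking entry (state NEW) yet did not carry the SYN flag. That happens benignly when a conntrack entry expires or the firewall loses its state table while a peer keeps sending ACKs, and maliciously when someone runs an ACK, FIN, NULL or Xmas style scan. The following is an added example, not code from the post or from IPCop: it parses iptables-format LOG lines of the kind IPCop writes, groups the "NEW not SYN?" hits per source, and separates a port sweep from stale-connection noise. The sample lines are constructed and abbreviated (addresses are RFC 5737 documentation ranges), and the thresholds (five distinct destination ports within 60 seconds counts as scan-like) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, abbreviated sample lines in the iptables LOG format that IPCop
# writes to the kernel log. RFC 5737 addresses: 203.0.113.5 plays the firewall's
# public IP, 198.51.100.23 a probing host, 192.0.2.77 a peer whose conntrack
# entry has expired while it kept talking.
SAMPLE_LOG = """\
Jul  3 22:05:11 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=44321 DPT=21 ACK URGP=0
Jul  3 22:05:11 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=44321 DPT=22 ACK URGP=0
Jul  3 22:05:12 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=44321 DPT=25 ACK URGP=0
Jul  3 22:05:12 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=44321 DPT=80 ACK URGP=0
Jul  3 22:05:13 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=44321 DPT=443 ACK URGP=0
Jul  3 22:05:13 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=44321 DPT=3389 ACK URGP=0
Jul  3 22:07:40 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=192.0.2.77 DST=203.0.113.5 DF PROTO=TCP SPT=50122 DPT=443 ACK PSH URGP=0
Jul  3 22:08:10 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=192.0.2.77 DST=203.0.113.5 DF PROTO=TCP SPT=50122 DPT=443 ACK PSH URGP=0
Jul  3 22:09:02 ipcop kernel: NEW not SYN? IN=eth1 OUT= SRC=192.0.2.77 DST=203.0.113.5 DF PROTO=TCP SPT=50122 DPT=443 ACK PSH URGP=0
Jul  3 22:11:55 ipcop kernel: Default DROP IN=eth1 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=44321 DPT=23 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>.*?) "
    r"IN=(?P<iface>\S*) OUT=\S* (?P<fields>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line, year=2008):
    """Parse one iptables LOG line into a dict, or None if it is not a TCP log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("fields").split():
        if "=" in tok:              # KEY=VALUE pairs such as SRC=, DPT=
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:      # bare flag names printed by the LOG target
            flags.add(tok)
    if fields.get("PROTO") != "TCP":
        return None
    # Syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "prefix": m.group("prefix").strip(),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "spt": int(fields["SPT"]),
        "dpt": int(fields["DPT"]),
        "flags": frozenset(flags),
    }


def classify_sources(lines, scan_ports=5, scan_window_s=60):
    """Group 'NEW not SYN?' hits per source and label the traffic pattern.

    scan_ports / scan_window_s are assumed thresholds: a source touching at
    least scan_ports distinct destination ports within scan_window_s seconds
    is labelled scan-like.
    """
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["prefix"].startswith("NEW not SYN"):
            per_src[rec["src"]].append(rec)

    report = {}
    for src, recs in per_src.items():
        recs.sort(key=lambda r: r["ts"])
        dports = {r["dpt"] for r in recs}
        port_pairs = {(r["spt"], r["dpt"]) for r in recs}
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        flags = set().union(*(r["flags"] for r in recs))
        if len(dports) >= scan_ports and span <= scan_window_s:
            # One source sweeping many ports with non-SYN segments: ACK/FIN-style probing.
            verdict = "scan-like"
        elif len(port_pairs) == 1 and "ACK" in flags:
            # One fixed port pair repeating ACK/PSH segments: a peer continuing a
            # connection whose conntrack entry the firewall has already expired.
            verdict = "stale-connection"
        else:
            verdict = "unclassified"
        report[src] = {
            "hits": len(recs),
            "dports": sorted(dports),
            "span_s": span,
            "flags": sorted(flags),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for src, summary in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(src, summary)
```

Run against the real log (e.g. `classify_sources(open("/var/log/messages"))`) the "unclassified" bucket is where the judgement calls live; the two labelled buckets are the ones you can safely treat as "worth a closer look" and "ignore" respectively.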



RE: what should I do when....

by Rivest, Philippe

What you have done should have been to follow your internal procedure for
this kind of "suspicious activity". If you don't have one, one should be
created and approved.

Anyhow, doing preliminary research is very good and not too time
consuming. Your next step should be to contact:

1- The company that is probing you, and give them the information you have:
what kind of "attack" you have, since when and from where.

2- Advise that company to investigate and remediate the "disturbing
event". Tell them to contact you for info & upon completion.

3- Lastly, if this gets out of hand I would suggest thinking of the ISP level,
as they are also responsible for some level of protection (if this is abusive,
for example).

Anything you do should be documented with evidence of the actions and
recommendations you make & take. This is very important to have, as it shows you
did everything you could with due care and in a timely manner. Keep this
evidence and back it up.

Thanks
Philippe Rivest, CEH
Internal information security auditor
E-mail: Privest@...
Phone: (514) 331-4417
www.transforce.ca

You could print this email, but it does take a long time to grow trees.
 




RE: what should I do when....

by Sergio Castro

Hi Jorge,

My recommendation, other than making sure your public IP systems are properly
hardened, is to do nothing. Continuous scans and brute force login attempts
are the norm on the Internet. For every ISP that pays attention to your
complaints, 10 will ignore you.

- Sergio




RE: what should I do when....

by Rivest, Philippe

This is not a good practice.
If you just tolerate brute forcing and scanning you are on the wrong track.
Imagine if the network usage doubled or tripled because of this
behavior. When will you start to report this to your ISP? When will you start
to pressure them that they have clients that need & WANT a secure service
(ISP)?

As I stated, you should follow your internal procedure, harden your device
after your investigation (& before also..) and contact your ISP.

When you have a contract with your ISP you should have a contact for
*emergency*. Contact him or the normal enterprise service level and have them
take a look at the situation.

Not doing anything is just accepting that you can be probed, and that's not
very wise.

**Also note that if the guy who's probing you knows nobody ever contacts the
ISP for investigation.. do you really think he's gonna do nice and limited
(rate) scans? He's gonna pop everything he has against you to do a full &
extensive & complete scan.


Thanks
Philippe Rivest, CEH



RE: what should I do when....

by Sergio Castro

If your ports are properly stealthed, and you have scanned your systems and
have no vulnerabilities, you have little to fear from scans.

Now, if your ISP pays attention to you and fights for you and does something
about all those scans coming from China, good for you. You have a really
good ISP.

Regards,

Sergio




Re: what should I do when....

by Adriel Desautels

Philippe,
     What you are suggesting is a waste of time. Most businesses don't
have time to call their ISPs every time they get scanned. Accept the
fact that you will get scanned and react to attacks that matter. Time
is money; don't waste it chasing ghosts.

Regards,
      Adriel T. Desautels
      Mobile: 617-633-3821
      Sent from mobile device.


Re: what should I do when....

by Gregory Boyce

This would be good advice in a perfect world.  If you put a system on
the Internet, it will be scanned at least a few times a day.  The more
systems you own, the more scan activity you will see.

After some period of time watching what the usual noise level of
scanning is, report anything unusual that could be either a targeted
attack or perhaps an attempt to exploit a new vulnerability.

Contacting your ISP for every SSH brute force scan on your server with
password auth disabled will likely just waste your time and theirs.


Re: what should I do when....

by Dave Koontz

More to the point... the security of your network is YOUR
responsibility.  Regardless of your internet gateway or provider...
there is no way an ISP can tweak a one-size-fits-all policy, or even
know every single vulnerability any given customer network may have.
Invest in an IPS or other technology, and make sure all systems are
properly patched at all times.




RE: what should I do when....

by Sergio Castro

What Internet cops should I call to defend me from Chinese hackers, Philippe?
Because just last night my 1025 and 1026 ports were getting scanned from a
Chinese IP address.

"Bullet-proofing" your systems is as easy as using a firewall. If you know
what you are doing, you have nothing to fear from port scans and brute force
attacks. The only true danger would be a DDoS, but unless you are a high-profile
website, such an attack is unlikely to happen. If you DO have a high-profile
website, there are precautions you can take against DDoS too.

Jorge, you may want to check out the Internet Storm Center, where you can
see just how common port scans are: http://isc.sans.org/top10.html

Regards,

- Sergio

-----Original Message-----
From: Rivest, Philippe [mailto:PRivest@...]
Sent: Monday, July 7, 2008, 01:16 p.m.
To: Sergio Castro; Jorge L. Vazquez; security-basics
Subject: RE: what should I do when....

Not everyone is BULLET PROOF :)

If your house has metal doors and your windows have a steel frame behind them,
and you see a strange-looking man in a car in front of your house
at 2am with a flashlight, knowing he's been there for 3hrs.

Do you think you should call the cops, or will you estimate that they are
too lazy and just take a chance that you have locked all your doors and
windows?

I do think I would call and take a bat in my hands. Do the same with your
systems! They are your babies after all :)

Thanks
Philippe Rivest, CEH



RE: what should I do when....

by Rivest, Philippe

Ok, I got like a bazillion emails saying "we don't have time to contact the ISP"
or we shouldn't waste time doing so for EVERY attack we get.

I think it's true that you can't follow up on every scan you get. I was
aiming at targeted scans where you see a pattern, where you can think that
there may be some issue. All this should be documented in a procedure that
you should follow on every such event. As I did state in:

>As I stated, you should follow your internal procedure, harden your device
>after your investigation (& before also..) and contact your ISP.

If you see no reason to contact your ISP, please document it and then don't call.
On the other hand, document what the steps are to follow to call your ISP and
what threshold will require that you call them.

Also, please remember that I said to contact them in case of *emergency*. Not
at EVERY POSSIBLE OCCURRENCE YOU CAN FIND.

>When you have a contract with your ISP you should have a contact for
>*emergency*. Contact him or the normal enterprise service level and have them
>take a look at the situation.

Merci / Thanks
Philippe Rivest, CEH
Internal information security auditor
Email: Privest@...
Phone: (514) 331-4417
www.transforce.ca

You could print this email, but it does take a long time to grow trees.


-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On behalf of Rivest, Philippe
Sent: July 7, 2008 13:53
To: Sergio Castro; Jorge L. Vazquez; security-basics;
security-basics-sc.1207759308.halobnafecliebdpegpn-Jlvazquez825=gmail.com@securityfocus.com; security focus listbounce
Subject: RE: what should I do when....

This is not a good practice.
If you just tolerate brute forcing and scanning you are on the wrong track.
Imagine if the network usage would double or triple because of this
behavior. When will you start to report this to your ISP? When will you start
to pressure them that they have clients that need & WANT a secure service
(ISP)?

As I stated, you should follow your internal procedure, harden your device
after your investigation (&before also..) and contact your ISP.

When you have a contract with your ISP you should have a contact for
*emergency*. Contact him or the normal enterprise service level and have them
take a look at the situation.

Not doing anything is just accepting that you can be probed, and that's not
very wise.

**Also note that if the guy who's probing you knows nobody ever contacts the
ISP for investigation... do you really think he's gonna do nice and limited
(rate) scans? He's gonna pop everything he has against you to do a full &
extensive & complete scan.


Merci / Thanks
Philippe Rivest, CEH

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On behalf of Sergio Castro
Sent: July 4, 2008 19:51
To: 'Jorge L. Vazquez'; 'security-basics';
security-basics-sc.1207759308.halobnafecliebdpegpn-Jlvazquez825=gmail.com@securityfocus.com; 'security focus listbounce'
Subject: RE: what should I do when....

Hi Jorge,

My recommendation, other than making sure your public IP systems are properly
hardened, is to do nothing. Continuous scans and brute force login attempts
are the norm on the Internet. For every ISP that pays attention to your
complaints, 10 will ignore you.

- Sergio


Re: what should I do when....

by Adriel Desautels

Hi George,
        My initial reaction to this is that you should block all IP addresses
belonging to that company *if* you do not need to communicate with them
via the internet. My secondary reaction is to tell you not to advertise
what sort of technology you are using in a public forum (this mailing
list). You don't know if the *attacker* is subscribed to this mailing
list or not.

        My professional recommendation for recourse is that you call the
company that *owns* the IP address in question. Let them know that
suspicious activity is sourcing from their IP address(es) to yours and
tell them that you would like it to stop.

        With that said, I'd also recommend that you evaluate the security of
your IT infrastructure. You don't sound too confident that you can
prevent the proverbial hacker from penetrating your infrastructure. I
suggest that you consider installing some HIDS and NIDS technologies
like OSSEC + prelude-ids + snort + prelude-lml (Open Source and effective).


Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

        Join the Netragard, LLC. Linked In Group:
        http://www.linkedin.com/e/gis/48683/0B98E1705142

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know  : http://tinyurl.com/26pjsn


RE: what should I do when....

by Weir, Jason-2

Quote of the day....  

"Bullet-proofing your systems is as easy as using a firewall"

If it was only true....

-Jason

Re: what should I do when....

by Nathaniel Hall-5

I have always done what you have said.  If I notice scans from an IP
(mainly SSH brute force attempts) then I will gather the logs and send
them to the security@ or abuse@ contact that is in the WHOIS.  After 3
scans from IP addresses that are owned by the same company I will block
all traffic to/from their entire IP range.  By that time I have already
given them a sufficient number of attempts to correct the problems.  I
once blocked a large data center that had a lot of customers (from all
around ThePlanet, if you catch my drift).  I ran into a lot of problems
where people needed access to websites that were hosted there or the DNS
was hosted there and the site was somewhere else.  I ended up allowing
DNS and HTTP out, but still disallowed connections from them.  Over
three years and they still can't browse our website. :)

--
Nathan
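Philippe's point about writing down the threshold that triggers a report, and Nathan's rule of blocking a range after repeated scans from the same owner, can be turned into a small triage routine. The following is an added example, not code posted in this thread: it parses constructed IPCop-style "NEW not SYN?" entries, counts hits per source, keeps the evidence lines for an abuse@/security@ report, and applies a documented threshold; the `owner_of` mapping and the `prior_incidents` count are assumptions standing in for a WHOIS lookup and an incident register.

```python
import re
from collections import defaultdict

# Constructed IPCop/iptables-style "NEW not SYN?" entries (sample data, not the poster's logs).
def _line(src, dpt, sec):
    return (f"Jul  3 21:05:{sec:02d} ipcop kernel: NEW not SYN? IN=ppp0 OUT= SRC={src} "
            f"DST=198.51.100.2 LEN=40 PROTO=TCP SPT=443 DPT={dpt} WINDOW=0 RES=0x00 ACK RST URGP=0")

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", 34500 + i, i) for i in range(12)]      # one source sweeping ports
    + [_line("192.0.2.9", 22, 30), _line("192.0.2.9", 22, 31)]   # a couple of stray hits
    + ["Jul  3 21:06:00 ipcop kernel: INPUT-DROP IN=ppp0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP DPT=23"]
)

LOG_RE = re.compile(r"NEW not SYN\? .*?\bSRC=(?P<src>\S+) .*?\bDPT=(?P<dpt>\d+)")

def summarize(log_text):
    """Per source IP: number of NEW-not-SYN hits and the distinct destination ports touched."""
    hits = defaultdict(lambda: {"count": 0, "ports": set()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # other firewall entries are not part of this pattern
        hits[m["src"]]["count"] += 1
        hits[m["src"]]["ports"].add(int(m["dpt"]))
    return dict(hits)

def evidence(log_text, src):
    """The raw lines for one source, to keep on file and attach to an abuse@/security@ report."""
    return [l for l in log_text.splitlines() if LOG_RE.search(l) and f"SRC={src} " in l]

def triage(summary, owner_of, prior_incidents=None, report_threshold=10, block_after=3):
    """Apply the written-down policy: below the threshold just document it; above it,
    report to the owner's abuse contact; after block_after incidents from the same
    owner, block their whole range. owner_of stands in for a WHOIS lookup (constructed)."""
    prior_incidents = prior_incidents or {}
    actions = {}
    for src, h in summary.items():
        owner = owner_of.get(src, src)
        if h["count"] < report_threshold:
            actions[src] = "log-only"
        elif prior_incidents.get(owner, 0) + 1 >= block_after:
            actions[src] = "block-range"
        else:
            actions[src] = "report-abuse"
    return actions
```

Whatever thresholds are chosen, the point is that they live in the procedure and the evidence lines are kept, so the decision to call or not call is documented either way.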


Re: what should I do when....

by Ansgar -59cobalt- Wiechers