RE: What to do if they ignore you
From: David Gillett (gillettdavid@fhda.edu)
Date: Thu Apr 14 2005 - 17:46:45 CDT
Several people have assumed that these "probes" are not "attacks".
I see nothing in your description to warrant this assumption; the
persistence and the fact that the traffic seems to be local to a
particular /16 sounds to me very like one of the worms that spreads
via CIFS (with weak/missing passwords).
I do, however, concur that there is very little you can do about
a network block whose admins ignore legitimate complaints, except
attempt to escalate to their upstream provider. There's a chance
that this is also your customers' upstream provider, and that they
can be motivated to avoid a recommendation that those customers take
their business elsewhere....
Oh, and generally networks shouldn't accept 445/CIFS traffic from
the Internet -- block it and move along.
David Gillett
> -----Original Message-----
> From: Skip Carter [mailto:skip@taygeta.com]
> Sent: Wednesday, April 13, 2005 10:30 AM
> To: incidents@securityfocus.com
> Subject: What to do if they ignore you
>
> Hello,
>
> My company provides outsource security management/monitoring services.
>
> In early March we noticed that several of our clients that are in the
> same /16 block were getting persistent port 445 probes from a couple
> of systems from a very large corporation's satellite office which is
> on the same /16 block.
>
> I have repeatedly called the company's security manager (on the US east
> coast) and talked to people at the company's headquarters (on the US
> west coast). They take my information (I have shown them firewall logs,
> IDS logs, captured packet traces, and honeypot sessions) but nothing is
> done about these probes (typically around 1500/day).
>
> We have black-holed connections from the offending network block, but many
> of our clients are small and do not have firewalls with the resources to
> handle huge lists of blacklisted networks.
>
> It has been over a month now, and nothing has changed. They seem to be
> unable or unwilling to fix their own systems when they have all the
> information they could ask for in order to track the problem down.
>
> Does anybody have any suggestions on what to do to make Goliath behave
> when you are David?
>
> --
> Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
> Taygeta Network Security Services email: skip@taygeta.net
> 1340 Munras Ave., Suite 314 WWW: http://www.taygeta.net/
> Monterey, CA. 93940
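The thread turns on two practical problems: confirming from firewall logs that the port 445 traffic is persistent and local to the clients' own /16 (which is what makes David Gillett read it as a CIFS worm rather than random scanning), and keeping a block list small enough for a client firewall with limited rule capacity. The script below is an added example written for this archive page; it is not code from either poster. It parses constructed iptables-style log lines (the addresses in 10.20.0.0/16 are a stand-in for the unnamed /16 in the thread), counts SYNs to TCP/445 per source, flags sources over a threshold, reports what share of them sit inside the clients' block, and then widens prefix lengths until the offenders fit in a fixed number of rules, rendering those as DROP rules for the 445 port Gillett recommends blocking anyway. The threshold, log format and rule syntax are assumptions for the example, not details from the post.

```python
"""Summarise TCP/445 probe activity from firewall logs and build a compact block list."""
import ipaddress
import re
from collections import Counter

# Constructed iptables-style log lines (not taken from the original post). Both the
# probing hosts and the client hosts sit inside a stand-in /16, 10.20.0.0/16, to
# mirror the situation described in the thread. One unrelated port-80 line is
# included to show that it is ignored.
SAMPLE_LOG = """\
Apr 13 09:01:02 fw kernel: IN=eth0 SRC=10.20.5.17 DST=10.20.40.12 PROTO=TCP DPT=445 SYN
Apr 13 09:01:03 fw kernel: IN=eth0 SRC=10.20.5.17 DST=10.20.40.13 PROTO=TCP DPT=445 SYN
Apr 13 09:01:04 fw kernel: IN=eth0 SRC=10.20.5.17 DST=10.20.40.14 PROTO=TCP DPT=445 SYN
Apr 13 09:01:05 fw kernel: IN=eth0 SRC=10.20.5.18 DST=10.20.40.12 PROTO=TCP DPT=445 SYN
Apr 13 09:01:06 fw kernel: IN=eth0 SRC=10.20.5.18 DST=10.20.40.13 PROTO=TCP DPT=445 SYN
Apr 13 09:01:07 fw kernel: IN=eth0 SRC=10.20.6.200 DST=10.20.40.12 PROTO=TCP DPT=445 SYN
Apr 13 09:02:10 fw kernel: IN=eth0 SRC=198.51.100.9 DST=10.20.40.12 PROTO=TCP DPT=80 SYN
Apr 13 09:02:11 fw kernel: IN=eth0 SRC=10.20.77.3 DST=10.20.40.12 PROTO=TCP DPT=445 SYN
"""

# Field layout assumed for the constructed lines above.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src, dst, proto, dport) for a matching log line, or None otherwise."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dpt"])


def count_probes(log_text, port=445):
    """Count TCP connection attempts to `port`, keyed by source address."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == "TCP" and parsed[3] == port:
            hits[parsed[0]] += 1
    return hits


def persistent_sources(hits, min_hits):
    """Sources at or above the threshold; one-off scans stay out of the block list.

    For a real day of logs the threshold would be far higher (the post mentions
    roughly 1500 probes/day); the sample is tiny, so tests use min_hits=2.
    """
    return sorted((src for src, n in hits.items() if n >= min_hits),
                  key=ipaddress.ip_address)


def fraction_inside(sources, network):
    """Share of sources that fall inside `network`, e.g. the clients' own /16.

    A value near 1.0 supports the 'local worm' reading in the reply.
    """
    if not sources:
        return 0.0
    net = ipaddress.ip_network(network)
    inside = sum(ipaddress.ip_address(s) in net for s in sources)
    return inside / len(sources)


def compact_block_list(sources, max_rules):
    """Widen the prefix length until the sources fit in at most `max_rules` networks.

    Trades precision for rule count so the list fits a small firewall. At each
    prefix length the candidate networks are collapsed so adjacent ones merge.
    """
    addrs = [ipaddress.ip_address(s) for s in sources]
    for prefix in range(32, -1, -1):
        nets = {ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addrs}
        collapsed = list(ipaddress.collapse_addresses(nets))
        if len(collapsed) <= max_rules:
            return [str(n) for n in collapsed]
    return ["0.0.0.0/0"]  # not reached: a /0 always collapses to a single rule


def iptables_rules(networks, port=445):
    """Render DROP rules for the given source networks (iptables-save style)."""
    return [f"-A INPUT -s {n} -p tcp --dport {port} -j DROP" for n in networks]


if __name__ == "__main__":
    hits = count_probes(SAMPLE_LOG)
    offenders = persistent_sources(hits, min_hits=2)
    print("probes per source:", dict(hits))
    print("persistent sources:", offenders)
    print("share inside 10.20.0.0/16:", fraction_inside(list(hits), "10.20.0.0/16"))
    for rule in iptables_rules(compact_block_list(list(hits), max_rules=2)):
        print(rule)
```

Run against a real day of logs, `fraction_inside` is the quick check for the "traffic is local to the /16" observation, and `compact_block_list` gives a client with room for only a handful of rules something it can actually load, at the cost of also dropping 445 from the innocent neighbours of the infected hosts; since inbound 445 from outside the site should be dropped regardless, that cost is usually acceptable.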