Re: How do you fight an attack in progress?
Michele Mullins Jordan - Commercial SE-Sun-McLean VA (Michele.Jordan
East.Sun.COM)
Fri, 19 Sep 1997 15:03:02 -0400 (EDT)
mjr said:
> These days I consider myself to be under attack when 2 things occur:
> 1) there is some kind of potential attack analysis (a scan of some
> sort, or other fact-gathering)
> 2) a follow-up is launched based on the previous fact-gathering.
>
When I was at Sprint doing X.25 traffic analysis for potential fraud, this
was exactly our definition. If we saw an address range scan, we then watched
the source address to see if they attempted to do anything to the hosts they
found. If so, we called the customer. No point in calling them to say that
someone may have identified their host existed, but we haven't seen any further
activity. Only started the whole "stop delivering those call connection
requests!" debate.
-Michele
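
The two-stage rule discussed in this message (an address-range scan, then a follow-up against a host the scan found) can be written as a small correlation routine. This is an added example, not part of the original post: the event format `(time, source, destination, accepted)`, the window and threshold values, and all addresses are constructed assumptions.

```python
from collections import defaultdict, deque

SCAN_WINDOW = 60     # seconds; assumed value
SCAN_THRESHOLD = 5   # distinct destinations inside the window; assumed value

def correlate(events):
    """Return (scanners, alerts) for (time, src, dst, accepted) connection records.

    A source becomes a scanner once it contacts SCAN_THRESHOLD distinct
    destinations within SCAN_WINDOW seconds. An alert is raised only when a
    scanner comes back to a destination that answered one of its earlier calls.
    """
    recent = defaultdict(deque)   # src -> (time, dst) pairs still inside the window
    answered = defaultdict(set)   # src -> destinations that accepted a call from src
    scanners, alerts = set(), []
    for t, src, dst, accepted in sorted(events):
        # Stage 2: return visit by a known scanner to a host it discovered.
        if src in scanners and dst in answered[src]:
            alerts.append((t, src, dst))
        # Stage 1: sliding-window count of distinct destinations per source.
        window = recent[src]
        window.append((t, dst))
        while t - window[0][0] > SCAN_WINDOW:
            window.popleft()
        if len({d for _, d in window}) >= SCAN_THRESHOLD:
            scanners.add(src)
        if accepted:
            answered[src].add(dst)
    return scanners, alerts

# Constructed sample records, not real traffic.
SAMPLE = (
    # src-A sweeps six addresses, two answer, and it later returns to one of them.
    [(t, "src-A", f"host-10{t}", t in (2, 4)) for t in range(6)]
    + [(300, "src-A", "host-102", True)]
    # src-B sweeps six addresses, one answers, and it never comes back.
    + [(t, "src-B", f"host-20{t - 20}", t == 21) for t in range(20, 26)]
    # src-C is an ordinary user calling the same host repeatedly.
    + [(t, "src-C", "host-300", True) for t in (10, 400, 900)]
)

if __name__ == "__main__":
    found_scanners, found_alerts = correlate(SAMPLE)
    print("scanners:", sorted(found_scanners))
    for when, src, dst in found_alerts:
        print(f"notify owner of {dst}: follow-up from {src} at t={when}")
```

Only `src-A` produces a notification; `src-B` is recorded as a scanner but stays below the line at which the customer would be called.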
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:58 CDT