[Snort-users] I'm being attacked, now what?
Sheahan, Paul (PCLN-NW)
Paul.Sheahan at ...2218...
Sat Jun 16 02:53:49 EDT 2001
Thanks to all for their input on this. I have obtained some great
information on this subject now!
I have seen mention of a script several times now that allows us IDS guys to
automatically lookup the email of the technical contact of an ISP when a
large attack occurs and send out an automated email. Can anyone post an
example of such a script? It would be nice to be able to automatically email
info to an ISP when an attack/probe occurs on a large scale. It is very time
consuming to send out manual emails to a dozen ISPs everyday!
From: Tremaine Lea
To: Bob Staaf; Sheahan, Paul (PCLN-NW); Snort-users at lists.sourceforge.net
Sent: 6/16/01 2:02 AM
Subject: Re: [Snort-users] I'm being attacked, now what?
I think I might be able to shed some unique insight into this one,
have to say Bob has the right of it.
I work in the AUP department of one of the larger ISPs in North America.
Ideally what we like to see is a time/date stamped log that shows the
attacking IP address, along with source and destination port. Big
don't submit multiple IP's in one complaint. It makes our job harder.
if you really want to win our attention, have a short description of the
problem in the subject. Yours may not be the only attack to be
regarding that IP, and we love it when we can group them <g>
ie Subject : IP address/ tcp portscan
Or something along those lines. Oh yeah, and don't swear at us. We
eventually have to contact the 'offender' and we take enough abuse from
A great many of the complaints we receive turn out to be as a result of
compromised machine being used as a zombie. So please don't assume that
IP attacking you is the genuine source of the attack. At the very least
are helping secure one more machine on the internet, thereby closing it
to a hacker or s'kiddie.
About the only other thing I can suggest is do a bit of research before
submit the info to us. You can't imagine how frustrating it is to
blistering letter from someone demanding we 'take down and eliminate' a
because they had the audacity to ping someone's machine... once. Weigh
severity of the attack and report accordingly. A couple of 'icmp
unreachables' do not an attack make ;)
On Friday 15 June 2001 17:00, Bob Staaf wrote:
> The technical contact should but good and most ISPs have an email
> address similar to abuse at ...558... or webmaster at ...558... or visit
> ISP website and check to see how to report network abuse, most have
> info on their site. I usually attach the corresponding parts of the
> with my IP anonymousified so they can see the details of the attack.
> ----- Original Message -----
> From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan at ...2218...>
> To: "'Bob Staaf '" <rstaaf at ...1457...>; "Sheahan, Paul (PCLN-NW)"
> <Paul.Sheahan at ...2218...>; <Snort-users at lists.sourceforge.net>
> Sent: Friday, June 15, 2001 6:47 PM
> Subject: RE: [Snort-users] I'm being attacked, now what?
> > I agree with you Bob....I have a LOT of other things I need to be
> > rather than whining to ISPs all day. Typically, where are complaints
> > sent, to the technical contact who owns the address space or
> > "security at ...2295..."
> > something similar? Would it be a good idea to include sniffer traces
> > the complaint? What info is best to send over?
> > Thanks again!
> > -----Original Message-----
> > From: Bob Staaf
> > To: Sheahan, Paul (PCLN-NW); Snort-users at lists.sourceforge.net
> > Sent: 6/15/01 4:05 PM
> > Subject: Re: [Snort-users] I'm being attacked, now what?
> > Paul,
> > I started out in the beginning whining to every ISP I could
> > down.
> > You would have to hire a person full time do that if that is what
> > wanted
> > to do. I typically whine if they scan more than a 3 or 4 ports on
> > one
> > server at once. I also whine if they do certain types of scans that
> > typical script kiddie wouldn't be running. You might also want to
> > complain
> > if you see the same IP hitting your server day after day after day
> > if
> > they only do one scan once a day, they may be trying to be
> > inconspicuous,
> > hoping you will miss them. Just some of the things to think about.
> > might want to look at something to help manage the logs like Acid or
> > some
> > other product, it will make the job much easier to spot trends.
> > You know your management better than anyone but, the BEST
> > measure you can take is knowing what is going on with your network
> > keeping a close eye on the logs is one of the best ways to do that.
> > Hope this helps
> > Bob Staaf
> > Southern Web Services
> > Orlando, Fl
> > ----- Original Message -----
> > From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan at ...2218...>
> > To: <Snort-users at lists.sourceforge.net>
> > Sent: Friday, June 15, 2001 3:12 PM
> > Subject: [Snort-users] I'm being attacked, now what?
> > > I wanted to get some feedback from others out there on how they
> > > attacks, whether successful or unsuccessful. I see what appears to
> > valid
> > > attacks in small numbers from random machines. Occasionally, I see
> > tons of
> > > different attacks coming from ONE machine. Though all attacks are
> > > unsuccessful, when does someone scream to the ISP to tell them to
> > their
> > > client, and when does one just ignore it?
> > >
> > > It would obviously be VERY time consuming (and a waste of time) to
> > send
> > > complaints to every ISP. What do people recommend out
> > only
> > > send a complaint when attacks from one node become ridiculously
> > or
> > if
> > > they successfully break in?
> > >
> > > The logs are nice to have, but I know management will ask what are
> > doing
> > > about the attacks we are seeing and what is the time you are
> > > maintaining the IDS server doing for the company?
> > >
> > > Thanks
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
Doing things the hard way. Every time.
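Paul asks for a script that turns a burst of alerts into an abuse report, and the replies above spell out both halves of the job: Bob's rule of thumb for when a source is worth reporting (several ports probed on one server at once, or the same address coming back day after day), and Tremaine's description of what the AUP desk actually wants (one IP per complaint, a short subject such as "IP address/ tcp portscan", and a time-stamped log showing source and destination ports, with your own addresses masked as Bob does). The following Python script is an added example, not code from anyone in this thread; it implements that triage and report-building step over a few constructed Snort-style "fast" alert lines. The thresholds `PORTS_PER_HOST` and `REPEAT_DAYS` are my reading of Bob's numbers, `SAMPLE_ALERTS` and the `example.org` reporter address are made up, and `abuse_contact()` is a stand-in for the WHOIS lookup a real deployment would perform; nothing is actually sent.

```python
"""Triage Snort-style alerts into one abuse report per offending source.

Added example for the snort-users thread, not code from the list.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from email.message import EmailMessage
from typing import Dict, List, Optional

# Thresholds taken from Bob Staaf's rule of thumb in the thread (assumed values).
PORTS_PER_HOST = 4   # "more than a 3 or 4 ports on one server at once"
REPEAT_DAYS = 3      # "the same IP hitting your server day after day after day"
REPORTER = "ids-admin@example.org"   # placeholder From: address

# Constructed sample alerts in Snort's "fast" alert layout:
#   MM/DD-HH:MM:SS.ffffff [**] [gid:sid:rev] msg [**] {proto} src:sport -> dst:dport
SAMPLE_ALERTS = """\
06/14-22:15:01.112233 [**] [1:100:1] PORTSCAN probe [**] {TCP} 10.9.8.7:40111 -> 192.0.2.10:21
06/14-22:15:01.223344 [**] [1:100:1] PORTSCAN probe [**] {TCP} 10.9.8.7:40112 -> 192.0.2.10:22
06/14-22:15:01.334455 [**] [1:100:1] PORTSCAN probe [**] {TCP} 10.9.8.7:40113 -> 192.0.2.10:23
06/14-22:15:01.445566 [**] [1:100:1] PORTSCAN probe [**] {TCP} 10.9.8.7:40114 -> 192.0.2.10:25
06/14-22:15:01.556677 [**] [1:100:1] PORTSCAN probe [**] {TCP} 10.9.8.7:40115 -> 192.0.2.10:80
06/13-03:00:10.000001 [**] [1:200:2] WEB-IIS probe [**] {TCP} 198.51.100.5:51000 -> 192.0.2.10:80
06/14-03:00:12.000001 [**] [1:200:2] WEB-IIS probe [**] {TCP} 198.51.100.5:51002 -> 192.0.2.10:80
06/15-03:00:11.000001 [**] [1:200:2] WEB-IIS probe [**] {TCP} 198.51.100.5:51004 -> 192.0.2.10:80
06/15-09:12:44.000001 [**] [1:384:4] ICMP PING [**] {ICMP} 203.0.113.9 -> 192.0.2.10
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class Event:
    ts: str            # Snort fast timestamps carry no year, so keep the raw string
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    msg: str

    @property
    def day(self) -> str:
        return self.ts[:5]   # "MM/DD"


def parse_alerts(text: str) -> List[Event]:
    """Parse fast-format alert lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        events.append(Event(
            ts=m["ts"], proto=m["proto"], src=m["src"],
            sport=int(m["sport"]) if m["sport"] else None,
            dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
            msg=m["msg"]))
    return events


def group_by_source(events: List[Event]) -> Dict[str, List[Event]]:
    """One complaint per source address, as the AUP desk asks."""
    groups = defaultdict(list)
    for e in events:
        groups[e.src].append(e)
    return dict(groups)


def report_reason(events: List[Event]) -> Optional[str]:
    """Short subject tag if this source is worth a complaint, else None."""
    ports_per_day_host = defaultdict(set)
    for e in events:
        if e.dport is not None:
            ports_per_day_host[(e.day, e.dst)].add(e.dport)
    if any(len(p) >= PORTS_PER_HOST for p in ports_per_day_host.values()):
        protos = "/".join(sorted({e.proto.lower() for e in events}))
        return f"{protos} portscan"
    days = {e.day for e in events}
    if len(days) >= REPEAT_DAYS:
        return f"repeated probes on {len(days)} days"
    return None   # a lone ping or a couple of probes does not an attack make


def abuse_contact(ip: str) -> str:
    """Placeholder for the WHOIS/abuse-contact lookup; .invalid is a reserved TLD."""
    return f"abuse@placeholder-isp-for-{ip}.invalid"


def build_report(src: str, events: List[Event], hide_targets: bool = True) -> EmailMessage:
    """Build (but do not send) a complaint with time-stamped src/dst port lines."""
    msg = EmailMessage()
    msg["From"] = REPORTER
    msg["To"] = abuse_contact(src)
    msg["Subject"] = f"{src}/ {report_reason(events)}"
    lines = [f"Log excerpt for {src} (one source address per complaint):", ""]
    for e in sorted(events, key=lambda e: e.ts):
        dst = "x.x.x.x" if hide_targets else e.dst      # mask our own address
        sport = f":{e.sport}" if e.sport is not None else ""
        dport = f":{e.dport}" if e.dport is not None else ""
        lines.append(f"{e.ts} {e.proto} {e.src}{sport} -> {dst}{dport}  {e.msg}")
    msg.set_content("\n".join(lines) + "\n")
    return msg


def triage(alert_text: str) -> Dict[str, EmailMessage]:
    """Return a report for every source that crosses a reporting threshold."""
    return {src: build_report(src, evs)
            for src, evs in group_by_source(parse_alerts(alert_text)).items()
            if report_reason(evs) is not None}


if __name__ == "__main__":
    for report in triage(SAMPLE_ALERTS).values():
        print(report)
```

On the constructed sample, the five-port probe of one host and the source that returns on three consecutive days each produce a report, while the single ICMP ping is dropped, which matches the advice in the thread to weigh severity before writing to an abuse desk.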