Foreign Attacks (was Re: [Snort-users] Firing off Abuse email based on Snort Traffic)
bmcdowell at ...7861...
bmcdowell at ...7861...
Fri May 30 06:57:09 EDT 2003
I too have noticed that most of the high-scoring offenders appear to be
Asian. (Of course, there's no way to know that those Asian haven't been
somehow hijacked, but that's another topic...) Since my firm provides a
mostly-domestic product, I wonder if it wouldn't be best just to black
hole that whole continent. Or, for that matter, everything but North
America. It seems extreme, but since it shouldn't necessarily cost me
any business, I haven't totally dismissed it yet.
As I see it, there is no good reason to pursue (on your own) an attack
from outside your native land. I have never imagined myself working
hand-in-hand with, say, Korean law enforcement to track down a hacker.
Has anyone else on the list had any positive experiences with foreign
law enforcement? Does anyone take a different stance toward foreign
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Skip Carter
Sent: Thursday, May 29, 2003 8:45 PM
To: Matt Howell
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Firing off Abuse email based on Snort Traffic
> How do other administrators handle genuine attacks and Portscans from
> International sources?
Persistant portscans we generally respond to by black holing the
or network at the border routers or firewalls. Other attacks tend to
more attention; it helps if you can engage the assistance of security
admins from other Internet locations (we once got the assistance of
US Air Force when one of our investigations and theirs inadvertently
paths; they were a great help in shutting down some Korean attacks!).
BTW: is anybody else seeing slow scans (3 or 4 addresses per day)
coming from Cuba ?
Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc. INTERNET: skip at ...1552...
1340 Munras Ave., Suite 314 WWW: http://www.taygeta.com
Monterey, CA. 93940
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
Confidentiality Notice: This e-mail message (including any attachments) may contain confidential and privileged information, and is for the sole use of the intended recipient(s). Any unauthorized review, use, disclosure or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender by replying to this e-mail message, permanently deleting the original message and destroying any hard copies of the original message that may have been created.
More information about the Snort-users