[Dshield] Crossing the Line (was: SQLSnake)
jullrich at sans.org
Wed Jul 10 20:05:53 GMT 2002
I think this is a worthwhile topic to discuss: How far can you
go fighting back against internet attacks. Here are my own (non

(1) 'random scans'
things like nimda, code red, sqlsnake and such. Probably should
be handled with as little effort as possible. LaBrea is a great
tool to do this (with DShield reporting of course). To some extent,
it is important to be able to ignore some of these probes to
see the 'real stuff'.

(2) 'targeted scans'
somebody is probing you hard... nessus scan, full nmap and such.
These are the people you want to 'catch'. The best reaction is
probably to drop all traffic to/from these machines at your
perimeter. If the ISP is in the same country as you, maybe
give them a call. Otherwise send a detailed email.

Overall, my personal rule of thumb for network ethics is:
Don't initiate a connection. But you are free to respond (or not to
respond) to an incoming connection with any TCP/IP header you wish.
Don't send any actual payload data in the response.

Some things you should not do:
- 'scan back'
usually considered a bad idea. While you are unlikely to get
arrested for running a quick nmap scan against the source of the
probe, you should consider that (a) the source is probably just
a proxy/zombie (b) scanning back, you provide more information to
- 'hack back'
never ever try to break into a system without clear written

Things you should do:
- capture traffic
collect as much evidence as possible to find out what the
intruder is after. Try to understand if they know about any
vulnerabilities you don't know. A honeypot is optional, but can

Some things that probably won't help:
- law enforcement
will only do good if the intrusion attempt succeeds.
But there have been some convictions now for aggressive port scanning.
- contact your own ISP
unless this turns into a DOS attack, there is little your own ISP
will and can do to help you. If you own a larger network chunk, they
may blackhole the source of the attack. But don't count on it for a single
IP home / small business connection.
jullrich at sans.org Collaborative Intrusion Detection
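As an added illustration of the two scan categories the post distinguishes (example code written for this archive page, not from the original post, from DShield or from LaBrea): a small Python script that parses constructed firewall log lines, labels each source 'random' (only hits on worm-noise ports, 1433/tcp for SQLSnake and 80/tcp for Code Red/Nimda) or 'targeted' (many distinct ports, the nmap/nessus pattern), and emits perimeter drop rules only for the targeted sources, which is the response the post recommends. The log line format, the distinct-port threshold and the iptables rule shape are assumptions made for the example.

```python
"""Sort scan sources into 'random' worm noise and 'targeted' probes.

Added example for the DShield list post; not the post's own code.
The log format, thresholds and rule shape below are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log lines (not real traffic). Assumed format:
#   "<time> <src_ip> -> <dst_port>/<proto>"
# 192.0.2.10 repeats an SQLSnake-style probe (1433/tcp), 198.51.100.7 a
# Code Red/Nimda-style probe (80/tcp), 203.0.113.44 walks a dozen ports.
SAMPLE_LOG = "\n".join(
    ["2002-07-10T19:55:0%dZ 192.0.2.10 -> 1433/tcp" % i for i in range(1, 4)]
    + ["2002-07-10T19:56:1%dZ 198.51.100.7 -> 80/tcp" % i for i in range(2)]
    + ["2002-07-10T19:57:%02dZ 203.0.113.44 -> %d/tcp" % (i, p)
       for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 443, 1433])]
    + ["garbage line that does not parse"]
)

LINE_RE = re.compile(
    r"^\S+\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+(?P<port>\d+)/(?P<proto>tcp|udp)$"
)

# Ports hammered by the mass-scanning worms named in the post.
WORM_NOISE_PORTS = {1433: "sqlsnake", 80: "code red / nimda"}

# Distinct-port count at which a source looks like a deliberate probe
# (nmap/nessus style) rather than a single-service worm. Chosen for the example.
TARGETED_PORT_THRESHOLD = 8


def parse_log(text: str) -> Dict[str, List[int]]:
    """Return {src_ip: [dst ports hit, ...]}, silently skipping unparsable lines."""
    hits: Dict[str, List[int]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hits[m.group("src")].append(int(m.group("port")))
    return dict(hits)


def classify(hits_by_src: Dict[str, List[int]]) -> Dict[str, Tuple[str, int, int]]:
    """Map each source to (label, total_hits, distinct_ports).

    label is 'targeted' (many distinct ports), 'random' (only worm-noise
    ports, safe to ignore or tarpit) or 'unclassified' (needs a human look).
    """
    result = {}
    for src, ports in hits_by_src.items():
        distinct = set(ports)
        if len(distinct) >= TARGETED_PORT_THRESHOLD:
            label = "targeted"
        elif distinct.issubset(WORM_NOISE_PORTS):
            label = "random"
        else:
            label = "unclassified"
        result[src] = (label, len(ports), len(distinct))
    return result


def perimeter_drop_rules(classes: Dict[str, Tuple[str, int, int]]) -> List[str]:
    """Drop all traffic to/from targeted sources only, as the post advises.

    Rule shape is plain iptables; substitute your own perimeter syntax."""
    return sorted(
        rule
        for src, (label, _, _) in classes.items()
        if label == "targeted"
        for rule in (f"iptables -A INPUT -s {src} -j DROP",
                     f"iptables -A OUTPUT -d {src} -j DROP")
    )


if __name__ == "__main__":
    classes = classify(parse_log(SAMPLE_LOG))
    for src, (label, total, distinct) in sorted(classes.items()):
        print(f"{src:15} {label:12} hits={total:3} distinct_ports={distinct}")
    for rule in perimeter_drop_rules(classes):
        print(rule)
```

The 'random' bucket is what the post suggests handling with minimal effort (tarpit or ignore, report to DShield); only the 'targeted' bucket earns a drop rule and a call or mail to the source's ISP, and the 'unclassified' bucket is there so a source that hits a few non-worm ports is looked at rather than silently ignored.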