[Dshield] Crossing the Line (was: SQLSnake)

Johannes Ullrich jullrich at sans.org
Wed Jul 10 20:05:53 GMT 2002

I think this is a worthwhile topic to discuss: How far can you
go fighting back against internet attacks? Here is my own (non
lawyer) opinion:

(1) 'random scans'

things like nimda, code red, sqlsnake and such. Probably should
be handled with as little effort as possible. LaBrea is a great
tool to do this (with DShield reporting of course). To some extent,
it is important to be able to ignore some of these probes to
see the 'real stuff'.

(2) 'targeted scans'

somebody is probing you hard... nessus scan, full nmap and such.
These are the people you want to 'catch'. The best reaction is
probably to drop all traffic to/from these machines at your
perimeter. If the ISP is in the same country as you, maybe 
give them a call. Otherwise send a detailed email.

Overall, my personal rule of thumb for network ethics is:
Don't initiate a connection. But you are free to respond (or not to
respond) to an incoming connection with any TCP/IP header you wish.
Don't send any actual payload data in the response.

Some things you should not do:

- 'scan back'
  usually considered a bad idea. While you are unlikely to get
arrested for running a quick nmap scan against the source of the
probe, you should consider that (a) the source is probably just
a proxy/zombie (b) scanning back, you provide more information to
the attacker.

- 'hack back'
  never ever try to break into a system without clear written

Things you should do:

- capture traffic
  collect as much evidence as possible to find out what the 
intruder is after. Try to understand if they know about any
vulnerabilities you don't know. A honeypot is optional, but can
be helpful.

Some things that probably won't help:

- law enforcement
  will only do good if the intrusion attempt succeeds.
But there have been some convictions now for aggressive port scanning.

- contact your own ISP
  unless this turns into a DOS attack, there is little your own ISP
will and can do to help you. If you own a larger network chunk, they
may blackhole the source of the attack. But don't count on it for a single
IP home / small business connection.

jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org
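The post splits probes into 'random scans' (worm noise, tarpit and ignore) and 'targeted scans' (someone walking your ports, worth catching and reporting). The script below is an added example of that triage over firewall logs; it is not code from the author or from DShield. The log format, the two thresholds, the addresses and every sample line are constructed for the illustration: a port hit by many unrelated sources is treated as background noise, a single source hitting many of your ports is flagged as targeted, and for a flagged source it collects the facts you would put in the detailed email the post suggests.

```python
"""Separate background worm noise from a targeted scan in firewall logs.

Added example for the two categories in the post above (random scans vs.
targeted scans); it is not code from the author or from DShield. The log
format, the thresholds and the sample lines are all constructed here.
"""
from collections import defaultdict

# Constructed sample log: "date time src dst dport proto", one hit per line.
# Six unrelated sources all hit 1433/tcp (worm-style noise), one source
# walks a dozen ports on the same host (nmap-style targeted scan), and one
# source touches 80/tcp a single time.
SAMPLE_LOG = """\
2002-07-10 20:01:02 198.51.100.7 203.0.113.10 1433 tcp
2002-07-10 20:01:05 198.51.100.8 203.0.113.10 1433 tcp
2002-07-10 20:01:09 198.51.100.9 203.0.113.10 1433 tcp
2002-07-10 20:01:14 198.51.100.10 203.0.113.10 1433 tcp
2002-07-10 20:01:20 198.51.100.11 203.0.113.10 1433 tcp
2002-07-10 20:01:31 198.51.100.12 203.0.113.10 1433 tcp
2002-07-10 20:02:00 192.0.2.99 203.0.113.10 21 tcp
2002-07-10 20:02:00 192.0.2.99 203.0.113.10 22 tcp
2002-07-10 20:02:00 192.0.2.99 203.0.113.10 23 tcp
2002-07-10 20:02:01 192.0.2.99 203.0.113.10 25 tcp
2002-07-10 20:02:01 192.0.2.99 203.0.113.10 53 tcp
2002-07-10 20:02:01 192.0.2.99 203.0.113.10 80 tcp
2002-07-10 20:02:02 192.0.2.99 203.0.113.10 110 tcp
2002-07-10 20:02:02 192.0.2.99 203.0.113.10 135 tcp
2002-07-10 20:02:02 192.0.2.99 203.0.113.10 139 tcp
2002-07-10 20:02:03 192.0.2.99 203.0.113.10 443 tcp
2002-07-10 20:02:03 192.0.2.99 203.0.113.10 445 tcp
2002-07-10 20:02:04 192.0.2.99 203.0.113.10 1433 tcp
2002-07-10 20:03:15 198.51.100.50 203.0.113.10 80 tcp
"""

# Assumed thresholds; tune them to your own traffic volume.
TARGETED_PORT_THRESHOLD = 10   # distinct ports one source probes on you
NOISE_SOURCE_THRESHOLD = 5     # distinct sources probing the same port


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, dport, proto)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, dst, dport, proto = line.split()
        records.append((f"{date} {time}", src, dst, int(dport), proto))
    return records


def classify_sources(records):
    """Return {src: label} with label in {"targeted", "noise", "unclassified"}."""
    ports_by_src = defaultdict(set)
    srcs_by_port = defaultdict(set)
    for _ts, src, _dst, dport, proto in records:
        ports_by_src[src].add((dport, proto))
        srcs_by_port[(dport, proto)].add(src)
    # A port that many unrelated sources hit is worm/background noise.
    noise_ports = {p for p, srcs in srcs_by_port.items()
                   if len(srcs) >= NOISE_SOURCE_THRESHOLD}
    labels = {}
    for src, ports in ports_by_src.items():
        if len(ports) >= TARGETED_PORT_THRESHOLD:
            labels[src] = "targeted"       # category (2): worth catching
        elif ports <= noise_ports:
            labels[src] = "noise"          # category (1): tarpit and ignore
        else:
            labels[src] = "unclassified"   # too little data to say
    return labels


def incident_summary(records, src):
    """Facts you would put in the abuse mail for one targeted source."""
    hits = [r for r in records if r[1] == src]
    ports = sorted({(p, proto) for _, _, _, p, proto in hits})
    return {
        "source": src,
        "first_seen": min(r[0] for r in hits),
        "last_seen": max(r[0] for r in hits),
        "hit_count": len(hits),
        "ports": [f"{p}/{proto}" for p, proto in ports],
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, label in sorted(classify_sources(recs).items()):
        print(f"{src:16} {label}")
    print(incident_summary(recs, "192.0.2.99"))
```

The noise test is deliberately a subset check: a source is only written off as background if every port it touched is one that the crowd is also hitting, so a scanner that hides a few real probes among worm traffic still stands out once it crosses the port threshold.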