TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Thanks for your insight and response.

We already have an Internet and Email security policy, but we have yet to draft an Intrusion Detection/Response policy. For now, what I do is investigate the probes, where they are coming from. But one can't guarantee that the source IP address is spoofed. I use NSLOOKUP and other means to find out where the source IP address is coming from and then I fire up an email detailing the incident, time, and date. Most of the time though, the security admin on the other side doesn't even know that their system was compromised and that they are being used as a launching pad for attacking other systems on the net.

Jaime
Solano County
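The triage routine Jaime describes (group the UDP probes by source, do the nslookup step, then draft the notification with incident times and dates), written out as an added example; this is not code from either poster. The log format, addresses and threshold are constructed for illustration, and the reverse lookup is a separate function because it needs the network.

```python
# Added example (not the forum posters' code): triage UDP probes from a
# firewall log. The log format below is constructed; adapt parse_line().
import re
import socket
from collections import defaultdict

# Constructed sample lines: timestamp action proto src:port -> dst:port
SAMPLE_LOG = """\
2000-04-04 09:12:01 DROP UDP 198.51.100.7:41022 -> 203.0.113.5:53
2000-04-04 09:12:01 DROP UDP 198.51.100.7:41023 -> 203.0.113.5:111
2000-04-04 09:12:02 DROP UDP 198.51.100.7:41024 -> 203.0.113.5:161
2000-04-04 09:12:02 DROP UDP 198.51.100.7:41025 -> 203.0.113.5:69
2000-04-04 09:12:03 DROP UDP 198.51.100.7:41026 -> 203.0.113.5:514
2000-04-04 10:30:44 DROP UDP 192.0.2.9:5555 -> 203.0.113.5:53
2000-04-04 10:31:10 DROP TCP 192.0.2.9:5556 -> 203.0.113.5:80
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def udp_scanners(log_text, min_ports=5):
    """Group UDP packets by source; a source hitting at least min_ports
    distinct destination ports is reported as a probable scan."""
    ports, times = defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP":
            ports[rec["src"]].add(int(rec["dport"]))
            times[rec["src"]].append(rec["ts"])
    return {src: {"ports": sorted(p), "first": min(times[src]), "last": max(times[src])}
            for src, p in ports.items() if len(p) >= min_ports}

def reverse_dns(ip):
    """The nslookup step; needs the network, so a failed lookup is tolerated."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return "(no PTR record)"

def notification(src, info, hostname):
    """Draft the e-mail to the remote admin. UDP source addresses are easily
    forged, so it reports what was seen, not a proven origin."""
    return (f"Incident: UDP port scan observed from {src} ({hostname})\n"
            f"Window: {info['first']} to {info['last']}\n"
            f"Destination ports: {', '.join(map(str, info['ports']))}\n"
            "Note: source address is from packet headers and may be forged.")
```

With the sample above, only 198.51.100.7 crosses the five-port threshold; 192.0.2.9 sent a single UDP packet and its TCP line is ignored.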
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 13, 2000 7:56 AM
To: [EMAIL PROTECTED]
Subject: RE: UDP Port Scan
Depends on the organization and policies in place, if any.

Normally in most organizations of size there are already predetermined procedures (or should be) based on a general security policy which may or may not activate an Incident Response Team (IRT). In some of those organizations the IRT is closely aligned with a Disaster Recovery Team, since both have almost the same goal.

Most probes and scans are relatively harmless in nature; however, those folks with firewall systems, depending on the firewall type, can usually use the strikeback capability to have the system automatically look up certain information on the source (depending on the firewall type). Sidewinder Firewall systems offer this capability.

If you don't have that capability or a firewall, then it's a case of using the tools that you have: nslookup, whois, and the ARIN web site. Neither case is a guarantee that the address hasn't been spoofed or that the owner of the IP address is aware that the system has been abused like in the latest DoS attacks.

You can find more info on the SANS website regarding the ideal duties and responsibilities of an IRT, and they have a guide available for purchase. I highly recommend that, depending on the size of your organization, you put procedures in place to determine how to respond to certain types of attacks, probes or whatever. You will also be amazed at the number of large organizations that only have line-of-sight objectives, which sounds like where you are.

Check out the www.goCSI.com and SANS websites for more info and a wealth of sources. Hope this helps!

Lee Fisher
------------------( Forwarded letter 1 follows )---------------------
Date: Tue, 4 Apr 2000 09:56:35 -0700
To: ISSForum.E-mail[issforum]@iss.net.inet
From: Jaime.C.Fontelera[jfontelera]@SOLANOCOUNTY.COM.inet
Sender: [EMAIL PROTECTED]
Subject: UDP Port Scan
I get UDP port scans on my firewall at least 5 times a day. How does one respond to a probe?
Any suggestions?

Thanks,
Jaime