Topic: Abuse proceed?
Andrew Waite
« on: April 16, 2009, 06:14:28 AM »

Hi All,

I was looking for a bit of advice regarding abuse reports:

How regularly do you/should you contact third parties to inform them of suspicious/malicious activity coming from one of their machines?
And where do you draw the line between 'noise' and abuse?

We've got various IDSs, honeypots etc. in place that are continually capturing many events sourced from the outside world. Contacting everyone individually/manually requires resources we don't have available, and automating it seems like a good way to annoy other over-worked admins and get your reports ignored.

How do you handle the same issue?

Cheers

vijay2
« Reply #1 on: April 16, 2009, 06:24:19 AM »

I know that it can be tough, but I tend to use the classic 3 strike rule.

Ignore the first time unless it's blatantly clear that someone was trying to hack you. Second time put it on the radar and third time inform the party.

Of course this requires good log management and correlation stuff, but if you do not have that in place ... then I guess you are really not sure what is in or getting in your network.

Hope this helps

VJ

GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+
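
One way to automate the three-strike rule from the reply above over IDS/honeypot events, as an added example that is not code from the thread. The event tuple layout, the `blatant` flag, the 24-hour gap that separates one strike from the next, and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (documentation address ranges), not real logs.
# Fields: ISO timestamp, source IP, sensor, event, blatant-attack flag.
SAMPLE_EVENTS = [
    ("2009-04-10T02:11:00", "192.0.2.10", "ids", "port scan", False),
    ("2009-04-10T02:12:30", "192.0.2.10", "ids", "port scan", False),
    ("2009-04-12T09:00:00", "198.51.100.7", "honeypot", "ssh login attempt", False),
    ("2009-04-13T21:40:00", "198.51.100.7", "ids", "ssh login attempt", False),
    ("2009-04-11T05:00:00", "203.0.113.5", "ids", "port scan", False),
    ("2009-04-13T05:30:00", "203.0.113.5", "honeypot", "ssh login attempt", False),
    ("2009-04-15T06:10:00", "203.0.113.5", "ids", "web probe", False),
    ("2009-04-14T23:59:00", "192.0.2.99", "honeypot", "exploit payload captured", True),
]

STRIKE_GAP = timedelta(hours=24)  # assumption: a quiet period this long starts a new strike


def triage(events, strike_gap=STRIKE_GAP):
    """Return {source_ip: (action, strikes)} using the three-strike rule."""
    by_source = defaultdict(list)
    for ts, src, _sensor, _event, blatant in events:
        by_source[src].append((datetime.fromisoformat(ts), blatant))

    result = {}
    for src, seen in by_source.items():
        seen.sort()
        strikes, last = 0, None
        for when, _ in seen:
            # A burst of alerts from one scan counts as a single strike.
            if last is None or when - last >= strike_gap:
                strikes += 1
            last = when
        if any(blatant for _, blatant in seen) or strikes >= 3:
            action = "report"   # third strike, or blatant on first sight
        elif strikes == 2:
            action = "watch"    # second strike: put it on the radar
        else:
            action = "ignore"   # first strike: treat as noise
        result[src] = (action, strikes)
    return result


if __name__ == "__main__":
    for src, (action, strikes) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{src:15} strikes={strikes} -> {action}")
```

Counting strikes per quiet period rather than per alert keeps a single noisy scan from generating an abuse report on its own.
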
Andrew Waite
« Reply #2 on: April 16, 2009, 10:10:00 AM »

Thanks for the response VJ,

I had a feeling that it would be something similar to that when I could come up with any hard or fast rules. Looks like it's back to gut instinct.


timmedin
« Reply #3 on: April 16, 2009, 08:49:07 PM »

I tried so many times to contact people and I have given up. I was Gung Ho when I first started and wanted to help save the world, sadly, the world doesn't care or is full of peons or bureaucracy and no one ever responded or did anything. I did have one response, but no follow up and no resolution. Sadly, I have become cynical and decided to save myself the time and gave up contacting people.

twitter.com/timmedin | http://blog.securitywhole.com
Ketchup
« Reply #4 on: April 16, 2009, 09:04:27 PM »

I think that the answer is to hack them back ;D

~~~~~~~~~~~~~~
Ketchup
Andrew Waite
« Reply #5 on: April 17, 2009, 03:02:09 AM »

> I think that the answer is to hack them back ;D
hadn't thought of that, where'd I leave db_autopwn?..... ;)

> I tried so many times to contact people and I have given up. I was Gung Ho when I first started and wanted to help save the world, sadly, the world doesn't care or is full of peons or bureaucracy and no one ever responded or did anything. I did have one response, but no follow up and no resolution. Sadly, I have become cynical and decided to save myself the time and gave up contacting people.
The optimist in me wants to think you're wrong, the pessimist thinks you've just hit the nail on the head.

Cheers guys.

Data_Raid
« Reply #6 on: April 22, 2009, 07:31:17 AM »

>> I think that the answer is to hack them back ;D
> hadn't thought of that, where'd I leave db_autopwn?..... ;)
>
>> I tried so many times to contact people and I have given up. I was Gung Ho when I first started and wanted to help save the world, sadly, the world doesn't care or is full of peons or bureaucracy and no one ever responded or did anything. I did have one response, but no follow up and no resolution. Sadly, I have become cynical and decided to save myself the time and gave up contacting people.
> The optimist in me wants to think you're wrong, the pessimist thinks you've just hit the nail on the head.
>
> Cheers guys.

Sadly, I have had this problem myself, proof of abuse, logs and even emails with IP Addresses recorded and they always tracked back to the same ISP. I sent two emails of complaint to the ISP at various email addresses and never even got a reply!

All men by nature desire knowledge.

Aristotle
Ketchup
« Reply #7 on: April 22, 2009, 08:52:31 AM »

The following article suggests contacting the upstream ISP and possibly CERT if contacting the directly involved ISP fails. All of these small ISPs should have an upstream provider.

http://www.security-forums.com/viewtopic.php?t=2943

~~~~~~~~~~~~~~
Ketchup
don
« Reply #8 on: April 22, 2009, 09:53:18 AM »

Great suggestion.

CISSP, MCSE, CSTA, Security+ SME
Andrew Waite
« Reply #9 on: April 23, 2009, 03:04:02 AM »

Great article Ketchup,

thanks for sharing :D