Query on Incident handling


nithin kumar

Jun 17, 2013, 2:37:31 AM6/17/13
to null-...@googlegroups.com
Hi nulls,

Consider the following scenario ,

A web application is being attacked for a period of time from a particular IP.
As an immediate response, the general practice is to drop packets from, or block, that particular IP.

My doubt is: can we go further and report that IP to our ISP?
Also, can we notify the owner/admin of that particular IP/IP range?

--
Regards
Nithin
 
"..If you were waiting for the opportune moment (pause), that was it!”

Suman Sourav

Jun 17, 2013, 3:54:09 AM6/17/13
to null-...@googlegroups.com
Hi Nithin,

You need to go through a proper channel.

Include the IRT, legal and management in this, and only the authorized IRT SPOC should communicate with external agencies.

Only pertinent information about the incident should be disclosed to external agencies, and extra care is required here.

Keep the incident record updated while dealing with external agencies. I guess you can go through CERT.

Regards
Suman


Swift Forensics

Jun 18, 2013, 1:54:57 AM6/18/13
to null-...@googlegroups.com
Just block the IP for a few hours (or days), plain and simple. As a courtesy, you may try to inform the owner (if you can identify him) about it. I've seen cases where computers were hacked and used as zombies and the computer owners never knew; it's quite common, a smart hacker never uses his own IP.

You won't get any help from the ISP unless you go to them with a police complaint and/or a court order. Trying to contact CERT and other agencies for a small, simple matter like this will be a waste of everyone's time, and you are unlikely to see any action unless the web app belongs to, say, Robert Vadra! Now, depending on the severity of the attacks and any impact that has already occurred (not hypotheticals like "if it did get hacked then..."), you may still want to file a complaint and go that route!

Any web app exposed to the internet is going to get hammered from time to time by all kinds of attack vectors; just learn to live with it and design your own blocking rules. However, don't go overboard with the idea, as it can be disastrous if not implemented properly. There are plenty of guides available on the net for this.




Yodha S

Jun 18, 2013, 2:05:23 AM6/18/13
to null-...@googlegroups.com

If it is WordPress, there are plenty of plugins to help you blacklist the IP.
If it's a custom development, try to throttle your requests AND check for 404 and 500 errors in a particular time period, etc.
+1 to swiftforensics' answer, very well put. Don't panic at an early stage...

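The throttle-and-error-count check suggested in the reply above, as an added example that is not code from any post in this thread. It assumes access-log lines in the Apache/nginx "combined" format and in chronological order, and the thresholds (50 requests, or 20 responses with status 404/5xx, within a 60-second window) and the 4-hour block duration are placeholders to tune for your own site; the sample log lines are constructed for the example, using RFC 5737 documentation addresses, and the iptables commands it renders are illustrative strings, not executed.

```python
"""Per-IP request-rate and 404/5xx-rate detector over web access logs.

Added example, not code from any post in this thread. Assumptions:
- lines are in Apache/nginx "combined" format and in chronological order
  (as an access log normally is);
- the thresholds (50 requests or 20 error responses per 60-second window)
  and the 4-hour block duration are placeholders to tune for your site;
- the sample log below is constructed, using RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# combined format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, status) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), int(m.group("status"))


def find_offenders(lines, window=timedelta(seconds=60), max_requests=50, max_errors=20):
    """Sliding-window check per source IP.

    An IP is flagged the first time it exceeds `max_requests` requests, or
    `max_errors` responses with status 404 or 5xx, inside any `window`.
    Returns {ip: reason}.
    """
    requests = defaultdict(deque)   # ip -> timestamps of requests still inside the window
    errors = defaultdict(deque)     # ip -> timestamps of 404/5xx responses inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip unparseable lines rather than crash on a bad line
        ip, ts, status = parsed
        if ip in flagged:
            continue
        for q in (requests[ip], errors[ip]):
            while q and ts - q[0] > window:   # drop events that fell out of the window
                q.popleft()
        requests[ip].append(ts)
        if status == 404 or status >= 500:
            errors[ip].append(ts)
        if len(requests[ip]) > max_requests:
            flagged[ip] = f"{len(requests[ip])} requests within {window}"
        elif len(errors[ip]) > max_errors:
            flagged[ip] = f"{len(errors[ip])} 404/5xx responses within {window}"
    return flagged


def block_rules(offenders, hours=4):
    """Render temporary iptables DROP rules, one per flagged IP (illustrative strings, not run here)."""
    return [
        f'iptables -I INPUT -s {ip} -m comment --comment "{reason}; remove after {hours}h" -j DROP'
        for ip, reason in sorted(offenders.items())
    ]


def constructed_log():
    """Constructed sample: one ordinary visitor plus one scanner hammering admin paths."""
    base = datetime.strptime("17/Jun/2013:09:37:31 +0300", TS_FMT)
    lines = []
    for i in range(5):              # legitimate browsing: one page every 30 s, all 200
        t = (base + timedelta(seconds=30 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{t}] "GET /page{i} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    for i in range(40):             # scanner: 40 requests in 20 s, 36 of them 404
        t = (base + timedelta(milliseconds=500 * i)).strftime(TS_FMT)
        status = 200 if i % 10 == 0 else 404
        lines.append(f'198.51.100.23 - - [{t}] "GET /admin{i}.php HTTP/1.1" {status} 0 "-" "curl/7.30"')
    return sorted(lines, key=lambda ln: parse_line(ln)[1])   # stable sort keeps chronological order


if __name__ == "__main__":
    for rule in block_rules(find_offenders(constructed_log())):
        print(rule)
```

Run against the constructed log, the scanner is flagged on its 21st 404 within the window while the ordinary visitor is not. Keep the block duration short: a single address may be a NAT gateway with many legitimate users behind it, and a per-IP threshold cannot tell them apart from one scanner.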
Rogue Bull

Jun 18, 2013, 2:53:09 AM6/18/13
to null-...@googlegroups.com
Blocking an IP most often is not a solution, as there could be potential customers/legitimate visitors behind that IP. In this IP-scarce world most users access the internet through a NATed IP.
A practical solution would be to employ a WAF. Incapsula WAF is a SaaS offering and works better than Cloudflare. They offer a free service for <50GB/month bandwidth.

Rogue Bull

Jun 18, 2013, 2:55:04 AM6/18/13
to null-...@googlegroups.com
If you are a total control freak, you might also want to experiment with ModSecurity's Core Rule Set. However, there have been bypasses of it available in public.

nithin kumar

Jun 18, 2013, 3:33:17 AM6/18/13
to null-...@googlegroups.com
Thank you for the inputs.

I know we cannot stay completely secure, and attacks keep happening now and then despite any hardening, WAF and other controls.
My specific doubt was about teaming up with the ISP/CERT.

I haven't tried doing it anyway. If I am not wrong, as per the context of our discussion, the overall security bodies won't be bothered to take any action on it unless it's causing critical damage to us, which also follows the traditional method of filing a complaint and approaching them with our artefacts.

The government should come up with some methods to work closely with infosec people or with null. It's more of a team effort than a one-man army. Just an opinion.

Kudos, Thank you guys. :)



HAREN BHATT

Jun 18, 2013, 3:49:34 AM6/18/13
to null-...@googlegroups.com
My Views :


- Follow the IR handling policy and procedure in place. If there is none, get approval from your management to create one (long-term planning).

- Report this to the attacker's ISP. In turn, they might ask for evidence (look into your IS policies and get written approval from your management for sharing the logs). If management denies sharing the data, you can always hide the target IP/URL.

- You might also share the attacker's IP (only) with other internet communities like SANS and DShield, which will help you gather more information about the attack, i.e. whether this is a targeted attack (with a motive) or a general attack.

- Add the attacker's IP with severity 5 on your SIEM tool and set a trigger on the IPS.

- Look for IOCs on the target systems.

- Look for unusual incidents reported to the help desk for the same network segment.

Last but not least, it would be helpful for all of us if you can share the attacker's IP (someone from this forum might help you with more info).


--

Haren

Haren Bhatt | hcb...@gmail.com | http://security-culture.blogspot.com/

"We Have A Culture Of Security."

