I am constantly asked what to do when someone wants to send an email to an attacker's provider about a security incident.

Well, here is what you should do:

1. If you choose not to notify your own provider, make sure you have the right address.
Nothing is more frustrating or embarrassing than sending a complaint letter to the wrong address. It also serves to desensitize providers to real threats and attacks later on. I know several people that have sent complaints to WhoIs addresses after doing a lookup, only to be notified that they sent an email to the port authority IANA, or one of the lookups (ARIN, APNIC, RIPE) instead of the offender's provider. Make SURE you have the proper email address. Most of the time it will be abuse@(domain).net/com.

2. Do not write a long dialog. The people you are contacting don't have the time nor the desire to read a book. Only include what's important. It's not the provider's fault something happened. KISS (Keep It Simple, Stupid) is what I tell myself sometimes.

3. In your email you want to include the time, date, IP address/port of origin (theirs) and of destination (yours), and the type of attack. You do NOT include WhoIs and DNS info.

4. DON'T jump the gun! One alert does not an attack make. Usually one alert from an address means you were included in a simple scan and it's nothing to worry about. If it becomes a regular occurrence via the same location, then feel free to notify someone. They will more than likely be happy to do something about it then. Frivolously sending letters like this leaves you open to legal consequences, so be sure it's what you want to do.
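As an added example that is not part of the original post: a small Python script that applies points 3 and 4 above to a few constructed alert lines. It assumes a one-line-per-alert log format of my own invention, reports a source only once it has hit you repeatedly, and prints only the facts the post says to include; the abuse address itself still has to be looked up as in point 1.

```python
# Added example, not from the original post. Turns repeated IDS/firewall
# alerts into a short abuse report in the style of the letter below, and only
# for sources seen at least MIN_EVENTS times, so a single scan is not reported.
from collections import defaultdict

# Constructed sample alerts (assumed format): date time proto src:port -> dst:port
SAMPLE_ALERTS = """\
7/18/01 9:36:14PM TCP 203.0.113.52:2039 -> 198.51.100.62:27374
7/18/01 9:41:02PM TCP 203.0.113.52:2051 -> 198.51.100.62:27374
7/19/01 8:12:33PM TCP 203.0.113.52:1077 -> 198.51.100.62:27374
7/19/01 1:03:10AM TCP 192.0.2.9:4422 -> 198.51.100.62:1433
"""

# Labels for the "what type of attack" line; only the port the post names.
KNOWN_PORTS = {27374: "Known Sub-7 operating port"}

MIN_EVENTS = 3  # "one alert does not an attack make"

def parse_alerts(text):
    """Parse the assumed alert format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, proto, src, _, dst = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        events.append({"date": date, "time": time, "proto": proto,
                       "src_ip": src_ip, "src_port": int(src_port),
                       "dst_ip": dst_ip, "dst_port": int(dst_port)})
    return events

def repeat_offenders(events, min_events=MIN_EVENTS):
    """Group events by source and keep only sources that recur."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    return {ip: evs for ip, evs in by_src.items() if len(evs) >= min_events}

def format_report(evs):
    """Build the report body: time, date, IPs/ports and attack type only."""
    lines = ["Possible hacker attack from your server", ""]
    for e in evs:
        label = KNOWN_PORTS.get(e["dst_port"])
        port_line = f"Destination Port: {e['dst_port']}" + (f" ({label})" if label else "")
        lines += [f"Date: {e['date']}", f"Time: {e['time']}", f"Transport: {e['proto']}",
                  f"From: {e['src_ip']}", f"Source Port: {e['src_port']}",
                  f"To: {e['dst_ip']}", port_line, ""]
    return "\n".join(lines)

if __name__ == "__main__":
    for ip, evs in repeat_offenders(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"--- report for {ip} ---\n{format_report(evs)}")
```

The single hit from 192.0.2.9 is dropped by the threshold, so only the recurring source produces a report.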

I have a fairly standard letter I use for trojan horse attacks. This letter also has a statement that protects me legally from harm. Of course I get to add a statement that the normal user doesn't, but we won't get into that. Here is one I used for a Sub-7 attack. You'll get the gist of it. The names were changed to protect the innocent:

(Header) Possible hacker attack from your server

Security has detected an intruder/vandal from your server.

Date: 7/18/01
Time: 9:36:14 PM
Transport: TCP
From: ***.104.70.52
Source Port: 2039
To: ***.243.53.62
Destination Port: 27374 (Known Sub-7 operating port)

CAUTIONARY STATEMENT: Sub-7 is a powerful remote access hacking/attack tool. The owner of the offending system may or may not be aware that their computer contains the Sub-7 trojan horse and is being used to locate and attack other systems/networks. In either case, the situation should be promptly investigated and resolved to prevent further incidents.

Thank You,
Joe Shmoe
yaddayadda@eatmyshorts.net

What you should NOT do:

DON'T take matters into your own hands, no matter how angry you are or how tempting it may be. This includes retaliatory measures. Don't even ping them. There are several reasons for this.
The offender can be using an innocent user's system to work through. Several trojan horses set up victims' systems as slaves from which remote attacks can be launched. If you decide to strike back using, say, a denial-of-service attack, you stand the risk of damaging somebody's computer or the network they are connected to. Legally, this makes you a hacker/vandal and subject to severe retaliatory action. The penalties can include fines and/or imprisonment, and at the very least it violates your user agreement with your own provider.

Do NOT notify the attacker in any way or give them an indication that you are aware of their presence. This tells them you have sophisticated detection methods/tools and raises their curiosity. This can cause an increase in frequency and severity of future attacks...eventually they may be successful in finding a chink in your system's armour and cause you real grief.
Remember, they have nothing but time on their hands and it puts you on the defensive.

Here is a story about such a situation that took place in my area:

A teenage customer using my provider had set up an Internet chat room. One night she apparently angered one of her chatroom visitors who promptly used a denial of service program to launch an attack against her computer, after which she retaliated in kind. This prompted her attacker to persuade some friends (8 of them) to launch a coordinated and prolonged attack against her which in turn overwhelmed and brought the provider's main data line completely down, affecting thousands of customers. Needless to say, the FBI became involved in the aftermath and there are several very unhappy families (to say the least).