
SANS ISC: InfoSec Handlers Diary Blog



SQL Slammer Clean-up: How to Report

Published: 2010-10-04
Last Updated: 2010-10-04 00:50:30 UTC
by Kevin Liston (Version: 1)
3 comment(s)

Hopefully you've read the kick-off (http://isc.sans.edu/diary.html?storyid=9637) and have looked a bit at your logs. Perhaps you've worked out what the cost of Slammer is to your network on the back of a napkin. In most instances it probably would cover the price of your lunch, or it's enough to justify the small amount of time this exercise will cost you.

Create a simple spreadsheet listing the IP addresses that have been hitting your perimeter. You'll want to track who the abuse contacts for that network are, when you send your notice, and what kind of response you get (we'll add more columns later this week).

Next you'll be running a few WHOIS requests. Everyone has a favorite way to do this (send in your comments on what you think is the easiest way to pull abuse contact information). Depending on your resources, you may have time to tackle all of them; others may only have time to handle 25 or so. Everyone should try at least ten, if only to get a good sample of the different types of response you get from your first efforts. Just remember that there are a lot of people doing this along with you this month.

When you compose your first message I want you to keep a few things in mind:

  • Be polite and professional -- you are trying to enlist the help of a stranger. Take a look at some of the emails that come into your abuse contact address if you have access. Mimic the alerts that you respond positively to, and avoid the behaviors of those you dislike.
  • Provide logs -- if you don't initially provide logs, that will be their first request of you. Demonstrate that you're on the level with your first message and set them up to succeed. It's ideal to provide the logs in GMT, but if that's not convenient, provide the GMT offset for your logs. There is no shame in getting probed or scanned on your perimeter, so there is very little to hide from them.
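As an added worked example (my own code, not the diary's or the ISC's), here is a small Python script that does the bookkeeping the steps above describe: it reads perimeter log lines, keeps only the UDP/1434 probes that characterise Slammer, converts each timestamp to GMT, builds the tracking spreadsheet as CSV with the columns suggested (abuse contact, notice sent and response left blank for you to fill in after your WHOIS lookups, which this script does not perform), and drafts a polite notice that already carries the GMT logs. The log format and the sample lines are constructed for the example; adapt `parse_line` to whatever your firewall actually writes.

```python
"""Tally Slammer probes, normalise to GMT, draft the abuse notice (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample firewall log (not real traffic). Assumed format:
# "<local date> <local time> <utc offset> DENY <src ip>:<sport> -> <dst ip>:<dport> <proto>"
SAMPLE_LOG = """\
2010-10-03 19:02:11 -0400 DENY 192.0.2.10:1434 -> 198.51.100.5:1434 UDP
2010-10-03 19:02:13 -0400 DENY 192.0.2.10:1434 -> 198.51.100.6:1434 UDP
2010-10-03 19:05:40 -0400 DENY 203.0.113.77:1434 -> 198.51.100.5:1434 UDP
2010-10-03 19:06:02 -0400 DENY 192.0.2.10:1434 -> 198.51.100.9:1434 UDP
2010-10-03 19:07:30 -0400 DENY 203.0.113.77:4567 -> 198.51.100.5:80 TCP
"""

SLAMMER_PORT = 1434  # SQL Server Resolution Service; Slammer is one UDP datagram to it


def parse_line(line):
    """Split one log line into (src_ip, utc_time, dst_port, proto, event_text)."""
    fields = line.split()
    local = datetime.strptime(f"{fields[0]} {fields[1]} {fields[2]}",
                              "%Y-%m-%d %H:%M:%S %z")  # %z reads the -0400 offset
    src_ip = fields[4].rsplit(":", 1)[0]
    dst_port = int(fields[6].rsplit(":", 1)[1])
    event = line.split(" ", 3)[3]  # everything after the timestamp and offset
    return src_ip, local.astimezone(timezone.utc), dst_port, fields[7], event


def slammer_sources(log_text):
    """Group UDP/1434 probes by source IP: count, first/last seen in GMT, GMT log lines."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "lines": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, ts, dport, proto, event = parse_line(line)
        if proto != "UDP" or dport != SLAMMER_PORT:
            continue  # other perimeter noise is not part of this clean-up
        h = hits[src]
        h["count"] += 1
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
        h["lines"].append(f"{ts:%Y-%m-%d %H:%M:%S} GMT {event}")
    return dict(hits)


def tracking_sheet(hits):
    """CSV with the diary's suggested columns; the last three are filled in by hand."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["source_ip", "probes", "first_seen_gmt", "last_seen_gmt",
                "abuse_contact", "notice_sent", "response"])
    for ip, h in sorted(hits.items(), key=lambda kv: -kv[1]["count"]):
        w.writerow([ip, h["count"], f"{h['first']:%Y-%m-%d %H:%M:%S}",
                    f"{h['last']:%Y-%m-%d %H:%M:%S}", "", "", ""])
    return buf.getvalue()


def draft_notice(src_ip, hits, reporter="<your name / organisation>"):
    """A polite, professional notice that leads with the evidence, in GMT."""
    h = hits[src_ip]
    lines = [
        "Hello,",
        "",
        f"A host in your address space, {src_ip}, is sending UDP/{SLAMMER_PORT} probes",
        f"to our perimeter ({h['count']} seen between {h['first']:%Y-%m-%d %H:%M:%S}",
        f"and {h['last']:%Y-%m-%d %H:%M:%S} GMT). This is the traffic pattern of the",
        "SQL Slammer worm, so the host is most likely still infected.",
        "",
        "Log excerpt (all times GMT):",
    ]
    lines += ["  " + entry for entry in h["lines"]]
    lines += ["",
              "We would be grateful if you could pass this to whoever manages that host.",
              "Background: http://isc.sans.edu/diary.html?storyid=9637",
              "",
              f"Regards,\n{reporter}"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = slammer_sources(SAMPLE_LOG)
    print(tracking_sheet(found))
    print(draft_notice("192.0.2.10", found))
```

Run it as-is to see the CSV and a draft notice for the busiest source; in practice you would feed it your real denied-traffic log and paste each notice to the abuse contact you found via WHOIS.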

Feel free to cite these diary entries or use us as a reference. Tom Liston has other (humorous) tips on how to make an abuse report here: http://isc.sans.edu/diary.html?storyid=9325

Take a few minutes to reach out. Statistically speaking, you're most likely to get no response or an error message (we'll cover how to proceed in those cases later), so don't be daunted or give up because of that.

-KL

Keywords: slammercleanup