Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

SQL Slammer Clean-up: Picking up the Phone

Published: 2010-10-19
Last Updated: 2010-10-19 17:59:48 UTC
by Kevin Liston (Version: 1)
5 comment(s)

Last time, we took the reporting up a level ( this time we need to take it up a notch. We’ve been using scripts and email to limit the impact of abuse reporting on your time, and you’ve seen the results: it’s not having much of an effect on the number of attacks hitting your perimeter. This is not unexpected, since the normal abuse-reporting process hasn’t cleaned these systems up already. It’s time to roll up our sleeves and pick up the phone.

I know it is scary to pick up the phone and talk to human beings-- I don’t like it myself. If we were people-people, most of us wouldn’t be into computers.

I’d like to split you up into two groups: people who are reporting attacks on your perimeter, and people who are carrying traffic from infected machines (in other words, the ISPs.)

If you’re responding to attacks I’d like you to identify the attacker that’s closest to you. Most of the IPs hitting my perimeter are China and the US, so in my case, I’d pick a US source. Look for IPs that have businesses or organizations identified in the contact information instead of large ISPs (we’ll deal with them below.) Next, do a little detective work, and research the contact information for that business. Give them a call, and ask for the computer or security person. Introduce yourself and the program. Try not to scare them too much; you’re trying to build community here. Be helpful, because they really need it.

For the ISPs, I understand the common-carrier issue, but that shouldn’t keep you from informing your customer that they have a pretty significant security issue. I’m not asking that you roll out a full-blow user-notification process. With the volumes that I’m seeing this is definitely a one-off process. You’re probably sitting in a pretty good position to not only contact the affected user, but also know their IT staff contacts already. Give them a friendly call and help them out. You might even get more business out of it.

Keep up the effort.

Keywords: slammercleanup
5 comment(s)
Diary Archives