SANS ISC: InfoSec Handlers Diary Blog - SQL Slammer Clean-up: Switching Viewpoints

SQL Slammer Clean-up: Switching Viewpoints

Published: 2010-10-25
Last Updated: 2010-10-25 19:39:54 UTC
by Kevin Liston (Version: 1)
0 comment(s)

As you've been going through this exercise (http://isc.sans.edu/diary.html?storyid=9664, http://isc.sans.edu/diary.html?storyid=9712, http://isc.sans.edu/diary.html?storyid=9778) you have certainly run into the issue of bad WHOIS contact information, and have likely had bad/no response from the abuse contacts. Hasn't that been frustrating?

Today we put the shoe on the other foot, and take steps to make sure that others don't suffer from our own WHOIS records and abuse-handling processes.

Look up your own net-block(s). Do you have an abuse contact defined? Are the email addresses AND the phone numbers appropriate? If someone sends an email to your abuse address will it be read by a human? If someone calls the phone number will they be able to reach a security/computer person?

Are you RFC 2142 (http://www.ietf.org/rfc/rfc2142.txt) compliant? Most aren't fully compliant (for example, I don't think we use noc@the-day.job).

I just did a quick audit myself. Through mergers and acquisitions we have a handful of net-blocks. They don't all point to the same domains, but they all have abuse contact records and the owner block is correct. We also route all abuse@* to the same workflow. So, I would consider that a pass. On the other hand, the phone numbers all reach the main switchboard. Getting routed to the right security contact was challenging, so I would recommend that we update that number.
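An added example (not from the diary or from ISC) of turning the checks above into a script: it parses one WHOIS record for a net-block and reports whether an abuse contact, an abuse e-mail and a phone number are present, and which RFC 2142 role mailboxes appear among the contact addresses. Attribute names follow RIPE (abuse-c, abuse-mailbox) and ARIN (OrgAbuseEmail, OrgAbusePhone) conventions, and both records are constructed samples using TEST-NET addresses and invented handles.

```python
# RFC 2142 role mailboxes relevant to network/security contact.
RFC2142_ROLES = {"abuse", "noc", "security", "postmaster", "hostmaster"}


def parse_whois(text):
    """Parse RIR-style 'key: value' WHOIS lines into {key: [values]}."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#":  # blank lines and comments
            continue
        key, sep, value = line.partition(":")
        if sep:
            records.setdefault(key.strip().lower(), []).append(value.strip())
    return records


def audit_netblock(text):
    """Apply the diary's checks to one WHOIS record: is an abuse contact
    defined, is there an abuse e-mail and a phone number, and which
    RFC 2142 role mailboxes show up among the contact addresses?"""
    rec = parse_whois(text)
    emails = [e for k in ("abuse-mailbox", "e-mail", "orgabuseemail")
              for e in rec.get(k, [])]
    phones = rec.get("phone", []) + rec.get("orgabusephone", [])
    abuse_emails = [e for e in emails if e.lower().startswith("abuse@")]
    roles = {e.split("@", 1)[0].lower() for e in emails} & RFC2142_ROLES
    return {
        "has_abuse_contact": bool(abuse_emails or rec.get("abuse-c")),
        "has_abuse_email": bool(abuse_emails),
        "has_phone": bool(phones),
        "rfc2142_present": sorted(roles),
        "rfc2142_missing": sorted(RFC2142_ROLES - roles),
    }


# Constructed sample records (TEST-NET ranges, invented handles), not real WHOIS output.
GOOD_RECORD = """\
% constructed sample
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
abuse-c:        AR-EXAMPLE
abuse-mailbox:  abuse@example.net
phone:          +1 555 0100
"""
BAD_RECORD = """\
inetnum:        198.51.100.0 - 198.51.100.255
netname:        LEGACY-NET
e-mail:         admin@example.org
"""

if __name__ == "__main__":
    for name, record in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, audit_netblock(record))
```

Run it against the real WHOIS output for each of your own net-blocks; a record that fails has_phone or has_abuse_email is the one to fix before someone else needs it.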

Keywords: slammercleanup