Next Previous Contents

6. Reporting scanning activity

Blocking the scanner protects us, and tarpitting the scanner helps to protect others, but what really needs to happen is notification of a responsible party so that the scanning activity stops, either through cleaning and securing a compromised or infected host or having the scanner's account terminated and Internet access removed.

To do this, you can watch your logs and manually track down responsible parties and send them email when you're attacked. This is, however, a lot of work.

Fortunately there are resources to automate this process. We'll tie together two tools: LogCheck (now LogSentry) periodically processes new log entries, and DShield serves as a central clearing house for collecting attack data and notifying responsible parties. We'll use LogCheck to collect attack data from our logs, and add the capability to have it mail the relevant portions automatically to DShield.

6.1 LogCheck - notify yourself


6.2 DShield - notify the ISP and others

DShield monitors incoming data from many sites, and when it appears an attack is underway (e.g. enough suspicious traffic is coming from a given IP) then the person responsible for that IP will be determined and notified that a computer in their domain is attacking others.

The benefits to this are:

  1. You don't have to track down the ISP and send the notification yourself.
  2. Dshield collects information from a large number of sources. If the scanner's ISP receives a report that 15,000 hosts have been attacked then they may be more inclined to take action quickly than they would be if they were notified that 15 hosts have been attacked.
  3. Dshield acts as a repository for attack data. The more sites that report attack data to Dshield, the more likely a nascent widespread attack (e.g. Code Red XVI) is to be detected quickly.

6.3 MRTG - graph the activity

(covers configuring SNMP to report tarpit traffic statistics, and configuring mrtg to log and report those statistics)

Next Previous Contents