Advice requested

Al Iverson aliversonchicagolists at
Tue May 29 19:48:45 UTC 2007

On 5/29/07, Matthew Black <black at> wrote:
> What would you do if a major US computer security firm
> attempted to hack your site's servers and networks?
> Would you tell the company or let their experts figure
> it out?

On top of the other suggestions, I would add: Make sure you're really
being hacked before complaining. If I had a dollar (or even a nickle)
for every "stop hacking my port 80" complaint I've seen in my career,
I would currently be in possession of all the currency on this planet.

Automated tools make mistakes. Stateless firewalls, personal desktop
alarms, and god knows what else are really great at seeing legitimate
FTP, DNS, HTTP and other traffic and making an incorrect assumption
that it must be due to something nefarious.

That being said, I have actually seen other networks leak like a sieve
due to infected desktops or what not. I've found the quickest way to
find out if they are aware was to call them on the phone and ask to
speck to their IT help desk or security team.

I'd then also null route the offending IPs, and potentially put in a
calendar reminder to consider removing the null route in three months
and observing to see if the unwanted traffic continues.

Al Iverson
Al Iverson on Spam and Deliverabilty, see
News, stats, info, and commentary on blacklists:
My personal website:   --   Chicago, IL, USA

More information about the NANOG mailing list