Specifications

External Attacks
Inform the system administrator responsible for the address block (via
postmaster or the domain's abuse address). The report of an incident or
attack should contain enough information to ensure that the other party can
investigate the problem. However, consider that your contact person could be
the one who has carried out the attack. The following list shows information
you might provide. Decide which of these items to give:
Your e-mail address
Telephone number
Your IP address, host name, domain name
The IP addresses, host names, and domain names affected by the hacking incident
The date and time of the intrusion, preferably with the time zone
A description of the attack
An explanation of how the attack was recognized
Excerpts of the log files relating to the attack
A description of the log file format
Details of advisories and security information that describe the nature and severity of the attack
What you want the contact person to do: close an account, confirm the occurrence of an attack, issue a report for information purposes only, or carry out further observation
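
The following Python example is an addition to this text, not part of the original guide. It assembles such a report from syslog lines, keeping only the entries for one source address and stating the time zone explicitly. The function names, the sample log lines and the addresses (taken from documentation ranges) are constructed; the year and UTC offset are passed in by the reporter because classic syslog records neither.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: classic syslog lines (no year, no time zone), documentation addresses.
SAMPLE_LOG = """\
Mar  3 02:14:07 gate sshd[4121]: Failed password for root from 203.0.113.45 port 51012 ssh2
Mar  3 02:14:09 gate sshd[4121]: Failed password for root from 203.0.113.45 port 51012 ssh2
Mar  3 02:15:30 gate sshd[4130]: Accepted publickey for admin from 198.51.100.7 port 40022 ssh2
Mar  3 02:16:41 gate sshd[4142]: Failed password for invalid user test from 203.0.113.45 port 51080 ssh2
"""
LOG_FORMAT = "syslog: 'Mon DD HH:MM:SS host program[pid]: message', local time, no year"
STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")

def parse_stamp(line, year, tz):
    """Attach the year and zone that syslog omits, so the recipient can correlate."""
    m = STAMP.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)

def build_report(log_text, source_ip, year, utc_offset_hours, contact, our_host, description, want):
    """Return the report text, or None if no log line mentions source_ip."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    # Match the address as a whole token so 203.0.113.4 does not match 203.0.113.45.
    ip_re = re.compile(r"(?<![\d.])" + re.escape(source_ip) + r"(?![\d.])")
    hits = [l for l in log_text.splitlines() if ip_re.search(l)]
    stamps = [s for s in (parse_stamp(l, year, tz) for l in hits) if s]
    if not stamps:
        return None
    first, last = min(stamps), max(stamps)
    utc = lambda t: t.astimezone(timezone.utc).isoformat()
    return "\n".join([
        f"Contact: {contact}",
        f"Affected host: {our_host}",
        f"Source address: {source_ip}",
        f"First entry: {first.isoformat()} (UTC {utc(first)})",
        f"Last entry:  {last.isoformat()} (UTC {utc(last)})",
        f"Description: {description} ({len(hits)} matching log entries)",
        f"Log format: {LOG_FORMAT}",
        "Log excerpt:",
        *("  " + l for l in hits),
        f"Requested action: {want}",
    ])

if __name__ == "__main__":
    print(build_report(SAMPLE_LOG, "203.0.113.45", 2024, 1, "abuse-desk@example.org",
                       "gate.example.org", "repeated failed SSH logins",
                       "confirm the occurrence of an attack"))
```

Only the lines that mention the reported address go into the excerpt, so unrelated logins (the 198.51.100.7 entry in the sample) are not disclosed to the recipient.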
Once you have gone through all the data security and documentation
procedures, set up your firewall again. Raise the log level of each
application if possible. It is likely the cracker will try to infiltrate your
system again. This will be the opportunity to catch the intruder red-handed.