
Frequently Asked Questions: What are the "Incident Status" Codes?


C - Closed

Incidents are considered closed when one of two things occurs:

  • The activity originating from the IP address stops for 7 days
  • The responsible party indicates the Incident has been resolved

Note: If event activity resumes after an Incident has been closed, it is automatically re-opened.

[Back to top]


DQ - DNS Lookup Queue

Incidents are routed to the DNS queue when the system can't immediately determine the responsible domain for the source IP address associated with the incident.

Backtracing scripts process incidents in this queue and perform the first stage of backtracing: various DNS lookups on the source IP address to try to determine the IP's owner.

If a responsible domain is found this way, the incident is routed to the Incoming queue to determine the next step; otherwise it is routed to the appropriate Whois queue for second-level backtracing.

[Back to top]


EQ - Escalation Pending Queue

Incidents in the Escalation Pending Queue are processed by a mail script which generates a standard alert e-mail including aggregated event logs and sends it to the appropriate mailbox.

Once the e-mail is sent, the Incident is moved to the Escalated queue.

[Back to top]


ES - Escalated

The Incident has exceeded mNW's escalation thresholds and an alert e-mail has already been sent to the responsible party.

If event activity continues for more than 72 hours after the escalation notice, the incident is automatically re-escalated. Such re-escalations will occur indefinitely until the problem is considered resolved.

[Back to top]


ET - Escalation Threshold Met

Incidents are moved from the Incoming queue to the Escalation Threshold Met queue when the system detects that an Incident has exceeded mNW Escalation thresholds.

Incidents in this queue are then evaluated to ensure that an appropriate escalation mailbox is known for the responsible domain. If a mailbox is known, then the Incident is routed to the Escalation Pending queue. If not, the incident is routed to the Validate Mailbox queue.

[Back to top]


HQ - Hold Queue (Filtered)

mNW creates an Incident for every source IP address that is reported. However, the majority (greater than 90%) are not the result of hostile intent and are likely benign. Incidents that do not exceed escalation criteria are routed to the Hold queue and are constantly re-evaluated as new event data is received. If thresholds are exceeded at any future point, the Incident will be escalated.

[Back to top]


IQ - Incoming Queue

The Incoming queue is the main "brain" of the system; it decides what action, if any, needs to be performed on an Incident. When the various worker scripts complete their processing, the incident is temporarily moved to the Incoming queue so that the main system logic can determine what should be done with it next (e.g. do more elaborate backtracing, put the incident in a HOLD state, or generate an e-mail escalation).

[Back to top]


U - Unknown Queues

If the responsible domain can't be determined after completing the DNS and Whois backtracing process, Incidents are routed to the appropriate Unknown queue. Incidents in the Unknown queues are reviewed periodically by mNW administrators and volunteers who perform more elaborate manual backtracing.

Due to the need for manual processing, it is not uncommon for incidents to remain in Unknown queues for many hours.

Note: The TWNIC Whois server is only intermittently available, so automatic lookups are not always possible. The JPNIC Whois server uses a completely different format from the other servers and is not currently processed automatically.

[Back to top]


VX - Validate mailbox

Incidents in the Validate mailbox queue cause an automated script to interrogate the responsible domain's mail server to determine which mailbox should receive the alert e-mail (e.g. abuse@, security@, postmaster@, etc.).

If a mailbox is identified, the Incident is routed to the Escalation Pending queue; otherwise it is routed back to the appropriate Unknown queue for further manual analysis.

[Back to top]
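The queue lifecycle described in the C, HQ, IQ, ET, EQ, ES and VX entries above, modelled as a small Python state machine. This is an added example, not myNetWatchman's code: the queue codes, the Hold/Threshold split, the Validate-mailbox fallback, the 7-day close rule, the 72-hour re-escalation rule and automatic re-opening are taken from the FAQ, while the numeric escalation threshold (5 events), the two mailbox tables, the abuse@/security@/postmaster@ probe order and the TEST-NET source addresses are constructed assumptions.

```python
"""Toy model of the mNW Incident lifecycle as the FAQ describes it.
Added example, not myNetWatchman's code. Assumed: the numeric escalation
threshold, the mailbox tables, the probe order and the sample addresses.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

IQ, HQ, ET, VX, EQ, ES, U, C = "IQ", "HQ", "ET", "VX", "EQ", "ES", "U", "C"

CLOSE_AFTER = timedelta(days=7)         # FAQ: activity stops for 7 days -> Closed
REESCALATE_AFTER = timedelta(hours=72)  # FAQ: activity continues 72h past the notice
ESCALATION_THRESHOLD = 5                # assumed; the FAQ does not give the value

# Constructed tables standing in for mNW's data. example.com is in neither,
# so it ends up in an Unknown queue.
KNOWN_MAILBOXES = {"example.net": "abuse@example.net"}            # ET -> EQ directly
MAIL_SERVER_ACCEPTS = {"example.org": {"postmaster@example.org"}}  # found by the VX probe


@dataclass
class Incident:
    source_ip: str
    domain: str            # responsible domain found by DNS/Whois backtracing
    queue: str = IQ
    events: int = 0
    notices: int = 0
    mailbox: Optional[str] = None
    last_event: Optional[datetime] = None
    last_notice: Optional[datetime] = None


def probe_mailbox(domain: str) -> Optional[str]:
    """Validate-mailbox step. The real script interrogates the domain's mail
    server; here the constructed table plays the server."""
    for local in ("abuse", "security", "postmaster"):   # assumed probe order
        addr = f"{local}@{domain}"
        if addr in MAIL_SERVER_ACCEPTS.get(domain, set()):
            return addr
    return None


def send_notice(inc: Incident, now: datetime) -> None:
    """Escalation Pending step: the real script mails aggregated event logs."""
    inc.notices += 1
    inc.last_notice = now


def route(inc: Incident, now: datetime) -> str:
    """The Incoming-queue 'brain': pick the next queue for an Incident."""
    if inc.queue in (IQ, HQ):
        inc.queue = ET if inc.events >= ESCALATION_THRESHOLD else HQ
    if inc.queue == ET:
        inc.mailbox = KNOWN_MAILBOXES.get(inc.domain)
        inc.queue = EQ if inc.mailbox else VX
    if inc.queue == VX:
        inc.mailbox = probe_mailbox(inc.domain)
        inc.queue = EQ if inc.mailbox else U      # U: manual backtracing
    if inc.queue == EQ:
        send_notice(inc, now)
        inc.queue = ES
    elif inc.queue == ES and now - inc.last_notice > REESCALATE_AFTER:
        send_notice(inc, now)                     # automatic re-escalation
    return inc.queue


def record_event(inc: Incident, when: datetime) -> str:
    """New event from the source IP: count it, re-open if Closed, re-route."""
    inc.events += 1
    inc.last_event = when
    if inc.queue == C:
        inc.queue = IQ                            # FAQ: resumed activity re-opens
    return route(inc, when)


def sweep(inc: Incident, now: datetime) -> str:
    """Periodic job: close Incidents whose activity stopped 7 days ago."""
    if inc.queue != C and inc.last_event and now - inc.last_event >= CLOSE_AFTER:
        inc.queue = C
    return inc.queue


def first_escalation(domain: str) -> Tuple[str, Optional[str]]:
    """Feed exactly threshold-many events and report (queue, mailbox)."""
    t0 = datetime(2003, 1, 1)
    inc = Incident("198.51.100.7", domain)        # constructed TEST-NET-2 address
    for i in range(ESCALATION_THRESHOLD):
        record_event(inc, t0 + timedelta(hours=i))
    return inc.queue, inc.mailbox


def demo() -> List[str]:
    """Hold, escalate, re-escalate after 72h, close after 7 quiet days, re-open."""
    t0 = datetime(2003, 1, 1)
    inc = Incident("192.0.2.10", "example.net")   # constructed TEST-NET-1 address
    trail = [record_event(inc, t0 + timedelta(hours=i)) for i in range(ESCALATION_THRESHOLD)]
    trail.append(record_event(inc, t0 + timedelta(days=4)))   # continued activity
    trail.append(sweep(inc, t0 + timedelta(days=11)))          # 7 quiet days
    trail.append(record_event(inc, t0 + timedelta(days=12)))  # re-opened
    return trail
```

demo() walks one source IP from Hold through escalation, a re-escalation once activity continues past 72 hours, closure after seven quiet days and automatic re-opening on the next event; first_escalation(domain) shows the three routes out of Escalation Threshold Met for the constructed domains: straight to Escalation Pending, via Validate mailbox to Escalation Pending, and via Validate mailbox to an Unknown queue.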


W - Whois Queues

When backtracing is unsuccessful using DNS information, the system performs IP Whois lookups on the source IP. Whois lookups are performed recursively, first querying the main ARIN database. For IP addresses outside North or South America, ARIN will often provide referral information so that more specific lookups can be performed against other regional Whois servers (e.g. RIPE for Europe, APNIC for Asia, etc.). mNW automatically routes incidents through all possible Whois servers until the most detailed Whois information is obtained.

Here is a complete list of Whois servers mNW utilizes:

  • ARIN - North and South America
  • RIPE - Europe
  • APNIC - Asia/Pacific
  • KRNIC - South Korea
  • TWNIC - Taiwan
  • BRNIC - Brazil
  • JPNIC - Japan
  • LACNIC - Latin America


[Back to top]