Incident report guideline

The best way to report a problem is to send an e-mail to certs@cesnet.cz and include a complete description of the problem. CESNET-CERTS members will deal with the reported incident as soon as possible and will inform you that the problem, if any, has been solved and removed. You will receive a reply from certs@cesnet.cz, and the e-mail will be signed with our PGP key.

Basic rules for creating an incident report

  • The report should be a simple text-based e-mail, with an attachment if necessary.
  • Only one IP address or address block per report, please.
  • The Subject should contain the IP address or address block and incident type (spam, virus, scanning, DDOS, hacking, phishing, pharming, alleged misuse of copyrighted work, …).
  • A report about scanning must contain a small extract from a log showing the problem, e.g.,
    • timestamp, time zone and time accuracy
    • source and destination IP addresses
    • source and destination ports
    • protocol used (TCP/UDP/ICMP).
  • A report about spam or virus must contain a copy of the mail header from the alleged infected or spamming e-mail. The header should not be changed in any way.
  • A report about spam (unsolicited commercial email) should contain both the full mail header and the original body text.
  • A report about an alleged misuse of copyrighted work must contain the following details:
    • timestamp, time zone and time accuracy
    • IP address where the copyrighted work is stored
    • services used to publish or share the copyrighted work (BitTorrent, FTP, …)
    • type (name…) of copyrighted work
  • A report about phishing or pharming should contain the URL and source of the web page if possible.
  • Every report must contain your name and organization name. For urgent matters please include your phone number.
  • A report must be sent from a valid e-mail address.
  • Indicate whether the message is informative only or whether you expect an answer.

Basic incidents CESNET-CERTS deals with

Any offence against Czech law, e.g.,

  • threats to physical safety of human beings,
  • compromise of restricted confidential service accounts or software installations, in particular those with authorised access to confidential data,
  • denial of service attacks,
  • large-scale attacks of any kind, e.g. phishing attacks, password cracking attacks, virus and spam dissemination,
  • compromise of individual user accounts, i.e. unauthorised access to a user or service account,
  • alleged misuse of copyrighted work.

To report or not to report?

We do not expect everyone to be a computer security expert. This is the role of the CESNET-CERTS team.

We do not even expect everyone to be able to properly recognize, classify and describe a security incident. So, if you are unsure whether to report something, report it. We will ask for any missing information if necessary.

Thank you for your cooperation.


Last modified: 25.06.2018 22:12