Incident report guideline
The best way to report a problem is to send an e-mail to certs@cesnet.cz with a complete description of the problem. CESNET-CERTS members will deal with the reported incident as soon as possible and will inform you once the problem, if there was one, has been resolved. You will receive a reply from certs@cesnet.cz, signed with our PGP key.
Basic rules for creating an incident report
- The report should be a simple text-based e-mail, with an attachment if necessary.
- Only one IP address or address block per report, please.
- The Subject should contain the IP address or address block and the incident type (spam, virus, scanning, DDoS, hacking, phishing, pharming, alleged misuse of copyrighted work, …).
- A report about scanning must contain a short extract from a log showing the problem, including
- timestamp, time zone and time accuracy (e.g., whether the logging host is NTP-synchronised)
- source and destination IP addresses
- source and destination ports
- protocol used (TCP/UDP/ICMP).
- A report about spam or a virus must contain a copy of the full mail header of the alleged spam or infected e-mail. The header must be passed on unchanged (forward the original message as an attachment rather than retyping or letting a mail client re-wrap it), as the Received: lines are what identify the originating host.
- A report about spam (unsolicited commercial e-mail) should contain both the full mail header and the original body text.
- A report about an alleged misuse of copyrighted work must contain the following details:
- timestamp, time zone, and whether NTP is used
- IP address where the copyrighted work is stored
- services used to publish or share the copyrighted work (BitTorrent, FTP, …)
- type (name…) of copyrighted work
- A report about phishing or pharming should contain the URL and, if possible, the HTML source of the web page.
- Every report must contain your name and organization name. For urgent matters please include your phone number.
- A report must be sent from a valid e-mail address.
- Please indicate whether the message is informative only or if you expect an answer.
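The following script is an added illustration of how the scanning-report rules above can be applied mechanically to a firewall log; it is not CESNET-CERTS tooling and not part of the original guideline. It assumes an iptables-style drop log with ISO 8601 timestamps in UTC (the sample lines are constructed), groups events by source address so that each report covers exactly one IP, puts the IP and the incident type in the Subject, and limits the extract to a handful of lines. The reporter details are placeholders.

```python
"""Compose one scanning report per source IP from a firewall log.

Added example, not CESNET-CERTS code. Log format, time accuracy and reporter
details are assumptions; the log lines are constructed, not real traffic.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed log lines in an assumed iptables-like layout. Timestamps carry an
# explicit offset (+00:00) so the time zone is never ambiguous in the report.
SAMPLE_LOG = """\
2024-03-05T10:15:02+00:00 fw1 DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=22
2024-03-05T10:15:02+00:00 fw1 DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=51235 DPT=23
2024-03-05T10:15:03+00:00 fw1 DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.11 PROTO=TCP SPT=51236 DPT=445
2024-03-05T10:15:03+00:00 fw1 DROP IN=eth0 SRC=192.0.2.7 DST=198.51.100.10 PROTO=UDP SPT=40000 DPT=161
2024-03-05T10:15:04+00:00 fw1 DROP IN=eth0 SRC=203.0.113.45 DST=198.51.100.12 PROTO=ICMP TYPE=8 CODE=0
"""

# ICMP entries have no ports, so the SPT/DPT pair is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ DROP .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

REPORTER = {  # placeholder reporter details (assumption)
    "name": "Jane Doe",
    "organization": "Example University NOC",
    "phone": "+420 000 000 000",
    "expects_answer": True,
}


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dst: str
    proto: str
    spt: Optional[str]
    dpt: Optional[str]


def parse_log(text: str) -> List[Event]:
    """Turn matching log lines into Event records; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(**m.groupdict()))
    return events


def group_by_source(events: List[Event]) -> Dict[str, List[Event]]:
    """One report per source address: bucket the events by SRC."""
    groups: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        groups[e.src].append(e)
    return dict(groups)


def build_report(src: str, events: List[Event], reporter: dict, max_lines: int = 20) -> dict:
    """Compose Subject and plain-text body for exactly one source address."""
    if any(e.src != src for e in events):
        raise ValueError("one IP address per report")
    subject = f"{src} scanning"  # IP address plus incident type, as the rules require
    lines = [
        f"Reporter: {reporter['name']}, {reporter['organization']}",
        f"Phone (urgent contact): {reporter['phone']}",
        f"Reply expected: {'yes' if reporter['expects_answer'] else 'no, informative only'}",
        "",
        f"Source {src} probed {len({e.dst for e in events})} host(s) on our network.",
        "Timestamps: ISO 8601, UTC (+00:00); firewall clock is NTP-synchronised "
        "(assumed accuracy +/- 1 s).",
        "",
        "timestamp                  src            dst            proto  spt    dpt",
    ]
    for e in events[:max_lines]:  # keep the extract small, as the guideline asks
        lines.append(
            f"{e.ts:<26} {e.src:<14} {e.dst:<14} {e.proto:<6} {e.spt or '-':<6} {e.dpt or '-'}"
        )
    if len(events) > max_lines:
        lines.append(f"... {len(events) - max_lines} further entries available on request")
    return {"subject": subject, "body": "\n".join(lines)}


def build_reports(text: str, reporter: dict) -> List[dict]:
    """Parse the log and return one report per source IP, sorted by address."""
    grouped = group_by_source(parse_log(text))
    return [build_report(src, evs, reporter) for src, evs in sorted(grouped.items())]


if __name__ == "__main__":
    for r in build_reports(SAMPLE_LOG, REPORTER):
        print("Subject:", r["subject"])
        print(r["body"], end="\n\n")
```

The two source addresses in the sample produce two separate messages; the ICMP echo probe is listed with "-" in the port columns rather than being dropped, since the protocol field is still required.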
Basic incidents CESNET-CERTS deals with
Any offence against Czech law, e.g.,
- threats to physical safety of human beings,
- compromise of restricted confidential service accounts or software installations, in particular those with authorised access to confidential data,
- denial of service attacks,
- large-scale attacks of any kind, e.g., phishing attacks, password-cracking attacks, virus and spam dissemination,
- compromise of individual user accounts, i.e., unauthorised access to a user or service account,
- alleged misuse of copyrighted work.
To report or not to report?
We do not expect everyone to be a computer security expert. That is the role of the CESNET-CERTS team.
We do not even expect everyone to be able to properly recognise, classify and describe a security incident. So if you hesitate whether or not to report something, report it. Any missing information will be asked for if needed.
Thanks for your cooperation!
The CESNET-CERTS Team