I'm not making fun; really I'm not...

How do you expect to stop the script kiddies and the truly malicious folks out there from scanning / spoofing / attacking you? You could whois the IP to the net owner and let them know that although your firewall stopped their SK traffic, you don't like that they're out there and would they please stop it?

You could do that, or you could do what some find amusing; respond to the "attack" traffic with a scan or attack of your own. Only trouble is, if the source IP was spoofed, you've just joined the ranks of the "malicious", since you'll now be targeting the wrong person.

What you have to do is learn to scan your IP logs to determine what's worth worrying about. The assholes outnumber you, so the quantity of malicious traffic seems out of proportion to what "decent folks" would expect to see.

As far as the spoofs from "127.0.0.1" that have plagued many an ISA admin, talk to your provider. If they can't manage to keep the most basic router ACLs in place, you might consider moving to another ISP. That's just sloppy.

On a side note, say bye-bye to the BlockAttacker script. Vic wrote it as a tutorial of how you could determine traffic data from environment variables that exist during an ISA event. Unfortunately, too many folks have taken it to be their "automatic defense against the bad boys on the Internet". They exceed the directions and attach it to every network alert known to ISA and wonder why their traffic dies after a week.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

On Fri, 5 Dec 2003 09:04:25 +0800 "Marc Reyes" <marcreyes@xxxxxxxxxxxxxxx> wrote:

Hi everyone,

I'm sure almost all of you have encountered an ISA Alert like this:

ISA Server detected a well-known port scan attack from Internet Protocol (IP) address xxx.xxx.xxx.xxx. A well-known port is any port in the range of 1-2048. ....
and many other types of intrusion attempts. It's good that ISA is doing its job pretty well. (Or is he?) But what else can be done to prevent future and repeated attempts from attacking your network? Is there a "proactive" way of doing this? I have been getting ISA Port Scan Alerts that come from the same IP consistently for the past 3 days.

Any help or insight is appreciated. Thanks in advance.

Marc
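
A sketch of the log triage the reply recommends, as an added example that is not part of the original messages: it sorts denied packets by source into addresses that cannot be real (loopback or RFC 1918 sources arriving from outside), addresses that keep probing over several days, and background noise. The log layout, the thresholds and the verdict names are assumptions made for the example, not ISA Server's own format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (an assumed layout, not ISA Server's log format):
# date time source_ip dest_port action, as logged on the external interface.
SAMPLE_LOG = """\
2003-12-02 08:11:02 198.51.100.7 21 DENY
2003-12-02 08:11:03 198.51.100.7 23 DENY
2003-12-03 09:40:10 198.51.100.7 80 DENY
2003-12-03 09:40:11 198.51.100.7 135 DENY
2003-12-04 07:05:44 198.51.100.7 445 DENY
2003-12-04 07:05:45 198.51.100.7 1433 DENY
2003-12-04 10:00:00 127.0.0.1 80 DENY
2003-12-04 11:30:00 203.0.113.50 135 DENY
2003-12-04 12:00:00 192.0.2.9 80 ALLOW
"""

# Sources that can never legitimately arrive from the Internet side.
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def triage(log_text, min_days=3, min_ports=5):
    """Return {source_ip: verdict} for the denied packets in log_text."""
    ports, days = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[4] != "DENY":
            continue  # skip malformed lines and permitted traffic
        day, _time, src, dport, _action = fields
        try:
            ip, port = ipaddress.ip_address(src), int(dport)
        except ValueError:
            continue  # unparsable address or port
        ports[ip].add(port)
        days[ip].add(day)
    verdicts = {}
    for ip in ports:
        if any(ip in net for net in UNROUTABLE):
            # Forged source: a matter for the upstream router ACLs.
            verdicts[str(ip)] = "spoofed-source"
        elif len(days[ip]) >= min_days and len(ports[ip]) >= min_ports:
            verdicts[str(ip)] = "persistent-scanner"
        else:
            verdicts[str(ip)] = "background-noise"
    return verdicts

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Only the "persistent-scanner" bucket matches the pattern in the original question (one address, many ports, three days running); the other two buckets are the traffic the reply says to filter upstream or ignore.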