Re: block port scan attackers

  • From: "Blake Al" <al.blake@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 2 Aug 2002 09:05:17 +1000

Before you wildly block.....check what you are blocking....I have noticed that 
under heavy traffic our ISA can report 'port scans' or 'intrusion' when it 
receives port 80 packets from legitimate web connections that have timed out or 
otherwise died. The port scan warning is not as fine tuned as it should be IMHO.
Just make sure you don't cut off legitimate traffic......
Regards

-----Original Message-----
From: shane mullins [mailto:tsmullins@xxxxxxxxxxxxxx]
Sent: Friday, 2 August 2002 12:57 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: block port scan attackers


http://www.ISAserver.org


I block them with an access list on the external interface of my Cisco
router. This has been effective and stops them from even getting to your
equipment.

Shane

----- Original Message -----
From: "Lim, Arthus T." <alim@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, August 01, 2002 9:37 AM
Subject: [isalist] Re: block port scan attackers


> If I found out that it was a real attack, how can I be able to block
> them?
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Thursday, August 01, 2002 8:59 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: block port scan attackers
>
> If you've received an alert, they were blocked.
> Also, not everything ISA alerts on is malicious behavior; sometimes it's
> just "late" packets.
> You can scan your IP...log for the same date/time as listed in the event
> log to see what was
> happening that ISA interpreted as a scan and decide from there whether
> or not you want to actively
> block them.
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/authors/harrison/
> Read the books!
>
> ----- Original Message -----
> From: "Lim, Arthus T." <alim@xxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, July 31, 2002 11:17 PM
> Subject: [isalist] block port scan attackers
>
>
> I'm receiving reports like this in my logs:
>
>
> ISA Server name: TEQUILA
>
> ISA Server detected an all port scan attack from Internet Protocol (IP)
> address 65.121.237.200.
>
> For more information about this event, see ISA Server Help.
>
> How can I block certain external IP addresses in ISA?
>
>
>
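
The check suggested in this thread (look at the packet log around the alert time before blocking anyone), as an added example that is not part of the original messages or of ISA Server. The log layout, addresses, timestamp and the `parse`/`triage` helpers are constructed assumptions; adapt the field positions to your own packet filter log.

```python
from datetime import datetime, timedelta

# Constructed sample rows in a simplified layout (an assumption, not ISA's
# exact format): date time src-ip dst-ip proto src-port dst-port tcp-flags
SAMPLE_LOG = """\
2002-07-31 23:16:58 203.0.113.80 198.51.100.10 TCP 80 3412 ACK,FIN
2002-07-31 23:16:59 203.0.113.80 198.51.100.10 TCP 80 3413 ACK
2002-07-31 23:17:00 203.0.113.80 198.51.100.10 TCP 80 3415 RST
2002-07-31 23:17:01 203.0.113.80 198.51.100.10 TCP 80 3420 ACK,FIN
2002-07-31 23:17:02 203.0.113.99 198.51.100.10 TCP 41000 21 SYN
2002-07-31 23:17:02 203.0.113.99 198.51.100.10 TCP 41001 22 SYN
2002-07-31 23:17:02 203.0.113.99 198.51.100.10 TCP 41002 23 SYN
2002-07-31 23:17:03 203.0.113.99 198.51.100.10 TCP 41003 25 SYN
2002-07-31 23:17:03 203.0.113.99 198.51.100.10 TCP 41004 110 SYN
2002-07-31 23:17:03 203.0.113.99 198.51.100.10 TCP 41005 139 SYN
"""
ALERT_TIME = datetime(2002, 7, 31, 23, 17, 0)  # constructed alert timestamp

def parse(log_text):
    """Return one dict per well-formed row; skip comments and bad rows."""
    rows = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 8 or line.startswith("#"):
            continue
        try:
            ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
            rows.append({"ts": ts, "src": parts[2], "sport": int(parts[5]),
                         "dport": int(parts[6]), "flags": set(parts[7].split(","))})
        except ValueError:
            continue
    return rows

def triage(rows, src_ip, alert_time, window_s=60, min_ports=5):
    """Classify what src_ip sent within +/- window_s seconds of the alert."""
    span = timedelta(seconds=window_s)
    hits = [r for r in rows
            if r["src"] == src_ip and abs(r["ts"] - alert_time) <= span]
    if not hits:
        return "no-packets-in-window"
    # Late replies come from source port 80 and are never a bare SYN; a
    # scanner that merely picks source port 80 still sends bare SYNs.
    if all(r["sport"] == 80 and r["flags"] != {"SYN"} for r in hits):
        return "likely-late-web-replies"
    probed = {r["dport"] for r in hits if r["flags"] == {"SYN"}}
    return "scan-like" if len(probed) >= min_ports else "needs-manual-review"

if __name__ == "__main__":
    for ip in ("203.0.113.80", "203.0.113.99"):
        print(ip, triage(parse(SAMPLE_LOG), ip, ALERT_TIME))
```

The result is a triage hint for a human reviewer; the `min_ports` and `window_s` thresholds are arbitrary starting values.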

