Before you wildly block... check what you are blocking. I have noticed that under heavy traffic our ISA can report 'port scans' or 'intrusion' when it receives port 80 packets from legitimate web connections that have timed out or otherwise died. The port scan warning is not as fine tuned as it should be IMHO. Just make sure you don't cut off legitimate traffic...

Regards

-----Original Message-----
From: shane mullins [mailto:tsmullins@xxxxxxxxxxxxxx]
Sent: Friday, 2 August 2002 12:57 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: block port scan attackers

http://www.ISAserver.org

I block them with an access list on the external interface of my Cisco router. This has been effective and stops them from even getting to your equipment.

Shane

----- Original Message -----
From: "Lim, Arthus T." <alim@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, August 01, 2002 9:37 AM
Subject: [isalist] Re: block port scan attackers

> If I found out that it was a real attack, how can I be able to block
> them?
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Thursday, August 01, 2002 8:59 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: block port scan attackers
>
> If you've received an alert, they were blocked.
> Also, not everything ISA alerts on is malicious behavior; sometimes it's
> just "late" packets.
> You can scan your IP...log for the same date/time as listed in the event
> log to see what was happening that ISA interpreted as a scan and decide
> from there whether or not you want to actively block them.
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/authors/harrison/
> Read the books!
>
> ----- Original Message -----
> From: "Lim, Arthus T." <alim@xxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, July 31, 2002 11:17 PM
> Subject: [isalist] block port scan attackers
>
> > I'm receiving reports like this in my logs:
> >
> > ISA Server name: TEQUILA
> > ISA Server detected an all port scan attack from Internet Protocol (IP)
> > address 65.121.237.200.
> > For more information about this event, see ISA Server Help.
> >
> > How can I block certain external IP addresses in ISA?
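
The check the thread recommends before blocking (look at the packet log around the alert's date/time and see whether the "scan" is just late web replies) can be sketched as follows. This is an added example, not part of the original messages: the log layout, the `triage` helper, its thresholds and all sample lines are assumptions constructed for illustration and do not reproduce ISA Server's real log format.

```python
from datetime import datetime, timedelta

# Assumed, simplified line layout (NOT ISA Server's real log format):
#   date time src-ip src-port dst-ip dst-port protocol action
# Every line below is constructed; addresses are documentation ranges.
WEB_LATE = [f"2002-07-31 23:16:{s:02d} 198.51.100.7 80 192.0.2.10 {p} TCP BLOCKED"
            for s, p in [(41, 3412), (44, 3415), (52, 3420), (58, 3431)]]
PROBES = [f"2002-07-31 23:16:{30 + i:02d} 203.0.113.50 {40000 + i} 192.0.2.10 {p} TCP BLOCKED"
          for i, p in enumerate([21, 22, 23, 25, 53, 79, 80, 110, 135, 139, 443, 445])]
SAMPLE_LOG = "\n".join(["# constructed sample"] + WEB_LATE + PROBES)
ALERT_TIME = datetime(2002, 7, 31, 23, 17, 0)   # time shown in the alert (constructed)
SERVICE_PORTS = {80, 443}   # assumption: services your users legitimately reach


def parse(log_text):
    """Yield one dict per packet line, skipping blanks and '#' comments."""
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        d, t, src, sport, dst, dport, proto, action = line.split()
        yield {"ts": datetime.strptime(f"{d} {t}", "%Y-%m-%d %H:%M:%S"),
               "src": src, "sport": int(sport), "dport": int(dport)}


def triage(log_text, alert_time, src_ip, window_s=60, scan_ports=10):
    """Classify what src_ip sent within +/- window_s of the alert time."""
    lo = alert_time - timedelta(seconds=window_s)
    hi = alert_time + timedelta(seconds=window_s)
    hits = [r for r in parse(log_text) if r["src"] == src_ip and lo <= r["ts"] <= hi]
    if not hits:
        return "no_packets", []
    dports = sorted({r["dport"] for r in hits})
    # Replies from a web server arrive FROM a service port TO a client's high port.
    if all(r["sport"] in SERVICE_PORTS and r["dport"] >= 1024 for r in hits):
        return "late_replies", dports
    # Many distinct destination ports from one source looks like probing.
    if len(dports) >= scan_ports:
        return "scan_like", dports
    return "inconclusive", dports


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.50"):
        print(ip, *triage(SAMPLE_LOG, ALERT_TIME, ip))
```

A `late_replies` verdict is only a hint, since the sender chooses its source port; confirm that internal clients actually had outbound web sessions to that address before dismissing the alert.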