RE: port scan detected

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 19 Aug 2003 16:02:09 -0500

Hi Mark,
 
Sure. Human eyes must evaluate the nature of the attack, and human eyes
must evaluate the source location.
 
For example, if the "attack" is some DNS timeout issue with your DNS
server, do you want to block that?
 
Another example, if the "attack" is from another admin testing his
"skills" from home, do you want to block that?
 
Another example, the IDS is misconfigured, do you want to block what it
says?
 
Another example, a legit host is infected and cleaned. Now that host is
blocked. Do you want to block that and then deal with connectivity
issues when you forgot about your blocking filters or try to fish out
the blocked host address from the thousands on your list?
 
Harden your hosts, use Application and Web filters, never publish a Web
site using an IP address, all the basic stuff. That's a lot more
effective than blocking addresses willy nilly. 
 
YMMV,
Tom
 
Thomas W Shinder
http://www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 

        -----Original Message-----
        From: Mark Hopkins [mailto:Mark.Hopkins@xxxxxxxxxxxxxxxxxxxxx] 
        Sent: Tuesday, August 19, 2003 2:13 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: port scan detected
        
        
        http://www.ISAserver.org
        
        

        Tom,

         

        Could you elaborate on this "intelligent address blocking"? Thanks.

         

        Mark

         

        
  _____  


        From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
        Sent: Tuesday, August 19, 2003 1:59 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: port scan detected

         

        Hi Brian,

         

        Nor should you. Blocking addresses that scan you is like
        shooting at cars that drive past your home and look at your
        windows and front door. :-) Be aware of the attempt, but you'll
        end up making a critical error sooner or later if you block
        addresses without putting some intelligence behind the block.

         

        HTH,

        Tom

         

        Thomas W Shinder

        http://www.isaserver.org/shinder
