[isapros] Re: Port Scan

• From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
• To: <isapros@xxxxxxxxxxxxx>
• Date: Tue, 25 Jul 2006 16:08:06 -0400

Considering it's been going on for a couple of days from a small range
of IP addresses it surely seems targeted. Don't know what I did to piss
off someone in Virginia. 

Source port is 53. Destination ports are a range of about 6500 ports.
First IP targets the first chunk, then the next IP targets the next
chunk, etc. When they get to the end, they start up again at the
beginning. 

Amy Babinchak
 

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Tuesday, July 25, 2006 3:52 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

.02:

It seems like a total waste of time to respond to "scan  attacks" with a
block script, as everything is being blocked anyway- just not with an
explicit "block" rule.  The presence of the "scan" alert tells you that
ISA
is doing its job - AFAIAC, no other action is even necessary.  If there
is
some incessant attack from a persistent IP hammering away at published
services and you just don't want to see it, then put in a deny rule.  If
it
is a bandwidth issue (like when I was getting Code Red attacks all day,
every day) then block it on the ISP side.  But that costs money for that
service, typically.  However, it does work.

If it is in the realm of "identified" attacks ala my "strikeback" model,
then that is a different thing- and something that is deployed in a
completely different way to solve a different problem (lest someone
tried to
use that against me ;).  Port scans and "noise" traffic an safely be
ignored. 

t


On 7/25/06 11:58 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> Think way back to your involvement with SBS in the Yahoo list.
> It was how I got invited to join that list; the BlockAttacker script
was being
> touted as the be-all, end-all to ISA port scan response.
> I had to get really nasty (even for me) with the proponent of this
technique
> before he finally backed down.
> He still regurgitates this nonsense (among other senseless
meanderings) from
> time to time, but it's an easy head-slap.
> 
> For those not familiar, the BlockAttacker script was an expansion of
the ISA
> 2000 alert action example that used the client IP to create a packet
filter
> blocking the "offending host".  While it provided an excellent example
of
> using ISA alert environment variables, it turned out to be a great DoS
tool as
> well and we pulled it from isatools.org.
> 
> Unfortunately, there is one (TSu) individual who shall remain nameless
(Tony
> Su) who insists on singing the praises of this response technique to
> unsuspecting ISA admins.  Luckily, he's not skilled enough to sort out
how to
> port the script to ISA 2004 or we'd have more PSS calls than we do
now.
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Amy Babinchak
> Sent: Tuesday, July 25, 2006 11:21
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Port Scan
> 
> I don't know that joke. I think it was before my time on the list.
> What's the block attacker script? Never heard of it.
> 
> Amy Babinchak
>  
> 
>    
>  
>  
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Tuesday, July 25, 2006 2:19 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Port Scan
> 
> Ask Tony for the BlockAttacker script.
> I'm sure he's still trying to support it.
> :-p
> 
> Tom has it right; you can generally ignore them, since damn few ISPs
even
> care.
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Amy Babinchak
> Sent: Tuesday, July 25, 2006 10:21
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Port Scan
> 
> What should I do about a port scan that just won't go away? I've got
two IP
> addresses port scanning my server around the clock. An email to the
owner
> bounced back, unknown email address.
> 
> Is there anything to be done?
> 
> 
> Amy 
>  
>    
> 
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
> 
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
> 
> 

• Follow-Ups:
  • [isapros] Re: Port Scan
    • From: Jim Harrison
  • [isapros] Re: Port Scan
    • From: Thor (Hammer of God)

Other related posts:

• » [isapros] Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan
• » [isapros] Re: Port Scan

1. Home
2. isapros
3. Archive
4. 07-2006

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---