Grrrr I've asked him to stop hosting this content.
I guess I'll have to sic LCA on him now.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: Tuesday, July 25, 2006 14:26
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

http://www.toolzz.com/ISATools/2000tools.htm

It may be a waste, but you forgot that I feel better now. That's something. Maybe it's a girl thing.

I also have a habit of creating protocols for stuff that shows up as unidentified traffic. I suppose that's a waste too, because ISA handles it whether it has a name or not. But it makes it easier on me. Now I can look at the logs and when I see Denied and the rule is Drop This Connection, then I know what it is. Just like when I see HP Printer Broadcast protocol in the logs, I know what that is (and how to stop it).

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Tuesday, July 25, 2006 5:17 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

..where?

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: Tuesday, July 25, 2006 13:58
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

I found the script available on ISAtoolz. Never heard of that site either.

Amy

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Tuesday, July 25, 2006 4:54 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

I think Tsu added quite a bit of intelligence into the script :P

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Tuesday, July 25, 2006 3:52 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Port Scan
>
> Yep--- was there any "intelligence" in the blocking rule, or could someone do a simple port scan of the external interface from the NAT'd internal LAN to automatically block all internal traffic? ;)
>
> t
>
> On 7/25/06 1:42 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>
> > Yep - total agreement, and this was the core of the "fight" way back when.
> > Not only that, but any automated "rule builder" can be used as a great DoS mechanism.
> >
> > -------------------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > -------------------------------------------------------
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Tuesday, July 25, 2006 12:52
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Port Scan
> >
> > .02:
> >
> > It seems like a total waste of time to respond to "scan attacks" with a block script, as everything is being blocked anyway - just not with an explicit "block" rule. The presence of the "scan" alert tells you that ISA is doing its job - AFAIAC, no other action is even necessary. If there is some incessant attack from a persistent IP hammering away at published services and you just don't want to see it, then put in a deny rule. If it is a bandwidth issue (like when I was getting Code Red attacks all day, every day) then block it on the ISP side. But that costs money for that service, typically. However, it does work.
> >
> > If it is in the realm of "identified" attacks ala my "strikeback" model, then that is a different thing - and something that is deployed in a completely different way to solve a different problem (lest someone tried to use that against me ;). Port scans and "noise" traffic can safely be ignored.
> >
> > t
> >
> > On 7/25/06 11:58 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> >
> >> Think way back to your involvement with SBS in the Yahoo list.
> >> It was how I got invited to join that list; the BlockAttacker script was being touted as the be-all, end-all to ISA port scan response.
> >> I had to get really nasty (even for me) with the proponent of this technique before he finally backed down.
> >> He still regurgitates this nonsense (among other senseless meanderings) from time to time, but it's an easy head-slap.
> >>
> >> For those not familiar, the BlockAttacker script was an expansion of the ISA 2000 alert action example that used the client IP to create a packet filter blocking the "offending host". While it provided an excellent example of using ISA alert environment variables, it turned out to be a great DoS tool as well, and we pulled it from isatools.org.
> >>
> >> Unfortunately, there is one (TSu) individual who shall remain nameless (Tony Su) who insists on singing the praises of this response technique to unsuspecting ISA admins. Luckily, he's not skilled enough to sort out how to port the script to ISA 2004 or we'd have more PSS calls than we do now.
> >>
> >> -------------------------------------------------------
> >> Jim Harrison
> >> MCP(NT4, W2K), A+, Network+, PCG
> >> http://isaserver.org/Jim_Harrison/
> >> http://isatools.org
> >> Read the help / books / articles!
> >> -------------------------------------------------------
> >>
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> >> Sent: Tuesday, July 25, 2006 11:21
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Port Scan
> >>
> >> I don't know that joke. I think it was before my time on the list. What's the block attacker script? Never heard of it.
> >>
> >> Amy Babinchak
> >>
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >> Sent: Tuesday, July 25, 2006 2:19 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Port Scan
> >>
> >> Ask Tony for the BlockAttacker script.
> >> I'm sure he's still trying to support it.
> >> :-p
> >>
> >> Tom has it right; you can generally ignore them, since damn few ISPs even care.
> >>
> >> -------------------------------------------------------
> >> Jim Harrison
> >> MCP(NT4, W2K), A+, Network+, PCG
> >> http://isaserver.org/Jim_Harrison/
> >> http://isatools.org
> >> Read the help / books / articles!
> >> -------------------------------------------------------
> >>
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> >> Sent: Tuesday, July 25, 2006 10:21
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Port Scan
> >>
> >> What should I do about a port scan that just won't go away? I've got two IP addresses port scanning my server around the clock. An email to the owner bounced back, unknown email address.
> >>
> >> Is there anything to be done?
> >>
> >> Amy
> >>
> >> All mail to and from this domain is GFI-scanned.
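Jim's point that "any automated rule builder can be used as a great DoS mechanism", and Thor's question about scanning the external interface from the NAT'd LAN, are easy to see in code. The following is an added example, not the BlockAttacker script, the ISA 2000 alert action sample, or anything from isatools.org: a toy port-scan detector run over a constructed deny log, with the naive "block whatever source the alert names" response next to a version that refuses to create rules for addresses the firewall itself depends on, expires rules, and caps how many it will create. The log format, every address, the threshold and the never-block list are all invented for the example. It also goes one step beyond the thread's NAT case: the third source in the log is the firewall's own DNS resolver appearing as a forged source address, which trips the naive responder just the same.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "denied connection" log lines (not real ISA Server output):
# timestamp, source IP, destination IP (our external interface), destination port.
#   203.0.113.7    a genuine outside scanner
#   192.168.1.50   an internal host scanning the external interface from the NAT'd LAN
#   198.51.100.53  our own DNS resolver, showing up as a forged source address
#   203.0.113.9    slow background noise that never reaches the threshold
SAMPLE_LOG = """\
2006-07-25 10:00:01 203.0.113.7 198.51.100.10 21
2006-07-25 10:00:01 203.0.113.7 198.51.100.10 22
2006-07-25 10:00:02 203.0.113.7 198.51.100.10 23
2006-07-25 10:00:02 203.0.113.7 198.51.100.10 25
2006-07-25 10:00:03 203.0.113.7 198.51.100.10 80
2006-07-25 10:05:10 192.168.1.50 198.51.100.10 21
2006-07-25 10:05:10 192.168.1.50 198.51.100.10 22
2006-07-25 10:05:11 192.168.1.50 198.51.100.10 23
2006-07-25 10:05:11 192.168.1.50 198.51.100.10 25
2006-07-25 10:05:12 192.168.1.50 198.51.100.10 80
2006-07-25 10:10:00 198.51.100.53 198.51.100.10 135
2006-07-25 10:10:00 198.51.100.53 198.51.100.10 139
2006-07-25 10:10:01 198.51.100.53 198.51.100.10 445
2006-07-25 10:10:01 198.51.100.53 198.51.100.10 1433
2006-07-25 10:10:02 198.51.100.53 198.51.100.10 3389
2006-07-25 11:00:00 203.0.113.9 198.51.100.10 80
2006-07-25 11:30:00 203.0.113.9 198.51.100.10 443
"""

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            date, clock, src, dst, port = line.split()
            events.append((parse_ts(f"{date} {clock}"), src, dst, int(port)))
    return events

def detect_scanners(events, threshold=5, window=timedelta(seconds=60)):
    """Simple scan heuristic: a source is flagged the moment it has probed
    `threshold` distinct destination ports within `window`. Returns {src: when}."""
    by_src = defaultdict(list)
    for ts, src, _dst, port in sorted(events):
        by_src[src].append((ts, port))
    flagged = {}
    for src, probes in by_src.items():
        for i, (ts, _port) in enumerate(probes):
            recent = {p for t, p in probes[: i + 1] if ts - t <= window}
            if len(recent) >= threshold:
                flagged[src] = ts
                break
    return flagged

def naive_block_list(events):
    """BlockAttacker-style response: every flagged source becomes a deny rule,
    whoever it is, with no expiry."""
    return set(detect_scanners(events))

# Addresses a deny rule must never be created for (constructed for this example).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "198.51.100.10/32",  # our external interface
    "198.51.100.1/32",   # upstream gateway
    "198.51.100.53/32",  # DNS resolver; a rule here breaks name resolution
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 internal nets
)]

def collateral_damage(block_set, never_block=NEVER_BLOCK):
    """Entries of a block list that would cut off infrastructure we depend on."""
    return {s for s in block_set
            if any(ipaddress.ip_address(s) in net for net in never_block)}

def hardened_block_list(events, never_block=NEVER_BLOCK,
                        ttl=timedelta(hours=1), max_rules=100):
    """Same detector, but the response skips protected addresses, gives each
    rule a lifetime, and caps the number of auto-created rules so a flood of
    forged sources cannot grow the rule base without bound."""
    blocks = {}
    for src, seen_at in sorted(detect_scanners(events).items(), key=lambda kv: kv[1]):
        addr = ipaddress.ip_address(src)
        if addr.is_loopback or any(addr in net for net in never_block):
            continue  # blocking this would be a self-inflicted DoS
        if len(blocks) >= max_rules:
            break
        blocks[src] = seen_at + ttl
    return blocks

def active_blocks(blocks, now):
    """Rules still in force at `now`; expired ones drop out on their own."""
    return {src for src, until in blocks.items() if until > now}

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    naive = naive_block_list(events)
    print("naive would block:", sorted(naive))
    print("  of which self-inflicted:", sorted(collateral_damage(naive)))
    print("hardened blocks:", hardened_block_list(events))
```

Run stand-alone, the naive list contains all three flagged sources, two of which are the firewall's own LAN and resolver; the hardened list holds only the outside scanner and drops it an hour later. Even the hardened form only limits the blast radius: it still lets an attacker with a spoofable source address decide which outside hosts get denied, which is the reason the thread settles on ignoring scan noise rather than reacting to it.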