[isapros] Re: Port Scan

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Tue, 25 Jul 2006 14:44:42 -0700

Grrrr

I've asked him to stop hosting this content.
I guess I'll have to sic LCA on him now.


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Amy Babinchak
Sent: Tuesday, July 25, 2006 14:26
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

http://www.toolzz.com/ISATools/2000tools.htm

It may be a waste but you forgot that I feel better now. That's something. 
Maybe it's a girl thing.

I also have a habit of creating protocols for stuff that shows up as 
unidentified traffic. I suppose that's a waste too because ISA handles it 
whether it has a name or not. But it makes it easier on me.

Now I can look at the logs and when I see Denied and the rule is Drop This 
Connection, then I know what it is. Just like when I see HP Printer Broadcast 
protocol in the logs, I know what that is. (and how to stop it)
 

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Tuesday, July 25, 2006 5:17 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

..where? 


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: Tuesday, July 25, 2006 13:58
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

I found the script available on ISAtoolz. Never heard of that site either. 

Amy  
 

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Tuesday, July 25, 2006 4:54 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

I think Tsu added quite a bit of intelligence into the script :P

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of
> God)
> Sent: Tuesday, July 25, 2006 3:52 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Port Scan
> 
> Yep--- was there any "intelligence" in the blocking rule, or could
> someone do a simple port scan of the external interface from the NAT'd
> internal LAN to automatically block all internal traffic? ;)
> 
> t
> 
> 
> On 7/25/06 1:42 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> 
> > Yep - total agreement and this was the core of the "fight" way back when.
> > Not only that, but any automated "rule builder" can be used as a great DoS
> > mechanism.
> > 
> > -------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> > -------------------------------------------------------
> >  
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> > Behalf Of Thor (Hammer of God)
> > Sent: Tuesday, July 25, 2006 12:52
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Port Scan
> > 
> > .02:
> > 
> > It seems like a total waste of time to respond to "scan attacks" with a block
> > script, as everything is being blocked anyway- just not with an explicit
> > "block" rule.  The presence of the "scan" alert tells you that ISA is doing
> > its job - AFAIAC, no other action is even necessary.  If there is some
> > incessant attack from a persistent IP hammering away at published services and
> > you just don't want to see it, then put in a deny rule.  If it is a bandwidth
> > issue (like when I was getting Code Red attacks all day, every day) then block
> > it on the ISP side.  But that costs money for that service, typically.
> > However, it does work.
> > 
> > If it is in the realm of "identified" attacks ala my "strikeback" model, then
> > that is a different thing- and something that is deployed in a completely
> > different way to solve a different problem (lest someone tried to use that
> > against me ;).  Port scans and "noise" traffic can safely be ignored.
> > 
> > t
> > 
> > 
> > On 7/25/06 11:58 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
> > 
> >> Think way back to your involvement with SBS in the Yahoo list.
> >> It was how I got invited to join that list; the BlockAttacker script
> >> was being touted as the be-all, end-all to ISA port scan response.
> >> I had to get really nasty (even for me) with the proponent of this
> >> technique before he finally backed down.
> >> He still regurgitates this nonsense (among other senseless
> >> meanderings) from time to time, but it's an easy head-slap.
> >> 
> >> For those not familiar, the BlockAttacker script was an expansion of
> >> the ISA 2000 alert action example that used the client IP to create a
> >> packet filter blocking the "offending host".  While it provided an
> >> excellent example of using ISA alert environment variables, it turned
> >> out to be a great DoS tool as well and we pulled it from isatools.org.
> >> 
> >> Unfortunately, there is one (TSu) individual who shall remain nameless
> >> (Tony Su) who insists on singing the praises of this response technique to
> >> unsuspecting ISA admins.  Luckily, he's not skilled enough to sort out
> >> how to port the script to ISA 2004 or we'd have more PSS calls than we do
> >> now.
> >> 
> >> -------------------------------------------------------
> >>    Jim Harrison
> >>    MCP(NT4, W2K), A+, Network+, PCG
> >>    http://isaserver.org/Jim_Harrison/
> >>    http://isatools.org
> >>    Read the help / books / articles!
> >> -------------------------------------------------------
> >>  
> >> 
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> >> Sent: Tuesday, July 25, 2006 11:21
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Port Scan
> >> 
> >> I don't know that joke. I think it was before my time on the list.
> >> What's the block attacker script? Never heard of it.
> >> 
> >> Amy Babinchak
> >>  
> >> 
> >> 
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> On Behalf Of Jim Harrison
> >> Sent: Tuesday, July 25, 2006 2:19 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Port Scan
> >> 
> >> Ask Tony for the BlockAttacker script.
> >> I'm sure he's still trying to support it.
> >> :-p
> >> 
> >> Tom has it right; you can generally ignore them, since damn few ISPs
> >> even care.
> >> 
> >> -------------------------------------------------------
> >>    Jim Harrison
> >>    MCP(NT4, W2K), A+, Network+, PCG
> >>    http://isaserver.org/Jim_Harrison/
> >>    http://isatools.org
> >>    Read the help / books / articles!
> >> -------------------------------------------------------
> >>  
> >> 
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> On Behalf Of Amy Babinchak
> >> Sent: Tuesday, July 25, 2006 10:21
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Port Scan
> >> 
> >> What should I do about a port scan that just won't go away? I've got
> >> two IP addresses port scanning my server around the clock.  An email to
> >> the owner bounced back, unknown email address.
> >> 
> >> Is there anything to be done?
> >> 
> >> 
> >> Amy
> >>  
> >>    
> >> 
> >> 
> >> All mail to and from this domain is GFI-scanned.
> >> 
> > 
> 
> 
> 
> 
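The design flaw the thread keeps returning to, as an added illustration that is not from the list or from the BlockAttacker script itself: a handler that turns every scan alert into a block rule will block whatever address the alert names, including the firewall's own NAT address when an internal host scans the external interface. The addresses, networks and alert records below are constructed for the example.

```python
from collections import Counter
import ipaddress

# Constructed, not from the thread: networks an alert handler must never
# block on its own. The internal LAN and the firewall's own external (NAT)
# address, which is what a scan from the NAT'd LAN appears to come from.
PROTECTED_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),  # internal LAN
    ipaddress.ip_network("203.0.113.5/32"),  # firewall external / NAT address
]

# Constructed alert stream in the spirit of the ISA "port scan" alert:
# (source address, alert type). One noisy external scanner, one internal
# host probing the external interface, and one single unexplained hit.
ALERTS = [
    ("198.51.100.7", "port_scan"),
    ("198.51.100.7", "port_scan"),
    ("198.51.100.7", "port_scan"),
    ("203.0.113.5", "port_scan"),  # NAT'd LAN host scanning the outside
    ("192.0.2.44", "port_scan"),   # single hit, could be anything
    ("198.51.100.7", "dns_intrusion"),
]


def naive_block_list(alerts):
    """BlockAttacker-style: every port-scan alert source becomes a block rule."""
    return {src for src, kind in alerts if kind == "port_scan"}


def guarded_block_list(alerts, threshold=3, protected=PROTECTED_NETS):
    """Never block protected networks, and require repeated alerts first."""
    hits = Counter()
    for src, kind in alerts:
        if kind != "port_scan":
            continue
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in protected):
            continue  # leave it as an alert; an alert must not write this rule
        hits[src] += 1
    return {src for src, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print("naive  :", sorted(naive_block_list(ALERTS)))   # includes 203.0.113.5
    print("guarded:", sorted(guarded_block_list(ALERTS)))  # only 198.51.100.7
```

Even the guarded version acts on whatever source address the alert carries, which is why the thread's advice is to treat scan alerts as confirmation that the firewall is already dropping the traffic rather than as a trigger for new rules.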