[isapros] Re: Port Scan

  • From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 26 Jul 2006 07:44:39 +1000

yeah thor gets that feeling too p

----- Original Message -----
From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Wednesday, July 26, 2006 7:26 AM
Subject: [isapros] Re: Port Scan



http://www.toolzz.com/ISATools/2000tools.htm

It may be a waste but you forgot that I feel better now. That's
something. Maybe it's a girl thing.

I also have a habit of creating protocols for stuff that shows up as
unidentified traffic. I suppose that's a waste too because ISA handles
it whether it has a name or not. But it makes it easier on me.

Now I can look at the logs and when I see Denied and the rule is Drop
This Connection, then I know what it is. Just like when I see HP Printer
Broadcast protocol in the logs, I know what that is. (and how to stop
it)


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Tuesday, July 25, 2006 5:17 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

..where?


-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: Tuesday, July 25, 2006 13:58
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

I found the script available on ISAtoolz. Never heard of that site
either.


Amy


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Tuesday, July 25, 2006 4:54 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

I think Tsu added quite a bit of intelligence into the script :P

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Tuesday, July 25, 2006 3:52 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan


Yep--- was there any "intelligence" in the blocking rule, or could someone do a simple port scan of the external interface from the NAT'd
internal LAN to automatically block all internal traffic? ;)

t


On 7/25/06 1:42 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> Yep - total agreement and this was the core of the "fight" way back when.
> Not only that, but any automated "rule builder" can be used as a great DoS
> mechanism.
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thor (Hammer of God)
> Sent: Tuesday, July 25, 2006 12:52
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Port Scan
>
> .02:
>
> It seems like a total waste of time to respond to "scan attacks" with a block
> script, as everything is being blocked anyway- just not with an explicit
> "block" rule. The presence of the "scan" alert tells you that ISA is doing
> its job - AFAIAC, no other action is even necessary. If there is some
> incessant attack from a persistent IP hammering away at published services and
> you just don't want to see it, then put in a deny rule. If it is a bandwidth
> issue (like when I was getting Code Red attacks all day, every day) then block
> it on the ISP side. But that costs money for that service, typically.
> However, it does work.
>
> If it is in the realm of "identified" attacks ala my "strikeback" model, then
> that is a different thing- and something that is deployed in a completely
> different way to solve a different problem (lest someone tried to use that
> against me ;). Port scans and "noise" traffic can safely be ignored.
>
> t
>
> On 7/25/06 11:58 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>
>> Think way back to your involvement with SBS in the Yahoo list.
>> It was how I got invited to join that list; the BlockAttacker script
>> was being touted as the be-all, end-all to ISA port scan response.
>> I had to get really nasty (even for me) with the proponent of this
>> technique before he finally backed down.
>> He still regurgitates this nonsense (among other senseless
>> meanderings) from time to time, but it's an easy head-slap.
>>
>> For those not familiar, the BlockAttacker script was an expansion of
>> the ISA 2000 alert action example that used the client IP to create a
>> packet filter blocking the "offending host". While it provided an
>> excellent example of using ISA alert environment variables, it turned
>> out to be a great DoS tool as well and we pulled it from isatools.org.
>>
>> Unfortunately, there is one (TSu) individual who shall remain nameless
>> (Tony
>> Su) who insists on singing the praises of this response technique to
>> unsuspecting ISA admins. Luckily, he's not skilled enough to sort out
>> how to port the script to ISA 2004 or we'd have more PSS calls than we do
>> now.
>>
>> -------------------------------------------------------
>> Jim Harrison
>> MCP(NT4, W2K), A+, Network+, PCG
>> http://isaserver.org/Jim_Harrison/
>> http://isatools.org
>> Read the help / books / articles!
>> -------------------------------------------------------
>>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
>> Sent: Tuesday, July 25, 2006 11:21
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Port Scan
>>
>> I don't know that joke. I think it was before my time on the list.
>> What's the block attacker script? Never heard of it.
>>
>> Amy Babinchak
>>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Jim Harrison
>> Sent: Tuesday, July 25, 2006 2:19 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Port Scan
>>
>> Ask Tony for the BlockAttacker script.
>> I'm sure he's still trying to support it.
>> :-p
>>
>> Tom has it right; you can generally ignore them, since damn few ISPs
>> even care.
>>
>> -------------------------------------------------------
>> Jim Harrison
>> MCP(NT4, W2K), A+, Network+, PCG
>> http://isaserver.org/Jim_Harrison/
>> http://isatools.org
>> Read the help / books / articles!
>> -------------------------------------------------------
>>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Amy Babinchak
>> Sent: Tuesday, July 25, 2006 10:21
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Port Scan
>>
>> What should I do about a port scan that just won't go away? I've got
>> two IP addresses port scanning my server around the clock. An email to
>> the owner bounced back, unknown email address.
>>
>> Is there anything to be done?
>>
>> Amy
>>
>> All mail to and from this domain is GFI-scanned.

All mail to and from this domain is GFI-scanned.
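The failure mode Thor and Jim describe (an alert-driven rule builder that blocks whatever client IP the "scan" alert reports, including a scanner sitting on the NAT'd LAN, and so turns into a DoS tool) is easy to show in a few lines. The Python below is an added illustration, not the BlockAttacker script or any ISA API; the addresses, networks and rule cap are constructed.

```python
"""Simulated alert-action handler for an ISA-style "scan attack" alert.

Constructed illustration, not the BlockAttacker script or an ISA API.
Turning the alert's client IP straight into a block rule lets a scan from
the NAT'd LAN (or any spoofable source) knock out legitimate traffic, the
DoS the thread warns about. The guarded handler refuses to act on the
firewall's own networks, skips allow-listed hosts and caps auto-created rules.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample topology; every address here is hypothetical.
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
FIREWALL_ADDRESSES = {ipaddress.ip_address("203.0.113.10"),
                      ipaddress.ip_address("192.168.1.1")}
ALLOW_LIST = {ipaddress.ip_address("198.51.100.5")}  # e.g. a monitoring host
MAX_AUTO_RULES = 3  # past this, alert a human instead of adding rules


@dataclass
class RuleStore:
    """Stand-in for the firewall's rule set: blocked source addresses."""
    blocked: set = field(default_factory=set)


def naive_block(store, client_ip):
    """What the thread describes: the alert's client IP becomes a block rule."""
    store.blocked.add(str(ipaddress.ip_address(client_ip)))
    return True, "blocked"


def guarded_block(store, client_ip):
    """Same response with sanity checks; returns (created, reason)."""
    ip = ipaddress.ip_address(client_ip)
    if ip in FIREWALL_ADDRESSES or any(ip in net for net in INTERNAL_NETWORKS):
        return False, "refused: our own interface or internal network"
    if ip in ALLOW_LIST:
        return False, "refused: allow-listed"
    if str(ip) in store.blocked:
        return False, "already blocked"
    if len(store.blocked) >= MAX_AUTO_RULES:
        return False, "refused: auto-rule cap reached, alert only"
    store.blocked.add(str(ip))
    return True, "blocked"


def run_scenario(handler, alert_client_ips):
    """Feed alert client IPs to a handler; return the rule store and decisions."""
    store = RuleStore()
    decisions = [handler(store, ip) for ip in alert_client_ips]
    return store, decisions
```

Run both handlers over the same alert sequence: the naive one happily blocks the LAN host and the firewall's own external address, the guarded one declines and stops creating rules once the cap is hit.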