[isapros] Re: Port Scan

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Tue, 25 Jul 2006 14:47:14 -0700

You have to understand Amy, these guys are a bunch of geeks.  They don't
understand what's important to a woman, or even how to treat a woman like a
lady.  This is what happens when they spend too much time with "email," and
not enough time with "female." ;)  That's also why they are married, and I
am single. :-p

If it makes you feel good, then go for it.

t


On 7/25/06 2:26 PM, "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> spoketh
to all:

> http://www.toolzz.com/ISATools/2000tools.htm
> 
> It may be a waste but you forgot that I feel better now. That's
> something. Maybe it's a girl thing.
> 
> I also have a habit of creating protocols for stuff that shows up as
> unidentified traffic. I suppose that's a waste too because ISA handles
> it whether it has a name or not. But it makes it easier on me.
> 
> Now I can look at the logs and when I see Denied and the rule is Drop
> This Connection, then I know what it is. Just like when I see HP Printer
> Broadcast protocol in the logs, I know what that is. (and how to stop
> it)
>  
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Tuesday, July 25, 2006 5:17 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Port Scan
> 
> ..where? 
> 
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Amy Babinchak
> Sent: Tuesday, July 25, 2006 13:58
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Port Scan
> 
> I found the script available on ISAtoolz. Never heard of that site
> either. 
> 
> Amy  
>  
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Tuesday, July 25, 2006 4:54 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Port Scan
> 
> I think Tsu added quite a bit of intelligence into the script :P
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of
>> God)
>> Sent: Tuesday, July 25, 2006 3:52 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Port Scan
>> 
>> Yep--- was there any "intelligence" in the blocking rule, or could
>> someone do a simple port scan of the external interface from the NAT'd
>> internal LAN to automatically block all internal traffic? ;)
>> 
>> t
>> 
>> 
>> On 7/25/06 1:42 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>> 
>>> Yep - total agreement and this was the core of the "fight" way back when.
>>> Not only that, but any automated "rule builder" can be used as a great DoS
>>> mechanism.
>>> 
>>> -------------------------------------------------------
>>>    Jim Harrison
>>>    MCP(NT4, W2K), A+, Network+, PCG
>>>    http://isaserver.org/Jim_Harrison/
>>>    http://isatools.org
>>>    Read the help / books / articles!
>>> -------------------------------------------------------
>>>  
>>> 
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Thor (Hammer of God)
>>> Sent: Tuesday, July 25, 2006 12:52
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Port Scan
>>> 
>>> .02:
>>> 
>>> It seems like a total waste of time to respond to "scan attacks" with a block
>>> script, as everything is being blocked anyway- just not with an explicit
>>> "block" rule.  The presence of the "scan" alert tells you that ISA is doing
>>> its job - AFAIAC, no other action is even necessary.  If there is some
>>> incessant attack from a persistent IP hammering away at published services and
>>> you just don't want to see it, then put in a deny rule.  If it is a bandwidth
>>> issue (like when I was getting Code Red attacks all day, every day) then block
>>> it on the ISP side.  But that costs money for that service, typically.
>>> However, it does work.
>>> 
>>> If it is in the realm of "identified" attacks ala my "strikeback" model, then
>>> that is a different thing- and something that is deployed in a completely
>>> different way to solve a different problem (lest someone tried to use that
>>> against me ;).  Port scans and "noise" traffic can safely be ignored.
>>> 
>>> t
>>> 
>>> 
>>> On 7/25/06 11:58 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>>> 
>>>> Think way back to your involvement with SBS in the Yahoo list.
>>>> It was how I got invited to join that list; the BlockAttacker script
>>>> was being touted as the be-all, end-all to ISA port scan response.
>>>> I had to get really nasty (even for me) with the proponent of this
>>>> technique before he finally backed down.
>>>> He still regurgitates this nonsense (among other senseless
>>>> meanderings) from time to time, but it's an easy head-slap.
>>>> 
>>>> For those not familiar, the BlockAttacker script was an expansion of
>>>> the ISA 2000 alert action example that used the client IP to create a
>>>> packet filter blocking the "offending host".  While it provided an
>>>> excellent example of using ISA alert environment variables, it turned
>>>> out to be a great DoS tool as well and we pulled it from isatools.org.
>>>> 
>>>> Unfortunately, there is one (TSu) individual who shall remain nameless
>>>> (Tony Su) who insists on singing the praises of this response technique to
>>>> unsuspecting ISA admins.  Luckily, he's not skilled enough to sort out
>>>> how to port the script to ISA 2004 or we'd have more PSS calls than we do
>>>> now.
>>>> 
>>>> -------------------------------------------------------
>>>>    Jim Harrison
>>>>    MCP(NT4, W2K), A+, Network+, PCG
>>>>    http://isaserver.org/Jim_Harrison/
>>>>    http://isatools.org
>>>>    Read the help / books / articles!
>>>> -------------------------------------------------------
>>>>  
>>>> 
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
>>>> Sent: Tuesday, July 25, 2006 11:21
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: Port Scan
>>>> 
>>>> I don't know that joke. I think it was before my time on the list.
>>>> What's the block attacker script? Never heard of it.
>>>> 
>>>> Amy Babinchak
>>>>  
>>>> 
>>>>    
>>>>  
>>>>  
>>>> 
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>>> On Behalf Of Jim Harrison
>>>> Sent: Tuesday, July 25, 2006 2:19 PM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: Port Scan
>>>> 
>>>> Ask Tony for the BlockAttacker script.
>>>> I'm sure he's still trying to support it.
>>>> :-p
>>>> 
>>>> Tom has it right; you can generally ignore them, since damn few ISPs
>>>> even care.
>>>> 
>>>> -------------------------------------------------------
>>>>    Jim Harrison
>>>>    MCP(NT4, W2K), A+, Network+, PCG
>>>>    http://isaserver.org/Jim_Harrison/
>>>>    http://isatools.org
>>>>    Read the help / books / articles!
>>>> -------------------------------------------------------
>>>>  
>>>> 
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>>> On Behalf Of Amy Babinchak
>>>> Sent: Tuesday, July 25, 2006 10:21
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Port Scan
>>>> 
>>>> What should I do about a port scan that just won't go away? I've got
>>>> two IP addresses port scanning my server around the clock. An email to
>>>> the owner bounced back, unknown email address.
>>>> 
>>>> Is there anything to be done?
>>>> 
>>>> 
>>>> Amy
>>>>  
>>>>    
>>>> 
>>>> 
>>>> All mail to and from this domain is GFI-scanned.
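
The objection Jim and Thor raise in the thread (an alert action that builds a block rule from the alert's client IP is itself a DoS mechanism, because whoever controls the source address of the scan, whether by spoofing or by scanning the external interface from behind the NAT, chooses who gets blocked) is easiest to see in code. The block below is an added illustration by the editor; it is not the BlockAttacker script, not code from isatools.org, and uses no ISA Server API. The addresses, networks, alert fields, thresholds and responder classes are all constructed for the example. It runs the naive "block whatever the alert names" responder next to a guarded one that refuses to write rules for the firewall's own dependencies or for internal and bogon sources, and that bounds and expires its block table.

```python
"""
Model of an "auto-block on port-scan alert" responder: the naive form the
thread warns against, beside a guarded form.  Added illustration only; this
is not the BlockAttacker script and uses no ISA Server API.  Every address,
network and threshold below is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption, not from the thread).
EXTERNAL_IP = "203.0.113.10"     # the firewall's own external interface
UPSTREAM_DNS = "203.0.113.1"     # the ISP resolver the firewall relies on
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
# Source ranges that can never legitimately arrive on the external interface.
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class ScanAlert:
    """Constructed stand-in for the fields an alert action would receive."""
    src_ip: str       # "client IP" recorded by the scan alert
    interface: str    # "external" or "internal": where the packets arrived
    ports_hit: int    # distinct ports touched inside the alert window


class NaiveBlocker:
    """The pattern the thread objects to: block whatever the alert names."""

    def __init__(self):
        self.blocked = set()

    def on_alert(self, alert):
        self.blocked.add(alert.src_ip)
        return "blocked"


class GuardedBlocker:
    """Same idea with the checks that stop it from being a DoS lever."""

    def __init__(self, protected, internal_nets, min_ports=20,
                 max_blocks=100, ttl=3600.0):
        self.protected = {ipaddress.ip_address(a) for a in protected}
        self.internal_nets = internal_nets
        self.min_ports = min_ports
        self.max_blocks = max_blocks   # bounded table: a flood cannot grow it forever
        self.ttl = ttl                 # entries expire; nothing is blocked for good
        self.blocked = {}              # ip_address -> expiry time

    def _expire(self, now):
        for ip in [ip for ip, exp in self.blocked.items() if exp <= now]:
            del self.blocked[ip]

    def is_blocked(self, ip, now):
        self._expire(now)
        return ipaddress.ip_address(ip) in self.blocked

    def on_alert(self, alert, now):
        self._expire(now)
        src = ipaddress.ip_address(alert.src_ip)
        if src in self.protected:
            # Firewall, gateway, resolver: a rule here cuts everyone off.
            return "ignored: protected address"
        if alert.interface != "external":
            # A scan from behind the NAT is an internal host to go look at,
            # not an address to drop into an external block rule.
            return "ignored: internal source, handle out of band"
        if any(src in n for n in NEVER_FROM_OUTSIDE + self.internal_nets):
            # Internal/private addresses arriving from outside are spoofed or
            # misrouted; a rule on them would block a real internal range.
            return "ignored: spoofed or misrouted source"
        if alert.ports_hit < self.min_ports:
            return "ignored: below threshold"
        if src not in self.blocked and len(self.blocked) >= self.max_blocks:
            return "ignored: block table full"
        self.blocked[src] = now + self.ttl
        return "blocked"


def demo(now=1.0):
    """Run both responders over constructed alerts and return the decisions."""
    alerts = [
        ScanAlert("198.51.100.77", "external", 500),  # scanner out on the internet
        ScanAlert("192.168.1.50", "internal", 1024),  # internal host scanning the external interface
        ScanAlert(UPSTREAM_DNS, "external", 300),     # spoofed packets carrying the resolver's address
        ScanAlert("10.0.0.9", "external", 300),       # private source arriving from outside
    ]
    naive = NaiveBlocker()
    guarded = GuardedBlocker(protected=[EXTERNAL_IP, UPSTREAM_DNS],
                             internal_nets=INTERNAL_NETS)
    return {
        "naive": [naive.on_alert(a) for a in alerts],
        "guarded": [guarded.on_alert(a, now) for a in alerts],
        "naive_blocked": sorted(naive.blocked),
        "guarded_blocked": sorted(str(ip) for ip in guarded.blocked),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The naive responder ends up with the upstream resolver and an internal client in its block table after four alerts, which is the outcome Thor describes; the guarded one blocks only the genuine external scanner, and even that entry ages out. The checks are the same ones you would want in any automated rule builder: a never-block list, an anti-spoof test on the arriving interface, a threshold, a cap, and a TTL.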


