[isapros] Re: Port Scan

  • From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 26 Jul 2006 10:44:23 +1000

could it be because they understand him :)

----- Original Message ----- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Wednesday, July 26, 2006 10:39 AM
Subject: [isapros] Re: Port Scan
Yeh - Tim is single because he understands women...
..scuze me while I ROTFLMFAO...

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Tuesday, July 25, 2006 2:47 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

You have to understand Amy, these guys are a bunch of geeks.  They don't
understand what's important to a woman, or even how to treat a woman
like a lady.  This is what happens when they spend too much time with
"email," and not enough time with "female." ;)  That's also why they are
married, and I am single. :-p

If it makes you feel good, then go for it.

t


On 7/25/06 2:26 PM, "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> spoketh to all:

http://www.toolzz.com/ISATools/2000tools.htm

It may be a waste but you forgot that I feel better now. That's something. Maybe it's a girl thing.

I also have a habit of creating protocols for stuff that shows up as unidentified traffic. I suppose that's a waste too because ISA handles it whether it has a name or not. But it makes it easier on me.

Now I can look at the logs and when I see Denied and the rule is Drop This Connection, then I know what it is. Just like when I see HP Printer Broadcast protocol in the logs, I know what that is (and how to stop it).


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Tuesday, July 25, 2006 5:17 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan


..where?


-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: Tuesday, July 25, 2006 13:58
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan


I found the script available on ISAtoolz. Never heard of that site either.

Amy


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Tuesday, July 25, 2006 4:54 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan


I think Tsu added quite a bit of intelligence into the script :P

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Tuesday, July 25, 2006 3:52 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

Yep--- was there any "intelligence" in the blocking rule, or could someone do a simple port scan of the external interface from the NAT'd internal LAN to automatically block all internal traffic? ;)

t


On 7/25/06 1:42 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

Yep - total agreement and this was the core of the "fight" way back when.
Not only that, but any automated "rule builder" can be used as a great DoS mechanism.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Tuesday, July 25, 2006 12:52
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

.02:

It seems like a total waste of time to respond to "scan attacks" with a block script, as everything is being blocked anyway- just not with an explicit "block" rule. The presence of the "scan" alert tells you that ISA is doing its job - AFAIAC, no other action is even necessary. If there is some incessant attack from a persistent IP hammering away at published services and you just don't want to see it, then put in a deny rule. If it is a bandwidth issue (like when I was getting Code Red attacks all day, every day) then block it on the ISP side. But that costs money for that service, typically. However, it does work.

If it is in the realm of "identified" attacks ala my "strikeback" model, then that is a different thing- and something that is deployed in a completely different way to solve a different problem (lest someone tried to use that against me ;). Port scans and "noise" traffic can safely be ignored.

t


On 7/25/06 11:58 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

Think way back to your involvement with SBS in the Yahoo list. It was how I got invited to join that list; the BlockAttacker script was being touted as the be-all, end-all to ISA port scan response. I had to get really nasty (even for me) with the proponent of this technique before he finally backed down. He still regurgitates this nonsense (among other senseless meanderings) from time to time, but it's an easy head-slap.

For those not familiar, the BlockAttacker script was an expansion of the ISA 2000 alert action example that used the client IP to create a packet filter blocking the "offending host". While it provided an excellent example of using ISA alert environment variables, it turned out to be a great DoS tool as well and we pulled it from isatools.org.

Unfortunately, there is one (TSu) individual who shall remain nameless (Tony Su) who insists on singing the praises of this response technique to unsuspecting ISA admins. Luckily, he's not skilled enough to sort out how to port the script to ISA 2004 or we'd have more PSS calls than we do now.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: Tuesday, July 25, 2006 11:21
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

I don't know that joke. I think it was before my time on the list.
What's the block attacker script? Never heard of it.

Amy Babinchak




-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Tuesday, July 25, 2006 2:19 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

Ask Tony for the BlockAttacker script.
I'm sure he's still trying to support it.
:-p

Tom has it right; you can generally ignore them, since damn few ISPs even care.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: Tuesday, July 25, 2006 10:21
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Port Scan

What should I do about a port scan that just won't go away? I've got two IP addresses port scanning my server around the clock. An email to the owner bounced back, unknown email address.

Is there anything to be done?


Amy



All mail to and from this domain is GFI-scanned.