HI jagdish, Create a new packet filter to block all the traffic from that IP address. Vinay. -----Original Message----- From: jagadish.pai@xxxxxxxxxxxxxxxxxxx [mailto:jagadish.pai@xxxxxxxxxxxxxxxxxxx] Sent: Wednesday, March 05, 2003 11:10 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: All Port Scan Attack Detection http://www.ISAserver.org How to Block that ip and where ? Regards Pai "Tom Mendelboim" To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> <tomerm1@xxxxx cc: et> Subject: [isalist] RE: All Port Scan Attack Detection 03/05/2003 11:04 AM Please respond to "[ISAserver.or g Discussion List]" http://www.ISAserver.org You can't do a whole lot about it... This happens on almost every IP on the Internet. The IP address scanning you probably belongs to some home user that his/her computer is being used to relay the attack. You can always block traffic from that IP but chances are you will see that event log entry again from another IP. If it happens only once or twice, I would not be too paranoid. If this keeps happening over and over again, block it. Tom -----Original Message----- >From: jagadish.pai@xxxxxxxxxxxxxxxxxxx [mailto:jagadish.pai@xxxxxxxxxxxxxxxxxxx] Sent: Tuesday, March 04, 2003 9:41 PM To: [ISAserver.org Discussion List] Subject: [isalist] All Port Scan Attack Detection http://www.ISAserver.org Hi What should be done if the following notification by isa server. ISA Server detected an all port scan attack from Internet Protocol (IP) address 61.241.82.53. For more information about this event, see ISA Server Help. Regards Pai ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tomerm1@xxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jagadish.pai@xxxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: g.vinay@xxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')