Re: Intrusion attempts

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 04 Dec 2003 17:22:15 -0800

I'm not making fun; really I'm not...

How do you expect to stop the script kiddies and the truly malicious folks out 
there from scanning / spoofing / attacking you?
You could whois the IP to the net owner and let them know that although your 
firewall stopped their SK traffic, you don't like that they're out there and 
would they please stop it?

You could do that, or you could do what some find amusing; respond to the 
"attack" traffic with a scan or attack of your own.  Only trouble is, if the 
source IP was spoofed, you've just joined the ranks of the "malicious", since 
you'll now be targeting the wrong person.

What you have to do is learn to scan your IP logs to determine what's worth 
worrying about.  The assholes outnumber you, so the quantity of malicious 
traffic seems out of proportion to what "decent folks" would expect to see.

As far as the spoofs from "127.0.0.1" that have plagued many an ISA admin, talk 
to your provider.  If they can't manage to keep the most basic router ACLs in 
place, you might consider moving to another ISP.  That's just sloppy.

On a side note, say bye-bye to the BlockAttacker script.  Vic wrote it as a 
tutorial of how you could determine traffic data from environment variables 
that exist during an ISA event.  Unfortunately, too many folks have taken it to 
be their "automatic defense against the bad boys on the Internet".  They exceed 
the directions and attach it to every network alert known to ISA and wonder why 
their traffic dies after a week.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
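The log triage described above (rank sources that keep coming back, and treat traffic that claims a loopback or RFC 1918 source as spoofed rather than as someone to whois or scan back), written out as an added example that is not part of the original thread or of ISA Server itself. The log layout, the bogon list and the scan thresholds are assumptions for this example; ISA's own W3C firewall log has a different field list, so the parser would need adjusting before running it on real logs.

```python
"""Triage a firewall's denied-traffic log: rank repeat port scanners and
flag source addresses that cannot legitimately arrive from the Internet."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified "date time src-ip dst-ip dst-port action"
# layout. The layout is an assumption for this example, not ISA's real field list.
SAMPLE_LOG = """\
2003-12-02 09:15:01 203.0.113.7 198.51.100.10 21 DENY
2003-12-02 09:15:01 203.0.113.7 198.51.100.10 22 DENY
2003-12-02 09:15:02 203.0.113.7 198.51.100.10 23 DENY
2003-12-02 09:15:02 203.0.113.7 198.51.100.10 25 DENY
2003-12-02 09:15:03 203.0.113.7 198.51.100.10 80 DENY
2003-12-02 09:15:03 203.0.113.7 198.51.100.10 110 DENY
2003-12-03 09:20:11 203.0.113.7 198.51.100.10 135 DENY
2003-12-03 09:20:12 203.0.113.7 198.51.100.10 139 DENY
2003-12-04 09:31:00 203.0.113.7 198.51.100.10 445 DENY
2003-12-04 10:05:40 127.0.0.1 198.51.100.10 135 DENY
2003-12-04 10:05:40 127.0.0.1 198.51.100.10 139 DENY
2003-12-04 10:05:41 127.0.0.1 198.51.100.10 445 DENY
2003-12-04 10:05:41 127.0.0.1 198.51.100.10 1025 DENY
2003-12-04 10:05:42 127.0.0.1 198.51.100.10 1433 DENY
2003-12-04 10:05:42 127.0.0.1 198.51.100.10 3389 DENY
2003-12-04 10:40:00 192.0.2.200 198.51.100.10 21 DENY
2003-12-04 10:40:00 192.0.2.200 198.51.100.10 22 DENY
2003-12-04 10:40:01 192.0.2.200 198.51.100.10 23 DENY
2003-12-04 10:40:01 192.0.2.200 198.51.100.10 25 DENY
2003-12-04 10:40:02 192.0.2.200 198.51.100.10 80 DENY
2003-12-04 10:40:02 192.0.2.200 198.51.100.10 443 DENY
2003-12-04 11:02:44 192.0.2.55 198.51.100.10 80 DENY
2003-12-04 11:02:45 192.0.2.55 198.51.100.10 443 DENY
"""

SCAN_WINDOW = timedelta(seconds=60)  # burst length that counts as one scan (assumed)
SCAN_PORTS = 6                       # distinct ports in that window to call it a scan (assumed)

# Source space that must never show up on the Internet-facing interface: the
# "most basic router ACLs" an upstream provider is expected to keep in place.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

ADVICE = {
    "spoofed": "not a real host; ask the ISP about ingress ACLs, never whois or scan it back",
    "repeat-scanner": "same source on several days; worth reading the log, block at the border if you must",
    "one-off-scan": "single burst; background noise, log it and move on",
    "noise": "a few denied packets; nothing to do",
}


def parse_log(text):
    """Parse the constructed layout into (timestamp, src, dst_port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, src, _dst, port, _action = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), src, int(port)))
    return events


def is_spoofed_source(ip):
    """True if the claimed source is loopback, private or otherwise unroutable:
    either forged, or let through by a provider missing basic ingress filtering."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETS)


def detect_scans(events, window=SCAN_WINDOW, min_ports=SCAN_PORTS):
    """Sources that hit >= min_ports distinct ports inside any sliding window."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    scanners = set()
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end, (ts, _port) in enumerate(hits):
            while ts - hits[start][0] > window:   # slide the window forward
                start += 1
            if len({p for _t, p in hits[start:end + 1]}) >= min_ports:
                scanners.add(src)
                break
    return scanners


def triage(text):
    """Per source: distinct ports, days seen, and a verdict key into ADVICE."""
    events = parse_log(text)
    scanners = detect_scans(events)
    ports, days = defaultdict(set), defaultdict(set)
    for ts, src, port in events:
        ports[src].add(port)
        days[src].add(ts.date())
    report = {}
    for src in ports:
        if is_spoofed_source(src):
            verdict = "spoofed"
        elif src in scanners:
            verdict = "repeat-scanner" if len(days[src]) > 1 else "one-off-scan"
        else:
            verdict = "noise"
        report[src] = {"ports": len(ports[src]), "days": len(days[src]), "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["days"]):
        print(f"{src:14} ports={info['ports']:2} days={info['days']} "
              f"{info['verdict']}: {ADVICE[info['verdict']]}")
```

The spoof check runs before the scan check on purpose: a burst from 127.0.0.1 is still a burst, but there is nobody at that address to complain to, so the only useful action is the one named in the reply, talking to the provider. The sliding window only catches bursts; a slow scan spread over hours would land in "noise" unless the window is widened, which is the trade-off to tune against your own log volume.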


On Fri, 5 Dec 2003 09:04:25 +0800
 "Marc Reyes" <marcreyes@xxxxxxxxxxxxxxx> wrote:
Hi everyone,

I'm sure almost all of you have encountered an ISA Alert like this:

ISA Server detected a well-known port scan attack from Internet Protocol
(IP) address xxx.xxx.xxx.xxx. 
A well-known port is any port in the range of 1-2048. 

.... and many other types of intrusion attempts. It's good that ISA is
doing its job pretty well. (Or is he?)
But what else can be done to prevent future and repeated attempts from
attacking your network?
Is there a "proactive" way of doing this? I have been getting ISA Port
Scan Alerts that come from the same IP consistently for the past 3 days.

Any help or insight is appreciated.

Thanks in advance.

Marc 
