RE: Last Word On The BlackAttacker.vbs Question

  • From: "josephk" <josephk@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 21 Sep 2004 22:36:01 -0700

Well, that is half of the 26 Alphabeta delta word count syndrome.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Tuesday, September 21, 2004 10:38 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Last Word On The BlackAttacker.vbs Question


http://www.ISAserver.org

Would that make it "The 13th Wordier"?

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Tue, 21 Sep 2004 21:50:02 -0700
 "josephk" <josephk@xxxxxxxxx> wrote:

Well, there were actually 12 words that have shown up thus far and Jim
is waiting on the 13th for the "Last Word"


-----Original Message-----
From: Thor [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: Tuesday, September 21, 2004 9:48 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Last Word On The BlackAttacker.vbs Question


Can my reply to the "Last Word" really be the "Last Word" among the
other replies to the "Last Word?"

T

----- Original Message ----- 
From: "Mark Strangways" <Strangconst@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, September 21, 2004 9:21 PM
Subject: [isalist] RE: Last Word On The BlackAttacker.vbs Question


> Very interesting Jim, albeit long....
> Sounds like it was a nice script, at least for teaching...
>
> Mark S
> ----- Original Message -----
> From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, September 21, 2004 8:21 PM
> Subject: [isalist] RE: Last Word On The BlackAttacker.vbs Question
>
>
>> High praise from Tom (or praise from high Tom; I'm not sure which)
>> indeed!
>>
>> I cc'd the isalist on purpose.
>> I know we have folks in both camps, so I wanted to fire both
>> barrels...
>>
>>   Jim Harrison
>>   MCP(NT4, W2K), A+, Network+, PCG
>>   http://isaserver.org/Jim_Harrison/
>>   http://isatools.org
>>   Read the help / books / articles!
>>
>> ----- Original Message -----
>> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>> Sent: Tuesday, September 21, 2004 17:06
>> Subject: [isalist] RE: Last Word On The BlackAttacker.vbs Question
>>
>>
>> Hey Jim,
>>
>> A classic! And I'll include it in this month's ISAserver.org
>> newsletter.
>>
>> BTW -- I think you cc:'d the isaserver.org list :-)
>>
>> Tom
>> www.isaserver.org/shinder
>> Get the book!
>> Tom and Deb Shinder's Configuring ISA Server 2004
>> http://tinyurl.com/3xqb7 MVP -- ISA Firewalls
>>
>>
>>
>> -----Original Message-----
>> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
>> Sent: Tuesday, September 21, 2004 6:56 PM
>> To: [ISAserver.org Discussion List]
>> Cc: [ISAserver.org Discussion List]
>> Subject: [isalist] Last Word On The BlackAttacker.vbs Question
>>
>>
>> (if you want me to see your reply from sbs2k@xxxxxxxxx, please 'r'
>> me)
>>
>> Hi all,
>>
>> It's come to my attention that the once-proud BlockAttacker script is
>> once again the subject of deep discussion. This script has been
>> pulled from isatools.org (it never was on isaserver.org) and it will
>> not reappear on that site so long as I own / run it. It is no longer
>> supported by me, Microsoft or anyone cooperatively associated with
>> either one of us.
>>
>> This subject (and related script) has been abused, misused and
>> misunderstood for far too long. It stops here and now.
>>
>> Contrary to what you might have heard, this script was never intended
>> for anything more than an example of how to use environment variables
>> in ISA 2000 alert actions.  As with any good deed, it has not gone
>> unpunished.
>>
>> If you are using it for automatic "deny" policy creation, consider
>> this:
>>
>> 1 - with the notable exception of SMTP Filter alerts (you're not
>> using it there, are you?  That would be silly in the extreme...),
>> if ISA generated an alert based on the traffic from the remote host,
>> that traffic was also blocked.  Adding a rule to block traffic that
>> is already silently dropped is a waste of processor time (redundantly
>> repetitive).
>>
>> 2 - Every time this script creates a new packet filter for a presumed
>> "attack on your property":
>>     a - it takes CPU time to create, update and save the changes; if
>> your script is creating rules as fast as someone can DoS your ISA 
>> with spoofed packets, then your firewall quickly becomes a network 
>> brick.
>>     b - you complicate the ISA policy set.  Every rule in the ISA 
>> engine takes processing time.  The fewer rules you have, the faster 
>> your ISA can process the traffic
>>     IOW, leave this monkey-script in place long enough and your ISA 
>> will crawl to a halt.
>>
>> 3 - ISA can generate "attack" alerts on any number of packets that
>> ISA deems to be "out of context".  Most notably, these include (but
>> are not limited to):
>>     1 - "late" packets; these are response packets arriving from a
>> server outside of the time ISA considers traffic from this host to be
>> "valid".
>>         You'll usually see these when internal clients drop their
>> session before the server finishes the response stream.
>>         99% of the time, ISA will report these as "scans" and drop
>> them
>>     2 - DHCP traffic from your ISP; even if you use static IPs, it's
>> very likely that someone in your broadcast subnet uses dynamic IPs.
>>         Will your ISA see these?  You betcha.
>>         Will it trigger on them?  Maybe; it depends on your
>> configuration and how many alerts you've enabled.
>>     3 - Real attacks using spoofed source IPs; here's the real
>> danger.
>>         All it takes is one script-kiddie to slam your ISA with
>> spoofed packets from the entire IP v4 space and your ISA will no
>> longer be functional in the Internet.  If you think this is hard to
>> do, you're fooling yourself.
>>     4 - There has been some discussion regarding:
>>         a - the value of blocking traffic from 127.0.0.1 and how your
>> ISA will lie bleeding to death on the floor from the "circle of
>> death" resulting from such an attack.  The fact is, while ISA is
>> properly configured in Firewall or Integrated mode, this "attack"
>> profile is a non-issue.  ISA 2000 in Cache mode has no such
>> self-protection, so you should use a properly-configured
>> packet-filtering router.
>>         b - the potential for blocking traffic from your own ISA
>> server is less than zero.  Any traffic seen at the external interface
>> with a source IP of 127.0.0.1 is a spoof packet, period.  End of
>> discussion.  You should get mad at your ISP for allowing this to
>> reach you, not some "think for me" script for not having a
>> "whitelist".
>>
>> As always, I'm interested in feedback, but here is the final word:
>> "BlockAttacker.vbs is not a supported tool for any Microsoft product 
>> in this, or any other lifetime in which I may be a member."
>>
>> Anyone who wants to offer intelligent discussion on the subject will
>> be heard, and maybe even responded to in kind (of). Anyone who wants 
>> to cry "foul" (no; wait, that's "spooooon!") will be courteously (or 
>> not) ignored.
>>
>>   Jim Harrison
>>   MCP(NT4, W2K), A+, Network+, PCG
>>   http://isaserver.org/Jim_Harrison/
>>   http://isatools.org
>>   Read the help / books / articles!
>>
>>
>> ------------------------------------------------------
>> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>> ------------------------------------------------------
>> Other Internet Software Marketing Sites:
>> World of Windows Networking: http://www.windowsnetworking.com
>> Leading Network Software Directory: http://www.serverfiles.com
>> No.1 Exchange Server Resource Site: http://www.msexchange.org
>> Windows Security Resource Site: http://www.windowsecurity.com/
>> Network Security Library: http://www.secinf.net/
>> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
>> ------------------------------------------------------
>> You are currently subscribed to this ISAserver.org Discussion List 
>> as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit 
>> http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> Report abuse to listadmin@xxxxxxxxxxxxx


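Points 2 and 3 of the quoted announcement (one new packet filter per alert, and alerts raised on spoofed sources) can be put into numbers with a small model. This is an added example, not the BlockAttacker script or any ISA Server API: the function names, the linear rule walk and the alert sources are constructed assumptions for illustration.

```python
import ipaddress

def impossible_on_external(src):
    """Source addresses that can only be spoofed when seen on an external interface."""
    a = ipaddress.ip_address(src)
    return (a.is_loopback or a.is_unspecified or a.is_multicast
            or a.is_reserved or a.is_link_local)

def auto_deny(alert_sources):
    """Model of alert-driven blocking: one /32 deny rule per distinct alerting source."""
    rules, seen = [], set()
    for src in alert_sources:
        if src not in seen:
            seen.add(src)
            rules.append(ipaddress.ip_network(src + "/32"))
    return rules

def rules_walked(rules, src):
    """Rules evaluated, in order, before a verdict is reached for src (assumed linear walk)."""
    a = ipaddress.ip_address(src)
    for n, net in enumerate(rules, 1):
        if a in net:
            return n
    return len(rules)

def constructed_spoofed_sources(count):
    """Constructed input: `count` distinct forged source addresses (no real traffic)."""
    base = int(ipaddress.IPv4Address("1.0.0.0"))
    return [str(ipaddress.IPv4Address(base + i * 65537)) for i in range(count)]

def summarize(alert_sources, clean_host="198.51.100.7"):
    """Rule-set size and per-packet cost after auto-denying every alerting source."""
    rules = auto_deny(alert_sources)
    distinct = set(alert_sources)
    return {
        "alerts": len(alert_sources),
        "rules_created": len(rules),
        "spoof_only_sources": sum(impossible_on_external(s) for s in distinct),
        "rules_walked_for_clean_host": rules_walked(rules, clean_host),
    }

if __name__ == "__main__":
    # Constructed alert log: a late reply seen twice, a loopback spoof, one scan.
    print(summarize(["203.0.113.5", "203.0.113.5", "127.0.0.1", "192.0.2.9"]))
    print(summarize(constructed_spoofed_sources(5000)))
```

Every forged source adds a rule that an unrelated, legitimate host must then be compared against, while the alerting traffic itself was already dropped.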