RE: Port Scans

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 17 Mar 2005 08:31:30 -0500

Interesting idea, I turned it off on my system, as it doesn't seem like
it would cause harm to have it disabled, and might result in a few less
alerts (Will be waiting for Tom's analysis on it to see what he finds
out.).  Thanks for the suggestion!

 

As a bit of clarification, if you look back through the thread, I never
said I was concerned about external IPs doing port scans, I'm just happy
they're being blocked.  In fact, my DNS comment was in response to
someone asking if they should block ALL IPs that generate those alerts.
My doors are locked (Heck, that's why I'm running ISA server), and I
realize that you can't block everyone that might scan you once or twice,
as it would fast become a full-time effort, only to cut down on your
functionality in the long run (i.e. if you end up blocking DNS servers).

 

In my original post, I was worried about the ones that were listed as
coming from internal IPs, and wondering if those attacks could be
spoofed.  I have found a couple of workstations infected with spyware
that might have been the culprit of some of those alerts, but there were
several instances where I could find no reason for the alert, or
additional proof that it even happened.

 

 

________________________________

From: Steve Lunn [mailto:Steve.Lunn@xxxxxxxxxxxxxxxx] 
Sent: Thursday, March 17, 2005 04:35
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Port Scans

 

http://www.ISAserver.org

Aha, I think I know what this is, as I encountered something similar 
using ISA2k. 

If you go to the properties of your Internet NIC, into TCP/IP Properties 
and click the Advanced button. On the DNS tab at the bottom, there's 
an option "Register this connection's address in DNS". IIRC this is 
enabled by default, and the result is your external NIC trying to 
register with the External DNS server. This in return initiates a 
barrage of incoming packets from the DNS server. 

By unchecking the box your server stops trying to register with the 
external DNS. While this might only stop the packet scans from the 
DNS Servers, it's one less alert to worry about. As Ara rightly says, 
lock your door, it's the world we live in. 

I get loads of users who have installed personal firewalls coming to 
me panicking about all the external attacks that their firewall has 
warned them of, so my usual reply is to be worried of the ones it 
doesn't warn you of... *evil* 

HTH 

Regards, 
  
Steve 
  
Steve Lunn - PC & Network Support 
Microsoft MCP 
DDI: 01423 855101 
Fax: 01423 855181 

 

-----Original Message----- 
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: 16 March 2005 18:59 
To: [ISAserver.org Discussion List] 
Subject: [isalist] RE: Port Scans 


Depends on what IP the scanning is coming from.  For example, I just 
noticed a scanning alert today that said it was coming from the IP 
address of our ISP's DNS server.  If I block that, I will no longer be 
able to do DNS lookups. 

-----Original Message----- 
From: Paul Laudenslager [mailto:paul@xxxxxxxxxxxx] 
Sent: Wednesday, March 16, 2005 12:54 
To: [ISAserver.org Discussion List] 
Subject: [isalist] RE: Port Scans 


I see continual port scans from my ISP where I host my servers. 

Is it possible to block these IP's altogether? 

Thanks! 
Paul 

------------------------------------------------------ 
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist 
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ 
------------------------------------------------------ 
Other Internet Software Marketing Sites: 
World of Windows Networking: http://www.windowsnetworking.com 
Leading Network Software Directory: http://www.serverfiles.com 
No.1 Exchange Server Resource Site: http://www.msexchange.org 
Windows Security Resource Site: http://www.windowsecurity.com/ 
Network Security Library: http://www.secinf.net/ 
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com 
------------------------------------------------------ 
You are currently subscribed to this ISAserver.org Discussion List as:
steve.lunn@xxxxxxxxxxxxxxxx 
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist

Report abuse to listadmin@xxxxxxxxxxxxx 

 


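
The "Register this connection's address in DNS" checkbox discussed in this thread can also be audited and cleared from a script. The following is an added example, not part of any message in the thread; it uses the standard WMI class Win32_NetworkAdapterConfiguration, and the adapter name `External` is an assumed placeholder for the Internet-facing NIC.

```powershell
# Added example: audit dynamic DNS registration per adapter and optionally
# disable it on the Internet-facing NIC. Run from an elevated prompt.
param(
    [string]$ExternalAlias = 'External',  # assumed connection name; use your own
    [switch]$Disable                      # without this switch the script only reports
)

# FullDNSRegistrationEnabled mirrors the "Register this connection's
# address in DNS" checkbox on the adapter's Advanced TCP/IP > DNS tab.
$configs = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

$report = foreach ($cfg in $configs) {
    $nic = Get-CimInstance Win32_NetworkAdapter -Filter "Index = $($cfg.Index)"
    [pscustomobject]@{
        Alias          = $nic.NetConnectionID
        IPAddress      = ($cfg.IPAddress -join ', ')
        HasGateway     = [bool]$cfg.DefaultIPGateway   # hint for which NIC faces out
        RegistersInDns = $cfg.FullDNSRegistrationEnabled
        Config         = $cfg
    }
}
$report | Select-Object Alias, IPAddress, HasGateway, RegistersInDns |
    Format-Table -AutoSize

$target = $report | Where-Object { $_.Alias -eq $ExternalAlias }
if (-not $target) {
    Write-Warning "No IP-enabled adapter named '$ExternalAlias' was found."
    return
}

if ($Disable -and $target.RegistersInDns) {
    # Clears both the full and the connection-specific registration flags.
    $result = Invoke-CimMethod -InputObject $target.Config `
        -MethodName SetDynamicDNSRegistration `
        -Arguments @{ FullDNSRegistrationEnabled   = $false
                      DomainDNSRegistrationEnabled = $false }
    # 0 = success, 1 = success but a reboot is required
    if ($result.ReturnValue -notin 0, 1) {
        Write-Error "SetDynamicDNSRegistration failed with code $($result.ReturnValue)."
    }
}
```

Leave registration enabled on the internal NIC if internal DNS depends on it; only the external adapter is changed here.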
