Re: block port scan attackers

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 3 Aug 2002 06:39:57 -0700

I don't mean to be insulting, but that's the least 
useful suggestion yet.
Other than a childish "now it's my turn" response, this kind of behavior gains 
you nothing, eats up your own bandwidth and potentially your ISP's "fair use" 
policies, getting you disconnected.

If you need to react to a real port scan, you can:
1. create a packet filter that blocks all traffic from them
2. notify their ISP; most ISPs hate this kind of client and will react quickly

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

  ----- Original Message ----- 
  From: Craft, Steve 
  To: [ISAserver.org Discussion List] 
  Sent: Friday, August 02, 2002 9:42 AM
  Subject: [isalist] Re: block port scan attackers



  With the rise of distributed attack tools, that attack/scan might be coming 
from a "legit" user who doesn't know any better.  Blocking an IP or even a 
subnet based on the alert might hurt more than it helps.

  If you work from the assumption that any scanner is a legitimate attacker, 
maybe you can turn the tables on them.  In the ISA Alert, have it launch a 
script that sends the same kind of port-scan attack back at the same IP number 
that just attacked you.

  --orig-- 
  F: "Lim, Arthus T." <alim@xxxxxxxxx> 
  > If I found out that it was a real attack, how can I be able to block 
  > them? 
