Re: block port scan attackers

I don't mean to be insulting, but that's the least useful suggestion yet. Other than a childish "now it's my turn" response, this kind of behavior gains you nothing, eats up your own bandwidth and potentially your ISP's "fair use" policies, getting you disconnected.

If you need to react to a real port scan, you can:
1. create a packet filter that blocks all traffic from them
2. notify their ISP; most ISPs hate this kind of client and will react quickly

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: Craft, Steve
To: [ISAserver.org Discussion List]
Sent: Friday, August 02, 2002 9:42 AM
Subject: [isalist] Re: block port scan attackers

http://www.ISAserver.org

With the rise of distributed attack tools, that attack/scan might be coming from a "legit" user who doesn't know any better. Blocking an IP or even a subnet based on the alert might hurt more than it helps.

If you work from the assumption that any scanner is a legitimate attacker, maybe you can turn the tables on them. In the ISA Alert, have it launch a script that sends the same kind of port-scan attack back at the same IP number that just attacked you.

--orig--
F: "Lim, Arthus T." <alim@xxxxxxxxx>
> If I found out that it was a real attack, how can I be able to block
> them?