[isapros] Re: Port Scan

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Tue, 25 Jul 2006 19:00:05 -0700

..after 23 years, understanding is irrelevant.
:-)

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Greg Mulholland
Sent: Tuesday, July 25, 2006 5:55 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

*fwd's email conversation to wife*

----- Original Message ----- 
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Wednesday, July 26, 2006 10:49 AM
Subject: [isapros] Re: Port Scan


>I want to be understood, too...
> :-p
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Greg Mulholland
> Sent: Tuesday, July 25, 2006 5:44 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Port Scan
> 
> could it be because they understand him :)
> 
> ----- Original Message ----- 
> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> To: <isapros@xxxxxxxxxxxxx>
> Sent: Wednesday, July 26, 2006 10:39 AM
> Subject: [isapros] Re: Port Scan
> 
> 
>> Yeh - Tim is single because he understands women...
>> ..scuze me while I ROTFLMFAO...
>> 
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Thor (Hammer of God)
>> Sent: Tuesday, July 25, 2006 2:47 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Port Scan
>> 
>> You have to understand Amy, these guys are a bunch of geeks.  They don't
>> understand what's important to a woman, or even how to treat a woman
>> like a lady.  This is what happens when they spend too much time with
>> "email," and not enough time with "female." ;)  That's also why they are
>> married, and I am single. :-p
>> 
>> If it makes you feel good, then go for it.
>> 
>> t
>> 
>> 
>> On 7/25/06 2:26 PM, "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
>> spoketh to all:
>> 
>>> http://www.toolzz.com/ISATools/2000tools.htm
>>> 
>>> It may be a waste but you forgot that I feel better now. That's 
>>> something. Maybe it's a girl thing.
>>> 
>>> I also have a habit of creating protocols for stuff that shows up as
>>> unidentified traffic. I suppose that's a waste too because ISA handles
>>> it whether it has a name or not. But it makes it easier on me.
>>> 
>>> Now I can look at the logs and when I see Denied and the rule is Drop
>>> This Connection, then I know what it is. Just like when I see HP
>>> Printer Broadcast protocol in the logs, I know what that is. (and how
>>> to stop it)
>>>  
>>> 
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx 
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>> On Behalf Of Jim Harrison
>>> Sent: Tuesday, July 25, 2006 5:17 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Port Scan
>>> 
>>> ..where? 
>>> 
>>> 
>>> -------------------------------------------------------
>>>    Jim Harrison
>>>    MCP(NT4, W2K), A+, Network+, PCG
>>>    http://isaserver.org/Jim_Harrison/
>>>    http://isatools.org
>>>    Read the help / books / articles!
>>> -------------------------------------------------------
>>>  
>>> 
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx 
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>> On Behalf Of Amy Babinchak
>>> Sent: Tuesday, July 25, 2006 13:58
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Port Scan
>>> 
>>> I found the script available on ISAtoolz. Never heard of that site 
>>> either.
>>> 
>>> Amy
>>>  
>>> 
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx 
>>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>> On Behalf Of Thomas W Shinder
>>> Sent: Tuesday, July 25, 2006 4:54 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Port Scan
>>> 
>>> I think Tsu added quite of bit of intelligence into the script :P
>>> 
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- ISA Firewalls
>>> 
>>>  
>>> 
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of
>>>> God)
>>>> Sent: Tuesday, July 25, 2006 3:52 PM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: Port Scan
>>>> 
>>>> Yep--- was there any "intelligence" in the blocking rule, or could
>>>> someone do a simple port scan of the external interface from the NAT'd
>>>> internal LAN to automatically block all internal traffic? ;)
>>>> 
>>>> t
>>>> 
>>>> 
>>>> On 7/25/06 1:42 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>>>> 
>>>>> Yep - total agreement and this was the core of the "fight" way back when.
>>>>> Not only that, but any automated "rule builder" can be used as a great
>>>>> DoS mechanism.
>>>>> 
>>>>> -------------------------------------------------------
>>>>>    Jim Harrison
>>>>>    MCP(NT4, W2K), A+, Network+, PCG
>>>>>    http://isaserver.org/Jim_Harrison/
>>>>>    http://isatools.org
>>>>>    Read the help / books / articles!
>>>>> -------------------------------------------------------
>>>>>  
>>>>> 
>>>>> -----Original Message-----
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>>>> On Behalf Of Thor (Hammer of God)
>>>>> Sent: Tuesday, July 25, 2006 12:52
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Port Scan
>>>>> 
>>>>> .02:
>>>>> 
>>>>> It seems like a total waste of time to respond to "scan attacks" with a
>>>>> block script, as everything is being blocked anyway- just not with an
>>>>> explicit "block" rule.  The presence of the "scan" alert tells you that
>>>>> ISA is doing its job - AFAIAC, no other action is even necessary.  If
>>>>> there is some incessant attack from a persistent IP hammering away at
>>>>> published services and you just don't want to see it, then put in a
>>>>> deny rule.  If it is a bandwidth issue (like when I was getting Code Red
>>>>> attacks all day, every day) then block it on the ISP side.  But that
>>>>> costs money for that service, typically.  However, it does work.
>>>>> 
>>>>> If it is in the realm of "identified" attacks ala my "strikeback" model,
>>>>> then that is a different thing- and something that is deployed in a
>>>>> completely different way to solve a different problem (lest someone
>>>>> tried to use that against me ;).  Port scans and "noise" traffic can
>>>>> safely be ignored.
>>>>> 
>>>>> t
>>>>> 
>>>>> 
>>>>> On 7/25/06 11:58 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>>>>> 
>>>>>> Think way back to your involvement with SBS in the Yahoo list.
>>>>>> It was how I got invited to join that list; the BlockAttacker script
>>>>>> was being touted as the be-all, end-all to ISA port scan response.
>>>>>> I had to get really nasty (even for me) with the proponent of this
>>>>>> technique before he finally backed down.
>>>>>> He still regurgitates this nonsense (among other senseless
>>>>>> meanderings) from time to time, but it's an easy head-slap.
>>>>>> 
>>>>>> For those not familiar, the BlockAttacker script was an expansion of
>>>>>> the ISA 2000 alert action example that used the client IP to create a
>>>>>> packet filter blocking the "offending host".  While it provided an
>>>>>> excellent example of using ISA alert environment variables, it turned
>>>>>> out to be a great DoS tool as well and we pulled it from isatools.org.
>>>>>> 
>>>>>> Unfortunately, there is one (TSu) individual who shall remain nameless
>>>>>> (Tony Su) who insists on singing the praises of this response
>>>>>> technique to unsuspecting ISA admins.  Luckily, he's not skilled enough
>>>>>> to sort out how to port the script to ISA 2004 or we'd have more PSS
>>>>>> calls than we do now.
>>>>>> 
>>>>>> -------------------------------------------------------
>>>>>>    Jim Harrison
>>>>>>    MCP(NT4, W2K), A+, Network+, PCG
>>>>>>    http://isaserver.org/Jim_Harrison/
>>>>>>    http://isatools.org
>>>>>>    Read the help / books / articles!
>>>>>> -------------------------------------------------------
>>>>>>  
>>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
>>>>>> Sent: Tuesday, July 25, 2006 11:21
>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>> Subject: [isapros] Re: Port Scan
>>>>>> 
>>>>>> I don't know that joke. I think it was before my time on the list.
>>>>>> What's the block attacker script? Never heard of it.
>>>>>> 
>>>>>> Amy Babinchak
>>>>>>  
>>>>>> 
>>>>>>    
>>>>>>  
>>>>>>  
>>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>>>>> On Behalf Of Jim Harrison
>>>>>> Sent: Tuesday, July 25, 2006 2:19 PM
>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>> Subject: [isapros] Re: Port Scan
>>>>>> 
>>>>>> Ask Tony for the BlockAttacker script.
>>>>>> I'm sure he's still trying to support it.
>>>>>> :-p
>>>>>> 
>>>>>> Tom has it right; you can generally ignore them, since damn few ISPs
>>>>>> even care.
>>>>>> 
>>>>>> -------------------------------------------------------
>>>>>>    Jim Harrison
>>>>>>    MCP(NT4, W2K), A+, Network+, PCG
>>>>>>    http://isaserver.org/Jim_Harrison/
>>>>>>    http://isatools.org
>>>>>>    Read the help / books / articles!
>>>>>> -------------------------------------------------------
>>>>>>  
>>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>>>>> On Behalf Of Amy Babinchak
>>>>>> Sent: Tuesday, July 25, 2006 10:21
>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>> Subject: [isapros] Port Scan
>>>>>> 
>>>>>> What should I do about a port scan that just won't go away? I've got
>>>>>> two IP addresses port scanning my server around the clock.  An email to
>>>>>> the owner bounced back, unknown email address.
>>>>>> 
>>>>>> Is there anything to be done?
>>>>>> 
>>>>>> 
>>>>>> Amy
>>>>>>  
>>>>>>    
>>>>>> 
>>>>>> 
>>>>>> All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
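The thread's technical point is that an alert-driven "rule builder" such as the BlockAttacker script turns whoever can trigger a scan alert into the person who decides what gets blocked: a probe of the external interface from the NAT'd LAN blocks the LAN, and a flood of spoofed alerts fills the policy with rules. The following Python simulation is an added illustration, not code from the thread, from the isatools.org site, or from the BlockAttacker script itself. It contrasts a naive responder (block the alert's source IP, unconditionally) with a guarded one that refuses to act on protected address ranges, requires several distinct ports within a time window before it treats anything as a scan, caps how many rules it may ever create, and lets blocks expire. The network layout (192.168.0.0/16 as the LAN, 203.0.113.7 as an external scanner), the alert field names and all thresholds are constructed assumptions, not ISA's actual alert environment variables.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanAlert:
    """One 'port scan' alert as a responder script would receive it.
    The field names are a constructed stand-in (assumption) for the alert
    environment variables the thread mentions; ISA's real names differ."""
    src_ip: str
    dst_port: int
    ts: float


class NaiveBlocker:
    """The pattern the thread criticises: every alert turns its source IP into
    a permanent block. Whoever can raise an alert chooses who gets blocked."""

    def __init__(self):
        self.blocked = set()

    def handle(self, alert: ScanAlert) -> bool:
        self.blocked.add(alert.src_ip)
        return True

    def is_blocked(self, ip: str, now: float) -> bool:
        return ip in self.blocked


class GuardedBlocker:
    """Same responder with the checks a defender would insist on before any
    automated rule builder is allowed to touch firewall policy."""

    def __init__(self, protected_nets, min_ports=10, window=60.0,
                 ttl=3600.0, max_blocks=50):
        self.protected = [ipaddress.ip_network(n) for n in protected_nets]
        self.min_ports = min_ports      # distinct ports required before acting
        self.window = window            # seconds over which ports are counted
        self.ttl = ttl                  # seconds a block lives before expiring
        self.max_blocks = max_blocks    # hard cap on rules this script may create
        self.seen = defaultdict(deque)  # src_ip -> deque of (ts, port)
        self.blocked = {}               # src_ip -> expiry timestamp

    def _expire(self, now: float) -> None:
        for ip in [ip for ip, exp in self.blocked.items() if exp <= now]:
            del self.blocked[ip]

    def handle(self, alert: ScanAlert) -> bool:
        now = alert.ts
        self._expire(now)
        ip = ipaddress.ip_address(alert.src_ip)
        # 1. Never act on addresses inside the networks we serve. A "scan" from
        #    the LAN or the NAT'd gateway address would otherwise block everyone
        #    behind it, which is exactly the case raised in the thread.
        if any(ip in net for net in self.protected):
            return False
        # 2. Count distinct destination ports within the window; a single
        #    alert is not evidence of a scan.
        q = self.seen[alert.src_ip]
        q.append((now, alert.dst_port))
        while q and now - q[0][0] > self.window:
            q.popleft()
        if len({port for _, port in q}) < self.min_ports:
            return False
        # 3. Bound the damage anyone can do by feeding us alerts.
        if alert.src_ip not in self.blocked and len(self.blocked) >= self.max_blocks:
            return False
        # 4. Blocks expire, so a mistaken rule does not outlive the incident.
        self.blocked[alert.src_ip] = now + self.ttl
        return True

    def is_blocked(self, ip: str, now: float) -> bool:
        self._expire(now)
        return ip in self.blocked


# Constructed scenario (assumption): RFC 1918 space is the LAN behind the
# firewall; 203.0.113.7 (TEST-NET-3 documentation range) is an external scanner.
PROTECTED = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
INTERNAL_GATEWAY = "192.168.1.1"
EXTERNAL_SCANNER = "203.0.113.7"


def scan_alerts(src: str, start: float, ports) -> list:
    """Build one alert per port, one second apart (constructed input)."""
    return [ScanAlert(src, p, start + i) for i, p in enumerate(ports)]


def run_scenario() -> dict:
    """Feed the same alert stream to both responders and report who ends up blocked."""
    now = 1_000_000.0
    stream = []
    # An internal host probing the external interface raises alerts that
    # name the LAN gateway as the source.
    stream += scan_alerts(INTERNAL_GATEWAY, now, range(20, 40))
    # A genuine external scanner walking 30 ports.
    stream += scan_alerts(EXTERNAL_SCANNER, now + 100, range(1, 31))

    naive, guarded = NaiveBlocker(), GuardedBlocker(PROTECTED)
    for alert in stream:
        naive.handle(alert)
        guarded.handle(alert)
    end = now + 200
    return {
        "naive_blocks_lan": naive.is_blocked(INTERNAL_GATEWAY, end),
        "guarded_blocks_lan": guarded.is_blocked(INTERNAL_GATEWAY, end),
        "naive_blocks_scanner": naive.is_blocked(EXTERNAL_SCANNER, end),
        "guarded_blocks_scanner": guarded.is_blocked(EXTERNAL_SCANNER, end),
        "guarded_scanner_block_expired": not guarded.is_blocked(EXTERNAL_SCANNER, end + 7200),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the naive responder blocking both the LAN gateway and the scanner, while the guarded one blocks only the scanner and drops that rule again after its TTL. Even the guarded version only reduces the exposure; the thread's conclusion that the alert itself proves the firewall is already dropping the traffic, so no block is needed, still stands.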

