..after 23 years, understanding is irrelevant. :-)

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
Sent: Tuesday, July 25, 2006 5:55 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

*fwd's email conversation to wife*

----- Original Message -----
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Wednesday, July 26, 2006 10:49 AM
Subject: [isapros] Re: Port Scan

> I want to be understood, too...
> :-p
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
> Sent: Tuesday, July 25, 2006 5:44 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Port Scan
>
> could it be because they understand him :)
>
> ----- Original Message -----
> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> To: <isapros@xxxxxxxxxxxxx>
> Sent: Wednesday, July 26, 2006 10:39 AM
> Subject: [isapros] Re: Port Scan
>
>> Yeh - Tim is single because he understands women...
>> ..scuze me while I ROTFLMFAO...
>>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>> Sent: Tuesday, July 25, 2006 2:47 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Port Scan
>>
>> You have to understand Amy, these guys are a bunch of geeks. They don't understand what's important to a woman, or even how to treat a woman like a lady. This is what happens when they spend too much time with "email," and not enough time with "female." ;) That's also why they are married, and I am single. :-p
>>
>> If it makes you feel good, then go for it.
>>
>> t
>>
>> On 7/25/06 2:26 PM, "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> spoketh to all:
>>
>>> http://www.toolzz.com/ISATools/2000tools.htm
>>>
>>> It may be a waste but you forgot that I feel better now. That's something. Maybe it's a girl thing.
>>>
>>> I also have a habit of creating protocols for stuff that shows up as unidentified traffic. I suppose that's a waste too because ISA handles it whether it has a name or not. But it makes it easier on me.
>>>
>>> Now I can look at the logs and when I see Denied and the rule is Drop This Connection, then I know what it is. Just like when I see HP Printer Broadcast protocol in the logs, I know what that is. (and how to stop it)
>>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: Tuesday, July 25, 2006 5:17 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Port Scan
>>>
>>> ..where?
>>>
>>> -------------------------------------------------------
>>> Jim Harrison
>>> MCP(NT4, W2K), A+, Network+, PCG
>>> http://isaserver.org/Jim_Harrison/
>>> http://isatools.org
>>> Read the help / books / articles!
>>> -------------------------------------------------------
>>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
>>> Sent: Tuesday, July 25, 2006 13:58
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Port Scan
>>>
>>> I found the script available on ISAtoolz. Never heard of that site either.
>>>
>>> Amy
>>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>>> Sent: Tuesday, July 25, 2006 4:54 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Port Scan
>>>
>>> I think Tsu added quite a bit of intelligence into the script :P
>>>
>>> Thomas W Shinder, M.D.
>>> Site: www.isaserver.org
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7
>>> MVP -- ISA Firewalls
>>>
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>> Sent: Tuesday, July 25, 2006 3:52 PM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: Port Scan
>>>>
>>>> Yep--- was there any "intelligence" in the blocking rule, or could someone do a simple port scan of the external interface from the NAT'd internal LAN to automatically block all internal traffic? ;)
>>>>
>>>> t
>>>>
>>>> On 7/25/06 1:42 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>>>>
>>>>> Yep - total agreement and this was the core of the "fight" way back when.
>>>>> Not only that, but any automated "rule builder" can be used as a great DoS mechanism.
>>>>>
>>>>> -----Original Message-----
>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>>>>> Sent: Tuesday, July 25, 2006 12:52
>>>>> To: isapros@xxxxxxxxxxxxx
>>>>> Subject: [isapros] Re: Port Scan
>>>>>
>>>>> .02:
>>>>>
>>>>> It seems like a total waste of time to respond to "scan attacks" with a block script, as everything is being blocked anyway- just not with an explicit "block" rule. The presence of the "scan" alert tells you that ISA is doing its job - AFAIAC, no other action is even necessary. If there is some incessant attack from a persistent IP hammering away at published services and you just don't want to see it, then put in a deny rule. If it is a bandwidth issue (like when I was getting Code Red attacks all day, every day) then block it on the ISP side. But that costs money for that service, typically. However, it does work.
>>>>>
>>>>> If it is in the realm of "identified" attacks ala my "strikeback" model, then that is a different thing- and something that is deployed in a completely different way to solve a different problem (lest someone tried to use that against me ;). Port scans and "noise" traffic can safely be ignored.
>>>>>
>>>>> t
>>>>>
>>>>> On 7/25/06 11:58 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>>>>>
>>>>>> Think way back to your involvement with SBS in the Yahoo list.
>>>>>> It was how I got invited to join that list; the BlockAttacker script was being touted as the be-all, end-all to ISA port scan response.
>>>>>> I had to get really nasty (even for me) with the proponent of this technique before he finally backed down.
>>>>>> He still regurgitates this nonsense (among other senseless meanderings) from time to time, but it's an easy head-slap.
>>>>>>
>>>>>> For those not familiar, the BlockAttacker script was an expansion of the ISA 2000 alert action example that used the client IP to create a packet filter blocking the "offending host". While it provided an excellent example of using ISA alert environment variables, it turned out to be a great DoS tool as well and we pulled it from isatools.org.
>>>>>>
>>>>>> Unfortunately, there is one (TSu) individual who shall remain nameless (Tony Su) who insists on singing the praises of this response technique to unsuspecting ISA admins. Luckily, he's not skilled enough to sort out how to port the script to ISA 2004 or we'd have more PSS calls than we do now.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
>>>>>> Sent: Tuesday, July 25, 2006 11:21
>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>> Subject: [isapros] Re: Port Scan
>>>>>>
>>>>>> I don't know that joke. I think it was before my time on the list.
>>>>>> What's the block attacker script? Never heard of it.
>>>>>>
>>>>>> Amy Babinchak
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>>>>> Sent: Tuesday, July 25, 2006 2:19 PM
>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>> Subject: [isapros] Re: Port Scan
>>>>>>
>>>>>> Ask Tony for the BlockAttacker script.
>>>>>> I'm sure he's still trying to support it.
>>>>>> :-p
>>>>>>
>>>>>> Tom has it right; you can generally ignore them, since damn few ISPs even care.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
>>>>>> Sent: Tuesday, July 25, 2006 10:21
>>>>>> To: isapros@xxxxxxxxxxxxx
>>>>>> Subject: [isapros] Port Scan
>>>>>>
>>>>>> What should I do about a port scan that just won't go away? I've got two IP addresses port scanning my server around the clock. An email to the owner bounced back, unknown email address.
>>>>>>
>>>>>> Is there anything to be done?
>>>>>>
>>>>>> Amy
>>>>>>
>>>>>> All mail to and from this domain is GFI-scanned.
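The thread's objection to BlockAttacker (an alert action that turns every scan alert's client IP into a deny rule becomes a denial-of-service lever, for instance when the alert is raised by a host on the NAT'd internal LAN) can be shown with a small model. This is an added example, not the BlockAttacker script or any ISA code; the addresses, the alert tuples and the protected ranges are constructed for the demonstration, and the guarded variant's threshold, window and expiry are assumptions, not ISA settings.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: the internal LAN behind the NAT and the firewall's own external
# address. An automatic responder should never turn either of these into a deny rule.
PROTECTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "203.0.113.10/32")]

# Constructed scan alerts as an alert action would receive them: (seconds, client IP).
SAMPLE_ALERTS: List[Tuple[int, str]] = [
    (0, "198.51.100.7"), (10, "198.51.100.7"), (20, "198.51.100.7"), (30, "198.51.100.7"),
    (5, "192.168.1.20"),     # an internal host whose probe of the external interface raised an alert
    (40, "198.51.100.200"),  # one-off background noise
]

def naive_block_action(alerts: Iterable[Tuple[int, str]]) -> Set[str]:
    """Models the pulled script's behaviour: every alert's client IP becomes a deny rule, unconditionally."""
    return {ip for _, ip in alerts}

def guarded_block_action(alerts: Iterable[Tuple[int, str]], protected=PROTECTED_NETS,
                         threshold: int = 3, window: int = 60, ttl: int = 3600) -> Dict[str, int]:
    """The same idea with the checks the thread says were missing: ignore alerts from protected
    ranges, require `threshold` alerts inside a sliding `window`, and give each block an expiry.
    Returns {ip: expiry_timestamp}."""
    seen: Dict[str, List[int]] = defaultdict(list)
    blocks: Dict[str, int] = {}
    for ts, ip in sorted(alerts):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in protected):
            continue  # an alert about our own LAN or our own address must not generate a block
        # keep only the alerts for this IP that fall inside the window ending now
        seen[ip] = [t for t in seen[ip] + [ts] if ts - t <= window]
        if len(seen[ip]) >= threshold:
            blocks[ip] = ts + ttl  # renew the expiry while the source keeps scanning
    return blocks

def internal_collateral(rules: Iterable[str], protected=PROTECTED_NETS) -> List[str]:
    """Which generated deny rules would cut off traffic from the protected networks."""
    return sorted(ip for ip in rules if any(ipaddress.ip_address(ip) in n for n in protected))

if __name__ == "__main__":
    naive = naive_block_action(SAMPLE_ALERTS)
    print("naive rules:", sorted(naive), "collateral:", internal_collateral(naive))
    guarded = guarded_block_action(SAMPLE_ALERTS)
    print("guarded rules:", guarded, "collateral:", internal_collateral(guarded))
```

The naive responder blocks the internal host and the one-off scanner alongside the persistent source; the guarded one blocks only the persistent external source, and that block expires.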