During the past three years, I have contacted the sysadmins at five
sites and provided them with a brief log extract.  Four sites provided
feedback that the offender had their account revoked.  The 5th site was
untraceable to the source as it was a computer lab at a major university
and I was assured steps would be taken to prevent future occurrences.

        Lessons learned are to go to the source with documentation as a first
step.  Yes, there are IPs that I do filter without question.

"Parker, Gary W" wrote:
> 
> Eric Johnson <[EMAIL PROTECTED]> said ...
> 
> > "Parker, Gary W" wrote:
> > > Retaliation is not the proper response to attacks, real or perceived.
> > > Remember that you propose to spoof the attacker's address in your
> > > response.  The attack itself could well have been made using a spoofed
> > > address, and you will in effect be further victimizing someone who is
> > > already themselves a victim.
> >
> > I'm not clear on what a port scan accomplishes with a spoofed address
> > unless it is just to make you think you're being scanned from elsewhere.
> > If you're being scanned from a spoofed address, then whoever is trying to
> > find a vulnerability will never know the result, right?
> >
> 
> One attack like this was reported at
> http://www2.merton.ox.ac.uk/~security/archive-199806/0233.html
> 
> Possible reasons someone might do this would be to hide the logging of a
> lower octane attack within reams of logging for the scan.  Another reason is
> to cause a legitimate resource to be blocked.  If a few major ISPs block an
> e-commerce site (see Apple.com article referenced above), it could result in
> significant lost revenue.
> 
> -GWP
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

-- 
----
John Stewart
Pager: (619) 680-0384
SUPSHIP San Diego
Information Systems Security Mgr
--------------------------------