In my experience sending immediate notifications to ISPs has been very
fruitful. Many ISPs (worth anything) make it a fact of their AUP
(Acceptable Usage Policy) that any attempts to gain improper access to
others' systems is grounds for immediate account termination. Because of
this, you (the target) hold a legal precedent to ensure action is taken.
I have found that dealing with ISPs, although not always perfect, has had a
far greater result than dealing with the individual's company or downline
provider.

Strikebacks, on the other hand, are tricky. Is it okay to break your
neighbor's window just because he broke yours? I have found that in most
cases this effectively terminates the activity from that source to yours,
but does not terminate the activity for other targets. Agreed, PORT SCANS
are generally accepted as a precursor to some event NOT of good nature, but
how illegal are they? From the ISP's standpoint, a clear violation of AUP.
From the law, still too many unknowns.

Stick with the notifications and blackhole, I think it's your best bet.

MD
Network Security Consultant

-----Original Message-----
From: Eric [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 20, 1999 11:47 PM
To: [EMAIL PROTECTED]
Subject: Dealing with port scanners / attackers
I'm getting kind of tired of sending reports of
port scans and attempted break-ins to people who
don't really seem interested in doing something
about the problem. I always ask them to keep me
informed about how they deal with those
responsible, but very few have the courtesy to
actually do so. It leaves me wondering if they
did anything at all or if they just ignored the
problem.

So something else is needed.

Suppose we set up a firewall that, when it detects
a port scan, would spoof the source address and
perform a port scan against the port scanner's ISP?
That way, the ISP would see a port scan coming
from one of his own customers and would be more
likely to take an active interest in putting a
stop to it.
Eric Johnson
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]