> -----Original Message-----
> From: William Bartholomew [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 17 January 2001 3:40
> To: [EMAIL PROTECTED]
> Subject: Attack Quantity/Regularity
>
>
> Just a couple of general questions:
>
> a) How often can a SMALL company expect to be attacked (ie
> DENIED packets etc)?
Denied packets? Several times a day. Port scans will vary, mainly in
proportion to your profile as a company, or your ISP's profile (since they
own the netblocks that people are scanning). Almost all of these "attacks"
will be false positives or untargeted scans - ie _not_ someone trying to
attack your network in particular.
> b) If attacks are regular, and often from the same people, what
> action should you take?
Notify the abuse contact for the ISP or other netblock owner. Some of them
are fairly co-operative. In almost all cases it's a waste of time, but it
makes you look busy. ;)
> What if it is a variety of people, apart from
> your firewall how else can you protect yourself?
Some people believe in reactive rulesets that blackhole IP ranges if there
are too many attacks detected from them - this is probably a bad plan for a
number of reasons.
The short answer is, in my opinion, ignore logs from your external filtering
device. The packets are getting dropped anyway, and 99%+ will be false
positives or script kiddiez. Keep logging though - if something bad does
happen you (or someone) might want the verbose logs for forensics.
If you have a Network IDS in your tender underbelly, pay much more attention
to that. One useful trick if you don't have the time / cash for a NIDS but
do have a DMZ is to log packets _leaving_ the DMZ that look suspicious.
> Regards,
>
> William Bartholomew MCP MCSE CNA CCNA
> Assistant Network Administrator
> Brisbane Boys' College
Cheers,
--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
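The "log what leaves the DMZ" trick from the reply above, as an added example that is not part of the original message or its author's setup. The script reads iptables-style LOG lines (the sample lines are constructed, not real logs), throws away everything that is not DMZ-originated (the inbound noise the reply says to ignore), skips packets that belong to connections somebody else opened, and raises an alert only for new connections a DMZ host opens that fall outside an egress policy, or that head for the internal LAN. The DMZ and LAN ranges, the interface names and the allowed-egress set are assumptions for illustration.

```python
"""Triage iptables-style log lines: ignore inbound drops, alert on odd DMZ egress."""
import ipaddress
import re

# Assumed topology and policy (hypothetical; the post names none of these).
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")      # DMZ hosts
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # trusted LAN behind the DMZ
# Connections DMZ hosts are allowed to *initiate*: (protocol, destination port).
ALLOWED_EGRESS = {("UDP", 53), ("TCP", 25), ("TCP", 80), ("TCP", 443)}

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # KEY=VALUE tokens in iptables LOG output
SYN_RE = re.compile(r"\bSYN\b")              # TCP flags appear as bare tokens


def parse_line(line):
    """Turn one log line into a dict; None if it has no usable SRC/DST."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
    except ValueError:
        return None
    dpt = fields.get("DPT", "")
    return {
        "src": src,
        "dst": dst,
        "proto": fields.get("PROTO", "").upper(),
        "dpt": int(dpt) if dpt.isdigit() else None,
        "syn": bool(SYN_RE.search(line)),
    }


def classify(line):
    """Return (category, reason). Only 'alert' deserves a human's attention."""
    ev = parse_line(line)
    if ev is None:
        return ("unparsed", "no SRC/DST fields")
    if ev["src"] not in DMZ_NET:
        # Inbound traffic hitting the outer filter: the noise the reply says to ignore.
        return ("noise", "not DMZ-originated")
    if ev["dst"] in INTERNAL_NET:
        # A DMZ host should never open anything towards the LAN: looks like a pivot.
        return ("alert", "dmz-to-internal")
    if ev["proto"] == "TCP" and not ev["syn"]:
        # Mid-connection packet, e.g. the web server answering an inbound client.
        # It leaves the DMZ, but it is not a connection the DMZ host initiated.
        return ("established", "tcp without SYN")
    if (ev["proto"], ev["dpt"]) in ALLOWED_EGRESS:
        return ("allowed", "matches egress policy")
    return ("alert", f"unexpected-egress {ev['proto']}/{ev['dpt']}")


def triage(lines):
    """Count every category and collect the alerts with their source lines."""
    counts = {}
    alerts = []
    for line in lines:
        category, reason = classify(line)
        counts[category] = counts.get(category, 0) + 1
        if category == "alert":
            alerts.append((reason, line.strip()))
    return counts, alerts


# Constructed sample lines in iptables LOG format (not captured from a real box).
SAMPLE_LOGS = [
    "IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=23 SYN",
    "IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 PROTO=TCP SPT=80 DPT=51234 ACK",
    "IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.53 PROTO=UDP SPT=4567 DPT=53",
    "IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=43211 DPT=6667 SYN",
    "IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=10.1.2.3 PROTO=TCP SPT=40000 DPT=445 SYN",
]

if __name__ == "__main__":
    counts, alerts = triage(SAMPLE_LOGS)
    print(counts)
    for reason, line in alerts:
        print(f"ALERT {reason}: {line}")
```

Two things to keep in mind when adapting it: the SYN test only works if the filter's logging rule records TCP flags (iptables LOG does), and UDP has no handshake, so every DMZ-originated UDP packet outside the policy counts as a new flow. Inbound packets aimed at the DMZ are deliberately dropped into the "noise" bucket; keep the raw logs anyway, as the reply says, in case they are wanted later for forensics.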