seems much work...
I'd better give the attacker an account so that he is happy doing something else :)

cheers,
mouss

At 08:14 17/01/01 -0500, McEwen, Don (NCI) wrote:
>William,
>    I'd echo most of the advice from Ben, however I'd watch the logs every
>morning or more often if you have the time. I'd write filter scripts that
>summarize the rejected packets. This lets you keep in touch with what type of
>traffic you get, and if someone is continually scanning and probing, then you
>may want to look at another level of defense against them. Security is not
>absolute, but keeping (at least one step) ahead of the enemy. They will
>continue to find new problems and ways to exploit them, so you gotta continue
>to get better at stopping them also. The only way to do this is to keep at it
>and watch what they do (even when it fails).
>
>My two cents worth...Don McEwen
>
>-----Original Message-----
>From: Ben Nagy [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, January 17, 2001 12:19 AM
>To: 'William Bartholomew'; [EMAIL PROTECTED]
>Subject: RE: Attack Quantity/Regularity
>
>
> > -----Original Message-----
> > From: William Bartholomew [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, 17 January 2001 3:40
> > To: [EMAIL PROTECTED]
> > Subject: Attack Quantity/Regularity
> >
> >
> > Just a couple of general questions:
> >
> > a) How often can a SMALL company expect to be attacked (i.e.
> > DENIED packets etc.)?
>
>Denied packets? Several times a day. Port scans will vary, mainly in
>proportion to your profile as a company, or your ISP's profile (since they
>own the netblocks that people are scanning). Almost all of these "attacks"
>will be false positives or untargeted scans - ie _not_ someone trying to
>attack your network in particular.
>
> > b) If attacks are regular, and often from the same people, what
> > action should you take?
>
>Notify the abuse contact for the ISP or other netblock owner. Some of them
>are fairly co-operative. In almost all cases it's a waste of time, but it
>makes you look busy. ;)
>
> > What if it is a variety of people, apart from
> > your firewall how else can you protect yourself?
>
>Some people believe in reactive rulesets that blackhole IP ranges if there
>are too many attacks detected from them - this is probably a bad plan for a
>number of reasons.
>
>The short answer is, in my opinion, ignore logs from your external filtering
>device. The packets are getting dropped anyway, and 99%+ will be false
>positives or script kiddiez. Keep logging though - if something bad does
>happen you (or someone) might want the verbose logs for forensics.
>
>If you have a Network IDS in your tender underbelly, pay much more attention
>to that. One useful trick if you don't have the time / cash for a NIDS but
>do have a DMZ is to log packets _leaving_ the DMZ that look suspicious.
>
> > Regards,
> >
> > William Bartholomew MCP MCSE CNA CCNA
> > Assistant Network Administrator
> > Brisbane Boys' College
>
>Cheers,
>
>--
>Ben Nagy
>Marconi Services
>Network Integration Specialist
>Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]

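The two practical suggestions in the thread (Don's "filter scripts that summarize the rejected packets" and Ben's trick of logging suspicious packets that leave the DMZ) are easy to combine in one small script. The following is an added example written for this page; it is not code posted by anyone in the thread. It assumes Linux netfilter/iptables LOG output with a "DROP" prefix and the usual IN=/OUT=/SRC=/DST=/PROTO=/DPT= fields, an assumed DMZ-facing interface name of eth1, and an assumed threshold of five distinct destination ports from one source before a source is reported as scanning. The log lines embedded in the script are constructed, not captured traffic.

```python
"""Summarise firewall DROP log lines: top sources, top destination ports,
sources that look like port scanners, and dropped packets leaving the DMZ.

Added example for this page, not code from the thread. Assumes iptables-style
LOG lines ("... kernel: DROP IN=... OUT=... SRC=... DST=... PROTO=... DPT=...").
"""
import re
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). 203.0.113.5 probes five ports,
# two hosts hit single ports, and a DMZ host (198.51.100.10, arriving on the
# assumed DMZ interface eth1) tries to reach an external host on tcp/6667.
SAMPLE_LOG = """\
Jan 17 08:01:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=22
Jan 17 08:01:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=23
Jan 17 08:01:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=80
Jan 17 08:01:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=443
Jan 17 08:01:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=3389
Jan 17 08:05:10 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=445
Jan 17 08:06:11 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.78 DST=198.51.100.10 PROTO=UDP SPT=5353 DPT=137
Jan 17 08:30:00 fw kernel: DROP IN=eth1 OUT=eth0 SRC=198.51.100.10 DST=203.0.113.200 PROTO=TCP SPT=33000 DPT=6667
Jan 17 08:30:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=198.51.100.10 DST=203.0.113.200 PROTO=TCP SPT=33001 DPT=6667
Jan 17 08:31:00 fw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=1234 DPT=25
"""

DMZ_IFACE = "eth1"        # assumed: interface on which DMZ hosts' packets arrive
SCAN_PORT_THRESHOLD = 5   # assumed: distinct dst ports from one SRC before we call it a scan

LINE_RE = re.compile(r"kernel: (\w+) (IN=.*)$")   # action, then the k=v fields
FIELD_RE = re.compile(r"(\w+)=(\S*)")             # OUT= with no value yields ""


def parse_line(line):
    """Return {'action': ..., 'IN': ..., 'OUT': ..., 'SRC': ..., ...} or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group(1)}
    rec.update(FIELD_RE.findall(m.group(2)))
    return rec


def summarize(log_text):
    """Aggregate DROP records the way a morning log-review script would."""
    records = (parse_line(l) for l in log_text.splitlines())
    drops = [r for r in records if r is not None and r["action"] == "DROP"]

    by_src = Counter(r["SRC"] for r in drops)
    by_dport = Counter(r["DPT"] for r in drops if "DPT" in r)

    # A source that hits many distinct ports is scanning, not mistyping an address.
    ports_per_src = defaultdict(set)
    for r in drops:
        if "DPT" in r:
            ports_per_src[r["SRC"]].add(r["DPT"])
    scanners = sorted(s for s, p in ports_per_src.items() if len(p) >= SCAN_PORT_THRESHOLD)

    # Dropped packets that came in on the DMZ interface and were being forwarded
    # out: a DMZ host initiating connections it should not is worth a look.
    dmz_egress = [r for r in drops if r.get("IN") == DMZ_IFACE and r.get("OUT")]

    return {
        "total_drops": len(drops),
        "by_src": by_src,
        "by_dport": by_dport,
        "scanners": scanners,
        "dmz_egress": dmz_egress,
    }


def format_report(summary, top_n=5):
    """Render the summary as the lines of a short daily report."""
    out = [f"dropped packets: {summary['total_drops']}", "top sources:"]
    out += [f"  {ip:<16} {n}" for ip, n in summary["by_src"].most_common(top_n)]
    out.append("top destination ports:")
    out += [f"  {port:<6} {n}" for port, n in summary["by_dport"].most_common(top_n)]
    out.append("probable scanners (>= %d ports): %s"
               % (SCAN_PORT_THRESHOLD, ", ".join(summary["scanners"]) or "none"))
    out.append("dropped packets leaving the DMZ:")
    out += [f"  {r['SRC']} -> {r['DST']} {r.get('PROTO', '?')}/{r.get('DPT', '?')}"
            for r in summary["dmz_egress"]] or ["  none"]
    return out


if __name__ == "__main__":
    print("\n".join(format_report(summarize(SAMPLE_LOG))))
```

In real use you would feed it yesterday's syslog slice (for example via `grep 'kernel: DROP'`) instead of SAMPLE_LOG, and, in line with Ben's advice, spend your attention on the "leaving the DMZ" section rather than the inbound noise.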
