[Dshield] Tracking and Reporting Probes

Johannes B. Ullrich jullrich at sans.org
Tue Mar 26 12:53:56 GMT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> There are still 17 IP that are just hanging in limbo.  Maybe in some 
> database or spreadsheet as they are open for future use of some sort.
> 
> Questions,
> *)  Should the extra IPs be left in limbo?  Will never know what kind of 
> attacks/probes are happening on the 17 IPs.

no ;-)

> 
> *)  Should a PC with LaBrea be placed in the DMZ to act as the network connection 
> for the 17 IPs?   Can now track, slow down and monitor.

yes. If you have the time to do this. (thinking about limited company 
resources)

> *)  Or on the firewall set up one-to-one NAT to a fake private IP block? This 
> will allow the same monitoring tools to be used on the other IPs. The drawback 
> is the impact that it will have on the firewall itself.

yes. probably less work than LaBrea, but also less fun... 

Another option is to reject the extra IPs at whatever router is connecting 
the network upstream. Not all ISPs allow you to mess with that. But this 
is probably the most efficient way to deal with these (but you don't get
that much information out of router ACL logs).

- -- 
- -------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8oG9mwWQP+4im9DYRAgfoAKCgdLfXIDUZzcrI749U6rMoUBaRiwCfdVgF
kBxWOX8el2Z779onsAk872o=
=aEM7
-----END PGP SIGNATURE-----
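Whichever of the three options is chosen, the payoff of keeping the unused addresses routed is the probe data they attract. As an added example (not part of the original thread, and not DShield's own client code), the script below summarizes firewall log lines for packets sent to an unused block: it counts probes per source, protocol and destination port, and flags sources that touch several unused addresses, which is the sweep pattern a dark range exposes. It assumes netfilter/iptables LOG format; the log lines and the 192.0.2.0/28 block are constructed for the example.

```python
"""Summarize probes hitting an unused ("dark") IP range from firewall log lines.

Added example, not from the original post. Assumes iptables/netfilter LOG
format ("SRC=... DST=... PROTO=... DPT=..."); the sample lines and the
192.0.2.0/28 block below are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Fields that netfilter LOG emits; DPT is absent for ICMP.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed: the unused block that should never receive legitimate traffic.
DARK_BLOCK = "192.0.2.0/28"

# Constructed sample: four packets into the dark block, one to a live host
# (192.0.2.20 is outside the /28) that must be ignored.
SAMPLE_LOG = """\
Mar 26 12:01:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.3 PROTO=TCP SPT=4321 DPT=80
Mar 26 12:01:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.4 PROTO=TCP SPT=4322 DPT=80
Mar 26 12:01:15 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.9 PROTO=TCP SPT=1025 DPT=445
Mar 26 12:01:20 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP SPT=1026 DPT=445
Mar 26 12:02:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=ICMP TYPE=8
"""


def parse_line(line):
    """Extract SRC/DST/PROTO/DPT from one LOG line; None if it is not a LOG line."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO", "?"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,  # ICMP has no port
    }


def dark_probes(log_text, dark_block):
    """Return parsed records whose destination falls inside the dark block."""
    net = ipaddress.ip_network(dark_block)
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue  # malformed DST field; skip rather than crash on bad log data
        if dst in net:
            probes.append(rec)
    return probes


def summarize(probes):
    """Count probes by (source, protocol, destination port)."""
    return Counter((p["src"], p["proto"], p["dport"]) for p in probes)


def sweep_sources(probes, min_targets=2):
    """Sources that touched at least min_targets distinct dark addresses (scanners)."""
    targets = defaultdict(set)
    for p in probes:
        targets[p["src"]].add(p["dst"])
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


def report(log_text, dark_block):
    """Human-readable table, busiest (source, proto, port) first."""
    probes = dark_probes(log_text, dark_block)
    rows = []
    for (src, proto, dport), count in summarize(probes).most_common():
        port = "-" if dport is None else str(dport)
        rows.append(f"{count:4d}  {src:<16} {proto}/{port}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, DARK_BLOCK))
    print("sweeping sources:", sweep_sources(dark_probes(SAMPLE_LOG, DARK_BLOCK)))
```

Because the block carries no real hosts, every record that survives the `dst in net` filter is unsolicited by definition, so no false-positive suppression is needed before the counts are reported; the same filter is what makes a dark range more informative than a router ACL counter, which records only that a packet was dropped.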
