[Dshield] Tracking and Reporting Probes
Johannes B. Ullrich
jullrich at sans.org
Tue Mar 26 12:53:56 GMT 2002
> There are still 17 IPs that are just hanging in limbo. Maybe in some
> database or spreadsheet as they are open for future use of some sort.
> *) Should the Extra IP's be left in limbo? Will never know what kind of
> attacks/probes that are happening on the 17 IP's.
> *) Should a PC with Labrea be placed in the DMZ to act as Network connection
> for the 17 IP's? Can Now Track, Slowdown and monitor now.
yes. If you have the time to do this. (thinking about limited company
> *) Or on the Firewall Setup OneToOne NAT to a fake private IP Block? This
> will allow the same monitoring tools to be used on the other IP's.
> Drawback is the impact that it will have on the firewall itself.
yes. probably less work than Labrea, but also less fun...
Another option is to reject the extra IPs at whatever router is connecting
the network upstream. Not all ISPs allow you to mess with that. But this
is probably the most efficient way to deal with these (but you don't get
that much information out of router acl logs).
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System