[Dshield] Firewall that bites back??? Addendum

Alberto Gonzalez ag-dshield at cerebro.violating.us
Mon Nov 18 20:47:12 GMT 2002


Well, by "fighting" back, do you mean to attempt the same attack on the src IP that's attacking you?

A method of fighting back would be to use something in the form of SnortSam w/ Snort (support for pf, ipchains, and iptables (coming soon)) to block packets based on alerts, and/or hogwash.

Those above examples use Snort IDS to identify alerts and block them via drop (hogwash) or SnortSam adding rules into your firewall. Some folks don't like running Intrusion Detection Systems based on the false positive rates. And I believe you mentioned you're on WinXP.. just trying to give you some ideas. Hope it helps.

    - Albert

rilya byor wrote:

>As I was sending the above-mentioned email, my
>connection locked up for the 6th time this morning, and
>now the probes are coming in on other ports too.
>Here's the Outpost attack log for the last 15 minutes:
>
>11/18/2002 9:46:04 AM	Connection request	200.165.212.179	UDP(137)
>11/18/2002 9:41:51 AM	Connection request	80.24.91.15	UDP(137)
>11/18/2002 9:33:59 AM	Connection request	209.73.225.95	TCP(24541)
>11/18/2002 9:33:31 AM	Connection request	209.73.225.108	TCP(20239)
>11/18/2002 9:33:14 AM	Connection request	209.73.225.94	TCP(32105)
>11/18/2002 9:33:03 AM	Connection request	216.136.224.76	TCP(1357)
>11/18/2002 9:32:23 AM	Connection request	209.73.225.94	TCP(12064)
>11/18/2002 9:32:02 AM	Connection request	209.73.225.95	TCP(24541)
>11/18/2002 9:31:57 AM	Connection request	216.136.224.76	TCP(1357)
>11/18/2002 9:31:42 AM	Connection request	61.188.126.1	UDP(137)
>11/18/2002 9:31:33 AM	Connection request	209.73.225.108	TCP(20239)
>11/18/2002 9:31:17 AM	Connection request	209.73.225.94	TCP(32105)
>11/18/2002 9:30:42 AM	Connection request	216.136.224.76	TCP(1357)
>11/18/2002 9:30:25 AM	Connection request	209.73.225.94	TCP(12064)
>11/18/2002 9:30:04 AM	Connection request	209.73.225.95	TCP(24541)
>11/18/2002 9:29:36 AM	Connection request	209.73.225.108	TCP(20239)
>11/18/2002 9:29:19 AM	Connection request	209.73.225.94	TCP(32105)
>11/18/2002 9:28:47 AM	Connection request	216.136.224.76	TCP(1357)
>11/18/2002 9:28:27 AM	Connection request	209.73.225.94	TCP(12064)
>11/18/2002 9:28:07 AM	Connection request	209.73.225.95	TCP(24541)
>11/18/2002 9:27:38 AM	Connection request	209.73.225.108	TCP(20239)
>11/18/2002 9:27:20 AM	Connection request	209.73.225.94	TCP(32105)
>11/18/2002 9:26:39 AM	Connection request	216.136.224.76	TCP(1357)
>11/18/2002 9:26:29 AM	Connection request	209.73.225.94	TCP(12064)
>11/18/2002 9:21:19 AM	Connection request	209.73.225.95	TCP(24541)
>11/18/2002 9:21:19 AM	Connection request	209.73.225.108	TCP(20239)
>11/18/2002 9:21:13 AM	Connection request	209.73.225.94	TCP(32105)
>11/18/2002 9:21:04 AM	Connection request	209.73.225.94	TCP(12064)
>11/18/2002 9:19:01 AM	Connection request	209.6.250.129	UDP(137)

-- 
The secret to success is to start from scratch and keep on scratching.
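As an added example that is not part of the thread or of SnortSam/hogwash, here is a small Python script that parses entries in the Outpost attack-log format quoted above and only proposes a block for sources that repeat within a time window; that threshold is the false-positive guard one would want before letting an IDS add firewall rules automatically. The function names, the threshold and the window are my assumptions, and the embedded sample is a subset of the quoted log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a handful of entries taken from the Outpost attack log
# quoted in the thread (tab-separated: timestamp, event, source IP, proto(port)).
SAMPLE_LOG = """\
11/18/2002 9:33:14 AM\tConnection request\t209.73.225.94\tTCP(32105)
11/18/2002 9:33:03 AM\tConnection request\t216.136.224.76\tTCP(1357)
11/18/2002 9:32:23 AM\tConnection request\t209.73.225.94\tTCP(12064)
11/18/2002 9:31:57 AM\tConnection request\t216.136.224.76\tTCP(1357)
11/18/2002 9:31:42 AM\tConnection request\t61.188.126.1\tUDP(137)
11/18/2002 9:31:17 AM\tConnection request\t209.73.225.94\tTCP(32105)
11/18/2002 9:30:42 AM\tConnection request\t216.136.224.76\tTCP(1357)
11/18/2002 9:19:01 AM\tConnection request\t209.6.250.129\tUDP(137)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\t"
    r"(?P<event>[^\t]+)\t(?P<src>\d{1,3}(?:\.\d{1,3}){3})\t"
    r"(?P<proto>TCP|UDP)\((?P<port>\d+)\)\s*$"
)

def parse_outpost_log(text):
    """Return (timestamp, src_ip, proto, port) tuples; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        records.append((ts, m["src"], m["proto"], int(m["port"])))
    return records

def block_candidates(records, min_hits=3, window=timedelta(minutes=15)):
    """Map source IP -> hit count for sources with >= min_hits requests inside
    any window-long span. A lone probe (e.g. a stray UDP/137 name lookup) never
    qualifies, so an auto-block rule is not added on a single noisy alert."""
    by_src = defaultdict(list)
    for ts, src, _proto, _port in records:
        by_src[src].append(ts)
    candidates = {}
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):          # sliding window over sorted hits
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= min_hits:
                candidates[src] = j - i
                break
    return candidates
```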