[Dshield] Firewall that bites back??? Addendum

Conner, Jim jconner at uslec.com
Tue Nov 19 19:46:07 GMT 2002


in addendum to Jason's statements:

... not to mention that some acts could be construed as illegal or at best
questionably legal.  I would take the advice of Jason and do your best to,
if need be, log and block.  Logging is good so that if things really get bad
then you have something to give authorities.  If the traffic you are seeing
is really malicious masked behind netbios packets then you want to show
that as evidence.  Something like that would be good evidence as well.  On
the other hand, choose wisely what you decide to do because the FBI doesn't
want frivolous accusations.

In the meantime it is best to take a passive stance at such things and keep
your eyes and er, well, keep your eyes open.

If everybody "fought back" when something happened to them this world would
be in utter chaos knowing no peace.  Snort is the best tool, imo, to do
exactly what has been suggested.  The plugins that are available to add
firewall rules blocking "attacks" from those on certain IPs on certain
ports are said to be pretty decent.  Of course, if you are using windows as
a firewall, you may have problems with this and frankly, I would not use
windows for such a task anyway (my humble opinion...I have no desires to
start a flame).

good luck.

- Jim


|-----Original Message-----
|From: Jason Allen [mailto:jallen at garden-city.org]
|Sent: Tuesday, November 19, 2002 1:28 PM
|To: list at dshield.org
|Subject: RE: [Dshield] Firewall that bites back??? Addendum
|
|
|I'm sorry, but once you start 'fighting back' you have done exactly what we
|are here to prevent. You will drive yourself absolutely nuts trying to pay
|back everyone in the world that is using a system maliciously. Lock your
|doors. That doesn't mean that you have to stand around all day looking out
|the peep hole either. Get a couple of good deadbolts and get some rest
|knowing that you have done everything you can to make YOUR part of the world
|a safer place. Don't fight back, just make it so their efforts are
|fruitless. Keep your Karma in the green.
|
|-----Original Message-----
|From: rilya byor [mailto:rilya1 at yahoo.com]
|Sent: Monday, November 18, 2002 4:12 PM
|To: list at dshield.org
|Subject: Re: [Dshield] Firewall that bites back??? Addendum
|
|
|
|--- Alberto Gonzalez <ag-dshield at cerebro.violating.us> wrote:
|> well, by "fighting" back, do you mean to attempt the same attack on the
|> src ip that's attacking you?
|
|That's exactly what I meant...
|
|> A method of fighting back would be to use something
|> in the form of SnortSam w/ Snort (support for
|> pf, ipchains, and iptables(coming soon)) to block
|> packets based on alerts and or hogwash.
|
|Which is exactly what I'll do when I get my new modem
|to work with RedHat 7.2 ...
| 
|> i believe you mentioned you're on winXP..
|
|Wouldn't be if I could find some good ebay software
|for Linux ...
|
|> just trying to give you some ideas. Hope it Helps
|
|It does. Tnx!
|(BTW, the connection lockups were apparently being
|caused by my now-former ISP, tho they went to their
|death denying it!)
|Rilya
|
|> rilya byor wrote:
|> 
|> >As I was sending the above-mentioned email, my connection locked up for
|> >the 6th time this morning, and now the probes are coming in on other
|> >ports too. Here's the Outpost attack log for the last 15 minutes:
|> >
|> >11/18/2002 9:46:04 AM	Connection request	200.165.212.179	UDP(137)
|> >11/18/2002 9:41:51 AM	Connection request	80.24.91.15	UDP(137)
|> >11/18/2002 9:33:59 AM	Connection request	209.73.225.95	TCP(24541)
|> >11/18/2002 9:33:31 AM	Connection request	209.73.225.108	TCP(20239)
|> >11/18/2002 9:33:14 AM	Connection request	209.73.225.94	TCP(32105)
|> >11/18/2002 9:33:03 AM	Connection request	216.136.224.76	TCP(1357)
|> >11/18/2002 9:32:23 AM	Connection request	209.73.225.94	TCP(12064)
|> >11/18/2002 9:32:02 AM	Connection request	209.73.225.95	TCP(24541)
|> >11/18/2002 9:31:57 AM	Connection request	216.136.224.76	TCP(1357)
|> >11/18/2002 9:31:42 AM	Connection request	61.188.126.1	UDP(137)
|> >11/18/2002 9:31:33 AM	Connection request	209.73.225.108	TCP(20239)
|> >11/18/2002 9:31:17 AM	Connection request	209.73.225.94	TCP(32105)
|> >11/18/2002 9:30:42 AM	Connection request	216.136.224.76	TCP(1357)
|> >11/18/2002 9:30:25 AM	Connection request	209.73.225.94	TCP(12064)
|> >11/18/2002 9:30:04 AM	Connection request	209.73.225.95	TCP(24541)
|> >11/18/2002 9:29:36 AM	Connection request	209.73.225.108	TCP(20239)
|> >11/18/2002 9:29:19 AM	Connection request	209.73.225.94	TCP(32105)
|> >11/18/2002 9:28:47 AM	Connection request	216.136.224.76	TCP(1357)
|> >11/18/2002 9:28:27 AM	Connection request	209.73.225.94	TCP(12064)
|> >11/18/2002 9:28:07 AM	Connection request	209.73.225.95	TCP(24541)
|> >11/18/2002 9:27:38 AM	Connection request	209.73.225.108	TCP(20239)
|> >11/18/2002 9:27:20 AM	Connection request	209.73.225.94	TCP(32105)
|> >11/18/2002 9:26:39 AM	Connection request	216.136.224.76	TCP(1357)
|> >11/18/2002 9:26:29 AM	Connection request	209.73.225.94	TCP(12064)
|> >11/18/2002 9:21:19 AM	Connection request	209.73.225.95	TCP(24541)
|> >11/18/2002 9:21:19 AM	Connection request	209.73.225.108	TCP(20239)
|> >11/18/2002 9:21:13 AM	Connection request	209.73.225.94	TCP(32105)
|> >11/18/2002 9:21:04 AM	Connection request	209.73.225.94	TCP(12064)
|> >11/18/2002 9:19:01 AM	Connection request	209.6.250.129	UDP(137)
|> >
|> 
|> -- 
|> The secret to success is to start from scratch and
|> keep on scratching.
|> 
|> 
|> _______________________________________________
|> Dshield mailing list
|> Dshield at dshield.org
|> To change your subscription options (or unsubscribe), see:
|> http://www.dshield.org/mailman/listinfo/list
|
|

---------------------------------------------------------------
Jim Conner           | AMA & Traffic Systems Analyst
USLEC of NC          | Security Steering Committee
6801 Morrison Blvd   | Unix Systems Development - Perl
Charlotte, NC 28211  | wk: 704.319.1222 pgr: 877.317.2448
jconner at uslec.com    | txt: 8773172448 at archwireless.net 
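The "log and block" approach recommended in this thread, as an added example that is not from any of the posters: it parses lines in the Outpost attack-log layout rilya quoted (a constructed sample below, including one malformed line), flags sources that keep coming back inside a 15-minute window, and renders a plain iptables DROP rule for each. The threshold, the window and the INPUT chain name are assumptions, and the rule strings are only rendered, not executed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in the Outpost layout quoted above (tab-separated fields);
# the last line is deliberately malformed to show it being skipped, not guessed at.
SAMPLE_LOG = """\
11/18/2002 9:33:59 AM\tConnection request\t209.73.225.95\tTCP(24541)
11/18/2002 9:32:02 AM\tConnection request\t209.73.225.95\tTCP(24541)
11/18/2002 9:30:04 AM\tConnection request\t209.73.225.95\tTCP(24541)
11/18/2002 9:28:07 AM\tConnection request\t209.73.225.95\tTCP(24541)
11/18/2002 9:19:01 AM\tConnection request\t209.6.250.129\tUDP(137)
not an Outpost line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\t"
    r"Connection request\t(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\t"
    r"(?P<proto>TCP|UDP)\((?P<port>\d{1,5})\)\s*$"
)

def parse_outpost(text):
    """Return one dict per well-formed line; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                           "ip": m["ip"], "proto": m["proto"], "port": int(m["port"])})
    return events

def repeat_offenders(events, threshold=3, window=timedelta(minutes=15)):
    """Source IP -> peak requests inside any window-long span, if >= threshold."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = max(offenders.get(ip, 0), end - start + 1)
    return offenders

def block_rules(offenders):
    """Render an iptables DROP rule per flagged source (INPUT chain is an assumption)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]
```

The single NetBIOS (UDP 137) probe in the sample stays below the threshold and gets no rule, which is the point: only sustained repeat traffic earns a block entry.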