[Dshield] Firewall that bites back??? Addendum

Richard Porter rwporter at kragoriantowers.com
Wed Nov 20 07:11:41 GMT 2002


All,

But where do you draw the line at active defense and deception? I would
prefer to make the enemy think that my webserver is an IIS 5.0 when it
is actually apache or vice versa. This drives them crazy and allows you
to have a little fun in the defense process!


Richard
-----Original Message-----
From: Jason Allen [mailto:jallen at garden-city.org] 
Sent: Tuesday, November 19, 2002 10:28 AM
To: list at dshield.org
Subject: RE: [Dshield] Firewall that bites back??? Addendum

I'm sorry, but once you start 'fighting back' you have done exactly what we
are here to prevent. You will drive yourself absolutely nuts trying to pay
back everyone in the world that is using a system maliciously. Lock your
doors. That doesn't mean that you have to stand around all day looking out
the peephole either. Get a couple of good deadbolts and get some rest
knowing that you have done everything you can to make YOUR part of the world
a safer place. Don't fight back, just make it so their efforts are
fruitless. Keep your Karma in the green.

-----Original Message-----
From: rilya byor [mailto:rilya1 at yahoo.com]
Sent: Monday, November 18, 2002 4:12 PM
To: list at dshield.org
Subject: Re: [Dshield] Firewall that bites back??? Addendum



--- Alberto Gonzalez <ag-dshield at cerebro.violating.us>
wrote:
> Well, by "fighting" back, do you mean to attempt the same attack on the
> src IP that's attacking you?

That's exactly what I meant...

> A method of fighting back would be to use something
> in the form of SnortSam w/ Snort (support for
> pf, ipchains, and iptables(coming soon)) to block
> packets based on alerts and or hogwash.

Which is exactly what I'll do when I get my new modem
to work with RedHat 7.2 ...
 
> I believe you mentioned you're on WinXP...

Wouldn't be if I could find some good ebay software
for Linux ...

> Just trying to give you some ideas. Hope it helps.

It does. Tnx!
(BTW, the connection lockups were apparently being
caused by my now-former ISP, tho they went to their
death denying it!)
Rilya

> rilya byor wrote:
> 
> >As I was sending the above-mentioned email, my connection locked up for
> >the 6th time this morning, and now the probes are coming in on other
> >ports too. Here's the Outpost attack log for the last 15 minutes:
> 
> -- 
> The secret to success is to start from scratch and
> keep on scratching.
> 
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or
> unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list





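The Outpost attack log quoted in the thread is the kind of output Jason's "just make their efforts fruitless" advice acts on: rather than answering a probe, you find the sources that keep coming back and write a block rule for them. The following Python is an added example, not code from any message in this thread; it parses lines in the Outpost log layout shown above and flags sources that hit the same port at a steady interval. The IP addresses are constructed from documentation ranges and the thresholds (three hits, at most three minutes apart) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Outpost attack-log line layout as quoted in the thread:
# <date> <time> AM/PM<TAB>Connection request<TAB><src ip><TAB><PROTO>(<port>)
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\t"
    r"Connection request\t(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\t"
    r"(?P<proto>TCP|UDP)\((?P<port>\d+)\)\s*$"
)

# Constructed sample lines (hypothetical IPs from documentation ranges) in
# the same format as the quoted log; this is not the original log data.
SAMPLE_LOG = """\
11/18/2002 9:33:14 AM\tConnection request\t192.0.2.94\tTCP(32105)
11/18/2002 9:32:23 AM\tConnection request\t192.0.2.94\tTCP(12064)
11/18/2002 9:31:42 AM\tConnection request\t198.51.100.1\tUDP(137)
11/18/2002 9:31:17 AM\tConnection request\t192.0.2.94\tTCP(32105)
11/18/2002 9:30:25 AM\tConnection request\t192.0.2.94\tTCP(12064)
11/18/2002 9:29:19 AM\tConnection request\t192.0.2.94\tTCP(32105)
11/18/2002 9:28:27 AM\tConnection request\t192.0.2.94\tTCP(12064)
11/18/2002 9:19:01 AM\tConnection request\t203.0.113.129\tUDP(137)
"""

def parse(log_text):
    """Yield (timestamp, ip, proto, port) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip wrapped or malformed lines rather than guessing
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        yield ts, m["ip"], m["proto"], int(m["port"])

def repeat_probers(log_text, min_hits=3, max_gap_s=180):
    """Return {(ip, proto, port): hit count} for sources that hit the same
    proto/port at least min_hits times with every consecutive gap no
    longer than max_gap_s seconds: steady, repeating probes that merit a
    block rule, as opposed to a one-off stray packet."""
    seen = defaultdict(list)
    for ts, ip, proto, port in parse(log_text):
        seen[(ip, proto, port)].append(ts)
    found = {}
    for key, times in seen.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) <= max_gap_s:
            found[key] = len(times)
    return found
```

On the constructed sample, only the source probing TCP 32105 and TCP 12064 about every two minutes is reported; the single UDP 137 (NetBIOS name service) hits are ignored as background noise.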