Firewall Wizards mailing list archives
Re: How do you fight an attack in progress?
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Fri, 19 Sep 1997 12:24:44 +0000
As the subject line suggests, I'm interested to find how do you fight an attack in progress. Let's say that your firewall keeps sending you messages about a scan in progress or something similar.
GOOD question!! The first problem is defining an attack. Is being scanned an attack? Is being telnetted to an attack? Is having your SMTP port telnetted to and the DEBUG command issued an attack? Is having IP spoofing tools run against you an attack? I think that at each level the aggressive intent becomes clearer. At each level it is more reasonable to say you're under attack. These days I consider myself to be under attack when 2 things occur: 1) there is some kind of potential attack analysis (a scan of some sort, or other fact-gathering) 2) a follow-up is launched based on the previous fact-gathering. When the second occurs, that means that someone has (usually) gone to the effort to understand my defenses and then tailor a mission against them. A simple scan isn't quite hostile enough to justify breaking out the desert eagle and paying the travel costs to go talk to the responsible party.
You have the IP address. You look-up the domain, call the administrator that you found for that domain and get just a voice mail or a "number disconnected" message. Worst case: there is no domain associated with that IP address.
Or you get a university lab machine, or whatever. If there's no domain associated with the IP address then you're DEFINITELY in an interesting situation. :)
The firewall keeps paging you and your adrenaline level grows exponentially.
This is actually a comfort signal. Think about it this way: the firewall is telling you "someone is hitting me with something I know how to deal with." That's GOOD news. The time that you should really inhale your seat cushion is when the firewall is silent. Which, of course, is a problem, because by definition then you don't KNOW you're under attack at all.
So, how do you Wizards deal with such situations?
1) Become a disciple of the dump. Do your backups religiously.
2) Become a friend of the checksum. Identify things that shouldn't change on your system and set up things like tripwire to watch for changes.
3) Install burglar alarms. Know what shouldn't happen on your network, set up things to look for it, and tell you when it happens.
4) Talk to your senior management and legal counsel about how much time they feel is appropriate for you to invest in backtracking incidents. Hunting an attack could eat a week of your time. Decide if you want to go there or not.
5) If you're under a successful attack and you want to try to catch the guy and prosecute, DEFINITELY talk to legal counsel and get guidance about what constitutes admissible evidence.
6) Relax, have a home-brew.

If you're getting traffic from a known site, then you can start picking up the phone and making calls. If you're getting traffic from a nonexistent site then there's not much you can do unless you start calling your ISP and seeing if they're willing to track the packets off their backbone. If they are, then you can try to walk back up the 'net and find the source. That's a VERY hard thing to do unless you have major clout.

mjr.
-----
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
Personal: http://www.clark.net/pub/mjr
Work: http://www.nfr.net
New Book!!: http://www.clark.net/pub/mjr/websec
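The two-stage definition of "under attack" in the reply above (fact-gathering first, then a follow-up tailored to what was learned) is easy to turn into a burglar alarm. The script below is an added example, not code from the original post or from Network Flight Recorder; the log format (epoch seconds, source IP, destination port, ACCEPT or DENY, one event per line), the thresholds, and the sample events are all assumptions constructed for illustration. It classes a source as a scanner once it touches enough distinct ports inside a short window, and only raises an alert when that same source later gets an accepted connection after a pause.

```python
"""Scan-then-follow-up correlation over firewall-style log lines.

Added example; not from the original post. Log format is assumed to be
'<epoch-seconds> <src-ip> <dst-port> <ACCEPT|DENY>', one event per line.
"""
from collections import defaultdict

# Constructed sample events (not real logs): 10.0.0.9 sweeps six ports in a
# few seconds, then comes back fifteen minutes later to the one that answered.
# 192.0.2.7 makes a single ordinary connection and should never be flagged.
SAMPLE_LOG = """\
1000 10.0.0.9 21 DENY
1001 10.0.0.9 22 DENY
1002 10.0.0.9 23 DENY
1003 10.0.0.9 25 ACCEPT
1004 10.0.0.9 80 DENY
1005 10.0.0.9 110 DENY
1010 192.0.2.7 80 ACCEPT
1900 10.0.0.9 25 ACCEPT
"""

SCAN_PORTS = 5     # distinct ports inside SCAN_WINDOW counts as fact-gathering
SCAN_WINDOW = 60   # seconds
FOLLOWUP_GAP = 30  # an accepted connection this long after the scan is a follow-up


def parse(log_text):
    """Turn log lines into sorted (ts, src, port, action) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, port, action = line.split()
        events.append((int(ts), src, int(port), action))
    events.sort()
    return events


def classify(events):
    """Return (scanners, alerts).

    scanners: {src: ts at which the scan threshold was crossed}
    alerts:   [(ts, src, port)] accepted connections from a known scanner
              that arrive at least FOLLOWUP_GAP seconds after its scan.
    """
    touched = defaultdict(list)  # src -> [(ts, port)] within the window
    scanners = {}
    alerts = []
    for ts, src, port, action in events:
        # Stage 2: a known scanner comes back after a pause and the firewall
        # lets the connection through. That is the tailored mission.
        if (src in scanners and action == "ACCEPT"
                and ts - scanners[src] >= FOLLOWUP_GAP):
            alerts.append((ts, src, port))
            continue
        # Stage 1: count distinct ports this source touched inside the window.
        touched[src].append((ts, port))
        touched[src] = [(t, p) for t, p in touched[src] if ts - t <= SCAN_WINDOW]
        if src not in scanners and len({p for _, p in touched[src]}) >= SCAN_PORTS:
            scanners[src] = ts
    return scanners, alerts


def alerts_for(log_text):
    """Convenience wrapper: log text in, follow-up alerts out."""
    return classify(parse(log_text))[1]


if __name__ == "__main__":
    scanners, alerts = classify(parse(SAMPLE_LOG))
    print("scanners:", scanners)
    for ts, src, port in alerts:
        print(f"ALERT t={ts}: scanner {src} returned to port {port}")
```

The gap matters: open ports the scanner happens to hit during the sweep itself (port 25 at t=1003 above) are not treated as follow-ups, since they arrive before the threshold is crossed or within seconds of it. Only the return visit at t=1900 fires, which is the point the post makes: a bare scan is noise, a scan followed by a targeted connection is the signal worth paging someone for.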
Current thread:
- How do you fight an attack in progress? Grigorof, Adrian (Sep 19)
- Re: How do you fight an attack in progress? Marcus J. Ranum (Sep 19)
- Re: How do you fight an attack in progress? Erik Van Riper (Sep 19)
- Re: How do you fight an attack in progress? Paul Ferguson (Sep 19)
- Re: How do you fight an attack in progress? Andy Howard (Sep 19)
- Re: How do you fight an attack in progress? Paul Ferguson (Sep 20)
- Re: How do you fight an attack in progress? Neil Readwin (Sep 19)
- Re: How do you fight an attack in progress? John Lines (Sep 23)
- Re: How do you fight an attack in progress? Mark Coleman (Sep 20)
- Re: How do you fight an attack in progress? Joseph S. D. Yao (Sep 22)
- <Possible follow-ups>
- Re: How do you fight an attack in progress? Michele Mullins Jordan - Commercial SE-Sun-McLean VA (Sep 19)
- How do you fight an attack in progress? Grigorof, Adrian (Sep 19)
(Thread continues...)