Firewall Wizards mailing list archives

Re: How do you fight an attack in progress?


From: geek () midway com (Erik Van Riper)
Date: Fri, 19 Sep 1997 10:09:58 -0700 (PDT)

Grigorof, Adrian wrote:

> Hello everybody,
>
> As the subject line suggests, I'm interested to find out how you fight an
> attack in progress. Let's say that your firewall keeps sending you
> messages about a scan in progress or something similar. You have the IP
> address. You look up the domain, call the administrator that you found
> for that domain and get just a voice mail or a "number disconnected"
> message. Worst case: there is no domain associated with that IP address.
> The firewall keeps paging you and your adrenaline level grows
> exponentially.
>
> So, how do you Wizards deal with such situations?

I would pull the plug on the firewall.

Although I have never had to do it.  So far I have seen no problems
on the Gauntlet side: I see probes, but there is nothing to probe.  :)

Years ago, while working at a .edu, I came across an attack in progress,
and I pulled the ethernet cable while killing processes (they were
removing a user account).

Make your job easier!  Stick the WWW server on the outside of the
firewall, tcp-wrapper the hell out of it, and keep the current
working copy of the server pages inside the firewall.  If someone
breaks in and puts in their own WWW pages, wipe the machine, lay down
a fresh OS, patch the hole(s), and stick your WWW site back on.

I am a bit BOFH'ish, and do not let the users do much (like IRC, etc.),
since there is really no reason in the first place for them doing
it at work, but also because there are too many holes associated with
many of those programs.  This makes my job a lot easier.  :)

-- 
Erik Van Riper (EV34)                    Systems / Network Administrator
Midway Home Entertainment Inc.                     San Diego, California
(619) 658 9500 (x110)
Go player.
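The "keep the current working copy inside the firewall" advice above only pays off if you can tell quickly which files on the exposed WWW host no longer match that copy. The following script is an added example, not code from the original post or from any product mentioned in it: it hashes a golden tree and a deployed tree and reports what was modified, added or removed, so a page-replacement or planted file shows up as a concrete list rather than a hunch. Both directory trees and their contents are constructed inline for the demonstration; the path names and file contents are hypothetical.

```python
import hashlib
import os
import tempfile

# Constructed sample trees (hypothetical content): the golden copy that lives
# inside the firewall, and the copy currently served by the exposed WWW host.
GOLDEN = {
    "index.html": b"<html><body>Welcome</body></html>\n",
    "about/team.html": b"<html><body>Team page</body></html>\n",
    "img/logo.gif": b"GIF89a\x00\x01",
}
DEPLOYED = {
    "index.html": b"<html><body>This page was replaced</body></html>\n",  # changed
    "about/team.html": b"<html><body>Team page</body></html>\n",           # unchanged
    # img/logo.gif is absent: removed on the exposed host
    "cgi-bin/extra.cgi": b"#!/bin/sh\n",                                  # not in golden copy
}


def write_tree(root, files):
    """Materialise a {relative path: bytes} mapping under root (sample data only)."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def hash_tree(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    digests = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_trees(golden, deployed):
    """Return (modified, added, removed) path lists, each sorted.

    modified: present in both trees with differing digests
    added:    present only on the deployed host (e.g. a planted file)
    removed:  present only in the golden copy (e.g. deleted content)
    """
    modified = sorted(p for p in golden if p in deployed and golden[p] != deployed[p])
    added = sorted(p for p in deployed if p not in golden)
    removed = sorted(p for p in golden if p not in deployed)
    return modified, added, removed


def check_sample():
    """Build the two sample trees on disk and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        gdir = os.path.join(tmp, "golden")
        ddir = os.path.join(tmp, "deployed")
        write_tree(gdir, GOLDEN)
        write_tree(ddir, DEPLOYED)
        return compare_trees(hash_tree(gdir), hash_tree(ddir))


if __name__ == "__main__":
    modified, added, removed = check_sample()
    for label, paths in (("MODIFIED", modified), ("ADDED", added), ("REMOVED", removed)):
        for p in paths:
            print(f"{label:8} {p}")
```

In practice you would run `hash_tree` on the real document root of the exposed host and compare against a digest list produced from the inside copy, rather than against the inline sample data; a non-empty "added" or "modified" list is the signal to take the box off the wire and rebuild it from the golden copy, as the post describes.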