Firewall Wizards mailing list archives

Re: How do you fight an attack in progress?


From: Paul Ferguson <ferguson () cisco com>
Date: Fri, 19 Sep 1997 13:09:59 -0400

Not much you can do, really. As long as you have the
appropriate ports blocked, just be glad that the probes
are being repelled.

Other than attempting to contact the technical &
zone contacts in the WHOIS database, there is really
not much more you can do, other than attempt to trace
it back to its source and convince the first-hop
service provider upstream from the source of the
attack to shut down/disconnect the offender. This is
extraordinarily difficult to do (the convincing, not
the tracing), however.

I've helped a couple of ISPs trace back attacks
(both TCP SYN and UDP flooding) to the sender, and
it has to be done in real-time, requires the
cooperation of operations staff at each administrative
domain (AS) in the traffic path, and can be equally
tedious, although it's been done on many occasions.

- paul

At 11:21 AM 9/19/97 -0400, Grigorof, Adrian wrote:

Hello everybody,

As the subject line suggests, I'm interested to find out how you fight an
attack in progress. Let's say that your firewall keeps sending you
messages about a scan in progress or something similar. You have the IP
address. You look up the domain, call the administrator that you found
for that domain and get just a voice mail or a "number disconnected"
message. Worst case: there is no domain associated with that IP address.
The firewall keeps paging you and your adrenaline level grows
exponentially.

So, how do you Wizards deal with such situations?


Adrian
Apprentice Wizard



--
Paul Ferguson                                           ||        ||
Consulting Engineering                                  ||        ||
Herndon, Virginia   USA                                ||||      ||||
tel: +1.703.397.5938                               ..:||||||:..:||||||:..
e-mail: ferguson () cisco com                         c i s c o S y s t e m s
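One way to turn "the firewall keeps paging you" into the summary Paul suggests sending to the WHOIS technical contact, as an added example that is not code from this thread or its authors: it groups denied probes by source, flags a source that touched many distinct ports (a scan rather than a stray packet), and prints the blocked-probe report. The log line format, SAMPLE_LOG, summarize, abuse_report and the port threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of firewall "deny" syslog lines (hypothetical format,
# not from the original post). One source sweeps six ports; one sends a single UDP packet.
SAMPLE_LOG = """\
Sep 19 11:02:13 fw deny tcp 192.0.2.77:4021 -> 203.0.113.5:21
Sep 19 11:02:13 fw deny tcp 192.0.2.77:4022 -> 203.0.113.5:23
Sep 19 11:02:14 fw deny tcp 192.0.2.77:4023 -> 203.0.113.5:25
Sep 19 11:02:14 fw deny tcp 192.0.2.77:4024 -> 203.0.113.5:80
Sep 19 11:02:15 fw deny tcp 192.0.2.77:4025 -> 203.0.113.5:110
Sep 19 11:02:15 fw deny tcp 192.0.2.77:4026 -> 203.0.113.5:139
Sep 19 11:09:40 fw deny udp 198.51.100.9:53 -> 203.0.113.5:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ deny (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def summarize(log_text, min_ports=5):
    """Group denied probes by source IP; mark a source as a scan when it
    hit at least min_ports distinct destination ports (threshold is an assumption)."""
    per_src = defaultdict(lambda: {"first": None, "last": None, "hits": 0, "ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not deny records
        rec = per_src[m["src"]]
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
        rec["hits"] += 1
        rec["ports"].add(int(m["dport"]))
    return {src: {**rec, "scan": len(rec["ports"]) >= min_ports}
            for src, rec in per_src.items()}

def abuse_report(summary, src, tz="-0400"):
    """Plain-text summary for the source's technical/abuse contact. Syslog
    timestamps carry no zone, so the report states one (placeholder value)."""
    rec = summary[src]
    ports = ", ".join(str(p) for p in sorted(rec["ports"]))
    return (f"Source {src}: {rec['hits']} denied probe(s) between {rec['first']} "
            f"and {rec['last']} ({tz}) against {len(rec['ports'])} port(s): {ports}. "
            f"All were blocked at our firewall.")

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, rec in report.items():
        if rec["scan"]:
            print(abuse_report(report, src))
```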
