Firewall Wizards mailing list archives

Re: How do you fight an attack in progress?


From: Andy Howard <achowar () erenj com>
Date: Fri, 19 Sep 1997 13:36:22 -0500

I'm not a wizard, but would suggest the following........

The scan itself is not dangerous.... just rattling the door knob.  Some
Web search and indexing sites do this.... there are some legitimate
reasons to get the door knob rattled.

Now, if you start getting logon attempts... somebody is trying to pick
the lock on the door... that's not so good.  Your risk assessment should
address your several levels of response and that should be folded into
your Intrusion Response procedures.

If you don't have lots of staff but do have lots of secrets, pull the
plug.  The other extreme is to just watch and be ready to pull the
plug.  You could make elaborate areas for the hacker to go into and
watch, but most people don't have time.  Your management should be able
to give some guidance as well.......
--------
Grigorof, Adrian wrote:

Hello everybody,

As the subject line suggests, I'm interested to find out how you fight an
attack in progress. Let's say that your firewall keeps sending you
messages about a scan in progress or something similar. You have the IP
address. You look up the domain, call the administrator that you found
for that domain and get just a voice mail or a "number disconnected"
message. Worst case: there is no domain associated with that IP address.
The firewall keeps paging you and your adrenaline level grows
exponentially.

So, how do you Wizards deal with such situations?

Adrian
Apprentice Wizard

-- 
Andy Howard   713-656-4396
achowar () erenj com
"Think hard!  Think Fast!  Think Often!  But Think!"
The contents of this note are my opinion and should
be treated only as that.