Firewall Wizards mailing list archives
Re: How do you fight an attack in progress?
From: Paul Ferguson <ferguson () cisco com>
Date: Fri, 19 Sep 1997 20:24:35 -0400
One thing you didn't mention, and this is how services such as SMTP are handled in your environment. Be aware that if you have tcp/25 wide open for an attacker, and are running an older (read: exploitable) sendmail, then it is fairly trivial to hack directly through this open port. The same principle holds true for other conduits which may be configured that allow direct port connections to services which reside inside the perimeter of the firewall.

- paul

At 04:02 PM 9/19/97 -0400, Grigorof, Adrian wrote:
> First, "Thanks!" to all who replied to my post. Maybe we can improve our escalation procedures for such events by sharing them. But be aware, the real hackers get these messages too.
>
> Unplugging the network cable from the firewall is probably something you may want to avoid in a production environment, but it is obviously (and recommended even by firewall developers) the most "secure" solution.
>
> Here is what I am doing in such cases (fortunately I have only got attacks from people hired to do so by the management):
>
> - I am making the whole IP subnet of the attacker a member of a group already defined for such situations. This group is blocked from accessing any Internet resources advertised under our domain. This way, the hacker cannot even browse our web site or do anything otherwise legal. The only thing left exposed is the firewall, but this one is supposed to take care of itself, right?
>
> - I am monitoring the connections that the attacker is establishing with the firewall and kill them on sight (believe me, it is a good feeling).
>
> - telnet or eventually running a port scan against the attacking host - this one is more a psychological weapon meaning: "I'm watching you!" (Here I would recommend a Denial of Service attack against the aggressor!)
>
> Currently I am working with my ISP in developing a procedure that will allow me to put filters on their router in a "quick and timely manner".
>
> Adrian
--
Paul Ferguson
Consulting Engineering
Herndon, Virginia USA
tel: +1.703.397.5938
e-mail: ferguson () cisco com
Cisco Systems
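As an added illustration of the escalation steps Adrian describes (this is not code from the thread or from either poster), a small Python helper that reads constructed firewall connection-log lines, flags sources probing several distinct ports, expands each one to the /24 "block group" Adrian mentions, and lists the live connections from that group that an operator would terminate. The log format, the probe threshold and the /24 prefix are assumptions.

```python
import ipaddress

# Constructed sample firewall connection log (not real traffic):
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <state>"
SAMPLE_LOG = """\
1997-09-19T15:58:01 192.0.2.77 -> 198.51.100.10:25 SYN
1997-09-19T15:58:02 192.0.2.77 -> 198.51.100.10:25 SYN
1997-09-19T15:58:02 192.0.2.77 -> 198.51.100.10:23 SYN
1997-09-19T15:58:03 192.0.2.77 -> 198.51.100.10:110 SYN
1997-09-19T15:58:05 203.0.113.9 -> 198.51.100.10:80 SYN
1997-09-19T15:58:06 192.0.2.78 -> 198.51.100.10:25 SYN
"""


def parse_log(text):
    """Parse the assumed log format into (ts, src, dst, port, state) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst, state = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        events.append((ts, src, dst_ip, int(dst_port), state))
    return events


def find_offenders(events, threshold=3):
    """Sources that touched at least `threshold` distinct ports: a probing pattern."""
    ports_by_src = {}
    for _, src, _, port, _ in events:
        ports_by_src.setdefault(src, set()).add(port)
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= threshold)


def block_group(offenders, prefix=24):
    """Expand each offending host to its whole subnet, as Adrian's block group does."""
    nets = {str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)) for ip in offenders}
    return sorted(nets)


def connections_to_kill(events, blocked):
    """Distinct (src, port) connections from blocked networks, for the operator to drop."""
    nets = [ipaddress.ip_network(n) for n in blocked]
    hits = {(src, port) for _, src, _, port, _ in events
            if any(ipaddress.ip_address(src) in n for n in nets)}
    return sorted(hits)
```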