Firewall Wizards mailing list archives

Re: How do you fight an attack in progress?


From: Paul Ferguson <ferguson () cisco com>
Date: Fri, 19 Sep 1997 20:24:35 -0400

One thing you didn't mention, and that is how services such
as SMTP are handled in your environment.

Be aware that if you have tcp/25 wide open for an attacker,
and are running an older (read: exploitable) sendmail, then
it is fairly trivial to hack directly through this open
port. The same principle holds true for other conduits which
may be configured that allow direct port connections to
services which reside inside the perimeter of the firewall.

- paul

At 04:02 PM 9/19/97 -0400, Grigorof, Adrian wrote:


First, "Thanks!" to all who replied to my post. Maybe we can improve our
escalation procedures for such events by sharing them. But, be aware,
the real hackers get these messages too.

Unplugging the network cable from the firewall is probably something you
may want to avoid in a production environment, but it is obviously (and
even recommended by firewall developers) the most "secure" solution.

Here is what I am doing in such cases (fortunately I have only got
attacks from people hired to do so by the management):
-      I am making the whole IP subnet of the attacker a member of a
group already defined for such situations. This group is blocked from
accessing any Internet resources advertised under our domain. This way,
the hacker cannot even browse our web site or do anything otherwise
legal. The only thing left exposed is the firewall, but this one is
supposed to take care of itself, right?
-      I am monitoring the connections that the attacker is
establishing with the firewall and kill them on sight (believe me, it is
a good feeling)
-      telnet or eventually running a port scan against the attacking
host - this one is more a psychological weapon meaning: "I'm watching
you!". (here I would recommend a Denial of Service attack against the
aggressor!) 

Currently I am working with my ISP in developing a procedure that will
allow me to put filters on their router in a "quickly and timely manner".

Adrian



--
Paul Ferguson                                           ||        ||
Consulting Engineering                                  ||        ||
Herndon, Virginia   USA                                ||||      ||||
tel: +1.703.397.5938                               ..:||||||:..:||||||:..
e-mail: ferguson () cisco com                         c i s c o S y s t e m s
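Putting the two points of this exchange into a concrete filter, as an added example that is not part of either message: Adrian's first step (block the attacker's whole subnet from everything the site advertises, pushed out to the ISP's router) and Paul's warning (do not leave tcp/25 open to every host behind the firewall; permit it only to the designated relay). The output is a Cisco IOS numbered extended access list applied inbound on the Internet-facing interface, plus a small first-match evaluator so the rule ordering can be checked before the ACL is pasted onto a router. All addresses (192.0.2.0/24 as the attacker, 198.51.100.0/24 as the advertised network, 198.51.100.25 as the SMTP relay) are constructed from RFC 5737 documentation ranges, the /24 for the attacker's "whole subnet" and the interface name `Serial0` are assumptions, and `build_rules`, `render_ios` and `decide` are names chosen here, not anything from the thread.

```python
"""Quick-reaction inbound filter: block an attacking subnet, and expose tcp/25
only to the SMTP relay rather than to every advertised host.  Example code,
not from the original posts; all addresses are constructed (RFC 5737)."""
import ipaddress
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network
# One ACL entry: action, protocol, source, destination, destination port (None = any), log flag
Rule = Tuple[str, str, IPNet, IPNet, Optional[int], bool]
ANY = ipaddress.ip_network("0.0.0.0/0")


def subnet_of(addr: str, prefix: int = 24) -> IPNet:
    """The /prefix containing addr.  A /24 is assumed for the attacker's
    'whole subnet'; pass a different prefix if the ISP tells you otherwise."""
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def build_rules(attacker: IPNet, advertised: List[IPNet], relays: List[str]) -> List[Rule]:
    """Ordered, first-match rule list.  Order is the whole point: the attacker
    deny comes before every permit, the relay permits before the SMTP deny."""
    relay_nets = [ipaddress.ip_network(f"{r}/32") for r in relays]
    for r in relay_nets:
        if not any(r.subnet_of(a) for a in advertised):
            raise ValueError(f"relay {r.network_address} is not in an advertised network")
    if any(attacker.overlaps(a) for a in advertised):
        raise ValueError("refusing to blackhole our own address space")
    rules: List[Rule] = []
    for a in advertised:                                       # attacker's subnet: nothing at all
        rules.append(("deny", "ip", attacker, a, None, True))
    for r in relay_nets:                                       # tcp/25 reaches only the relay(s)
        rules.append(("permit", "tcp", ANY, r, 25, False))
    for a in advertised:                                       # no direct SMTP to anything else
        rules.append(("deny", "tcp", ANY, a, 25, True))
    rules.append(("permit", "ip", ANY, ANY, None, False))      # ISP-side filter must pass the rest
    return rules


def _ios_addr(net: IPNet) -> str:
    """IOS address syntax: 'any', 'host a.b.c.d', or 'a.b.c.d wildcard'."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # hostmask is the inverted mask IOS expects


def render_ios(rules: List[Rule], acl: int = 110, interface: str = "Serial0") -> List[str]:
    """Render as a numbered extended ACL (100-199) bound inbound on the uplink."""
    lines = []
    for action, proto, src, dst, port, log in rules:
        line = f"access-list {acl} {action} {proto} {_ios_addr(src)} {_ios_addr(dst)}"
        if port is not None:
            line += f" eq {port}"
        if log:
            line += " log"
        lines.append(line)
    lines += [f"interface {interface}", f" ip access-group {acl} in"]
    return lines


def decide(rules: List[Rule], src: str, dst: str, proto: str = "tcp",
           dport: Optional[int] = None) -> str:
    """First matching rule wins; like IOS, anything matching no rule is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport, _ in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    attacker = subnet_of("192.0.2.77")                        # constructed attacker address
    advertised = [ipaddress.ip_network("198.51.100.0/24")]    # constructed advertised range
    rules = build_rules(attacker, advertised, relays=["198.51.100.25"])
    print("\n".join(render_ios(rules)))
    print(decide(rules, "192.0.2.77", "198.51.100.80", "tcp", 80))   # attacker -> web server
    print(decide(rules, "203.0.113.9", "198.51.100.25", "tcp", 25))  # stranger -> relay
    print(decide(rules, "203.0.113.9", "198.51.100.80", "tcp", 25))  # stranger -> other host
```

The closing `permit ip any any` is deliberate: IOS ends every ACL with an implicit deny, which is fine on a perimeter firewall but would take the whole site offline if this list were pushed to the ISP's router as an emergency filter. The relay that stays reachable on tcp/25 is exactly the host Paul's remark applies to, so the filter buys nothing unless that one sendmail is kept current.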
