Security Incidents mailing list archives

Re: Simultaneous Attacks


From: bejtlich () ALTAVISTA NET (Richard Bejtlich)
Date: Tue, 11 Jul 2000 10:14:28 -0000


Hello Harlan,

I agree with your desire to protect your machine with 
BlackICE, but you may wish to reconsider your defensive 
posture.  I could spend most of my free time reporting 
reconnaissance or intrusion attempts on my cable segment, 
but it's not worth it.  That's my day job, and even there 
we must concentrate on high-end events.  

Unfortunately, I believe over-zealous probe reporting may 
be occupying far too much ISP "abuse desk" and (generic) 
CERT time.  Rather than concentrating on serious events, 
ISPs have to sort through messages describing decoy probes 
from non-existent hosts, etc.

I believe intrusion detection carries some responsibility 
to use the information to the advantage of the information 
assurance community.  It would be quite easy to stress the 
community to the breaking point if thousands or hundreds of 
thousands of well-meaning but misinformed users bombarded 
ISPs and CERTs with dead-end reports.

Richard Bejtlich

--

Today I have detected three simultaneous intrusions into my 
computer.  I report ALL intrusions and expect maximum penalties.

I am using the BlackICE program.

Record(s) from Attack-list.csv follow, date and time are 
GMT:
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 64.232.4.242, , 24.161.11.47, , port=12345&name=NetBus, 6, A
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 23.23.23.23, , 24.161.11.47, , port=12345&name=NetBus, 6, A
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 24.24.24.24, tmp1-3218.twcny.rr.com, 24.161.11.47, , port=12345&name=NetBus, 6, A

It looks like an attempt to gain access by crashing my 
computer.  The IP 23.23.23.23 is apparently unassigned in the 
European area.  It would be interesting to know how widespread 
this attack was and who was really behind it.

Harlan S. Barney, Jr.
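The three records above are a textbook case of the problem Richard raises: three different sources, the same signature, the same victim, the same second. As an added example (not code from either poster, and not a BlackICE tool), the following Python script parses Attack-list.csv records in the layout shown in the thread and collapses them into one finding per (time, signature, victim), so that a burst of sources in one second is triaged as a single probable decoy scan rather than three separate abuse reports. The column names are an assumption inferred from the quoted records, the sample input is constructed from those records, and the "report-worthy" rule (exactly one routable source) is a triage heuristic of this example, not anything BlackICE itself does.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample input: the three BlackICE Attack-list.csv records quoted
# in the thread, re-joined to one record per line. Empty columns are kept.
SAMPLE_CSV = """\
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 64.232.4.242, , 24.161.11.47, , port=12345&name=NetBus, 6, A
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 23.23.23.23, , 24.161.11.47, , port=12345&name=NetBus, 6, A
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 24.24.24.24, tmp1-3218.twcny.rr.com, 24.161.11.47, , port=12345&name=NetBus, 6, A
"""

# Column names are an assumption inferred from the quoted records; they are
# not taken from any BlackICE documentation.
FIELDS = ["severity", "time", "issue_id", "issue_name", "intruder_ip",
          "intruder_name", "victim_ip", "victim_name", "parameters",
          "count", "flags"]


def parse_attack_list(text):
    """Parse Attack-list.csv text into a list of dicts, one per record."""
    records = []
    for raw in csv.reader(io.StringIO(text)):
        if len(raw) < len(FIELDS):
            continue  # skip blank or truncated lines
        records.append({name: value.strip() for name, value in zip(FIELDS, raw)})
    return records


def source_is_unroutable(ip_text):
    """True if the claimed source cannot be a real Internet host (private,
    loopback, reserved, multicast) or is not an address at all. Such a
    source is spoofed by definition, so there is nobody to report."""
    try:
        return not ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return True


def triage(text):
    """Collapse records into one finding per (time, signature, victim).

    Several distinct sources hitting the same victim with the same
    signature in the same second is the pattern of a decoy scan: at most
    one of the sources is the real origin, so filing one abuse report per
    source produces exactly the dead-end reports the thread complains about."""
    clusters = defaultdict(list)
    for rec in parse_attack_list(text):
        clusters[(rec["time"], rec["issue_id"], rec["victim_ip"])].append(rec)

    findings = []
    for (when, issue_id, victim), recs in sorted(clusters.items()):
        sources = sorted({r["intruder_ip"] for r in recs})
        spoofed = [s for s in sources if source_is_unroutable(s)]
        if len(sources) > 1:
            verdict = "likely decoy scan: at most one source is genuine"
        elif spoofed:
            verdict = "spoofed source: no one to report"
        else:
            verdict = "single-source probe"
        findings.append({
            "time": when,
            "issue": recs[0]["issue_name"],
            "victim": victim,
            "sources": sources,
            "unroutable_sources": spoofed,
            "verdict": verdict,
            # Heuristic of this example: only a single, routable source is
            # attributable enough to be worth an abuse-desk report.
            "report_worthy": len(sources) == 1 and not spoofed,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f["time"], f["issue"], "->", f["verdict"], f["sources"])
```

Run against the three quoted records, the script yields a single finding with three sources and a "likely decoy scan" verdict, flagged as not report-worthy; a lone record from a routable address comes out as a single-source probe that could be reported if its severity warranted it. The point is not that the script knows which of the three addresses is real (it cannot), but that it turns three candidate reports into one event with the right caveat attached.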


