Security Basics mailing list archives
RE: Need help from a group of experts. I am not a network expert but I play one on tv.
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 11 Sep 2003 09:40:56 -0700
> I am an owner of a small business with less than 25 staff members. We do not have the budget to afford a tech person on staff. I am a power user that has taken over the task of trying to secure our T1 and I am unclear of how to handle a few issues. 1. Each day my Sonicwall firewall is hit by at least 3 Sub Seven attacks. The firewall does say that they are blocked. I have converted my users to all use webmail with no attachment download to prevent pop3 mail virus issues.
>
> How do you track down these attackers when the IP address will not resolve and when I trace them they just don't list? I get the IP from the firewall log and try to traceroute to no avail.
Calling these an "attack" is perhaps a misnomer, or at least an exaggeration. It seems like a lot of "script kiddies" (I've recently seen them called "skiddies", and I kind of like the term) are willing to spend a lot of time and effort scanning vast address ranges looking for systems that have been compromised and the SubSeven backdoor installed. Note that the attack you have to worry about is not the *scan*, which your firewall is handling for you, but the original introduction of the backdoor *by some other method*.

[If I imagine myself in the role of a "l33t" uber-hacker who has just cracked into somebody's system, and has decided to install SubSeven to make it much easier to get back in for future havoc-wreaking, do I leave it set to use its default port so some ham-fisted skiddie can find and abuse it and probably tip the machine's user to the fact that they're owned? NO WAY. The only reason I would leave it on the default port is if there's nothing interesting here and I don't care if some skiddie gets a few jollies from it. So I figure that skiddies scanning for default trojan ports is almost as much a waste of time (admittedly, much less valuable time!) as admins worrying about scans that their firewall has dealt with.]

How long is it from when your firewall logs the "attack" until you try to trace them? If the scan came from a dial-up user, then they may no longer be on-line when you trace. If they're behind certain kinds of NAT, the source address your firewall recorded may no longer be in use, although this would be a bit unusual. Perhaps the scanner has spoofed the address in hopes of sniffing target responses in transit instead of making a real TCP connection, although most skiddies probably could not get that to work.

You can find out the ISP or company that owns the IP address using the WHOIS service at www.arin.net . (ARIN covers the Americas. If the source is overseas, ARIN will refer you to RIPE for Europe or APNIC for Asia and the Pacific -- they have WHOIS services, too.) I think www.abuse.com (?) tries to keep an up-to-date list of abuse-reporting email addresses for domains, so once you have a domain to go with that address, you have somewhere to complain to....
> Does the webmail stop all issues of mail attacks?
No. Some mail attacks take the form of enticing readers to visit a malicious website -- users who would click on an infected attachment are just as likely to be suckered by something like that. Heck, some HTML-encoded email may include malware directly. (Your approach *will* protect you from some kinds of mail attacks, just not "all".)
> Does a program exist that would reverse hack or fight back against these attacks daily?
Not really. How many scifi/adventure movies have revolved around the evil genius's plot to launch a nuclear attack on one of the major powers, such that they will counter-attack each other and get out of the way of his taking over the world? Same thing; if you deploy a tool that counter-attacks, you will start seeing spoofed attacks claiming to come from AOL, HotMail, Amazon, Google, etc. The real attackers will remain hidden and safe, but *you* won't....
> Does a program exist that could test my network on the internet to see if the firewall is good enough, or will someone tell me how I can try to trash it to test it?
Gibson Research (www.grc.com) has a pretty good "test my firewall" page. Not all of the *opinions* on that site are widely accepted, but he writes good solid code that I trust.
> P.S. I also run Zone Alarm Pro at home. Does it work?
Pretty much, yes. It's possible to "run" it, and have it configured so it's not really doing much good, but it's reasonably hard to do that by accident. (See Gibson Research, above. Test your protection at home as well as at the office, especially if you transport files (or a laptop) between the two.)

David Gillett
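The two practical steps David describes for the first question (check how old the logged hit is before bothering to trace it, then look up the address block's owner and its abuse contact) can be scripted. The following is an added example, not code from this thread, from SonicWall or from ARIN. It assumes a constructed "key=value" log layout (a real SonicWall log looks different; adjust the regular expression) and a constructed RDAP record in the JSON shape the regional registries' RDAP servers return today; RDAP is the protocol that has since replaced port-43 WHOIS at ARIN, RIPE and APNIC and did not exist when this thread was written. Address and contact values are fictitious.

```python
"""Triage blocked firewall hits and extract the abuse contact from an RDAP
(modern WHOIS) record.  Added example; log format and RDAP record below are
constructed samples, not real SonicWall or ARIN output."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines.  27374 is the documented SubSeven default port.
SAMPLE_LOG = """\
2003-09-11 08:02:13 action=blocked proto=tcp src=198.51.100.23 dst=203.0.113.5 dport=27374
2003-09-11 08:02:14 action=blocked proto=tcp src=198.51.100.23 dst=203.0.113.6 dport=27374
2003-09-11 09:17:40 action=blocked proto=tcp src=192.0.2.77 dst=203.0.113.5 dport=27374
2003-09-11 09:18:02 action=allowed proto=tcp src=192.0.2.10 dst=203.0.113.5 dport=80
2003-09-11 11:45:09 action=blocked proto=tcp src=198.51.100.23 dst=203.0.113.7 dport=27374
"""

# Constructed "current time" at which the admin reads the log.
REPORT_TIME = datetime(2003, 9, 11, 12, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) action=(?P<action>\w+) "
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def summarise_blocked(log_text):
    """Group blocked entries by source IP: hit count, first/last seen, ports hit.
    Malformed lines and permitted traffic are skipped."""
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None, "ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "blocked":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        rec = seen[m["src"]]
        rec["count"] += 1
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        rec["ports"].add(int(m["dport"]))
    return dict(seen)


def stale_sources(summary, now, max_age_hours=1):
    """Sources whose last hit is older than max_age_hours.  A dial-up or NAT
    address that old has very likely been reassigned, so a traceroute now tells
    you nothing about the original scanner; report it, don't chase it."""
    return sorted(src for src, rec in summary.items()
                  if (now - rec["last"]).total_seconds() > max_age_hours * 3600)


# Constructed RDAP record in the shape returned by e.g.
# https://rdap.arin.net/registry/ip/<address>.  Contact values are fictitious.
SAMPLE_RDAP = json.dumps({
    "handle": "NET-198-51-100-0-1",
    "startAddress": "198.51.100.0",
    "endAddress": "198.51.100.255",
    "name": "EXAMPLE-ISP-NET",
    "entities": [
        {"handle": "EXAMPLE-ISP", "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example ISP, Inc."]]]},
        {"handle": "ABUSE-EX", "roles": ["abuse"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example ISP Abuse Desk"],
                                  ["email", {}, "text", "abuse@example-isp.invalid"]]]},
    ],
})


def abuse_contacts(rdap_json):
    """Return the e-mail addresses of every entity carrying the 'abuse' role.
    RDAP entities can nest inside other entities, so walk them recursively."""
    def walk(entities, out):
        for ent in entities:
            if "abuse" in ent.get("roles", []):
                vcard_props = ent.get("vcardArray", ["vcard", []])[1]
                out.extend(prop[3] for prop in vcard_props if prop[0] == "email")
            walk(ent.get("entities", []), out)
        return out
    return walk(json.loads(rdap_json).get("entities", []), [])


if __name__ == "__main__":
    summary = summarise_blocked(SAMPLE_LOG)
    for src, rec in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{src}: {rec['count']} blocked, {rec['first']} .. {rec['last']}, "
              f"ports {sorted(rec['ports'])}")
    print("too old to trace:", stale_sources(summary, REPORT_TIME))
    print("abuse contacts for 198.51.100.23's block:", abuse_contacts(SAMPLE_RDAP))
```

The summary per source address (count, first and last seen, ports) is exactly the information an abuse desk wants in a complaint, and the staleness check makes the point from the reply concrete: a source last seen hours ago is worth reporting to the contact the RDAP lookup yields, not worth tracing live.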