Security Basics mailing list archives

RE: Need help from a group of experts. I am not a network expert but I play one on tv.


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 11 Sep 2003 09:40:56 -0700

      I am an owner of a small business with less than 25 staff members. We
do not have the budget to afford a tech person on staff. I am a power
user that has taken over the task of trying to secure our T1 and I am
unclear of how to handle a few issues.

1. Each day my Sonicwall firewall is hit by at least 3 Sub Seven
attacks. The firewall does say that they are blocked. I have converted
my users to all use webmail with no attachment download to prevent pop3
mail virus issues.

      - How do you track down these attackers when the IP address
will not resolve and when I trace them they just don't list? I get the
IP from the firewall log and try to trace route to no avail.

  Calling these an "attack" is perhaps a misnomer, or at least an
exaggeration.
It seems like a lot of "script kiddies" (I've recently seen them called
"skiddies", and I kind of like the term) are willing to spend a lot of time
and effort scanning vast address ranges looking for systems that have been
compromised and the SubSeven backdoor installed.  Note that the attack you
have to worry about is not the *scan*, which your firewall is handling for
you, but the original introduction of the backdoor *by some other method*.
  [If I imagine myself in the role of a "l33t" uber-hacker who has just
cracked into somebody's system, and has decided to install SubSeven to make
it much easier to get back in for future havoc-wreaking, do I leave it set
to use its default port so some ham-fisted skiddie can find and abuse it
and probably tip the machine's user to the fact that they're owned?  NO
WAY.  The only reason I would leave it on the default port is if there's
nothing interesting here and I don't care if some skiddie gets a few jollies
from it.  So I figure that skiddies scanning for default trojan ports
is almost as much a waste of time (admittedly, much less valuable time!)
as admins worrying about scans that their firewall has dealt with.]

  How long is it from when your firewall logs the "attack" until you try
to trace them?  If the scan came from a dial-up user, then they may no
longer be on-line when you trace.  If they're behind certain kinds of NAT,
the source address your firewall recorded may no longer be in use, although
this would be a bit unusual.  Perhaps the scanner has spoofed the address in
hopes of sniffing target responses in transit instead of making a real TCP
connection, although most skiddies probably could not get that to work.

  You can find out the ISP or company that owns the IP address using the
WHOIS service at www.arin.net .  (ARIN covers the Americas.  If the source
is overseas, ARIN will refer you to RIPE for Europe or APNIC for Asia and
the Pacific -- they have WHOIS services, too.  I think www.abuse.com (?)
tries to keep an up-to-date list of abuse-reporting email addresses for
domains, so once you have a domain to go with that address, you have
somewhere to complain to....

      - Does the webmail stop all issues of mail attacks?

  No.  Some mail attacks take the form of enticing readers
to visit a malicious website -- users who would click on an infected
attachment are just as likely to be suckered by something like that.
Heck, some HTML-encoded email may include malware directly.
  (Your approach *will* protect you from some kinds of mail
attacks, just not "all".)

      - Does a program exist that would reverse hack
or fight back against these attacks daily?

  Not really.  How many scifi/adventure movies have revolved around
the evil genius's plot to launch a nuclear attack on one of the major
powers, such that they will counter-attack each other and get out of
the way of his taking over the world?  Same thing; if you deploy a
tool that counter-attacks, you will start seeing spoofed attacks
claiming to come from AOL, HotMail, Amazon, Google, etc.  The real
attackers will remain hidden and safe, but *you* won't....

      - Does a program exist that could test my network on the internet to
see if the firewall is good enough, or will someone tell me how I can
try to trash it to test it?

  Gibson Research (www.grc.com) has a pretty good "test my firewall"
page.  Not all of the *opinions* on that site are widely accepted, but
he writes good solid code that I trust.

P.S. I also run Zone Alarm Pro at home. Does it work?

  Pretty much, yes.  It's possible to "run" it, and have it configured
so it's not really doing much good, but it's reasonably hard to do
that by accident.  (See Gibson Research, above.  Test your protection
at home as well as at the office, especially if you transport files
(or a laptop) between the two.)

David Gillett
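The triage workflow the reply describes (pull the source addresses out of the firewall's "blocked" entries, check how stale each entry is before bothering to trace it, then read the registry's WHOIS record for an abuse mailbox or a referral to RIPE/APNIC) as an added example, not code from the original post or from any firewall vendor. The log line format, the WHOIS text, the organisation names and the abuse address are all constructed for this example; only port 27374 (SubSeven's well-known default) and the WHOIS wire protocol (TCP port 43, RFC 3912) are real.

```python
"""Added example (not from the original post): triage blocked-scan log
entries and work out where an abuse report should go.

Assumptions: the log format below is constructed for this example and is not
SonicWall's real format; the WHOIS texts are constructed samples in the style
of an ARIN answer, with placeholder organisations and a placeholder mailbox.
"""
import re
import socket
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of firewall log entries (not a real vendor format).
# 27374/tcp is the well-known SubSeven default port the scans look for.
FIREWALL_LOG = """\
2003-09-11 03:14:07 BLOCK TCP src=198.51.100.23:4321 dst=203.0.113.5:27374 msg="Sub Seven attack dropped"
2003-09-11 03:14:09 BLOCK TCP src=198.51.100.23:4322 dst=203.0.113.5:27374 msg="Sub Seven attack dropped"
2003-09-11 06:02:41 BLOCK TCP src=192.0.2.77:1040 dst=203.0.113.5:27374 msg="Sub Seven attack dropped"
2003-09-11 06:02:41 ALLOW TCP src=203.0.113.5:1234 dst=192.0.2.10:80 msg="outbound web"
"""

# Constructed WHOIS answer in the style of an ARIN record. Every value here
# is a placeholder, not a real registration.
SAMPLE_WHOIS = """\
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-NET-1
OrgName:        Example Access Provider (placeholder)
OrgAbuseHandle: EXAMP-ARIN
OrgAbuseEmail:  abuse@isp.example
"""

# Constructed ARIN-style answer for a block handled by another registry;
# this is the "ARIN will refer you to RIPE or APNIC" case from the reply.
SAMPLE_REFERRAL = """\
NetRange:       192.0.2.0 - 192.0.2.255
OrgName:        Regional registry (placeholder)
ReferralServer: whois://whois.ripe.net
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<action>BLOCK|ALLOW) (?P<proto>\w+) '
    r'src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) '
    r'msg="(?P<msg>[^"]*)"$'
)


def parse_log(text):
    """Yield one dict per line that matches the constructed log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S")
            entry["dport"] = int(entry["dport"])
            yield entry


def blocked_sources(text):
    """Count blocked connection attempts per source address."""
    return Counter(e["src"] for e in parse_log(text) if e["action"] == "BLOCK")


def is_stale(entry_ts, now, max_age=timedelta(hours=1)):
    """True when the entry is old enough that a dial-up or NAT source may no
    longer hold the logged address, so a traceroute now proves little."""
    return now - entry_ts > max_age


def parse_whois(text):
    """Turn 'Key: value' WHOIS lines into a dict; comment lines are skipped
    and the first value seen for a key wins."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(("#", "%")):
            key, _, value = line.partition(":")
            fields.setdefault(key.strip(), value.strip())
    return fields


def abuse_contact(whois_text):
    """Return ('email', addr) when an abuse mailbox is listed, ('referral',
    server) when the registry points at another WHOIS server, else
    ('unknown', None)."""
    fields = parse_whois(whois_text)
    if "OrgAbuseEmail" in fields:
        return ("email", fields["OrgAbuseEmail"])
    if "ReferralServer" in fields:
        return ("referral", fields["ReferralServer"].replace("whois://", "", 1))
    return ("unknown", None)


def whois_lookup(ip, server="whois.arin.net", timeout=10):
    """Live WHOIS query over TCP port 43 (RFC 3912): send the query line,
    read until the server closes. Needs network access; the functions above
    work on the constructed samples and are what the test exercises."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((ip + "\r\n").encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    now = datetime(2003, 9, 11, 9, 40)
    for entry in parse_log(FIREWALL_LOG):
        if entry["action"] == "BLOCK":
            print(entry["src"], "stale" if is_stale(entry["ts"], now) else "fresh")
    print(blocked_sources(FIREWALL_LOG).most_common())
    print(abuse_contact(SAMPLE_WHOIS), abuse_contact(SAMPLE_REFERRAL))
```

When `abuse_contact` returns a referral, the same `whois_lookup` call is repeated against the named server; the design keeps the parsing separate from the network call so the log-to-contact logic can be exercised without touching any registry.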


