Firewall Wizards mailing list archives
Re: How do you fight an attack in progress?
From: geek () midway com (Erik Van Riper)
Date: Fri, 19 Sep 1997 10:09:58 -0700 (PDT)
Grigorof, Adrian wrote:
> Hello everybody,
>
> As the subject line suggests, I'm interested to find how do you fight an attack in progress. Let's say that your firewall keeps sending you messages about a scan in progress or something similar. You have the IP address. You look-up the domain, call the administrator that you found for that domain and get just a voice mail or a "number disconnected" message. Worst case: there is no domain associated with that IP address. The firewall keeps paging you and your adrenaline level grows exponentially.
>
> So, how do you Wizards deal with such situations?

I would pull the plug on the firewall. Although, I have never had to do it. So far, I have seen no problems on the Gauntlet side, I see probes, but there is nothing to probe. :)

Years ago, while working at a .edu, I came across an attack in progress, and I pulled the ethernet cable while killing processes (They were removing a user account).

Make your job easier! Stick the WWW server on the outside of the firewall, tcp-wrapper the hell out of it, and keep the current working copy of the server pages inside the firewall. If someone breaks in and puts in their own WWW pages, wipe the machine, lay down a fresh OS, patch the hole(s), and stick your WWW site back on.

I am a bit BOFH'ish, and do not let the users do much (like IRC, etc), since there is really no reason in the first place for them doing it at work, but also because there are too many holes associated with many of those programs. This makes my job a lot easier. :)

--
Erik Van Riper (EV34)
Systems / Network Administrator
Midway Home Entertainment Inc.
San Diego, California
(619) 658 9500 (x110)
Go player.