Firewall Wizards mailing list archives

How do you fight an attack in progress?


From: "Grigorof, Adrian" <agrigoro () mobility com>
Date: Fri, 19 Sep 1997 16:02:09 -0400

First, "Thanks!" to all who replied to my post. Maybe we can improve our
escalation procedures for such events by sharing them. But, be aware,
the real hackers get these messages too.

Unplugging the network cable from the firewall is probably something you
may want to avoid in a production environment, but it is obviously (and
is recommended even by firewall developers) the most "secure" solution.

Here is what I am doing in such cases (fortunately I have only got
attacks from people hired to do so by the management):
- I am making the whole IP subnet of the attacker a member of a
group already defined for such situations. This group is blocked from
accessing any Internet resources advertised under our domain. This way,
the hacker cannot even browse our web site or do anything otherwise
legal. The only thing left exposed is the firewall, but this one is
supposed to take care of itself, right?
- I am monitoring the connections that the attacker is
establishing with the firewall and kill them on sight (believe me, it is a
good feeling).
- telnet to, or eventually run a port scan against, the attacking
host; this one is more of a psychological weapon, meaning: "I'm watching
you!". (here I would recommend a Denial of Service attack against the
aggressor!)

Currently I am working with my ISP in developing a procedure that will
allow me to put filters on their router in a "quick and timely manner".

Adrian
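The first two steps of the procedure above (put the attacker's whole subnet into a pre-defined block group, then watch the firewall log for anything still arriving from that range) and the ISP filter request at the end can be expressed as a small script. This is an added example, not code from the original post or from any firewall product; the log line format, the group name "attackers" and the assumption that the ISP's router takes Cisco IOS-style access-list entries are all my own choices, and the addresses are RFC 5737 documentation ranges.

```python
import ipaddress
import re

# Block "group" as in the post: a named set of networks that the firewall denies
# access to every advertised service. Empty until an incident populates it.
BLOCK_GROUP = {"attackers": set()}

# Constructed firewall connection-log format (hypothetical, not any vendor's):
#   <time> src=<ip> dst=<ip> dport=<port>
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def block_attacker_subnet(addr, prefixlen=24, group="attackers"):
    """Add the whole subnet containing `addr` (default /24) to the block group.
    Returns the network object so the caller can record what was blocked."""
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    BLOCK_GROUP.setdefault(group, set()).add(net)
    return net


def is_blocked(addr, group="attackers"):
    """True if `addr` falls inside any network of the block group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCK_GROUP.get(group, ()))


def flag_connections(log_lines, group="attackers"):
    """Return [(src, dst, dport), ...] for log lines whose source is blocked.
    This is the 'watch the attacker's connections' step: anything still
    reaching the firewall from a blocked range is a candidate to terminate."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and is_blocked(m["src"], group):
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits


def isp_filter_lines(acl_number=101, group="attackers"):
    """Render the block group as IOS-style extended ACL entries, the kind of
    text one would hand an ISP to apply upstream. Assumes the ISP router uses
    Cisco IOS access-list syntax (wildcard mask rather than prefix length)."""
    nets = sorted(BLOCK_GROUP.get(group, ()),
                  key=lambda n: (n.version, int(n.network_address)))
    lines = [f"access-list {acl_number} deny ip {n.network_address} {n.hostmask} any"
             for n in nets]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


# Constructed sample log (documentation addresses, not real hosts).
SAMPLE_LOG = [
    "12:00:01 src=192.0.2.17 dst=203.0.113.5 dport=23",
    "12:00:02 src=198.51.100.4 dst=203.0.113.5 dport=80",
    "12:00:03 src=192.0.2.200 dst=203.0.113.5 dport=22",
]

if __name__ == "__main__":
    # Incident: 192.0.2.17 is the attacking host; block its whole /24.
    print("blocked", block_attacker_subnet("192.0.2.17"))
    for hit in flag_connections(SAMPLE_LOG):
        print("kill candidate:", hit)
    print("\n".join(isp_filter_lines()))
```

Blocking the enclosing /24 rather than the single host is the author's choice and is deliberately coarse; the prefix length is a parameter so the group can be tightened once the attack is understood. The ACL text is only a request template for the ISP, since the upstream filter is what actually stops traffic before it reaches the firewall.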


