Firewall Wizards mailing list archives
Re: 160.204.191.239, 212.222.191.239
From: William Stearns <wstearns () pobox com>
Date: Fri, 5 Nov 1999 13:27:06 -0500 (EST)
Good day, Eric,

On Fri, 5 Nov 1999, Eric Toll wrote:
> This "address" is a repeat offender for me. It always tries to spoof its name, and tries smap and smapd stuff. Seems to be coming from Osaka, Japan; I can't seem to trace it all the way. Anyone have any ideas?
You've got a couple of options:

- Keep up on security patches on your own systems; a good choice even if you decide to do any of the following.

- Ignore it.

- Put in firewall rules that drop packets from those addresses without sending any ICMP errors (Linux example):

      for BLOCKEDHOST in 160.204.191.239 212.222.191.239 ; do
          /sbin/ipchains -I input  -s $BLOCKEDHOST -d 1.2.3.0/24 -j DENY
          /sbin/ipchains -I output -s $BLOCKEDHOST -d 1.2.3.0/24 -j DENY
          /sbin/ipchains -I input  -s 1.2.3.0/24 -d $BLOCKEDHOST -j DENY
          /sbin/ipchains -I output -s 1.2.3.0/24 -d $BLOCKEDHOST -j DENY
      done

  With this approach, you risk that he/she will simply pick another address from which to launch the attack.

- Do as above, but only block incoming packets to the ports this person is trying to attack.

- Contact the ISP and see if they have any policy in place for dealing with outbound attacks from their network.

- Move the machines on your network that are getting attacked to other IP addresses, route those two addresses to new boxes that look similar to the old ones but on their own cables, put in lots of monitoring software, and see if you can pull together enough proof of actual damage to prosecute.

The last one's a toughie; I fear it will launch a week-long debate that will put even more load on Marcus' ability to moderate the list. :-( In point of fact, it's not something I feel is appropriate for me, but for those with the time, resources, and motivation, a honeypot is just one more available option.

Cheers,
- Bill

---------------------------------------------------------------------------
The Web is a four-year-old, endlessly yammering, "Look what I can do!"
(Courtesy of Hank Leininger <hlein () progressive-comp com>)
--------------------------------------------------------------------------
William Stearns (wstearns () pobox com).
Mason, Buildkernel, named2hosts, and ipfwadm2ipchains are at:
http://www.pobox.com/~wstearns/
--------------------------------------------------------------------------
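As an added example (not part of Bill's message), the script below turns his ipchains loop into a dry-run rule generator that covers both the whole-host block and the port-restricted variant he describes next; the local network 1.2.3.0/24 is his placeholder and the port list is an assumption.

```shell
#!/bin/sh
# Added example: generate ipchains DENY rules for a blocklist, either for the
# whole host or only for inbound TCP to the attacked ports.
# LOCALNET is the list's placeholder network; ATTACKED_PORTS is assumed.
LOCALNET="1.2.3.0/24"
BLOCKED_HOSTS="160.204.191.239 212.222.191.239"
ATTACKED_PORTS="25"   # assumption: smap/smapd front the SMTP port

# Dry-run by default: print the rule instead of applying it, so the change
# can be reviewed first. Set RUN=1 on a kernel that has /sbin/ipchains.
emit() {
    if [ "${RUN:-0}" = 1 ]; then
        /sbin/ipchains "$@"
    else
        echo "ipchains $*"
    fi
}

# Whole-host block: both chains, both directions. DENY drops silently;
# REJECT would send the ICMP error Bill wants to avoid.
block_host_all() {
    host=$1
    emit -I input  -s "$host" -d "$LOCALNET" -j DENY
    emit -I output -s "$host" -d "$LOCALNET" -j DENY
    emit -I input  -s "$LOCALNET" -d "$host" -j DENY
    emit -I output -s "$LOCALNET" -d "$host" -j DENY
}

# Port-restricted block: only inbound TCP to the attacked ports. ipchains
# takes the port as a second argument to -d ("-d NET PORT"), not --dport,
# so unrelated traffic from the host still passes.
block_host_ports() {
    host=$1
    shift
    for port in "$@"; do
        emit -I input -p tcp -s "$host" -d "$LOCALNET" "$port" -j DENY
    done
}

# Print the port-restricted rules for the two repeat offenders.
for h in $BLOCKED_HOSTS; do
    # shellcheck disable=SC2086
    block_host_ports "$h" $ATTACKED_PORTS
done
```

Swap `block_host_ports` for `block_host_all` in the final loop to get the four-rule whole-host version.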
Current thread:
- 160.204.191.239, 212.222.191.239 Eric Toll (Nov 05)
- Re: 160.204.191.239, 212.222.191.239 William Stearns (Nov 06)