Firewall Wizards mailing list archives

Re: 160.204.191.239, 212.222.191.239


From: William Stearns <wstearns () pobox com>
Date: Fri, 5 Nov 1999 13:27:06 -0500 (EST)

Good day, Eric,

On Fri, 5 Nov 1999, Eric Toll wrote:

> This "address" is a repeat offender for me.
>
> It always tries to spoof its name, and tries smap, and smapd stuff.
>
> Seems to be coming from osaka, japan
>
> I can't seem to trace it all the way.
> Anyone have any ideas?

        You've got a couple of options:
- Keep up on security patches on your own systems; a good choice even if
you decide to do any of the following.

- Ignore it.

- Put in firewall rules that drop packets from those addresses without
sending any ICMP errors (Linux example):

# DENY drops the packet silently; REJECT would send an ICMP error back.
# 1.2.3.0/24 stands for your own network.
for BLOCKEDHOST in 160.204.191.239 212.222.191.239 ; do
        # attacker -> us
        /sbin/ipchains -I input  -s $BLOCKEDHOST -d 1.2.3.0/24 -j DENY
        /sbin/ipchains -I output -s $BLOCKEDHOST -d 1.2.3.0/24 -j DENY
        # us -> attacker
        /sbin/ipchains -I input  -s 1.2.3.0/24 -d $BLOCKEDHOST -j DENY
        /sbin/ipchains -I output -s 1.2.3.0/24 -d $BLOCKEDHOST -j DENY
done

        With this approach, you risk that he/she will simply pick another
address from which to launch the attack.

- Do as above, but only block incoming packets to the ports this person is
trying to attack.

- Contact the ISP and see if they have any policy in place for dealing
with outbound attacks from their network.

- Move the machines on your network that are getting attacked to other IP
addresses, route those two addresses to new boxes that look similar to the
old ones but on their own cables, put in lots of monitoring software and
see if you can pull together enough proof of actual damage to prosecute.

        The last one's a toughie; I fear it will launch a week long debate
that will put even more load on Marcus' ability to moderate the list. :-(
In point of fact, it's not something I feel is appropriate for me, but for
those with the time, resources, and motivation, a honeypot is just one
more available option.

        Cheers,
        - Bill

---------------------------------------------------------------------------
        The Web is a four-year-old, endlessly yammering, "Look what I can do!"
(Courtesy of Hank Leininger <hlein () progressive-comp com>)
--------------------------------------------------------------------------
William Stearns (wstearns () pobox com).  Mason, Buildkernel, named2hosts, 
and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns/
--------------------------------------------------------------------------
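Added example, not part of Bill's or Eric's post: a small POSIX shell script that generates the same ipchains DENY rules as the snippet above, plus the narrower variant Bill lists as his fourth option (drop only inbound packets to the ports being probed). It validates the address before emitting anything and only prints the rules unless APPLY=1 is set, so it can be reviewed first. Assumptions: ipchains lives at /sbin/ipchains, the local network is the post's placeholder 1.2.3.0/24, and the probed port is TCP 25, since smap/smapd are the SMTP proxies of the TIS Firewall Toolkit; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): build ipchains DENY rules for
# a list of attacking hosts, either for all traffic in both directions or
# only for the ports being probed. DENY drops silently; REJECT would return
# an ICMP error and tell the scanner that something is there.
#
# Assumptions: LOCALNET is the post's placeholder 1.2.3.0/24, ipchains is
# /sbin/ipchains, and rules are only printed unless APPLY=1 is set.

LOCALNET="${LOCALNET:-1.2.3.0/24}"
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"

# valid_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# emit ARGS...: print the full ipchains command; run it only when APPLY=1
emit() {
    echo "$IPCHAINS $*"
    if [ "${APPLY:-0}" = 1 ]; then
        "$IPCHAINS" "$@"
    fi
}

# block_host HOST [PORT...]
#   no ports : drop everything between HOST and LOCALNET, both directions
#   ports    : drop only inbound TCP from HOST to those ports on LOCALNET
block_host() {
    host=$1
    shift
    if ! valid_ipv4 "$host"; then
        echo "block_host: bad address '$host'" >&2
        return 1
    fi
    if [ $# -eq 0 ]; then
        emit -I input  -s "$host" -d "$LOCALNET" -j DENY
        emit -I output -s "$host" -d "$LOCALNET" -j DENY
        emit -I input  -s "$LOCALNET" -d "$host" -j DENY
        emit -I output -s "$LOCALNET" -d "$host" -j DENY
    else
        for port in "$@"; do
            emit -I input -p tcp -s "$host" -d "$LOCALNET" "$port" -j DENY
        done
    fi
}

# Usage: full block for the first address, SMTP-only block for the second.
# (The two addresses are the ones from Eric's report.)
block_host 160.204.191.239
block_host 212.222.191.239 25
```

Run it once without APPLY to read the rules it would install, then with APPLY=1 to load them. The per-port form is the lighter touch: it stops the smap/smapd probing without cutting off legitimate traffic from the same address, at the cost of leaving every other port reachable from it.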
