Security Incidents mailing list archives
Re: Simultaneous Attacks
From: bejtlich () ALTAVISTA NET (Richard Bejtlich)
Date: Tue, 11 Jul 2000 10:14:28 -0000
Hello Harlan,

I agree with your desire to protect your machine with BlackICE, but you may wish to reconsider your defensive posture. I could spend most of my free time reporting reconnaissance or intrusion attempts on my cable segment, but it's not worth it. That's my day job, and even there we must concentrate on high-end events.

Unfortunately, I believe over-zealous probe reporting may be occupying far too much ISP "abuse desk" and (generic) CERT time. Rather than concentrating on serious events, ISPs have to sort through messages describing decoy probes from non-existent hosts, etc.

I believe intrusion detection carries some responsibility to use the information to the advantage of the information assurance community. It would be quite easy to stress the community to the breaking point if thousands or hundreds of thousands of well-meaning but misinformed users bombarded ISPs and CERTs with dead-end reports.

Richard Bejtlich

--

Today I have detected three simultaneous intrusions into my computer. I report ALL intrusions and expect maximum penalties. I am using the BlackICE program. Record(s) from Attack-list.csv follow; date and time are GMT:

59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 64.232.4.242, , 24.161.11.47, , port=12345&name=NetBus, 6, A
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 23.23.23.23, , 24.161.11.47, , port=12345&name=NetBus, 6, A
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 24.24.24.24, tmp1-3218.twcny.rr.com, 24.161.11.47, , port=12345&name=NetBus, 6, A

It looks like an attempt to gain access by crashing my computer. The IP 23.23.23.23 is apparently unassigned in the European area. It would be interesting to know how widespread this attack was and who was really behind it.

Harlan S. Barney, Jr.
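The three records above show the pattern Richard describes: several distinct "intruders" hitting the same victim with the same signature in the same second, two of them with addresses that look hand-typed. The following triage script is an added example for this archive page, not code from BlackICE or from either poster. It parses Attack-list.csv records, buckets them by (second, issue id, victim), flags buckets with more than one source as a probable decoy scan, and marks individual sources that are non-routable or have four identical octets as implausible. The column names in FIELDS are inferred from the quoted records and are an assumption (the thread does not show BlackICE's header), and the fourth sample record is constructed for contrast.

```python
"""Triage BlackICE Attack-list.csv records for likely decoy scans.

Added example for this thread; not code from BlackICE or from either poster.
"""
import csv
import io
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: the three records quoted in the thread, plus one
# ordinary single-source probe (constructed by the editor) for contrast.
SAMPLE_ATTACK_LIST = """\
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 64.232.4.242, , 24.161.11.47, , port=12345&name=NetBus, 6, A
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 23.23.23.23, , 24.161.11.47, , port=12345&name=NetBus, 6, A
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 24.24.24.24, tmp1-3218.twcny.rr.com, 24.161.11.47, , port=12345&name=NetBus, 6, A
41, 2000-07-07 03:12:09, 2000011, TCP port probe, 24.161.12.200, , 24.161.11.47, , port=21, 1, A
"""

# Column labels inferred from the quoted records; BlackICE's real header is
# not shown in the thread, so these names are an assumption.
FIELDS = ("severity", "timestamp", "issue_id", "issue_name", "intruder_ip",
          "intruder_name", "victim_ip", "victim_name", "parameters",
          "count", "flag")


def parse_attack_list(text):
    """Parse CSV text into one dict per record; malformed rows are skipped."""
    rows = []
    for raw in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(raw) != len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, (f.strip() for f in raw))))
    return rows


def looks_like_decoy(addr):
    """Heuristic only: a non-routable/reserved source, or one whose four
    octets are identical (23.23.23.23), is the kind of hand-typed address
    people feed to a scanner's decoy option. Passing this check proves
    nothing about the remaining sources."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return True
    if not ip.is_global:
        return True
    return len(set(addr.split("."))) == 1


def group_simultaneous(rows):
    """Bucket records by (second, issue id, victim): a decoy scan shows up
    as several distinct sources in one bucket."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["timestamp"], r["issue_id"], r["victim_ip"])].append(r)
    return groups


def triage(rows):
    """Return one summary per bucket, flagging probable decoy scans."""
    report = []
    for (ts, _issue_id, victim), recs in group_simultaneous(rows).items():
        sources = sorted({r["intruder_ip"] for r in recs})
        report.append({
            "timestamp": ts,
            "issue": recs[0]["issue_name"],
            "victim": victim,
            "sources": sources,
            "suspect_decoys": [s for s in sources if looks_like_decoy(s)],
            # Several sources, same signature, same second: treat the whole
            # bucket as one event rather than reporting each source.
            "probable_decoy_scan": len(sources) > 1,
        })
    return report


if __name__ == "__main__":
    for entry in triage(parse_attack_list(SAMPLE_ATTACK_LIST)):
        tag = "DECOY SCAN?" if entry["probable_decoy_scan"] else "single probe"
        print(f'{entry["timestamp"]}  {entry["issue"]:<18} {tag}: '
              f'{", ".join(entry["sources"])}')
        if entry["suspect_decoys"]:
            print("   implausible sources:", ", ".join(entry["suspect_decoys"]))
```

Run as a script, the three quoted records collapse into a single "DECOY SCAN?" event with 23.23.23.23 and 24.24.24.24 listed as implausible, while the constructed FTP probe stays a single-source event. Note what the heuristic cannot do: it does not tell you which of the remaining sources, if any, is the real scanner, which is exactly why a bucket like this is a poor candidate for an abuse report.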
Current thread:
- Re: scan log and subsequent response from the host's ISP, (continued)
- Re: scan log and subsequent response from the host's ISP Pauel Loshkin (Jul 05)
- how to close security holes from nessus vulnerability scan report ? Chew Poh Chang (CAPL) (Jul 06)
- Snort SMTP expn-root Oxenreider, Jeff (Jul 06)
- Re: Snort SMTP expn-root Joe McAlerney (Jul 06)
- Re: Snort SMTP expn-root Bill Pennington (Jul 06)
- Re: Snort SMTP expn-root dyer (Jul 06)
- Simultaneous Attacks Harlan S. Barney, Jr. (Jul 06)
- Re: Simultaneous Attacks Valdis Kletnieks (Jul 07)
- Re: Simultaneous Attacks Ryan Russell (Jul 07)
- Ehm... what? (Re: Simultaneous Attacks) Martin Macok (Jul 11)
- Re: Simultaneous Attacks Richard Bejtlich (Jul 11)
- Re: scan log and subsequent response from the host's ISP Ejovi Nuwere (Jul 06)
- Re: scan log and subsequent response from the host's ISP Brooke, O'Neil (Jul 06)
- Re: scan log and subsequent response from the host's ISP Jason Storm (Jul 07)
- 6200/tcp Werner Iknaroff-Zhikovsky (Jul 09)
- Re: scan log and subsequent response from the host's ISP Michal Nazarewicz (Jul 07)
- Re: scan log and subsequent response from the host's ISP Dan Hollis (Jul 07)
- Re: scan log and subsequent response from the host's ISP Michal Nazarewicz (Jul 07)
- Re: scan log and subsequent response from the host's ISP Osvaldo Janeri Filho (Jul 10)
- Intrusion, WuFTP exploit? David Knaack (Jul 07)
- Re: scan log and subsequent response from the host's ISP Philipp Buehler (Jul 11)
- Re: scan log and subsequent response from the host's ISP Dan Hollis (Jul 07)