Security Incidents mailing list archives

RE: Odd scans and stuff bouncing off firewalls

From: Steve Vawter <svawter () sigma net>
Date: Tue, 13 Aug 2002 09:57:33 -0700

Another reason (other than using the numbers for cash) that I can see isthat they might better help decipher where an attack that made itthrough the filters came from. If you only have the few packets thatmade it through to use to backtrack to an attacker, it may be harder tofind them.

But, of course, without the right data filters, finding the pattern inthe chaos is near impossible sometimes...


-------- Original Message --------
Subject: Odd scans and stuff bouncing off firewalls
Date: Tue 8/13/2002 8:58 AM
From: Nexus [nexus () patrol i-way co uk]
To: incidents () securityfocus com

Just a quick straw poll to see if anyone has any hard data that supportsthe logging and analysis of traffic that bounces off of filtering devices as

part of a business security plan ? Other than generating attack metrics to

wave under the noses of senior managment at budget time, is there anydefinite _business_ requirement to have IDS sensors outside the firewallor firewall "drop" logs et al regularly examined in the context of"external" attack sources ?

"We defended against X bazillion hack attacks last year so we need abigger budget for more stuff.." BableFish (H2G2 version) : "Tons of portscans and worms from non accountable netblocks bounced off of the firewall"

I don't bother to chase anything from anywhere unless it makes itthrough the filters because I could care less and it would IMHO purelybe a time sink and even then only if it's from a netblock that has awhois abuse@

entry. As I said, this is purely my own view, on my own network knowing

the sheer amount of background radiation on the internet, so I wouldappreciate some other points of view.


Cheers.
----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service. Formore information on this free incident handling, management

and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, managementand tracking system please see: http://aris.securityfocus.com

Current thread:

RE: Odd scans and stuff bouncing off firewalls Steve Vawter (Aug 13)
- RE: Odd scans and stuff bouncing off firewalls Greg A. Woods (Aug 13)
- <Possible follow-ups>
- Re: Odd scans and stuff bouncing off firewalls Craig Billado (Aug 13)
- RE: Odd scans and stuff bouncing off firewalls Edwards, David (JTS) (Aug 14)