Subject: Re: Simultaneous Attacks
From: Richard Bejtlich (bejtlichALTAVISTA.NET)
Date: Tue Jul 11 2000 - 05:14:28 CDT


Hello Harlan,

I agree with your desire to protect your machine with
BlackICE, but you may wish to reconsider your defensive
posture. I could spend most of my free time reporting
reconnaissance or intrusion attempts on my cable segment,
but it's not worth it. That's my day job, and even there
we must concentrate on high-end events.

Unfortunately, I believe over-zealous probe reporting may
be occupying far too much ISP "abuse desk" and (generic)
CERT time. Rather than concentrating on serious events,
ISPs have to sort through messages describing decoy probes
from non-existent hosts, etc.

I believe intrusion detection carries some responsibility
to use the information to the advantage of the information
assurance community. It would be quite easy to stress the
community to the breaking point if thousands or hundreds of
thousands of well-meaning but misinformed users bombarded
ISPs and CERTs with dead-end reports.

Richard Bejtlich

--

Today I have detected three simultaneous intrusions into my computer. I report ALL intrusions and expect maximum penalties.

I am using the BlackICE program.

Record(s) from Attack-list.csv follow, date and time are GMT:

59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 64.232.4.242, , 24.161.11.47, , port=12345&name=NetBus, 6, A
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 23.23.23.23, , 24.161.11.47, , port=12345&name=NetBus, 6, A
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 24.24.24.24, tmp1-3218.twcny.rr.com, 24.161.11.47, , port=12345&name=NetBus, 6, A

It looks like an attempt to gain access by crashing my computer. The IP 23.23.23.23 is apparently unassigned in the European area. It would be interesting to know how widespread this attack was and who was really behind it.

Harlan S. Barney, Jr.
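
An added triage example, not part of either message above: it collapses the three quoted records into one finding and flags that several sources probing the same port on the same target in the same second is consistent with the decoy probes the reply mentions, so the source addresses are not reliable enough to report individually. The column names and the `min_sources` threshold are assumptions inferred from the layout of the quoted records, not taken from BlackICE documentation.

```python
import csv
from collections import defaultdict
from io import StringIO

# The three records quoted in the message above, one per line.
SAMPLE = """\
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 64.232.4.242, , 24.161.11.47, , port=12345&name=NetBus, 6, A
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 23.23.23.23, , 24.161.11.47, , port=12345&name=NetBus, 6, A
59, 2000-07-06 23:59:50, 2003103, NetBus port probe, 24.24.24.24, tmp1-3218.twcny.rr.com, 24.161.11.47, , port=12345&name=NetBus, 6, A
"""

# Assumed column names (hypothetical, inferred from the records themselves).
FIELDS = ["severity", "time", "issue_id", "issue", "src_ip", "src_name",
          "dst_ip", "dst_name", "params", "count", "flag"]

def parse(text):
    """Parse attack-list style lines into dicts, skipping blank or malformed lines."""
    rows = []
    for rec in csv.reader(StringIO(text), skipinitialspace=True):
        if len(rec) != len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, (f.strip() for f in rec))))
    return rows

def triage(rows, min_sources=2):
    """Collapse events sharing (time, issue, target, params) into one finding each."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["time"], r["issue_id"], r["dst_ip"], r["params"])].append(r)
    findings = []
    for (time, _issue_id, dst, _params), evts in sorted(groups.items()):
        sources = sorted({e["src_ip"] for e in evts})
        findings.append({
            "time": time,
            "issue": evts[0]["issue"],
            "dst_ip": dst,
            "sources": sources,
            # Same second, same port, same target, different sources:
            # treat the source addresses as possibly spoofed decoys.
            "possible_decoys": len(sources) >= min_sources,
        })
    return findings

if __name__ == "__main__":
    for f in triage(parse(SAMPLE)):
        note = ("source addresses unreliable, one report at most"
                if f["possible_decoys"] else "single source")
        print(f["time"], f["issue"], "->", f["dst_ip"], f["sources"], note)
```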