Re: How do you fight an attack in progress?
Erik Van Riper (geek@midway.com)
Fri, 19 Sep 1997 10:09:58 -0700 (PDT)
- Next message: Donald R. Martin: "Spoofed Email"
- Previous message: Sandeep_Talwar@notes.pw.com: "Re: TIS FWTK"
- Maybe in reply to: Ken Roy: "TIS FWTK"
- Next in thread: Paul Ferguson: "Re: How do you fight an attack in progress?"
Grigorof, Adrian wrote:
>
> Hello everybody,
>
> As the subject line suggests, I'm interested to find out how you fight an
> attack in progress. Let's say that your firewall keeps sending you
> messages about a scan in progress or something similar. You have the IP
> address. You look up the domain, call the administrator that you found
> for that domain and get just a voice mail or a "number disconnected"
> message. Worst case: there is no domain associated with that IP address.
> The firewall keeps paging you and your adrenaline level grows
> exponentially.
>
> So, how do you Wizards deal with such situations?
I would pull the plug on the firewall.

Although I have never had to do it. So far, I have seen no problems
on the Gauntlet side; I see probes, but there is nothing to probe. :)

Years ago, while working at a .edu, I came across an attack in progress,
and I pulled the ethernet cable while killing processes (they were
removing a user account).

Make your job easier! Stick the WWW server on the outside of the
firewall, tcp-wrapper the hell out of it, and keep the current
working copy of the server pages inside the firewall. If someone
breaks in and puts in their own WWW pages, wipe the machine, lay down
a fresh OS, patch the hole(s), and stick your WWW site back on.

I am a bit BOFH'ish, and do not let the users do much (like IRC, etc.),
since there is really no reason in the first place for them to be doing
it at work, but also because there are too many holes associated with
many of those programs. This makes my job a lot easier. :)
--
Erik Van Riper (EV34)
Systems / Network Administrator
Midway Home Entertainment Inc.
San Diego, California
(619) 658 9500 (x110)
Go player.
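As an added example (not from Erik's post or the list), a small POSIX shell check for the "working copy inside the firewall" idea above: it hashes the trusted copy and the exposed web root and reports pages that were changed, added or removed, so a defacement is noticed before a visitor sees it. The directory layout and page contents are constructed for the demo.

```sh
#!/bin/sh
# Added example: compare an exposed web root against the trusted working
# copy kept inside the firewall. Paths and files below are constructed.

# build_manifest DIR : one "sha256  ./relative/path" line per file, sorted
build_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done )
}

# check_webroot GOLDEN LIVE : prints one MODIFIED/ADDED/MISSING line per
# difference; returns 0 when the live tree matches the golden copy, else 1
check_webroot() {
    golden="$1"; live="$2"; status=0
    gm=$(mktemp); lm=$(mktemp)
    build_manifest "$golden" > "$gm"
    build_manifest "$live" > "$lm"
    # diff lines look like "< <hash>  ./index.html"; field 3 is the path.
    # A changed file shows up twice (< and >), so sort -u collapses it.
    diff "$gm" "$lm" | grep '^[<>]' | awk '{print $3}' | sort -u | while read -r f; do
        if [ -f "$golden/$f" ] && [ -f "$live/$f" ]; then echo "MODIFIED $f"
        elif [ -f "$live/$f" ]; then echo "ADDED $f"
        else echo "MISSING $f"; fi
    done
    cmp -s "$gm" "$lm" || status=1
    rm -f "$gm" "$lm"
    return $status
}

# demo_setup : constructed golden copy plus a "defaced" live copy; echoes
# the temp directory that holds both trees
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/golden/img" "$d/live"
    printf '<h1>Welcome</h1>\n' > "$d/golden/index.html"
    printf 'GIF89a' > "$d/golden/img/logo.gif"
    cp -R "$d/golden/." "$d/live/"
    printf '<h1>Owned</h1>\n' > "$d/live/index.html"   # replaced page
    printf 'x' > "$d/live/hacked.html"                  # file the intruder added
    echo "$d"
}

d=$(demo_setup)
check_webroot "$d/golden" "$d/live"   # MODIFIED ./index.html, ADDED ./hacked.html
```

Run it from cron on the inside host against the exposed server's tree (copied back over rsh/ftp in 1997 terms, scp today) and page on a non-zero exit, not on every firewall probe.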
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:58 CDT