Re: Block Attacker showing wierd name - not just IP...

From: Tony Su (anonymous_at_discussions.microsoft.com)
Date: 03/05/04 

Date: Thu, 4 Mar 2004 22:38:00 -0800

I have seen this with only one ISA in the "array."

I wonder if the attack comes fast enough so that ISA is
not able to respond fast enough it might appear like
multiple blocks are created at once for the same IP
address?

I personally believe the BlockAttacker script has value
that goes beyond the normal IDS defenses...

- Although I don't know for sure, intuitively I feel that
it likely takes more processing to evaluate an attack than
to simply block all communications from that IP address
- IDS is purely defensive. Although it will drop packets
when a possible attack is perceived, it does nothing to
discourage the attacker. I feel alot better if in response
to a port scan <everything> is then denied to the
attacker. In other words, rattle just one lock and now
you're denied everything. I don't want the hacker trying
different locks in turn looking for a weakness.

Tony Su

>-----Original Message-----
>It means you have the script running on more than one ISA
in an array and both instances of the script are trying to
create
>identical packet filters.
>This is yet another example of why using this script as
a "think for me" mechanism is a bad idea.
>Think about it:
>1 - the script is fired from an "intrusion detected"
alert action
>2 - if the alert fired, ISA already blocked the traffic
>
>Since ISA is already blocking the traffic it
deems "invasive", adding a PF to block what was already
blocked only adds rule
>processing time to ISA default behavior.
>
>Solution:
>1 - ditch the script
>2 - delete the PF it created
>3 - start using a log analysis tool to see what's really
an "attack" and what isn't. Mark Burnett has a good
article on how you can
>do that here:
> http://www.securityfocus.com/infocus/1712
>--
> Jim Harrison [ISASE]
> Read the help, books and articles!
>
> This posting is provided "AS IS" with no warranties, and
confers no rights.
>
>
>"darthbaggins" <spam?@nothanks.com> wrote in message
news:OqVa2dFAEHA.692@TK2MSFTNGP11.phx.gbl...
>What does it mean when, instead of just an IP address,
block attacker
>displays the IP address followed by hex codes in the
following pattern:
>{11A1A1A1-1111-1A11-11AA-1AA1AA1AA11A} ?
>
>I noted this all relative to a single IP but with about
20 or so different
>variations on the same code. The name is the only thing
that changes, the
>actual IP under the properties is still the same.
>
>Thanks in advance.
>
>
>
>
>.
>

Relevant Pages

  • Re: Block Attacker showing wierd name - not just IP...
    ... There is no way the script can properly evaluate the traffic because it doesn't exist by the time the script runs. ... I wonder if the attack comes fast enough so that ISA is ... >2 - if the alert fired, ...
    (microsoft.public.isa)
  • RE: Help me
    ... you could enable logging on your router to determine what / ... Further (although I'm not that familiar with ISA) doesn't ISA have the ... allowed),their server logged all requests to my router and firewall from the ... except (attack, scan ping ...) in a month. ...
    (Security-Basics)
  • Firewall-1 and ISA D.o.S.
    ... Check Point was not able to reproduce this attack ... a special situation: a firewall that accepts ... packets to port 80 with the SYN flag. ... In the case of Microsoft ISA Server I have been ...
    (Vuln-Dev)
  • Re: Publishing ftp server
    ... if the attack "fits" one of the attack profiles ISA is built to look ... Understanding the ISA 2004 Access Rule Processing ... Microsoft Internet Security & Acceleration Server: Partners ... Microsoft ISA Server Partners: Partner Hardware Solutions ...
    (microsoft.public.isa.publishing)
  • RE: ISA Server or Firewall Appliance?
    ... There is a clear distinction between "under attack" and "compromised". ... Security Platform Group (ISA SE) ... ISA Server or Firewall Appliance? ... " The only last point I'd make is that I'd be hesitant in deploying ISA ...
    (Focus-Microsoft)