
Thread: Attacks!

  1. #21 (Senior Member, joined Jan 2003, 274 posts)
    Well....you've probably got an infected box acting as a zombie and it's spoofing the source address.

    How many machines do you have in the network?

  2. #22
    Let's see...guesstimate is we have 15-20 on the LAN. Running CA eTrust AV with automatic updates and realtime scanning as well (though I did catch some trojans slipping through into our server lately...not a big fan of CA for that matter...).

  3. #23 (AO Ancient: Team Leader, joined Oct 2002, 5,197 posts)
    Ahem....

    A couple of people in this thread have stated that multiple connection attempts from a single IP address are a "warning"..... Sorry, I disagree..... They indicate a script kiddie who will fail if you are patched and have decent security practices in place.

    The bright ones, (the ones you need to fear), know that hammering away at a target from the same IP address will get them noticed quicker than a cat at Crufts, (it's a _big_ dog show for the uninformed).

    Divide your logs into types of events and look for ongoing patterns of attack not attacks from a single IP. Look for escalation of attack type. Silly example: FTP anon login followed by FTP administrator login, then FTP admin attempt, then maybe a buffer overflow. The events may not be contiguous in the log because some other moron, (or even legitimate users), may be on at the same time but the series is what is important not the IP address.

    It's not easy, it takes time, and it's usually bloody boring..... But it's how you stop the serious threats.... The rest are dross if you keep up with the patches and threats and mitigate threats appropriately where no patches are available.

    "Zero day" you all say...... Yep, you're screwed.... But if your IDS is good and up to date you may catch something else that happens post attack that makes you think.... "Hmmm... How did that happen?". At which point you are beginning to win the battle.....

    Chasing IP addresses is a lot like peeing in your black pants..... It gives you a nice warm feeling but nobody notices.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
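The log-review approach in the post above (split the log into event types, then look for an escalating series rather than for one busy IP), as an added example that is not part of the original thread or any poster's code. The ftpd-style log lines are constructed for the illustration, the three-rung ladder (anonymous login, privileged-account login attempt, oversized command) is an assumed reading of the post's "silly example", and the function names are the example's own.

```python
import re

# Constructed sample log (not from the thread). One escalation chain is
# spread across three different source addresses and interleaved with
# ordinary user logins; the ftpd message format is an assumption.
SAMPLE_LOG = """\
2003-03-01 10:02:11 ftpd[1201]: ANONYMOUS FTP LOGIN FROM 203.0.113.7, anonymous
2003-03-01 10:02:40 ftpd[1202]: FTP LOGIN FROM 192.0.2.15, bob
2003-03-01 10:05:03 ftpd[1203]: FTP LOGIN FAILED FROM 203.0.113.7, administrator
2003-03-01 10:05:30 ftpd[1204]: FTP LOGIN FROM 192.0.2.20, alice
2003-03-01 10:07:12 ftpd[1205]: FTP LOGIN FAILED FROM 198.51.100.9, admin
2003-03-01 10:09:55 ftpd[1206]: ANONYMOUS FTP LOGIN FROM 192.0.2.30, anonymous
2003-03-01 10:11:02 ftpd[1207]: command too long from 198.51.100.44: SITE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

# Escalation ladder assumed from the post: anonymous login, then attempts on
# a privileged account, then something that looks like an overflow attempt.
STAGES = ["anon_login", "priv_login_attempt", "oversized_command"]
PRIV_USERS = {"administrator", "admin", "root"}

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) ftpd\[\d+\]: (?P<msg>.*)$")
IP_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})", re.IGNORECASE)


def classify(msg):
    """Map one ftpd message to a ladder stage; None means ordinary traffic."""
    m = msg.lower()
    if m.startswith("anonymous ftp login"):
        return "anon_login"
    if "login failed" in m:
        user = m.rsplit(",", 1)[-1].strip()
        return "priv_login_attempt" if user in PRIV_USERS else None
    if "command too long" in m:
        return "oversized_command"
    return None


def parse_log(text):
    """Keep only the lines that belong to a stage, in log order."""
    events = []
    for line in text.splitlines():
        hit = LINE_RE.match(line)
        if not hit:
            continue
        stage = classify(hit.group("msg"))
        if stage is None:
            continue
        ip_hit = IP_RE.search(hit.group("msg"))
        events.append({"ts": hit.group("ts"),
                       "ip": ip_hit.group("ip") if ip_hit else "?",
                       "stage": stage})
    return events


def count_by_stage(events):
    """'Divide your logs into types of events': how many of each stage."""
    counts = {}
    for ev in events:
        counts[ev["stage"]] = counts.get(ev["stage"], 0) + 1
    return counts


def find_escalations(events):
    """Walk events in time order and collect chains that climb the ladder one
    rung at a time. Source IP is deliberately ignored, and events that do not
    fit the next rung (repeats, other users' noise) are skipped rather than
    breaking the chain, so a series need not be contiguous in the log."""
    chains, current = [], []
    for ev in events:
        if STAGES.index(ev["stage"]) == len(current):
            current.append(ev)
        if len(current) == len(STAGES):
            chains.append(current)
            current = []
    return chains


def summarise(chain):
    """What happened, when, and from how many distinct addresses."""
    return {"stages": [ev["stage"] for ev in chain],
            "ips": sorted({ev["ip"] for ev in chain}),
            "first": chain[0]["ts"],
            "last": chain[-1]["ts"]}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(count_by_stage(evs))
    for chain in find_escalations(evs):
        print(summarise(chain))
```

Run as-is it reports one complete chain spanning two source addresses, which a per-IP count of connection attempts would never have tied together; the second anonymous login (192.0.2.30) and the repeated admin attempt are counted in the per-stage totals but left out of the chain because they do not advance it.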

  4. #24
    Hmm...gotcha. So in my case, I don't have much going on, just repeated "IP Spoof" logs from the same address that pop in every few hours or so, no other activity besides that, which makes me wonder if it's a false positive, but I'm not one in the know enough to determine that for sure yet.

    Which really, really makes me wish they'd let me have an actual IDS!
