[Snort-users] Route Null

Zymophideth zymophideth at ...125...
Mon Oct 28 13:02:04 EST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The best way to stop specific IPs without using an ACL is just to set up
a null device on your router and then route that address to the null
device. That way, any return traffic gets sent to the null device rather
than back to the Internet. Sure, this won't stop all attacks, but it will
stop any that require return traffic.

ip route 192.168.0.1 255.255.255.255 Null0 (or something to that effect;
I haven't had to do it in a while)

What's also good about this method is that you can still watch what the
attacker is doing and how your computers respond with Snort, without fear
of compromise. The attacker learns nothing, you learn everything;
effective and educational, you gotta love it.
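As an added example, not code from the original post or from anyone in this thread: the Python script below takes a list of attacker addresses (say, sources pulled out of Snort alerts), refuses anything that would be dangerous to blackhole (RFC1918 and other reserved space, your own prefixes, a fat-fingered /8), collapses adjacent /32s into one prefix so the route table stays small, and emits the IOS static-route form `ip route <address> <mask> Null0` together with the Linux equivalent `ip route add blackhole <prefix>`. The protected prefix list (including 192.0.2.0/24 standing in for "our own block") and the sample attacker list are constructed values.

```python
"""Generate null-route (blackhole) statements for attacker addresses.

Added example written for this page, not code from the original post. The
protected prefixes and the sample attacker list below are constructed values.
"""
import ipaddress

# Prefixes that must never be blackholed: RFC1918 and other reserved space,
# plus our own public block (assumed here to be 192.0.2.0/24, a constructed value).
NEVER_BLACKHOLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "192.0.2.0/24",            # our own address space (constructed)
)]
# Refuse anything wider than this; a mistyped prefix length would otherwise
# blackhole a large slice of the Internet.
MAX_WIDTH = 24


def plan_null_routes(candidates, protected=NEVER_BLACKHOLE, max_width=MAX_WIDTH):
    """Validate candidate attacker addresses/prefixes and aggregate the survivors.

    Returns (accepted, rejected): accepted is a sorted list of ip_network
    objects with adjacent /32s collapsed into one prefix; rejected is a list
    of (candidate, reason) pairs so the operator can see what was refused.
    """
    accepted, rejected = [], []
    for raw in candidates:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append((raw, "not an IP address or prefix"))
            continue
        if net.version != 4:
            rejected.append((raw, "IPv6 not handled by this example"))
            continue
        if net.prefixlen < max_width:
            rejected.append((raw, f"wider than /{max_width}"))
            continue
        hit = next((p for p in protected if net.overlaps(p)), None)
        if hit is not None:
            rejected.append((raw, f"overlaps protected prefix {hit}"))
            continue
        accepted.append(net)
    return list(ipaddress.collapse_addresses(accepted)), rejected


def ios_null_routes(nets, distance=None):
    """IOS-style static routes to Null0 (mask form; a /32 becomes 255.255.255.255).
    An administrative distance can be appended, as RTBH setups commonly do."""
    tail = f" {distance}" if distance is not None else ""
    return [f"ip route {n.network_address} {n.netmask} Null0{tail}" for n in nets]


def linux_blackhole_routes(nets):
    """Equivalent on a Linux router: a blackhole route drops without reply."""
    return [f"ip route add blackhole {n.with_prefixlen}" for n in nets]


# Constructed sample: addresses lifted from Snort alerts, including entries
# that must be refused (RFC1918, our own block, a fat-fingered /8, garbage).
SAMPLE_ATTACKERS = ["203.0.113.7", "203.0.113.6", "203.0.113.5", "203.0.113.4",
                    "198.51.100.77", "192.168.0.1", "192.0.2.9", "203.0.0.0/8",
                    "not-an-ip"]

if __name__ == "__main__":
    ok, bad = plan_null_routes(SAMPLE_ATTACKERS)
    print("\n".join(ios_null_routes(ok)))
    print("\n".join(linux_blackhole_routes(ok)))
    for raw, why in bad:
        print(f"refused {raw}: {why}")
```

Running it prints two `ip route ... Null0` lines (the four contiguous /32s have become one /30) plus the refusals, among them the thread's own 192.168.0.1, which is RFC1918 space and should never be the target of a blackhole on a border router. Two caveats on the technique itself that the post above does not spell out: a static route to Null0 only drops packets addressed to the attacker, so the attacker's inbound packets still reach your hosts (which is exactly what lets Snort keep watching); if you also want traffic from that source dropped on the way in, enable loose-mode uRPF on the ingress interface (`ip verify unicast source reachable-via any`), which discards packets whose source address routes to Null0 and is the basis of remotely triggered blackholing. And put `no ip unreachables` under `interface Null0`, otherwise the router answers every blackholed packet with an ICMP unreachable, which costs CPU and gives the attacker a signal.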


- -----Original Message-----
From: twig les [mailto:twigles at ...131...] 
Sent: Monday, October 28, 2002 10:32 AM
To: Justin Jessup; snort at ...7160...; jarret at ...7313...
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Action Recommendations


I worked at an ISP that blocked offending IPs at the
border.  It was an insane policy and resulted in Cisco
7500s with 99% CPU utilization because the acls were 6,000-10,000
lines each.  I wouldn't go down that road unless the attacking
IP/range is particularly nasty.


- --- Justin Jessup <jaager7 at ...741...> wrote:
> i believe SANS has such a database setup, with the most frequent abusive
> IP addresses listed
>
> jj
>
> Steve Suehring <snort at ...7160...> wrote:
> __________
> >On Sun, Oct 27, 2002 at 01:20:04PM -0500, Jarret Gibson wrote:
> >>    - Should I bother with reporting these security problems to the
> >>    offending person's ISP / office?  I've heard most of you say that
> >>    people rarely (if ever) do anything about the script kiddies /
> >>    hackers when you report them.
> >
> >I can't so much speak to the other questions in the email, but as far
> >as reporting goes, it depends on a few factors.
> >
> >I've found that three major factors come into play when reporting:
> >which ISP owns the IP space, what you're reporting, and what you
> >include in the report.
> >
> >First and foremost, it is unfortunate to say that it depends on which
> >ISP you report the activity to.  It appears that some ISPs absolutely
> >don't care what happens within their IP space.  This is the direct
> >result of the abuse department not having enough resources and in some
> >cases not having a clue.  I've found *and this is just my opinion* that
> >cable companies and telephone companies that now sell Internet are many
> >times lacking in both.
> >
> >Secondly, what you're reporting is also important.  The abuse
> >department receives massive amounts of email.  If you're reporting a
> >simple 'wrong number' type scan where someone typed in the wrong IP,
> >they're likely to not pursue it.  Again, this goes back to the abuse
> >department not having enough resources.
> >
> >Finally, what you include in the report is also important.  I've seen
> >a number of reports come in from people all over claiming that a
> >customer was doing something.  In fact, sometimes the report would say
> >just that: "one of your customers is doing something to my web server,
> >stop now!"  Obviously, there's lots we could do with a report like
> >that.  :)  If you include information such as logfiles, timezone, why
> >exactly this was bad or indicative of abuse, etc., your report would
> >have a better chance of being investigated.  This somewhat ties in with
> >the abuse department not having a clue and not having resources.
> >
> >Again, the ISP is the biggest factor in the process.  Some ISPs are
> >great at slapping users, others seem to have a blackhole abuse mailbox.
> >
> >One idea (that someone else has already had, I'm sure) would be to set
> >up a centralized site that contained an abuse reports database.  You
> >could then grab the list sorted by the top 10 subnets that the hijinx
> >originates from and block 'em.  Part of the database could contain
> >whether or not the activity was reported to the ISP and what they did
> >about it.  Correlating that information, it would become evident which
> >ISPs are attempting to do something about abuse from their IP space.
> >If this isn't out there already and there is some interest, I'd be
> >willing to look into it further.  I thought I saw something like this
> >on ISS or SANS or someone, I can't remember.
> >
> >Anyway, hope that helps to give you an idea on reporting things.
> >
> >Steve
> >
> >-------------------------------------------------------
> >This SF.net email is sponsored by: ApacheCon, November 18-21 in
> >Las Vegas (supported by COMDEX), the only Apache event to be
> >fully supported by the ASF. http://www.apachecon.com
> >_______________________________________________
> >Snort-users mailing list
> >Snort-users at lists.sourceforge.net
> >Go to this URL to change user options or unsubscribe:
> >https://lists.sourceforge.net/lists/listinfo/snort-users
> >Snort-users list archive:
> >http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
- -----------------------------------------------------------
Heavy metal made me do it.                        
- -----------------------------------------------------------

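Steve's list of what an abuse report needs (the log lines, the timezone they were recorded in, why the traffic was abusive) is easy to get wrong when assembled by hand. As an added example that is not part of any message in this thread, the Python script below parses Snort alert_fast lines from a sensor whose clock runs on EST, converts every timestamp to UTC, drops sources that triggered only a single alert (the 'wrong number' scan an abuse desk will not pursue) and renders one report section per offending source with the raw alert lines attached as evidence. The sample alert lines, the year (which the alert_fast format does not record) and the sensor timezone are constructed assumptions, as is the two-alert reporting threshold.

```python
"""Build an ISP abuse report from Snort alert_fast lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumptions for this example: the sensor's clock is on US Eastern Standard
# Time, and the alerts are from 2002 (alert_fast lines carry no year).
SENSOR_TZ = timezone(timedelta(hours=-5), "EST")
SENSOR_YEAR = 2002

# Constructed sample alerts in the style of Snort's alert_fast output.
SAMPLE_ALERTS = """
10/27-13:20:04.123456  [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:4321 -> 192.0.2.10:705
10/27-13:20:05.001122  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:4322 -> 192.0.2.10:22
10/27-13:21:17.500000  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:4400 -> 192.0.2.20:80
10/27-15:02:44.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.77 -> 192.0.2.10
""".strip().splitlines()

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, {proto}, src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(lines, year=SENSOR_YEAR, local_tz=SENSOR_TZ):
    """Parse alert_fast lines; each result keeps the raw line as evidence and
    carries the timestamp both as the sensor logged it and normalised to UTC."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:            # not an alert line, or a format this example skips
            continue
        local = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        local = local.replace(tzinfo=local_tz)
        a = m.groupdict()
        a["local"] = local
        a["utc"] = local.astimezone(timezone.utc)
        a["raw"] = line
        alerts.append(a)
    return alerts


def summarize(alerts, min_alerts=2):
    """Group alerts by source; keep only sources with at least min_alerts hits,
    so a one-off 'wrong number' probe never becomes a report."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    report = {}
    for src, hits in sorted(by_src.items()):
        if len(hits) < min_alerts:
            continue
        hits.sort(key=lambda a: a["utc"])
        targets = {f"{a['dst']}:{a['dport']}" if a["dport"] else a["dst"] for a in hits}
        report[src] = {
            "count": len(hits),
            "first_utc": hits[0]["utc"],
            "last_utc": hits[-1]["utc"],
            "signatures": sorted({f"{a['gid']}:{a['sid']} {a['msg']}" for a in hits}),
            "targets": sorted(targets),
            "evidence": [a["raw"] for a in hits],
        }
    return report


def utc_offset_label(tz):
    """Render a fixed-offset tzinfo as e.g. 'UTC-05:00' for the report header."""
    off = tz.utcoffset(None)
    sign = "-" if off < timedelta(0) else "+"
    hours, minutes = divmod(abs(off).seconds // 60, 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"


def render_report(report, local_tz=SENSOR_TZ):
    """Plain-text body for an abuse@ mailbox; the timezone is stated up front."""
    out = [f"All times below are UTC; the sensor logs in {local_tz.tzname(None)} "
           f"({utc_offset_label(local_tz)}) and the raw alert lines are in that local time."]
    for src, r in report.items():
        out.append("")
        out.append(f"Source: {src}  ({r['count']} alerts, "
                   f"{r['first_utc']:%Y-%m-%d %H:%M:%S} to {r['last_utc']:%Y-%m-%d %H:%M:%S} UTC)")
        out.append("Why this is abusive: " + "; ".join(r["signatures"]))
        out.append("Targets on our network: " + ", ".join(r["targets"]))
        out.append("Evidence:")
        out.extend("  " + line for line in r["evidence"])
    return "\n".join(out)


if __name__ == "__main__":
    print(render_report(summarize(parse_alerts(SAMPLE_ALERTS))))
```

With the sample input, 203.0.113.5 (three alerts, two of them a scan and a CodeRed probe) gets a report section with its first and last seen times converted from 13:20 EST to 18:20 UTC, while the single ICMP echo from 198.51.100.77 is dropped as noise. The evidence lines are left exactly as Snort wrote them so the abuse desk can match them against their own flow records; the header tells them how to convert.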





-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPb2dsRLyphRSVba5EQLDfQCgyOPwaNBY+/kUX6RydKy6CWt5Zx0An2u6
n2lqNQU821J2bKq3stV6hg04
=TFok
-----END PGP SIGNATURE-----



