Block Attacker Script

Block Attacker Script - 21.May2004 5:39:00 PM   
_Trip

 

Posts: 14
Joined: 6.Apr.2004
From: Appleton, WI
Status: offline
The Block Attacker Script that was written for ISA 2000 looks exactly like what I need. Does ISA 2004 have something internal that you can set up to block an attacker? Or is it something I should attempt to "Re-Script"?

I'm working on the script now, but will stop if there is something "built-in".

Thanks,

-Tim
Post #: 1
RE: Block Attacker Script - 21.May2004 6:48:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tim,

Jim actually took that script down because of the problems it creates. People end up with 100,000 bogus entries from the spoofed attacks and then all sorts of problems result. If you're getting DoS'd, the only place to stop them is at the ISP's fat pipe.

HTH,
Tom

(in reply to _Trip)
Post #: 2
RE: Block Attacker Script - 26.May2004 5:08:00 PM   
Jim Harrison

 

Posts: 271
Joined: 5.May2001
From: Redmond, WA
Status: offline
Here's what you need to do with that script:

1 - delete it from any drive where it exists
2 - format that hard drive where you deleted the script
3 - get wipedisk and run it on the hard drive you formatted
4 - take a large degaussing device and leave it plugged in overnight on the hard drive you wiped
5 - beg, buy or borrow a 25-pound sledgehammer and flatten the degaussed hard drive
6 - find a metal recycling source and watch as they shred the flattened hard drive.
7 - repeat for all devices that ever held this script.

HTH,
Jim

(in reply to _Trip)
Post #: 3
RE: Block Attacker Script - 26.May2004 5:46:00 PM   
_Trip

 

Posts: 14
Joined: 6.Apr.2004
From: Appleton, WI
Status: offline
I'm very confused now. I have written a Block Attacker script and used it successfully to block any "specific" attack on my 2004 server.

Perhaps the problem with the script is that it was for 2000? In ISA 2004, I can assign the block script to "Any intrusion" or specific ones. I wouldn't assign it to "spoofed" or DoS attacks.

I've been testing with nessus and it works beautifully every time! 3 minutes into a scan and the attacker is blocked completely. I had to include some exclusions because my internal network server(s) were "all-port scanning" the firewall, but it's very slick.

The pain was in adding computers to a "ComputerSet". The docs on the api really stink...

Could either of you clarify why this might be so bad to run? Is there an attack I should attempt that might show me what you are talking about?

Thanks!

-Tim
(If you would like to view the script and how I implemented it, please let me know)

(in reply to _Trip)
Post #: 4
RE: Block Attacker Script - 30.May2004 2:21:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tim,

The problem isn't with the scripting itself; it's that since many "attacks" are using spoofed addresses, you end up blocking legit addresses and doing nothing to the actual attacker.

HTH,
Tom

(in reply to _Trip)
Post #: 5
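
The trade-off discussed in posts #2, #4 and #5, as an added example that is not part of the original thread and is not the ISA script itself: a block-every-source policy compared with one that skips spoofable alert types, honours exclusions, and caps and expires its entries. The alert names, addresses, limits and the `GuardedBlockList` class are assumptions made for illustration, and the sample alerts are constructed.

```python
from ipaddress import ip_address, ip_network

# Assumed alert names for illustration; these are not ISA Server's own identifiers.
SPOOFABLE_ALERTS = {"ip_spoofing", "syn_flood"}

class GuardedBlockList:
    """Auto-block list that refuses the inputs the thread warns about."""

    def __init__(self, exclusions, max_entries=1000, ttl_seconds=3600):
        self.exclusions = [ip_network(n) for n in exclusions]
        self.max_entries = max_entries
        self.ttl_seconds = ttl_seconds
        self.entries = {}  # source address -> expiry timestamp

    def handle_alert(self, alert_type, source, now):
        # Drop expired entries so the list cannot grow without bound.
        self.entries = {ip: exp for ip, exp in self.entries.items() if exp > now}
        if alert_type in SPOOFABLE_ALERTS:
            return "skipped: source address is not trustworthy"
        if any(ip_address(source) in net for net in self.exclusions):
            return "skipped: excluded network"
        if source not in self.entries and len(self.entries) >= self.max_entries:
            return "skipped: block list full"
        self.entries[source] = now + self.ttl_seconds
        return "blocked"

def naive_block(alerts):
    """Block every alert source, with no filtering."""
    return {source for _type, source in alerts}

def constructed_alerts():
    """Constructed sample: a spoofed flood, one real scanner, one internal server."""
    flood = [("syn_flood", f"198.51.100.{i}") for i in range(1, 255)]
    flood.append(("syn_flood", "203.0.113.10"))  # a legitimate partner's address, forged
    scan = [("port_scan", "192.0.2.55")] * 3     # assumed to scan from its real address
    internal = [("port_scan", "10.0.0.5")]       # internal server probing the firewall
    return flood + scan + internal

def run_guarded(alerts, now=0):
    blocklist = GuardedBlockList(exclusions=["10.0.0.0/8"])
    for alert_type, source in alerts:
        blocklist.handle_alert(alert_type, source, now)
    return blocklist

if __name__ == "__main__":
    alerts = constructed_alerts()
    print(len(naive_block(alerts)), "addresses blocked by the naive policy")
    print(sorted(run_guarded(alerts).entries), "blocked by the guarded list")
```

On the constructed input the naive policy blocks every forged address, the partner and the internal server included, while the guarded list holds only the scanner.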
RE: Block Attacker Script - 8.Jun.2004 7:33:00 AM   
Jim Harrison

 

Posts: 271
Joined: 5.May2001
From: Redmond, WA
Status: offline
That script was written to illustrate the use of environment variables created during alerts by ISA 2000.
Unfortunately, it became the de-facto "standard" for the most misused piece of code ever written.

(in reply to _Trip)
Post #: 6
