> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 28 September 2000 11:47 AM
> To: Firewalls Mailinglist
> Subject: Re: Counter Measures for a SMB logon.
>
>
> Thinking more along the line of a grenade behind the door.
>
>
> > Does anyone have some good counter measures for an SMB attack?
> >
> > The IP was listed as 195.128.157.67 with a domain name of VINT.
> >
> > And how could they get the login IDs with this approach?
> >
> > What program would they be using?
> > (This was systematic with a 4 second interval.)
> >
> > Alex
Hrmm, just an idea...
Anyone thought of a honeypot running SAMBA with 40,000 sids/usernames just
to bog them down?
I know on LAN it takes an awful long time to enumerate 10,000 odd, 40k
should be pretty painful :)
Similarly you could set up that same SAMBA to trigger (is there any way to
trigger an external event on a login etc?) - you could
spawn 100 smbclients to try and logon to the destination domain using the
names exchanged in the connection attempt.
Dunno, for stuff like 139 attempts it's not worth the effort of responding -
it's easy enough to block and you could spend forever trying to chase people
down for it. After all, if you listen on 139 you deserve to be probed and
br00ted :)
________.-~-.________
Ben Ryan
Network Engineer
Kiandra Systems Solutions Pty Ltd
Level 9, 455 Bourke Street
Melbourne, Vic. 3000
Australia
Cellphone - +61-(0)417-502-061
Work - +61-(0)3-9600-1639
Fax - +61-(0)3-9600-1656
email: - [EMAIL PROTECTED]
URL: - www.kiandra.com
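
The original question describes logon attempts arriving systematically at a 4 second interval. As an added example (not part of the original thread), here is one way to spot that kind of fixed pacing in logon records. The log format, addresses, usernames and thresholds are constructed assumptions, not output from Samba or any real tool.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records: "ISO-timestamp source-ip username result".
# This layout is an assumption for the example, not a real Samba/NT log format.
SAMPLE_LOG = """\
2000-09-28T03:10:00 192.0.2.10 administrator FAIL
2000-09-28T03:10:04 192.0.2.10 admin FAIL
2000-09-28T03:10:08 192.0.2.10 guest FAIL
2000-09-28T03:10:12 192.0.2.10 backup FAIL
2000-09-28T03:10:16 192.0.2.10 test FAIL
2000-09-28T03:10:20 192.0.2.10 operator FAIL
2000-09-28T09:01:10 198.51.100.7 jsmith FAIL
2000-09-28T09:01:12 198.51.100.7 jsmith FAIL
2000-09-28T09:01:52 198.51.100.7 jsmith FAIL
2000-09-28T09:06:52 198.51.100.7 jsmith FAIL
2000-09-28T09:07:07 198.51.100.7 jsmith FAIL
2000-09-28T09:07:30 198.51.100.7 jsmith OK
"""

def find_paced_guessing(log_text, min_attempts=5, max_jitter=1.0):
    """Return {source_ip: (failures, distinct_users, mean_gap_seconds)} for
    sources whose failed logons arrive at a near-constant interval."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "FAIL":
            continue  # skip malformed lines and successful logons
        ts, src, user, _ = parts
        failures[src].append((datetime.fromisoformat(ts), user.lower()))

    flagged = {}
    for src, events in failures.items():
        if len(events) < min_attempts:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        # A human mistyping a password produces irregular gaps; a scripted
        # guesser on a timer produces gaps with almost no spread.
        if pstdev(gaps) <= max_jitter:
            users = {u for _, u in events}
            flagged[src] = (len(events), len(users), mean(gaps))
    return flagged

if __name__ == "__main__":
    for src, (n, users, gap) in find_paced_guessing(SAMPLE_LOG).items():
        print(f"{src}: {n} failures, {users} usernames, every {gap:.1f}s")
```

A source flagged here is a candidate for the simple block on port 139 that the reply recommends.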