We have seen these from time to time. When we get them, they come in one
of two flavors: either someone pounding SMTP to try to use us as an open
relay or, more frequently, an attempt to DOS or hack us via FTP.

To help minimize (not eliminate) the impact, we have EXITs in place for
both SMTP and FTP. For SMTP, a forwarding attempt causes the EXIT to issue a
NETSTAT BLOCK for the IP address.

In the case of FTP, our EXIT checks for an attempt to use an ID of
ADMINxxx (and a collection of others). When that occurs, again ... NETSTAT
BLOCK the offending IP address.

And of course when the DOS is purely DOS, and the only signal is a
notification from TCPIP, we manually do a NETSTAT BLOCK for xxx.xxx.*

Of course, the last example catches an entire network, but only once have
we inadvertently stopped a legitimate site from being able to reach us.

The result doesn't always truly stop the offender, but it minimizes the
impact on TCPIP and, of course, on our security console activity.

> On Thu, 31 Jul 2008 08:27:43 -0500, Mike Walter <[EMAIL PROTECTED]>
> wrote:
>
>>Back on July 15, we experienced our first known Denial of Service
>> "attack"
>>(more likely a problem server).
>>I reported it to our Internet Security group including:
>>
>>From the nearly anonymous/invisible "TCPIP        MESSAGE" file in
>>TCPMAINT's reader:
>>---<snip>----
>>DTCUTI001E Serious problem encountered: 15:38:55 07/15/08
>>DTCUTI002E     A denial-of-service attack has been detected
>>---<snip>---
>
> Nearly invisible? They show up in my reader and have since I moved into VM
> Systems. Far from being anonymous/invisible, they are rather overly frequent.
>
> Since I have 20 (?) of those readers, I long ago arranged to forward SOME
> of these messages to my email address. The rest just go in a log file.
>
> Like you, we found the DOS came from our Information Security folks' server.
> (At least they didn't try to hide it -- there is an email address attached.)
> So far we haven't ever gotten a nastygram from these folks telling us we are
> insecure, but I have seen such emails addressed to others. Presumably that
> means VM does the right thing. Like others our VM systems are behind a
> firewall. But information security warns us that insiders are more of a
> threat than outsiders.
>
> Alan Ackerman
> Alan (dot) Ackerman (at) Bank of America (dot) com
>


Regards,

Tony Noto
Software Development Manager
Velocity Software, Inc
650/964-8867
http://www.velocitysoftware.com

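For readers who want to see the block decisions from Tony's post laid out end to end, here is an added example (not code from the post, from Velocity Software, or from z/VM TCP/IP itself; the real EXITs are written against the TCP/IP exit interfaces, not in Python). It models the three cases described above: a relay attempt on SMTP blocks the source host, an FTP login as ADMINxxx or a similar probe ID blocks the source host, and a bare DoS notification from TCPIP blocks the whole xxx.xxx.* network. The ADMINxxx pattern comes from the post; the other probe IDs, the local mail domain, the event records and the allow-list are constructed for the example. It also flags the caveat the post raises, namely that a network-wide block can take out a legitimate site, by checking the /16 against networks that must stay reachable. The NETSTAT BLOCK commands are rendered as text only, never executed.

```python
"""Sketch of the SMTP/FTP/DoS block policy described in the post (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Iterable

# Mail domains this host accepts mail for (constructed for the example).
LOCAL_DOMAINS = {"example.com"}

# FTP user IDs the exit treats as hostile probes. ADMINxxx comes from the
# post; ROOT/GUEST/TEST are assumed stand-ins for its unlisted "collection
# of others".
SUSPECT_ID_RE = re.compile(r"^(ADMIN[A-Z0-9]*|ROOT|GUEST|TEST)$", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    kind: str         # "SMTP_RCPT", "FTP_USER" or "TCPIP_DOS"
    src: str          # source IPv4 address
    detail: str = ""  # RCPT TO address for SMTP, user ID for FTP


@dataclass
class Blocker:
    # Networks that must stay reachable; a network-wide block overlapping one
    # of these is the collateral damage the post mentions (constructed list).
    allowlist: tuple = ()
    commands: list = field(default_factory=list)    # NETSTAT BLOCK text, in order
    collateral: list = field(default_factory=list)  # (blocked net, allowed net)

    def _emit(self, target: str) -> str:
        cmd = f"NETSTAT BLOCK {target}"
        if cmd not in self.commands:          # one command per target
            self.commands.append(cmd)
        return cmd

    def block_host(self, src: str) -> str:
        ipaddress.IPv4Address(src)            # reject garbage before it reaches a command
        return self._emit(src)

    def block_network(self, src: str) -> str:
        # The manual xxx.xxx.* block: the source's /16 in NETSTAT wildcard form.
        net = ipaddress.IPv4Network(f"{src}/16", strict=False)
        for allowed in self.allowlist:
            if net.overlaps(ipaddress.IPv4Network(allowed)):
                self.collateral.append((str(net), allowed))
        first, second, _, _ = str(net.network_address).split(".")
        return self._emit(f"{first}.{second}.*")


def is_relay_attempt(rcpt: str) -> bool:
    """True when RCPT TO names a domain we do not accept mail for."""
    _, sep, domain = rcpt.rpartition("@")
    if not sep:                               # bare local part: delivered locally
        return False
    return domain.lower() not in LOCAL_DOMAINS


def is_probe_login(user: str) -> bool:
    """True when the FTP user ID matches the ADMINxxx-style probe list."""
    return SUSPECT_ID_RE.match(user.strip()) is not None


def process(events: Iterable[Event], allowlist: Iterable[str] = ()) -> Blocker:
    """Apply the three rules from the post to a stream of events."""
    blocker = Blocker(allowlist=tuple(allowlist))
    for ev in events:
        if ev.kind == "SMTP_RCPT" and is_relay_attempt(ev.detail):
            blocker.block_host(ev.src)
        elif ev.kind == "FTP_USER" and is_probe_login(ev.detail):
            blocker.block_host(ev.src)
        elif ev.kind == "TCPIP_DOS":
            blocker.block_network(ev.src)     # only signal is the address itself
    return blocker


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    Event("SMTP_RCPT", "198.51.100.7", "ops@example.com"),          # local delivery, fine
    Event("SMTP_RCPT", "198.51.100.7", "victim@elsewhere.example"),  # relay attempt
    Event("FTP_USER", "203.0.113.44", "ADMIN01"),                    # probe ID
    Event("FTP_USER", "203.0.113.45", "ACCTG01"),                    # ordinary login
    Event("TCPIP_DOS", "192.0.2.130"),                               # DoS notification only
]

if __name__ == "__main__":
    result = process(SAMPLE_EVENTS, allowlist=["192.0.2.0/28"])
    for cmd in result.commands:
        print(cmd)
    for blocked, allowed in result.collateral:
        print(f"WARNING: {blocked} also covers allow-listed {allowed}")
```

Running it prints three commands (the relay host, the ADMIN01 host, and the 192.0.* network) plus a warning that the /16 block also covers the allow-listed 192.0.2.0/28, which is exactly the situation where the post's authors once cut off a legitimate site.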