TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Thanks for your comments and suggestions.
We have policy rules set up on our firewall. Traffic that doesn't meet the
rule base is dropped. The UDP port scans that I'm getting are mostly from
InterNIC root DNS servers such as
1. i.root-servers.net
2. c.root-servers.net
3. g.root-servers.net
4. dns5.cp.msft.net
These are just some examples of the sources hitting my firewall. My network
engine detects this traffic as UDP_Port Scan. I may have to create a filter
for this traffic. The thing is, there are lots of them. I don't think they are
valid UDP_Port scans from an intruder probing my network.
My procedure is that I respond to the source, sending email notifying them
of the scans.
The UDP_Port scan doesn't have RST_kill. There is not much you can do with
them.
-Jaime
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 12, 2000 8:18 PM
To: Fontelera, Jaime C.
Cc: [EMAIL PROTECTED]
Subject: Re: UDP Port Scan -reply
If your firewall rules are set correctly, as in DO NOT REPLY TO UDP
requests for certain services, one should be fine; the fact that you are
logging the event is good.
If you are allowing it past your external firewall, that is a different
problem altogether.
Refer to "Building Internet Firewalls" for an overview of various firewall
architectures, especially Chapter 8.
Setting up your firewall policy can vary based on the services that are
allowed from the internal user community out through the firewalls, versus
the external rules that allow external customers access to certain network
devices that are in your DMZ.
The big question: do you have an escalation plan documented on what to do
when certain events happen, like "more than 5 port scans, do something"?
In ISS RealSecure you can set the thresholds, and if the thresholds are met
you can issue an RS_KILL command to kill the entity that is attempting to
port scan you more than 5 times. Now, if each UDP port scan event is from
a different address but within the same IP address range, it is a little
easier to implement the previously mentioned statement. If you are
observing more than 5 UDP port scans from lots of different places,
generate an exception list, and build an ACL on your external router to
deny packets originating from the xxx.xxx.xxx.xxx IP address network range.
With this rule in place, the UDP port scans will no longer get past your
external router, since the packets will be dropped on the floor, therefore
allowing you to monitor valid "intrusion" attempts that may be creeping
into your network but could not be observed due to the "annoying UDP port
scan" attempts.
Please refer to the SANS briefing regarding how to prevent DDoS attacks
and how to implement different ACLs on various brand-name routers.
/mark
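The two pieces of advice in this thread (Jaime's plan to filter the known root DNS servers out of the UDP_Port Scan alerts, and Mark's suggestion to count scans per source range against a threshold, keep an exception list, and push an ACL to the external router) can be combined into one small triage script. The following is an added example written for this thread, not ISS RealSecure code or anything from either poster. It assumes a constructed log line format (`<date> <time> UDP_Port_Scan src=<ip> dst=<ip>`), maps the hostnames named above to placeholder addresses from documentation ranges rather than the real root-server addresses, and emits Cisco IOS-style `access-list` lines for any /24 that exceeds the threshold.

```python
"""Triage UDP_Port_Scan firewall events: suppress an exception list of known-good
sources, count the rest per /24, and emit a deny ACL for ranges over a threshold.
Added example for this thread; log format, address mapping and threshold are
constructed assumptions, not any vendor's format."""

import ipaddress
import re
from collections import Counter

# Constructed log format assumed for this example.
EVENT_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) UDP_Port_Scan src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

# Exception list: hosts named in the thread.  The addresses are PLACEHOLDERS
# from documentation ranges (RFC 5737), NOT the real root-server addresses.
# In practice, resolve each name and confirm the suppressed packets are DNS
# replies (UDP source port 53) to your own resolver before whitelisting.
EXCEPTIONS = {
    "i.root-servers.net": "192.0.2.1",
    "c.root-servers.net": "192.0.2.2",
    "g.root-servers.net": "192.0.2.3",
    "dns5.cp.msft.net": "192.0.2.4",
}
EXCEPTION_IPS = set(EXCEPTIONS.values())

THRESHOLD = 5  # "more than 5 port scans" from the same range triggers action

# Constructed sample log: four root-server "scans" (really replies), six events
# from hosts in one /24, two from a lone host, and one unrelated event.
SAMPLE_LOG = """\
2000-04-12 20:18:01 UDP_Port_Scan src=192.0.2.1 dst=10.0.0.5
2000-04-12 20:18:02 UDP_Port_Scan src=192.0.2.2 dst=10.0.0.5
2000-04-12 20:18:03 UDP_Port_Scan src=192.0.2.3 dst=10.0.0.5
2000-04-12 20:18:04 UDP_Port_Scan src=192.0.2.4 dst=10.0.0.5
2000-04-12 20:19:00 UDP_Port_Scan src=198.51.100.7 dst=10.0.0.5
2000-04-12 20:19:05 UDP_Port_Scan src=198.51.100.8 dst=10.0.0.5
2000-04-12 20:19:09 UDP_Port_Scan src=198.51.100.9 dst=10.0.0.5
2000-04-12 20:19:14 UDP_Port_Scan src=198.51.100.7 dst=10.0.0.5
2000-04-12 20:19:20 UDP_Port_Scan src=198.51.100.8 dst=10.0.0.5
2000-04-12 20:19:27 UDP_Port_Scan src=198.51.100.10 dst=10.0.0.5
2000-04-12 20:30:00 UDP_Port_Scan src=203.0.113.200 dst=10.0.0.5
2000-04-12 20:31:00 UDP_Port_Scan src=203.0.113.200 dst=10.0.0.5
2000-04-12 20:32:00 TCP_Connect src=203.0.113.201 dst=10.0.0.5
"""


def parse_event(line):
    """Return the fields of one UDP_Port_Scan line, or None for anything else."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def acl_lines(ranges, acl_number=101):
    """Cisco IOS-style deny entries (network + wildcard mask) for each /24.
    A real ACL also needs the permits you want after these, since the
    implicit final entry denies everything."""
    out = []
    for r in ranges:
        net = ipaddress.ip_network(r)
        out.append(f"access-list {acl_number} deny udp "
                   f"{net.network_address} {net.hostmask} any")
    return out


def summarize(log_text, exceptions=EXCEPTION_IPS, threshold=THRESHOLD):
    """Count events per source /24 (skipping the exception list) and flag
    ranges that exceed the threshold."""
    per_range = Counter()
    suppressed = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        src = ev["src"]
        if src in exceptions:
            suppressed[src] += 1      # known-good source: log it, don't count it
            continue
        # Aggregate per /24 so scans from many hosts in one range add up.
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        per_range[str(net)] += 1
    flagged = sorted(n for n, c in per_range.items() if c > threshold)
    return {"per_range": per_range, "suppressed": suppressed,
            "flagged": flagged, "acl": acl_lines(flagged)}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("suppressed:", dict(result["suppressed"]))
    print("per range: ", dict(result["per_range"]))
    print("flagged:   ", result["flagged"])
    for entry in result["acl"]:
        print(entry)
```

Run as-is, the script suppresses the four placeholder root-server entries, counts six events in 198.51.100.0/24 (over the threshold) and two in 203.0.113.0/24 (under it), and prints a single deny entry for the flagged range. Aggregating by /24 is the simplest reading of Mark's "different address but within the same IP address range"; widen or narrow the prefix to taste, and review every flagged range by hand before it reaches a router, since an over-broad deny blocks legitimate traffic too.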
"Fontelera, Jaime C." <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
04/04/00 09:56 AM
To: "ISSForum (E-mail)" <[EMAIL PROTECTED]>
cc:
Subject: UDP Port Scan
I get UDP port scans on my firewall at least 5 times a day. How does one respond
to a probe?
Any suggestions?
Thanks,
Jaime