No announcement yet.

Counter measures for attacks

  • Filter
  • Time
  • Show
Clear All
new posts

  • Counter measures for attacks

    I am seeing some repeated ALERT events on our IPS firewall (Sonicwall). I'm seeing IP spoof dropped and possible port scan detected from the same IP addresses. Is it possible to contact the service provider of these IPs? I realize that the firewall is "doing its job" by alerting me and dropping these attacks, but should I take any further steps to protect our network from future spoofing and scans? Any suggestions would be greatly appreciated.

    Thank you,


  • #2
    Re: Counter measures for attacks

    You can report the offending ip address to the address block owner but it's doubtful they will do anything. Do a WHOIS lookup on the ip address to see who owns it.


    • #3
      Re: Counter measures for attacks

      I think it is well worth contacting the ISP of the offending account especially if you can send them the logs of the "attack". I had someone spend nearly 3 hours trying to hack the Administrator account on my FTP server (hehehe, no Administrator account ), sent the logs to the account holder's ISP and receive a nice email back saying they were looking into it.

      It was most likely not the account holder that initiated the attack but at least they would be contacted or maybe their machine disconnected until it could be cleaned up. Responsible ISP are starting to take these instances seriously and try and rectify an issue like this.
      Joined: 23rd December 2003
      Departed: 23rd December 2015


      • #4
        Re: Counter measures for attacks

        Port scans are quite common and it isn't something to worry about if you've placed a good firewall. If you need to report every port scan well... good luck. It will be a hell of a job. Better is to monitor this attack in question and see if he goes further then a scan only.

        Spoof messages can be an internal network conflict (eg vpn or badly designed network) so be aware of this before contacting the ISP. I've seen this multiple times. Also not really to worry about. Just monitor the connection in question if you like to.
        Technical Consultant

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"