RE: Help me

• Previous message: Monty Ree: "anyone who saw this arp traffic?"
• In reply to: Tran Nguyen Vu: "Help me"
• Next in thread: Mitchell Rowton: "Re: Help me"
• Reply: Mitchell Rowton: "Re: Help me"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "'Tran Nguyen Vu'" <tran.vunguyen@gmail.com>, <security-basics@securityfocus.com>
Date: Thu, 24 Feb 2005 11:59:27 -0800

As a double check of what your ISP says, you could use MRTG to determine
what kind of bandwidth your router is seeing.

Additionally, you could enable logging on your router to determine what /
who /when these attacks are happening.

Further (although I'm not that familiar with ISA ) doesn't ISA have the
capability to log what it drops ?

-----Original Message-----
From: Tran Nguyen Vu [mailto:tran.vunguyen@gmail.com]
Sent: Monday, February 21, 2005 3:20 AM
To: security-basics@securityfocus.com
Subject: Help me

Dear all,
I have a problem and i dont know how to explain.
Last month, my ISP give our company a report about the capacity download and
upload, It was about 47GB.
The problem is my isa server has logged at about 7GB data down/upload.
When I asked them explain this great unequal capacity they said that
although My isa firewall prevented almost requests from the untrust network
(so this request was not included in capacity logfile and only 7GB was
allowed),their server logged all requests to my router and firewall from the
other local Loop . It mean, there are 40GB data of requests that not
except (attack, scan ping ...) in a month.
So I make some caculation, every second, there are 16035 byte attack (I call
"attack" because I was not allowed.
Everybody help me explain this situation. I know, A request does not have
big capacity and my ISA server was not logged any attack!

Please help me. (sorry because of my english!)
Thanks in advance.

• Previous message: Monty Ree: "anyone who saw this arp traffic?"
• In reply to: Tran Nguyen Vu: "Help me"
• Next in thread: Mitchell Rowton: "Re: Help me"
• Reply: Mitchell Rowton: "Re: Help me"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Why is ISA letting outside clients into DHCP and WINS? ... ISA is not a router and would not route from the outside to the inside. ... ISA will not pass such requests from the outside to the inside unless the ... DHCP requests are done by broadcasting and broadcasts do not cross ... (microsoft.public.isa) Re: Web Chaining - Ausgehender Port für SSL ... den isa, weil du ihre browserkonfigurationen angepasst hast. ... somit schickt dein isa die requests an den squid und bittet jenen ... auseinandernimmt und je nach Aufbau an den entsprechenden Port ... Also bekommt der upstream-Proxy das nur auf die entsprechenden Ports ... (microsoft.public.de.german.isaserver) Re: Web Chaining - Ausgehender Port für SSL ... isa, weil du ihre browserkonfigurationen angepasst hast. ... somit schickt dein isa die requests an den squid und bittet jenen wiederum ... dass der ISA auf Port 80 ein HTTP-Connect an den Squid stellt.. ... Also bekommt der upstream-Proxy das nur auf die entsprechenden Ports ... (microsoft.public.de.german.isaserver) [Full-disclosure] RE: RLA ("Remote LanD Attack") ... if the router of my internet provider has ACL's to deny ... and the LAND attack no longer works. ... hping2 on Comcast Cable connection behind Linksys Router ... (Full-Disclosure) Re: ISA configuration question ... - create a certificate that uses either the name or IP of the ISA web proxy listener (depends on how you want the clients to ... - configure the web proxy listener to listen for SSL connections and choose the port you want ... For clients that support secure communication directly with ISA Server, ... > I'm referring to web proxy requests. ... (microsoft.public.isa.configuration)