Re: IPSEC not blocking specific IP address per Ethereal

From: Duane Arnold (Notme_at_Notme.com)
Date: 04/20/05

Date: Tue, 19 Apr 2005 22:47:53 GMT

"Alfredo" <alfredo@KILL_SPAM_megapath.net> wrote in message
news:4265364a.695734823@news.megapath.net...
> "T. Sean Weintz" <strap@hanh-ct.org> sez :
>
>>Alfredo wrote:
>>> it could be that ethereal is
>>> capturing the packets before IPSEC gets to block them
>>Yup. That is what's happening.
>
> Wait, that can't be it, because there's also the case of the flooding
> spammer trying to relay through me.
>
> I placed his IP on the same "block" list, and yet my SMTP inlog still
> shows his flood of email attempts *after* I put him on the IPSEC block
> list exactly like I did with the worm above. His packets are still
> getting through. This is an IPSEC issue.
>
> Can anyone see what I have done wrong in my IPSEC policy? I am getting
> overwhelmed with worms and spammers doing what amounts to a DOS attack
> on my server and I would like to stop them.
>

You put a router, a border device, in front of the machine and let it block the
attacks so that the machine doesn't have to use resources blocking the
attacks, slowing the machine down instead of doing more productive things. You can
get a router that can set rules to block a specified IP and block it at the
border. Even if you were able to set some IPsec rule and block things, it is
still going to require that the machine use unnecessary resources to
continue to block them, slowing the machine down while it's doing it.

The machine seems to be compromised and you need to focus on removing the
exploit or exploits ;-) from the machine and not try to block them with
IPsec. IPsec is just one part of the security solution and is not a be-all and
end-all solution. You have to help IPsec out by doing the right things in
your security setup for the machine.

You might also want to find out how to secure or *harden* the NT-based O/S
against attack. The information is out on Google or dogpile.com in the how-tos.

Duane :)
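One way to settle the question Alfredo raises (whether the SMTP log still shows the flooding host after the IPsec block went in) is to count log entries from that address after the block time, rather than trusting what Ethereal captures. This is an added example, not code from any poster; the log lines are constructed in an assumed W3C-style format (date, time, client IP, verb) and the block time is assumed.

```python
from datetime import datetime

# Constructed sample of an SMTP service log in W3C extended format.
# Assumed fields: date time c-ip cs-method cs-uri-stem. Not real data.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem
2005-04-19 21:58:03 192.0.2.77 RCPT -
2005-04-19 21:59:10 192.0.2.77 RCPT -
2005-04-19 22:05:41 198.51.100.9 HELO -
2005-04-19 22:11:02 192.0.2.77 RCPT -
2005-04-19 22:12:55 192.0.2.77 RCPT -
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    """Yield (timestamp, client_ip) per data line, skipping '#' directive lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, ip = line.split()[:3]
        yield datetime.strptime(f"{date} {time}", TIME_FMT), ip


def attempts_after_block(text, blocked_ip, block_time_str):
    """Count entries from blocked_ip logged at or after the block time.

    The SMTP service only logs a session it actually accepted, so a
    non-zero count means packets reached the service, regardless of
    what a sniffer on the same box shows.
    """
    block_time = datetime.strptime(block_time_str, TIME_FMT)
    return sum(1 for ts, ip in parse_log(text)
               if ip == blocked_ip and ts >= block_time)


def block_is_effective(text, blocked_ip, block_time_str):
    """True only if nothing from blocked_ip was logged after the block time."""
    return attempts_after_block(text, blocked_ip, block_time_str) == 0


if __name__ == "__main__":
    when = "2005-04-19 22:00:00"  # assumed time the block rule was applied
    n = attempts_after_block(SAMPLE_LOG, "192.0.2.77", when)
    print(f"{n} attempts from 192.0.2.77 after {when}; effective: {n == 0}")
```

Point it at the real log file and the real block time; a count that keeps climbing confirms the filter is not on the path the server sees, which is the case for blocking at a border device instead.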