This article discusses best practices for where to block an attack… the source or destination? Firewall administrators are taught to block nearest the source. System administrators are taught to block nearest the target. Let’s discuss this.
Firewall administrators sensibly want to block an attack nearest the attacker. This limits the disruption to the smallest possible scope. It wouldn’t make sense to let the attack extend further into the network than it needs to. For example, a DoS attack from location A to location D should be blocked at location B if possible. This technique becomes less effective with DDoS attacks, where the traffic comes from many sources rather than one. But we’ll come back to that in a moment.
System administrators use a different method. They use account management techniques such as disabling accounts to disrupt an attack. The problem with this approach is that it disrupts the target more than the attacker, who can simply switch to the next account on the system (if such information is known). Additionally, if the attacker wants to prevent a user on the target system from signing in and doing their work, they can… just cause the target’s account to become disabled and the objective is achieved.
The system administrator has other options. They can require MFA instead of locking the account in response to the attack. They can block the IP address of the attacker once multiple failed attempts have been made from it on one or more accounts. Both of these responses allow the legitimate user to continue using their account and to keep working as normal.
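The following is an added example, not code from the original article, that replays a constructed batch of authentication failures under the two target-side policies discussed above: classic per-account lockout versus blocking the source IP after repeated failures across any accounts, with MFA step-up as the non-locking alternative. The log format, usernames, IP addresses and thresholds are all assumptions made for the illustration.

```python
"""Replay failed logins under "lock the account" versus "block the source".

Added example, not from the original article. The log format, the
addresses, the usernames and the thresholds are constructed for
illustration only.
"""
import re
from collections import Counter

# Constructed sample (not a real log): one outside source, 198.51.100.7,
# trying one password against many accounts (a spray), while the
# legitimate user alice mistypes her password twice from her own
# workstation 10.0.0.5 and then gets it right.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z auth FAIL user=alice src=198.51.100.7
2024-05-01T08:00:02Z auth FAIL user=bob src=198.51.100.7
2024-05-01T08:00:03Z auth FAIL user=carol src=198.51.100.7
2024-05-01T08:00:04Z auth FAIL user=dave src=198.51.100.7
2024-05-01T08:00:05Z auth FAIL user=alice src=10.0.0.5
2024-05-01T08:00:06Z auth FAIL user=alice src=10.0.0.5
2024-05-01T08:00:07Z auth OK   user=alice src=10.0.0.5
2024-05-01T08:00:08Z auth FAIL user=erin src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the constructed log format into a list of event dicts, in order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def simulate(events, policy, threshold=3):
    """Replay events in order under one response policy.

    policy == "lock_account": after `threshold` failures on an account, every
        later attempt on that account is refused, whoever makes it.
    policy == "block_source": after `threshold` failures from a source IP,
        every later attempt from that IP is refused, whatever account it targets.

    Returns the list of (user, src) attempts the policy refused before the
    credential was even checked.
    """
    if policy not in ("lock_account", "block_source"):
        raise ValueError(f"unknown policy: {policy}")
    failures = Counter()
    denied = []
    for e in events:
        key = e["user"] if policy == "lock_account" else e["src"]
        if failures[key] >= threshold:
            denied.append((e["user"], e["src"]))
            continue
        if e["result"] == "FAIL":
            failures[key] += 1
    return denied


def mfa_step_up(events, threshold=3):
    """Non-locking target-side response: accounts that have reached the
    failure threshold are not disabled; they are flagged so the next
    successful password login must also pass MFA."""
    failures = Counter(e["user"] for e in events if e["result"] == "FAIL")
    return {user for user, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("lock_account refused:", simulate(evs, "lock_account"))
    print("block_source refused:", simulate(evs, "block_source"))
    print("accounts to step up to MFA:", mfa_step_up(evs))
```

Under `lock_account` the only attempt refused is alice's correct login from her own workstation: the attacker's single failure against her account plus her two typos reach the threshold, so the lockout does the attacker's work for them while the spray against bob, carol, dave and erin never trips any per-account counter. Under `block_source` the spraying address is cut off at its third failure and alice logs in normally; the MFA variant keeps alice's account open and simply asks her for a second factor.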
So the lesson is that system administrators should (and do) learn from the firewall administrators on how to respond to an attack. Simply locking the target account does the attacker’s dirty work for them: it disrupts the work of the target. That might be a pretty good second-place impact for the attacker.
So by blocking the source (the attacker) from successfully compromising or disrupting the target, the attacker is impacted and the user (worker) is able to go about their work. By blocking the user (the worker), the worker is not able to do their work and the attacker gets a prize, even if that wasn’t their primary objective.