
For the past days some script kiddie has been scanning our site with w3af and so


Question

For the past days some script kiddie has been scanning our site with w3af and some basic manual checks. Although I know the site is "secure" because I analyze it almost every day, I'm not perfect and some hole may be found.

I told my coordinator to block that IP, as he (the kid) is always attacking from the same IP, but my coordinator said that we can't do that because we don't know whether it's a static or dynamic IP, and he didn't want to prevent some legitimate user from accessing the site.

So what other alternative do we have to prevent the script kiddie from continuing to try to find something? A WAF is not possible.

Explanation / Answer

If there is no discriminating feature of the traffic that you can analyse for and block, and a WAF is not possible, then blocking the IP is your only real option. Your coordinator is correct in that blocking the IP could result in you locking out authentic traffic, so the question is whether the potential for loss from the hacking attempts is greater than the potential for loss from blocking the IP.

Put together some statistics of authentic and malicious connections from that IP. If you have lots of authentic compared to malicious, then it's not worth blocking it, as you're going to alienate your customer base; however, if it's mostly or all malicious, you have nothing to lose from blocking the IP and the case is strong.
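
One way to put together the statistics the answer asks for, as an added example that is not part of the original answer: it tallies normal versus scanner-like requests from a single IP in a web access log. The combined log format, the heuristics (a User-Agent containing "w3af", traversal or script markers in the path, 400/403/404 responses), the function names and the sample lines are all assumptions made for illustration.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format (assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Illustrative heuristics (assumptions): tune them to your own site and traffic.
SCANNER_UA = re.compile(r"w3af", re.I)  # only catches an unmodified User-Agent
PROBE_PATH = re.compile(r"\.\./|%2e%2e|<script|%3cscript|/etc/passwd", re.I)

def classify(entry):
    """Return why a request looks like scanning, or None if it looks normal."""
    if SCANNER_UA.search(entry["ua"]):
        return "scanner-user-agent"
    if PROBE_PATH.search(entry["path"]):
        return "probe-path"
    if entry["status"] in ("400", "403", "404"):
        return "client-error"  # over-counts: real users hit dead links too
    return None

def ip_stats(lines, ip):
    """Count normal vs. suspicious requests from one IP; skip unparseable lines."""
    reasons, total = Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ip"] != ip:
            continue
        total += 1
        reasons[classify(m.groupdict()) or "normal"] += 1
    suspicious = total - reasons["normal"]
    share = round(suspicious / total, 2) if total else 0.0
    return {"total": total, "suspicious": suspicious, "share": share,
            "reasons": dict(reasons)}

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2014:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "w3af.org"',
    '203.0.113.7 - - [10/Mar/2014:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 312 "-" "w3af.org"',
    '203.0.113.7 - - [10/Mar/2014:10:00:03 +0000] "GET /view.php?file=../../etc/passwd HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2014:10:05:00 +0000] "GET /backup.zip HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2014:18:30:00 +0000] "GET /products HTTP/1.1" 200 8300 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2014:18:31:00 +0000] "GET /products HTTP/1.1" 200 8300 "-" "Mozilla/5.0"',
    'not-a-log-line',
]

if __name__ == "__main__":
    print(ip_stats(SAMPLE_LOG, "203.0.113.7"))
```

Run it over several days of logs rather than a single scan window, since a shared or dynamic address can carry scanner bursts alongside ordinary browsing at other times. The per-reason breakdown shows whether the suspicious share comes from clear scanner markers or only from the noisier client-error rule.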