Stopping ip range scans

2003-12-29 Thread william


 Recently (this year...) I've noticed an increasing number of ip range scans
of various types that involve one or more ports being probed for our
entire ip blocks sequentially. At first I attributed all this to various
windows viruses, but I did some logging with callbacks soon after to
origin machine on ports 22 and 25) and a substantial number of these scans
are coming from unix boxes. I'm willing to tolerate some random traffic
like dns (although why would anybody send dns requests to ips that never
ever had any servers on them?), but scans on random ports of all my ips -
that I consider to be a serious security issue and I'm getting tired of it
to say the least (not to mention that it's a drain on resources as for example
routers have to answer and try to route all the requests or answer back
that they could not).
  So I'm wondering what are others doing in this regard? Is there any
router configuration or possibly intrusion detection software for linux
based firewall that can be used to notice as soon as this random scan
starts and block the ip on a temporary basis? Best would be some kind of way
to immediately detect the scan on the router and block it right there...
Any people or networks tracking this down to perhaps alert each other?
Any people or networks tracking this down to perhaps alert each other?

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]



Re: Cachibility analysis software ?

2003-12-29 Thread Miquel van Smoorenburg

In article [EMAIL PROTECTED],
Yu Ning [EMAIL PROTECTED] wrote:

> Hi nanog,
>
> Can anyone tell me is there any tool to analyze if a web site is
> cachable?
> Or how much content in a given site is cachable?

Go to http://www.ircache.net/ and click on the cachability checker
link in the left navigation menu.

Mike.
-- 
When life hands you lemons, grab the salt and pass the tequila.


Re: Stopping ip range scans

2003-12-29 Thread Chris Brenton

On Mon, 2003-12-29 at 06:47, [EMAIL PROTECTED] wrote:
>  Recently (this year...) I've noticed an increasing number of ip range scans
> of various types that involve one or more ports being probed for our
> entire ip blocks sequentially.

You're lucky. I've been watching this slowly ramp up for the last 10.
;-)

> At first I attributed all this to various
> windows viruses, but I did some logging with callbacks soon after to
> origin machine on ports 22 and 25) and a substantial number of these scans
> are coming from unix boxes.

Since no one (to my knowledge) has ever been arrested or sued over a
port scan, there is nothing holding back the script kiddies from doing
them at will. Heck, check the archives here and you will find a number
of posts where various people feel this is legitimate and justifiable
activity. 

>  I'm willing to tolerate some random traffic
> like dns (although why would anybody send dns requests to ips that never
> ever had any servers on them?)

Simplicity. It's easier to write a scanner that just hits every and/or
random IPs rather than troll to look for legitimate name servers. That
and the unadvertised ones are more likely to be vulnerable anyway.

>   So I'm wondering what are others doing in this regard? Is there any
> router configuration or possibly intrusion detection software for linux
> based firewall that can be used to notice as soon as this random scan
> starts and block the ip on a temporary basis?

Check out Bill Stearns' Firebricks project:
http://www.stearns.org/firebricks/

Basically, these are plug-in rule sets for iptables. The three you are
interested in are ban30, checksban and catchmapper. If you want a little
less overhead, you can use catchmapreply. Also, the bogons module might
be interesting for an ISP environment. Note that the plength module
implements some of the fragment size limitations I was querying this
group about a few weeks back. :)

>  Best would be some kind of way
> to immediately detect the scan on the router and block it right there...
> Any people or networks tracking this down to perhaps alert each other?

Check:
http://www.dshield.org/

I *think* Johannes has even added the ability to query based on AS.

HTH,
C




RE: Stopping ip range scans

2003-12-29 Thread william

On Mon, 29 Dec 2003, Abdullah Hameed Sheikh wrote:

> There are two types of network: Enterprise and Service Provider.
I kind of have both types. I call them unmanaged and managed. For certain
ip blocks (always larger than /24) all traffic is passing through a linux
firewall with multiple vlans & ethernet ports to be able to accommodate
multiple customers at the same time. I'd like to at least stop this scan
for everything behind the firewall. Would be best if I stop it for the entire
network too, but that is just a wish and I did not see any easy way to do
it using cisco configuration, and modifying access lists every minute is
probably not too interesting (here I again get reminded of the cooperative
bgp filtering draft I worked on for bogons with Michael, Rob & Joren, see
 http://arneill-py.sacramento.ca.us/draft-py-idr-redisfilter-01.txt
I'll have to wait until it's part of the OS to try something for scan prevention...).

> The job of the service provider is very simple. Just provide plain
> Internet connectivity.
The above is true if you're a very plain network provider. Some of us do
more than just simple internet connectivity services...

> if the traffic is destined to an IP which is
> in my network, it is considered legitimate traffic. )
The problem is these are random scans, the traffic is going to ips that
are not used and never were. They're clearly random sequential scans.

> But it can block your legitimate traffic as well.
I've thought about it and the way I see it - if somebody is scanning me,
it's not legitimate traffic to me and a big potential security risk. So if
the same ip hits within a fraction of a sec 2 or 3 sequential ip addresses on
some monitoring device, it seems ok to me if it's blocked for the next 10 minutes
(but not permanently). I don't think any legitimate traffic would be lost
in this case. (Note: definition of legitimate varies from network to
network and from one person to another).

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]
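Added example (editor's, not William's code and not from any tool named in the thread): the heuristic in the post above, one source hitting 2 or 3 consecutive addresses within a fraction of a second gets blocked for 10 minutes and then released, written as a small stateful detector in Python. The thresholds, the record format and the addresses (RFC 5737 documentation prefixes) are constructed for the demo; on a real firewall the `observe()` verdict would drive an iptables or ACL insert with the same expiry.

```python
# Added example, not from the thread: William's heuristic as a stateful
# detector. A source that hits SEQ_HITS consecutive destination addresses
# inside WINDOW_SEC is blocked for BLOCK_SEC and then released on its own.
# Thresholds and addresses are constructed for the demo.
from collections import defaultdict, deque
import ipaddress

SEQ_HITS = 3        # consecutive destinations that count as a scan
WINDOW_SEC = 0.5    # "within a fraction of a second"
BLOCK_SEC = 600     # 10 minutes, not permanent


class SequentialScanDetector:
    def __init__(self, seq_hits=SEQ_HITS, window=WINDOW_SEC, block=BLOCK_SEC):
        self.seq_hits = seq_hits
        self.window = window
        self.block = block
        self.recent = defaultdict(deque)   # src -> deque of (ts, dst as int)
        self.blocked_until = {}            # src -> timestamp the block expires

    def is_blocked(self, src, now):
        expiry = self.blocked_until.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked_until[src]    # the block lapses by itself
            return False
        return True

    def observe(self, ts, src, dst):
        """Feed one inbound packet; return True if src should be dropped now."""
        if self.is_blocked(src, ts):
            return True
        hits = self.recent[src]
        hits.append((ts, int(ipaddress.ip_address(dst))))
        while hits and ts - hits[0][0] > self.window:
            hits.popleft()                 # forget hits older than the window
        if self._sequential_run(hits):
            self.blocked_until[src] = ts + self.block
            hits.clear()
            return True
        return False

    def _sequential_run(self, hits):
        # An unbroken run of seq_hits consecutive addresses, ascending or
        # descending; repeats to the same address (retransmits) collapse.
        dsts = sorted({d for _, d in hits})
        run = 1
        for a, b in zip(dsts, dsts[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= self.seq_hits:
                return True
        return False


def run_demo():
    """Replay constructed traffic; returns (src, dropped?) for each record."""
    det = SequentialScanDetector()
    records = [  # (timestamp, src, dst), all constructed
        (100.00, "192.0.2.7", "198.51.100.10"),    # scanner walking our block
        (100.05, "203.0.113.5", "198.51.100.25"),  # ordinary client, one server
        (100.10, "192.0.2.7", "198.51.100.11"),
        (100.20, "192.0.2.7", "198.51.100.12"),    # third consecutive address: block
        (100.30, "192.0.2.7", "198.51.100.13"),    # dropped while blocked
        (101.00, "203.0.113.5", "198.51.100.25"),
        (120.00, "192.0.2.9", "198.51.100.40"),    # slow walker, one hit a second:
        (121.00, "192.0.2.9", "198.51.100.41"),    #   never three inside the window
        (122.00, "192.0.2.9", "198.51.100.42"),
        (700.25, "192.0.2.7", "198.51.100.14"),    # ten minutes later: released
    ]
    return [(src, det.observe(ts, src, dst)) for ts, src, dst in records]


if __name__ == "__main__":
    for src, dropped in run_demo():
        print(f"{src:12} {'DROP' if dropped else 'pass'}")
```

The slow walker in the demo shows the trade-off William mentions: a scanner that paces itself slower than the window is never caught by this rule, and lengthening the window raises the chance of catching a legitimate client that talks to neighbouring addresses.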



Re: Stopping ip range scans

2003-12-29 Thread william


BTW - By my tests it appears I'm being scanned by unix hosts between 500 
to 1000 times per day! I don't know, maybe it seems a low number for some 
of you, but I'm not at all happy about it.

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]



African porn dialers, civil war and networks

2003-12-29 Thread Eric Kuhnke
Forwarded from the Risks digest (www.risks.org)



Date: Sun, 21 Dec 2003 19:37:31 +
From: Patrick O'Beirne [EMAIL PROTECTED]
Subject: GuineTel seeks ways of clamping down on scam fraud
By Brian King, Balancing Act's News Update 188 (21 Dec 2003)
http://www.balancingact-africa.com
Phantom Calls

In 2003, Terri Lockwood of Indianapolis, Indiana received a phone bill with
hefty charges for calls to Guinea-Bissau, a West African country she had
never heard of, and much less had reason to call.  When she disputed the
charges, the American operator ATT told her that the calls were genuine,
and that she or someone in her house must have called, or accessed an adult
entertainment site on the Internet. The intruder was a program that had
slipped unnoticed onto the family computer, and reconfigured the connection
to dial a number in Guinea-Bissau (code 245).
The number, however, does not officially exist. The national operator, the
regulatory body, and the International Telecommunications Union all agree
that the number dialed from Terri Lockwood's computer is not programmed
within the territory of Guinea-Bissau. Communications infrastructure of the
country, furthermore, could not conceivably support the graphic-intensive
content production and broadcast of many adult entertainment sites.  For the
last few years the national operator Guine Telecom has been concerned with
repairing basic telephony infrastructure damaged in a devastating civil war.
At the beginning of this year Guine Telecom had no new cables to repair its
network, no wires to install phones for clients, and approximately 50,000
people on waiting lists.  This is not a company receiving revenue from a
brisk adult entertainment business, legitimate or not, apparently conducted
in its name.
The History

In 1989 the Government of Guinea-Bissau cemented a strategic partnership
with Marconi (now part of the Portugal Telecom group). All international
traffic to and from Guinea-Bissau would run through Marconi in Portugal.
Marconi was also given the right to open and maintain bank accounts abroad
in the name of Guine Telecom.
Critics of the company say that management of the company became
increasingly chaotic and untransparent.  Around 1996 Portugal Telecom
managers set up a bank of computers at the earth station to receive
pornographic calls from abroad. The calls were received at Guine Telecom and
were immediately transmitted back without entering the national network.
The practice reportedly generated significant new traffic to Guinea-Bissau,
and the added revenue funded new investments in infrastructure.
On June 7, 1998 a failed coup d'état tipped the country into civil war; key
infrastructure (such as the earth station) was destroyed and in the midst of
it the bank of audiotext (read 'phone sex') computers.
After their departure in 1998 Portugal Telecom began withholding settlement
payments for international calls terminating in Guinea-Bissau, and has
continued to do so.
A journalist from the major Spanish newspaper El País confirmed a so-called
"epidemic" of calls to Guinea-Bissau from Spain, appearing on the bills of
people who had no relationship with the country. In all these instances the
Spanish operator Telefonica responded that the calls were genuine.
Around the same time, a dissatisfied Spanish pornography consumer actually
called Guine Telecom to complain about the service. Technical Director Malam
Fati was alerted, and so discovered for himself the existence of a number of
web pages advertising live pornographic video. The pages appear to be
designed to target particular countries; all are linked to a home page at
www.sexhotel.com.  The pages offer 'free' access to live pornographic video
without requiring credit card information. Interested viewers need only to
call a number on the screen (dialing instructions from each country are
included), to receive a password. These access numbers bear the (245)
international code, but the regional codes are not assigned within the
territory of Guinea-Bissau.
For the rest of this story, go to:
  http://www.balancingact-africa.com
Patrick O'Beirne, Systems Modelling Ltd., Gorey, Co. Wexford, Ireland.
+353 55 22294


Re: Stopping ip range scans

2003-12-29 Thread haesu

[.. SNIP ..]

> The problem is these are random scans, the traffic is going to ips that
> are not used and never were. They're clearly random sequential scans.

In this particular case, null-routing your aggregate is your friend. Or get a
sink hole and suck down all the !traffic to it. Please, it's the internet. Port
scans are nothing out of the ordinary.

-James


-- 
James Jun (formerly Haesu)
TowardEX Technologies, Inc.
1740 Massachusetts Ave.
Boxborough, MA 01719
Consulting, IPv4 & IPv6 colocation, web hosting, network design & implementation
http://www.towardex.com  | [EMAIL PROTECTED]
Cell: (978)394-2867  | Office: (978)263-3399 Ext. 170
Fax: (978)263-0033   | AIM: GigabitEthernet0
NOC: http://www.twdx.net | POC: HAESU-ARIN, HDJ1-6BONE


Re: Stopping ip range scans

2003-12-29 Thread jlewis

On Mon, 29 Dec 2003 [EMAIL PROTECTED] wrote:

>  Recently (this year...) I've noticed an increasing number of ip range scans
> of various types that involve one or more ports being probed for our
> entire ip blocks sequentially. At first I attributed all this to various

What ports are being probed?  SOP for script kiddies for at least 10 years 
has been find a box you can hack root on, install a vulnerability scanner 
for the remote-root vulnerability du jour, fire it up, and come back in a
day or so to see what you've found.  Then hack the newly found vulnerable 
boxes, install the scanner on each of them, and repeat the process.  Some 
of these packages have done things like download the .com zone (back when 
F allowed this) and scan all NS's for bind vulnerabilities.  Others just 
pick a random IP and scan sequentially higher IPs.  More recently, some 
packages have combined the scanning and hacking.

If you don't want the scans, block everything you don't want at your
router.  Otherwise, just make sure your systems are up to date.  A common
OS with unpatched known remotely exploitable holes doesn't last long on an
unfiltered internet connection.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|  
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Automated Network Abuse Reporting

2003-12-29 Thread Jason Lixfeld
We're a small company but nonetheless are inundated with firewall
logs reporting numerous attempts to find holes in our network; c'est la 
vie.  Seeing as how we are small, we don't have the resources to go 
through and send emails off to the abuse departments of each network 
sourcing the probes.  Question is:  Has there been development of some 
sort of intelligent unix land app that can understand Cisco syslog 
output, find the abuse departments of the sourcing networks and send 
them off a nice little FYI?
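Added example (editor's, not Jason's and not any existing product): the first half of what the post asks for, a small Python script that understands Cisco IOS access-list log messages (`%SEC-6-IPACCESSLOGP`) out of a syslog file, aggregates denied hits per source, and drafts a plain-text summary. It deliberately stops there; finding the abuse contact and deciding whether to send anything is left to a person. The log lines are constructed with RFC 5737 documentation prefixes, and the reporting thresholds are assumptions.

```python
# Added example, not from the thread: parse Cisco IOS IPACCESSLOGP syslog
# lines, aggregate denied hits per source, and draft a per-source summary
# for a human to review. Log lines and thresholds are constructed.
import re
from collections import defaultdict
from dataclasses import dataclass, field

# IOS logs each ACL hit as e.g.
# "%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.7(4123) -> 198.51.100.10(135), 1 packet"
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed syslog excerpt: one source sweeping six addresses on tcp/135,
# one single denied ssh attempt, and one unrelated IOS message.
SAMPLE_LOG = """\
Dec 29 09:04:10 rtr1 1201: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.7(4123) -> 198.51.100.10(135), 1 packet
Dec 29 09:04:10 rtr1 1202: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.7(4124) -> 198.51.100.11(135), 1 packet
Dec 29 09:04:11 rtr1 1203: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.7(4125) -> 198.51.100.12(135), 1 packet
Dec 29 09:04:11 rtr1 1204: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.7(4126) -> 198.51.100.13(135), 1 packet
Dec 29 09:04:12 rtr1 1205: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.7(4127) -> 198.51.100.14(135), 1 packet
Dec 29 09:04:13 rtr1 1206: %SYS-5-CONFIG_I: Configured from console by console
Dec 29 09:09:10 rtr1 1207: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.7(4128) -> 198.51.100.15(135), 3 packets
Dec 29 09:09:30 rtr1 1208: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(51022) -> 198.51.100.25(22), 1 packet
"""


@dataclass
class SourceSummary:
    lines: int = 0                         # log lines seen for this source
    packets: int = 0                       # packet counts summed (IOS aggregates)
    dsts: set = field(default_factory=set)
    dports: set = field(default_factory=set)


def parse_acl_line(line):
    """Return the fields of an IPACCESSLOGP message, or None for other syslog."""
    m = ACL_RE.search(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Aggregate denied hits per source address."""
    per_src = defaultdict(SourceSummary)
    for line in log_text.splitlines():
        rec = parse_acl_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        s = per_src[rec["src"]]
        s.lines += 1
        s.packets += int(rec["count"])
        s.dsts.add(rec["dst"])
        s.dports.add(int(rec["dport"]))
    return dict(per_src)


def worth_reporting(summary, min_dsts=5, min_packets=20):
    """Keep sources that swept several addresses or sent real volume; a
    single denied packet is noise nobody wants mailed to them (thresholds
    are assumptions, tune to taste)."""
    return {src: s for src, s in summary.items()
            if len(s.dsts) >= min_dsts or s.packets >= min_packets}


def draft_report(src, s):
    """Plain-text FYI for a person to check before looking up any contact."""
    return (f"Source {src}: {s.packets} packet(s) over {s.lines} log line(s), "
            f"{len(s.dsts)} destination address(es), ports {sorted(s.dports)}")


if __name__ == "__main__":
    for src, s in worth_reporting(summarize(SAMPLE_LOG)).items():
        print(draft_report(src, s))
```

With the constructed log only the sweeping source clears the threshold; the single denied ssh packet is dropped on the floor, which is the kind of filtering the replies below argue for.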



Re: Automated Network Abuse Reporting

2003-12-29 Thread Stephen Miller

try LogDog to act on the syslog data...it sends all syslog log files through a
pipe and scans for specific data...then you can email the complete message to
anyone. It can have a negative performance impact depending on the number of
sustained syslog logs being generated...but I used it on a system receiving
syslog logs from over 200 routers and didn't see any issues. Of course
syslog-ng can also do this...but I found logdog easier to implement. Not
sure how you can automate the abuse email address?? You can specify a perl
script from within the logdog conf file that could do a dig on the ip address
from the source address...but that's just me thinking out loud. I think
you'll find many programs out there that can do this...both commercial and
opensource...but you'll need to do some customization.

steve


On Monday 29 December 2003 09:04 am, Jason Lixfeld wrote:
> We're a small company but nonetheless are inundated with firewall
> logs reporting numerous attempts to find holes in our network; c'est la
> vie.  Seeing as how we are small, we don't have the resources to go
> through and send emails off to the abuse departments of each network
> sourcing the probes.  Question is:  Has there been development of some
> sort of intelligent unix land app that can understand Cisco syslog
> output, find the abuse departments of the sourcing networks and send
> them off a nice little FYI?



Re: Automated Network Abuse Reporting

2003-12-29 Thread Etaoin Shrdlu

Jason Lixfeld wrote:
>
> ...Has there been development of some
> sort of intelligent unix land app that can understand Cisco syslog
> output, find the abuse departments of the sourcing networks and send
> them off a nice little FYI?

With rare exceptions, I'd say don't bother, even if you do come up with
such a thing. I've actually sent off two in the past week, which is my
normal total for the month (any month). One was to a machine that was
aggressively testing identd (and starting to annoy me) on every machine in
my netblock (it's little, but it's mine).

The other was more interesting. A tool that had been used to attack imap
servers earlier this year has apparently been modified to hit FTP instead.
The common bond is the user name lizdy, which is only one of the multiple
of names attempted. If you're curious, hit google with the words (lizdy
ftp), and you'll come up with a few machines already hit by it. One of the
machines that hit was an NT machine in a block that had an actual abuse
dept, and I thought the owner would probably want to know. I got a nice
response back, and I'd bet that it was probably taken care of. The others
were also owned, but out of networks where I know that they just won't
care. Pity there's no way to let the owner of the machine know, but that's
just life.

A nice little FYI will just be adding to the brownian motion of the
internet as we know it today. On those rare cases where you have the time,
and are sure of the target, of course, send something off. Just please
don't automate it.

Oh, and I no longer have an internet facing FTP server (that tool hits
about 200-400 times in less than 5 seconds...really abusive).

--
Open source should be about giving away things voluntarily. When
you force someone to give you something, it's no longer giving, it's
stealing. Persons of leisurely moral growth often confuse giving with
taking.-- Larry Wall


Re: Automated Network Abuse Reporting

2003-12-29 Thread Joel Jaeggli

if you automate abuse reporting you can basically assume that the receiver
will automate abuse handling. since that has in fact happened as far as I
can tell the probability of your automated abuse replies ever reaching a
human who cares or can do something about it is effectively zero.

joelja

On Mon, 29 Dec 2003, Jason Lixfeld wrote:

>
> We're a small company but nonetheless are inundated with firewall
> logs reporting numerous attempts to find holes in our network; c'est la
> vie.  Seeing as how we are small, we don't have the resources to go
> through and send emails off to the abuse departments of each network
> sourcing the probes.  Question is:  Has there been development of some
> sort of intelligent unix land app that can understand Cisco syslog
> output, find the abuse departments of the sourcing networks and send
> them off a nice little FYI?
>

-- 
-- 
Joel Jaeggli   Unix Consulting [EMAIL PROTECTED]
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2




Re: Stopping ip range scans

2003-12-29 Thread Perry E. Metzger


[EMAIL PROTECTED] writes:
>  Recently (this year...) I've noticed an increasing number of ip range scans
> of various types that involve one or more ports being probed for our
> entire ip blocks sequentially. At first I attributed all this to various
> windows viruses, but I did some logging with callbacks soon after to
> origin machine on ports 22 and 25) and a substantial number of these scans
> are coming from unix boxes. I'm willing to tolerate some random traffic
> like dns (although why would anybody send dns requests to ips that never
> ever had any servers on them?), but scans on random ports of all my ips -
> that I consider to be a serious security issue

It isn't a serious security issue.

> and I'm getting tired of it to say the least

Then turn off your logging of it. I quit paying attention to scans
MANY years ago, when they started happening more than once an hour. In
an era where a honeypot will be attacked minutes after being put on
the net, scans are as interesting to report as litter at a landfill.

> (not to mention that it's a drain on resources as for example
> routers have to answer and try to route all the requests or answer back
> that they could not).

Drain on resources? I bet if you actually calculate the cost in
dollars of answering the scans per year, it is probably smaller than
the amount you are paid in a few minutes. The time you've spent
thinking about it has been the biggest drain on your company's
resources.

>   So I'm wondering what are others doing in this regard?

Most people I know are ignoring scans. There is no other rational
course to take. People will twist your doorknobs, and if you pay
attention every time they do, you'll go mad. You can't possibly block
every host on the net trying it, and some are even doing it for
perfectly legitimate purposes like mapping the network or trying to
figure out if one of your users has been infected with a virus or some
such.

In any case, there are huge numbers of infected and compromised
machines out there doing this. You'd have to black hole most of the
net to stop it. I don't see what the point is. You won't make your
machines more secure by pretending you could block scans. Sure, you
can waste your time and money trying to stop that, but I'd suggest you
simply spend that time actually making your machines more secure
instead of adding Potemkin security like blocking scans.

I've seen many people complain about such things in the past, and then
it turns out they don't even have all their Windows servers patched
properly and they aren't doing any ingress filtering so their machines
can happily send forged packets all over the net. Fix your actual
security problems first -- worry about window dressing later if at
all.

By the way, the most sophisticated attackers are scanning using
techniques that don't trigger IDS systems, like doing random walks of
the port space in thousands of blocks at once from large numbers of
scan hosts -- any given CIDR block only sees the occasional packet,
and they don't have nice signatures like being sequential and from the
same initiating address. Taken to extreme levels, you will never catch
such people. Spend your time fixing security holes on your net instead.

-- 
Perry E. Metzger[EMAIL PROTECTED]


Re: Automated Network Abuse Reporting

2003-12-29 Thread Doug Luce

When we get something that looks automated, we send back a reply saying
"We received this, if you'd like us to take action, please have a human
reply."

I've been thinking of instead having them send us a cryptographic hash of
their message, saying that we MUST have all such notifications validated.
I'd give them the URL to some page that would provide the hash, of course.

Doug


On Mon, 29 Dec 2003, Joel Jaeggli wrote:

>
> if you automate abuse reporting you can basically assume that the receiver
> will automate abuse handling. since that has in fact happened as far as I
> can tell the probability of your automated abuse replies ever reaching a
> human who cares or can do something about it is effectively zero.
>
> joelja
>
> On Mon, 29 Dec 2003, Jason Lixfeld wrote:
>
> >
> > We're a small company but nonetheless are inundated with firewall
> > logs reporting numerous attempts to find holes in our network; c'est la
> > vie.  Seeing as how we are small, we don't have the resources to go
> > through and send emails off to the abuse departments of each network
> > sourcing the probes.  Question is:  Has there been development of some
> > sort of intelligent unix land app that can understand Cisco syslog
> > output, find the abuse departments of the sourcing networks and send
> > them off a nice little FYI?
> >
>
> --
> --
> Joel Jaeggli Unix Consulting [EMAIL PROTECTED]
> GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2





Re: Automated Network Abuse Reporting

2003-12-29 Thread Brian Bruns

On Monday, December 29, 2003 11:24 AM [GMT-5=EST], Joel Jaeggli
[EMAIL PROTECTED] wrote:

> if you automate abuse reporting you can basically assume that the receiver
> will automate abuse handling. since that has in fact happened as far as I
> can tell the probability of your automated abuse replies ever reaching a
> human who cares or can do something about it is effectively zero.


Most likely, automated abuse reports will be treated like abuse reports from
users with those lovely software firewalls that whine all the time that their
ISP's nameserver is trying to hack them on port 53 (IE: thrown in with the
rest of the reports in the round filing cabinet on the floor next to the
desk).

I refused to accept automated abuse reports of probes or similar when I was an
ISP netadmin.

Portscans/pingscans/etc are not illegal (and I've seen this successfully proven
in court at least once).  They are illegal if you use them to bring down
someone's machine though.

Basically, if I were you, I'd turn your firewall's sensitivity WAY down and
only track events that are obviously attempts to hack.


-- 
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org

The AHBL - http://www.ahbl.org



Re: Automated Network Abuse Reporting

2003-12-29 Thread Richard A Steenbergen

On Mon, Dec 29, 2003 at 08:24:16AM -0800, Joel Jaeggli wrote:
>
> if you automate abuse reporting you can basically assume that the receiver
> will automate abuse handling. since that has in fact happened as far as I
> can tell the probability of your automated abuse replies ever reaching a
> human who cares or can do something about it is effectively zero.

It's difficult to sort out legitimate complaints for port scanning.
Consider that the vast majority of such complaints a provider receives,
particularly automated ones (groan), are just flat out wrong or stupid (or
both).

For example: "Your web server is hacking my web browser on port 80", or
"Why are you probing me with UDP packets on port 53 from this host named
NS1...", but usually stated with far more capital letters, misspellings,
profanity, and threats to sue or report your web server to the
authorities because it dared to respond to their port 80 connection. :)

Things only seem to get worse when you actually try to have a halfass team
of people respond to these. Usually the victim is someone who gets a syn
flood from random sourced addresses, correctly responds with RSTs, and
ends up being accused of port scanning due to the backscatter hitting some
random military IP address. Anyone with a reasonable amount of experience 
should be able to look at any of the detailed packet logs and clearly see 
the very obvious patterns which indicate the differences between 
legitimate port scans, backscatter, or classic spoofed source syn floods. 
But they never do, even when they claim to be highly experienced and in 
positions of power. For many providers, getting a threatening e-mail from 
a government agency will result in someone being turned off, even if they 
have done nothing wrong.

Recently I saw someone running an online gaming service who experienced
this in the other direction. The attacker set his IP as the source, and
directly fired off millions of packets to random destinations. Not only
was there a direct DoS effect due to all the RST coming in, but over the
course of 48 hours he received THOUSANDS of angry calls, many complaints
to his provider, and even several death threats.

-- 
Richard A Steenbergen [EMAIL PROTECTED]   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
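Added example (editor's, not Richard's code): the three patterns he says an experienced eye should pick out of a packet log, a genuine port scan, backscatter from a spoofed-source SYN flood aimed at somebody else, and a spoofed-source SYN flood aimed at you, separated in Python using only TCP flags and a record of which connections your own hosts initiated. The packet records, the thresholds and the addresses (RFC 5737 documentation prefixes) are constructed; a real deployment would take the records from a flow or packet log and the outbound-SYN set from connection tracking.

```python
# Added example, not from the thread: sort an inbound packet log into
# scan / backscatter / SYN-flood using TCP flags plus a record of the
# connections we ourselves opened. Records and thresholds are constructed.
from collections import defaultdict


def classify(packets, outbound_syns, scan_min_targets=5, flood_min_sources=50):
    """
    packets:       inbound records (src, sport, dst, dport, flags) where flags
                   is a set such as {"SYN"} or {"SYN", "ACK"} or {"RST"}.
    outbound_syns: set of (our_ip, remote_ip, remote_port) we initiated.
    Returns the sources that look like scanners, the sources whose replies
    are unsolicited backscatter, and the (dst, dport) pairs being flooded.
    """
    targets = defaultdict(set)        # src -> {(dst, dport)} for inbound SYNs
    flood_sources = defaultdict(set)  # (dst, dport) -> {src} for inbound SYNs
    backscatter = set()
    for src, sport, dst, dport, flags in packets:
        if "SYN" in flags and "ACK" not in flags:
            # A connection attempt: one source to many targets is a scan,
            # many sources to one target is a flood.
            targets[src].add((dst, dport))
            flood_sources[(dst, dport)].add(src)
        elif "RST" in flags or ("SYN" in flags and "ACK" in flags):
            # A reply. If we never sent the SYN it answers, our address was
            # forged as the source of a flood against `src`: `src` is a
            # victim correctly answering, not a scanner.
            if (dst, src, sport) not in outbound_syns:
                backscatter.add(src)
    return {
        "scan": {s for s, t in targets.items() if len(t) >= scan_min_targets},
        "backscatter": backscatter,
        "syn_flood_targets": {t for t, s in flood_sources.items()
                              if len(s) >= flood_min_sources},
    }


def build_sample():
    """Constructed inbound traffic for one edge, plus our own outbound SYNs."""
    packets = []
    # 1. A scanner walking ten of our addresses on tcp/135.
    for i in range(10):
        packets.append(("192.0.2.7", 40000 + i, f"198.51.100.{10 + i}", 135, {"SYN"}))
    # 2. Backscatter: SYN-ACKs and a RST from a web server we never contacted.
    for i in range(3):
        packets.append(("203.0.113.9", 80, "198.51.100.5", 50000 + i, {"SYN", "ACK"}))
    packets.append(("203.0.113.9", 80, "198.51.100.5", 50003, {"RST"}))
    # 3. A legitimate SYN-ACK answering a connection we did open.
    packets.append(("203.0.113.50", 443, "198.51.100.5", 51000, {"SYN", "ACK"}))
    # 4. Spoofed-source SYN flood: sixty "different" sources, one target.
    for i in range(60):
        packets.append((f"203.0.113.{100 + i}", 1024 + i, "198.51.100.80", 80, {"SYN"}))
    outbound_syns = {("198.51.100.5", "203.0.113.50", 443)}
    return packets, outbound_syns


def run_demo():
    packets, outbound = build_sample()
    return classify(packets, outbound)


if __name__ == "__main__":
    for label, members in run_demo().items():
        print(f"{label}: {sorted(members)}")
```

The point of the outbound-SYN set is the one Richard makes: a host that answers a forged SYN with RST or SYN-ACK is behaving correctly, and only the absence of a matching outbound SYN on the receiving side tells backscatter apart from a probe.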


Re: Stopping ip range scans

2003-12-29 Thread John R. Levine

My router is set up to send me daily reports of IP addresses that hit
the port 137-139 block more than 1000 times a day.  The sources are
all over the place, including a lot of IANA reserved address space
that Sprint and my ISP should be filtering upstream, but a lot of the
scans are from hosts on my ISP's network that I know are consumer DSL.

My working assumption is that these are worms looking for new hosts to
attack.  When I have time, I tell the ISP about the local ones so they
can tell their customer to fix it, otherwise I don't bother.

So long as you have reasonable router filters, port scans are an
annoyance but not a security issue.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 330 5711
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, 
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail


Re: Automated Network Abuse Reporting

2003-12-29 Thread Joel Jaeggli

I have, according to my IDS around 400pps arriving at my home network that
don't belong there. if I paid attention to all of it I'd be busy, if I
generated abuse reports and fired them off it would generate a lot of
noise... random portscans, dos backsplash and worm traffic don't really
rise to the level that would make me want to invest my time in trying to
identify and deal with the sources.

joelja
 
On Mon, 29 Dec 2003, Richard A Steenbergen wrote:

> On Mon, Dec 29, 2003 at 08:24:16AM -0800, Joel Jaeggli wrote:
> >
> > if you automate abuse reporting you can basically assume that the receiver
> > will automate abuse handling. since that has in fact happened as far as I
> > can tell the probability of your automated abuse replies ever reaching a
> > human who cares or can do something about it is effectively zero.
>
> It's difficult to sort out legitimate complaints for port scanning.
> Consider that the vast majority of such complaints a provider receives,
> particularly automated ones (groan), are just flat out wrong or stupid (or
> both).
>
> For example: "Your web server is hacking my web browser on port 80", or
> "Why are you probing me with UDP packets on port 53 from this host named
> NS1...", but usually stated with far more capital letters, misspellings,
> profanity, and threats to sue or report your web server to the
> authorities because it dared to respond to their port 80 connection. :)
>
> Things only seem to get worse when you actually try to have a halfass team
> of people respond to these. Usually the victim is someone who gets a syn
> flood from random sourced addresses, correctly responds with RSTs, and
> ends up being accused of port scanning due to the backscatter hitting some
> random military IP address. Anyone with a reasonable amount of experience
> should be able to look at any of the detailed packet logs and clearly see
> the very obvious patterns which indicate the differences between
> legitimate port scans, backscatter, or classic spoofed source syn floods.
> But they never do, even when they claim to be highly experienced and in
> positions of power. For many providers, getting a threatening e-mail from
> a government agency will result in someone being turned off, even if they
> have done nothing wrong.
>
> Recently I saw someone running an online gaming service who experienced
> this in the other direction. The attacker set his IP as the source, and
> directly fired off millions of packets to random destinations. Not only
> was there a direct DoS effect due to all the RST coming in, but over the
> course of 48 hours he received THOUSANDS of angry calls, many complaints
> to his provider, and even several death threats.
>
>

-- 
-- 
Joel Jaeggli   Unix Consulting [EMAIL PROTECTED]
GPG Key Fingerprint: 5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2




Re: Stopping ip range scans

2003-12-29 Thread Anton L. Kapela

[EMAIL PROTECTED] said:

>   So I'm wondering what are others doing in this regard?

One of the more effective ways to deal with this would be to request that
upstream(s) null-route your aggregate until the attack subsides.

--Tk


Re: Automated Network Abuse Reporting

2003-12-29 Thread Daniel Medina

 Not wanting to be ripped to shreds here, I think it's still worthwhile 
to alert people to, say, Slammer-infected hosts on their networks.

 Sure, the good folks are already monitoring their networks for hosts
sourcing things like that, and they're also the ones that will know how
to deal with automated complaints.  The people that don't already
monitor their networks will benefit from being alerted.

On Mon, Dec 29, 2003 at 12:32:52PM -0500, Richard A Steenbergen wrote:
>
> On Mon, Dec 29, 2003 at 08:24:16AM -0800, Joel Jaeggli wrote:
> >
> > if you automate abuse reporting you can basically assume that the receiver
> > will automate abuse handling. since that has in fact happened as far as I
> > can tell the probability of your automated abuse replies ever reaching a
> > human who cares or can do something about it is effectively zero.
>
> It's difficult to sort out legitimate complaints for port scanning.
> Consider that the vast majority of such complaints a provider receives,
> particularly automated ones (groan), are just flat out wrong or stupid (or
> both).
>
> For example: "Your web server is hacking my web browser on port 80", or
> "Why are you probing me with UDP packets on port 53 from this host named
> NS1...", but usually stated with far more capital letters, misspellings,
> profanity, and threats to sue or report your web server to the
> authorities because it dared to respond to their port 80 connection. :)
> ...
[snip]

-- 
medina



Re: African porn dialers, civil war and networks

2003-12-29 Thread Richard Cox

On Mon, 29 Dec 2003 04:42:06 -0800
Eric Kuhnke [EMAIL PROTECTED] wrote:

| Forwarded from the Risks digest (www.risks.org)
| By Brian King, Balancing Act's News Update 188 (21 Dec 2003)
| http://www.balancingact-africa.com

This is a serious fraud-related issue that my company has investigated
over the last few years.  The problems go a LOT deeper that the Risks
item would at first suggest, and I have sent a suitable note to the
original author.  Details are unquestionably off-topic for NANOG, so
if anyone here wants more details, private mail would be appropriate.

So far I have resisted all temptations to resubscribe to Risks!

-- 
Richard Cox



Paging RR.COM regarding ISP mail blockage

2003-12-29 Thread Mike Tindor



I've been trying to get in contact with RR.COM as well regarding blockage of
mail from the netblock of our mail servers.

Would an RR security/spam rep please contact me via [EMAIL PROTECTED],
[EMAIL PROTECTED] or by phone regarding this issue.   I have already mailed
[EMAIL PROTECTED] and received an autoreply yesterday morning but have
had no dialog with a human as of yet.

Thanks,

Mike Tindor
FIRST Internet
740-695-2280 x 3070




Re: Cachibility analysis software ?

2003-12-29 Thread Steve Uurtamo


BTW,  Is there any cache solution, other than Cisco, or Inktomi, that 
you think works well under 500~1000M background traffic?

thanks !

Yu
 

my semi-informed guess is that a netapp (or other good nfs raid array)
and a foundry (or other good load balancer), along with several
load-balanced squid boxen would do a pretty good job at this rate.  might
have to modify squid a bit, but the throughput would be there.

s.



Re: Automated Network Abuse Reporting

2003-12-29 Thread Stephen Perciballi

Agreed.  

Take www.dshield.org for instance.  They aggregate logs from various sources and
send complaints to the upstream provider. This is something that would work for
you Jason.

Working for an AUP department at an ISP, we gladly accept automated complaints.
Sending the complaint downstream for investigation should be standard procedure.  
Taking action against repeated complaints (differing time stamps of course)  
after at least one warning should follow.

Forwarding the complaint either by email or by phone to your downstream
shouldn't be considered a problem.  Just don't shoot first and ask questions
later.  It's a pretty safe bet to say that something is going wrong on a
downstream network if you are getting complaints from multiple sources.

In fact, reactions seem to be split in 3.  The angry ones are the ones we get
logs about their PAT address and they freak out because null routing them would
effectively shut down their entire network.  The indifferent ones are typically
used to these problems and rectify the problem, case closed.  Finally, we
actually get customers giving us kudos because we advised them of a problem on
their network.


[Mon, Dec 29, 2003 at 12:59:09PM -0500]
Daniel Medina Inscribed these words...


 
  Not wanting to be ripped to shreds here, I think it's still worthwhile 
 to alert people to, say, Slammer-infected hosts on their networks.
 
  Sure, the good folks are already monitoring their networks for hosts
 sourcing things like that, and they're also the ones that will know how
 to deal with automated complaints.  The people that don't already
 monitor their networks will benefit from being alerted.
 
 On Mon, Dec 29, 2003 at 12:32:52PM -0500, Richard A Steenbergen wrote:
  
  On Mon, Dec 29, 2003 at 08:24:16AM -0800, Joel Jaeggli wrote:
   
   if you automate abuse reporting you can basically assume that the receiver 
   will automate abuse handling. since that has in fact happened as far as i 
   can tell the probability of your automated abuse replies ever reaching a 
   human who cares or can do something about it is effectively zero.
  
  It's difficult to sort out legitimate complaints for port scanning.
  Consider that the vast majority of such complaints a provider receives,
  particularly automated ones (groan), are just flat out wrong or stupid (or
  both).
  
  For example: Your web server is hacking my web browser on port 80, or
  Why are you probing me with UDP packets on port 53 from this host named
  NS1..., but usually stated with far more capital letters, misspellings, 
  profanity, and threats to sue or report your web server to the 
  authorities because it dared to respond to their port 80 connection. :)
  ...
 [snip]
 
 -- 
 medina
 

-- 

Stephen (routerg)
irc.dks.ca


Re: Stopping ip range scans

2003-12-29 Thread Phil Rosenthal

Out of curiosity: how many of your scans come from hijacked IP space?
On Dec 29, 2003, at 6:47 AM, [EMAIL PROTECTED] wrote:


 Recently (this year...) I've noticed increasing number of ip range scans
of various types that involve one or more ports being probed for our
entire ip blocks sequentially. At first I attributed all this to various
windows viruses, but I did some logging with callbacks soon after to
origin machine on ports 22 and 25) and substantial number of these scans
are coming from unix boxes. I'm willing to tolerate some random traffic
like dns (although why would anybody send dns requests to ips that never
ever had any servers on them?), but scans on random port of all my ips -
that I consider to be a serious security issue and I'm getting tired of it
to say the least (not to mention that its drain on resources as for example
routers have to answer and try to route all the requests or answer back
that they could not).
  So I'm wondering what are others doing on this regard? Is there any
router configuration or possibly intrusion detection software for linux
based firewall that can be used to notice as soon as this random scan
starts and block the ip on temporary basis? Best would be some kind of way
to immediately detect the scan on the router and block it right there...
Any people or networks tracking this down to perhaps alert each other?

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]

--Phil Rosenthal
ISPrime, Inc.
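A defender-side sketch of the detection the quoted post asks for, added here as an example that is not part of the thread: it groups netfilter-style log lines by source, flags a source that touches many consecutive destination addresses inside a short window, and records when a temporary block for it would lapse. The field names follow the iptables LOG target (SRC=, DST=, DPT=); the thresholds, the leading ISO timestamp and the sample lines are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

def parse(line):
    """Pull timestamp, SRC, DST and DPT out of a netfilter LOG line."""
    f = dict(re.findall(r"(\w+)=(\S*)", line))
    if "SRC" not in f or "DST" not in f:
        return None
    return {"ts": datetime.fromisoformat(line.split()[0]),
            "src": f["SRC"], "dst": f["DST"], "dpt": f.get("DPT")}

def detect_sweeps(lines, window=timedelta(seconds=60), min_dsts=8,
                  min_seq_ratio=0.75, block_for=timedelta(hours=1)):
    """Sources with >= min_dsts distinct destinations inside `window`, mostly
    consecutive addresses; block_until is when a temporary block would lapse."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_src[rec["src"]].append(rec)
    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):  # sliding time window over this source
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            seen = recs[start:end + 1]
            dsts = sorted({int(ip_address(r["dst"])) for r in seen})
            if len(dsts) < min_dsts:
                continue
            seq = sum(b - a == 1 for a, b in zip(dsts, dsts[1:]))
            ratio = seq / (len(dsts) - 1)
            if ratio >= min_seq_ratio:
                hits[src] = {"dsts": len(dsts), "seq_ratio": round(ratio, 2),
                             "ports": sorted({r["dpt"] for r in seen if r["dpt"]}),
                             "block_until": recs[end]["ts"] + block_for}
    return hits

def _line(ts, src, dst, dpt):  # constructed line in iptables LOG format
    return (f"{ts} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=40 TTL=48 "
            f"PROTO=TCP SPT=44321 DPT={dpt} SYN")

# Constructed sample: one host walking 203.0.113.1-10 on port 22, one benign host.
SAMPLE_LOG = [_line(f"2003-12-29T06:47:{i:02d}", "198.51.100.7",
                    f"203.0.113.{i + 1}", 22) for i in range(10)]
SAMPLE_LOG += [_line("2003-12-29T06:47:05", "192.0.2.9", "203.0.113.4", 53),
               _line("2003-12-29T06:47:30", "192.0.2.9", "203.0.113.4", 53)]
```

Run `detect_sweeps(SAMPLE_LOG)` and only the sweeping source comes back, with the port list and the expiry a firewall rule could be keyed on; the benign host, which talks to a single address, is not reported.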


Re: Paging RR.COM regarding ISP mail blockage

2003-12-29 Thread Adam 'Starblazer' Romberg

 Would an RR security/spam rep please contact me via [EMAIL PROTECTED],
 [EMAIL PROTECTED] or by phone regarding this issue.   I have already mailed
 [EMAIL PROTECTED] and received an autoreply yesterday morning but have
 had no dialog with a human as of yet.

If they do not respond to you on that, you may want to call your local
TW office and talk to the abuse person there, that's what it took for them
to remove my IP block, and it was removed within 30 minutes (includes
propagation time).

Thanks

-a-

Adam 'Starblazer' Romberg Appleton: 920-738-9032
System Administrator   Valley Fair: 920-968-7713
ExtremePC LLC-=-  http://www.extremepcgaming.net