[Dshield] RE: Kornet.Net (et al)

Clint Byrum cbyrum at erp.com
Fri Mar 8 17:03:00 GMT 2002


On Thu, 2002-03-07 at 17:20, michael nancarrow wrote:
> My first post in here but I have been following for a number of months.
> Regarding the Kornet Issue, I receive by my statistics more Hack attempts
> from the U.S. than Korea and China, excluding spam. What's more the US

This is because the "kiddiez" in the US know that (as Sue Young pointed
out earlier) Asian ISPs are ignoring abuse requests from US interests.
So they want cracked boxes in Asia. In fact, it makes perfect sense, as
they probably scan APNIC's address range. Another reason they want
international hosts is that admins in places like Los Angeles might be
more hesitant to call Australia than New York.

> ISPs are just as bad, I still have after 6 months a Verizon customer
> who has their DNS configured wrong and continually polls a non-used IP
> address on my subnet. Emails to Verizon have resulted in his link being
> reset, so I get a 5 minute break before he starts at a different IP address.
> I sent an email to Verizon saying his DNS is misconfigured and what happens,
> his link gets reset again. I tell them contact the customer, his link gets
> reset again. I try scanning him, his link resets again, every time a
> different IP. So please don't assume the US ISPs are any different from a
> global perspective. I also raised this to CERT in the U.S. as well, what
> happened, I got an email back saying they contacted Verizon, guess what his
> link was reset.

Being in the U.S. myself, I can understand the frustration. I've almost
given up sending abuse email to ISPs. SpamCop seems to carry a little
more weight for the spam that slips through the filters. For hacked
boxes, I try my best to find the actual owner of the machine, and just
CC: the ISP. If I can't find the owner, I make an attempt to call the
ISP's NOC and get a real person's email address. But hey, maybe that's
just me.
-- 

------------------------------
Clint Byrum
ERP.COM 




