[Dshield] RE: Hacker Blocks

Grant Thurman Grant at Netprecision.Net
Mon Mar 11 19:26:13 GMT 2002


Thanks for your input. My blocks are doing a decent job for us. Do I need to
find more time to do a better job? Yes, of course. I just block IP blocks
that generate the largest amount of incoming attacks at this time.

RIPE is within the range of some of the IP blocks I feel we need to block;
sending you a cc was just to advise you of a growing movement within the USA
to deal with hacking: block it out. We as a group have sent thousands of
hacking complaints to RIPE, Tier Ones and ISPs; 99% of the time nothing is
done or acted on.

Very little is being done about hacking from APNIC, RIPE or any major tier
ones or ISPs; we have to protect ourselves since no one else seems to


-----Original Message-----
From: Bruce Campbell [mailto:bruce_campbell at ripe.net]
Sent: Monday, March 11, 2002 11:13 AM
To: grant at netprecision.net
Cc: list at dshield.org
Subject: Re: Hacker Blocks

On Mon, 11 Mar 2002, Grant Thurman wrote:

> I promised to report on my efforts to advise of my success in coming up
> blocks of hacker haven IP's that I block out without hurting my clients or

> Please don't complain to me that I am blocking your "Country" out of
> revenge. I am only blocking time consuming hack attacks that cost me hours
> every day, contact the ISP's Admin and get them to do something about their
> network hacker problems. Keep in mind DShield has sent warnings to a
> of these ISP's and all of us have sent complaints all of which for the
> part were ignored and laughed off.


Citing your list, being:

> Denmark  -
> Italy  -

Assuming that you meant -, a small firm in Germany, -, a largish firm in the United Kingdom and -, an internal network in Italy, I've checked
the authoritative WHOIS database for these (whois.RIPE.net).

As the entries for the above make no mention of 'ops at ripe.net',
'hostmaster at ripe.net' or 'lir-help at ripe.net' (the addresses at the NCC
which you bcc'd) in any valid contact address, nor have you asked for any
further assistance, the RIPE NCC cannot assist you further.

( Note that apparent email addresses within 'changed' fields are NOT valid
  contact addresses )

> We all realize that APNIC will do a big fat ZERO about "their" problem:
> "apnic-is-a-registry-recheck-your-data-before-emailing at apnic.net", what a
> crock!

Ah, you'd be a citizen of the United States of America.  Nice to see that
you're keeping abreast of global events, why, APNIC Pty Ltd was only
founded in 1993 to allocate IP addresses in the Asia Pacific Region, a
comparative eyeblink ago.

Now, it's fairly simple to obtain Useful Information(tm) from the above
string.  Try this one which I prepared earlier:

	APNIC is a Registry.  Recheck your data BEFORE emailing APNIC.

or to expand on the message that I originally wished to put in the
abuse.net database:

	APNIC Pty Ltd (apnic.net) operates a Registry.  If you are
	emailing this address, you have most probably been misled by your
	tools or your own incorrect conceptions of the world.  Please go
	away and recheck the data that led you here.  If you still insist
	on emailing this address, there is a nice handy reference guide to
	the world of Regional Internet Registries awaiting you by way of
	an autoresponder.  Please read this.  Note that if you have
	configured your systems to block the 'APNIC' IPs and thus cannot
	receive this message, that's your problem, not that of APNIC Pty
	Ltd (apnic.net).

> APNIC  -

Within the above range (a mere 33 million IP addresses, give or take),
APNIC Pty Ltd has allocated IP addresses to various entities amongst 42
separate countries.  As only 6 entities within that space are within the
USA (Guam), you probably don't particularly care.

Some of the other IP ranges are also under the control of APNIC, eg:

> China  -
> China  -
> China  -
> Korea  -
> Korea  -

For all of these, APNIC Pty Ltd, as one of three Regional Internet
Registries, has a responsibility as per BCP 12 / RFC2050 in:

  to provide operational staff with information on who is using
  the network number and to provide a contact in case of
  operational/security problems,

This is done via the WHOIS interface, at whois.APNIC.net.  Similar WHOIS
interfaces can be found being operated by the other two Regional Internet
Registries, the RIPE NCC (whois.ripe.net) and ARIN (whois.arin.net).

My personal suggestion is to use the Geektools whois proxy if this is a
tad too much information to absorb at once:  www.geektools.com

Kind Regards,

                             Bruce Campbell                            RIPE
                ( Formerly Senior Systems )                             NCC
                (   Administrator - APNIC )                      Operations
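
The point above about 'changed' fields, as an added example that is not part of the original thread: a Python sketch that reads RPSL-style WHOIS output and separates addresses found in contact attributes from those that appear only in 'changed' lines. The sample record is constructed, and treating only `e-mail` as a contact attribute is an assumption of this example.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumption for this example: only "e-mail" carries a usable contact address.
CONTACT_ATTRS = {"e-mail"}

# Constructed sample in RPSL style; not real registry data.
SAMPLE = """\
% constructed record for illustration
inetnum:      192.0.2.0 - 192.0.2.255
netname:      EXAMPLE-NET
admin-c:      EX1-TEST
changed:      hostmaster@registry.example 20010101
source:       TEST

person:       Example Admin
nic-hdl:      EX1-TEST
e-mail:       noc@isp.example
changed:      staff@registry.example 20010315
source:       TEST
"""

def parse_attrs(text):
    """Yield (attribute, value) pairs; skip comments and continuation lines."""
    for line in text.splitlines():
        if not line.strip() or line[0] in "%#":
            continue
        name, sep, value = line.partition(":")
        if sep and name and not name[0].isspace():
            yield name.strip().lower(), value.strip()

def naive_scrape(text):
    """What a careless tool does: grab every address-looking string."""
    return sorted({a.lower() for a in EMAIL_RE.findall(text)})

def classify(text):
    """Return (contact addresses, addresses seen only in 'changed' lines)."""
    contacts, changed = set(), set()
    for attr, value in parse_attrs(text):
        found = {a.lower() for a in EMAIL_RE.findall(value)}
        if attr in CONTACT_ATTRS:
            contacts |= found
        elif attr == "changed":
            changed |= found
    return contacts, changed - contacts

if __name__ == "__main__":
    contacts, ignored = classify(SAMPLE)
    print("naive scrape :", naive_scrape(SAMPLE))
    print("send to      :", sorted(contacts))
    print("changed-only :", sorted(ignored))
```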
