[unisog] Major campus-wide scans at UNC

Jeff Anderson-Lee jonah at EECS.Berkeley.EDU
Fri Mar 1 22:35:23 GMT 2002

We subscribe to www.dshield.org and their auto-"fight back" scheme.
You forward them a processed copy of your log entries and they can
auto-complain if more than some threshold of probes are detected
from a given IP.  We strip out all local-source IPs from the
iptables/ipchains logs on a few hosts and send them the rest.
The local ones are handled separately.

They submit a summary of info to the SANS Internet Storm Center.

They have a top-10 most wanted by IP (which right now
contains a host at purdue.edu, one at uiuc.edu and one from
wanadoo.fr among others.)

They seem open to new ideas, so a networks "bad list" might
be a possibility.

Jeff Anderson-Lee
Systems Manager, Digital Library Project
ERL, UC Berkeley

Walter G. Aiello wrote:

> Greetings, David:
> Yes, I agree that a well-protected and moderated site that
> listed problem networks would be an excellent idea. SANS
> has a list of the "Top 10 Most Wanted" that contains the 10
> worst offenders in the previous 5-day period.
> If a list such as that were combined into a list of sources
> and ISPs that are the least responsive, and if enough of us
> blocked the offenders, it might just hit their bottom line
> hard enough for them to start taking some responsibility.
> Best regards,
> Walter G. Aiello

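
The log-splitting step described in the message above, as an added example that is not part of the original post or of DShield's tooling: it separates iptables LOG lines by whether the source is local, then counts probes per external source. The local network, the threshold and the log lines are constructed assumptions, and the output is not DShield's submission format.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the site's own address space (a documentation range stands in).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Assumption: illustrative cut-off, not DShield's actual threshold.
THRESHOLD = 3
SRC_RE = re.compile(r"\bSRC=(\S+)")

# Constructed iptables LOG lines, not real traffic.
SAMPLE_LOG = """\
Mar  1 14:02:11 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4021 DPT=21
Mar  1 14:02:12 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=4022 DPT=21
Mar  1 14:02:13 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=4023 DPT=21
Mar  1 14:02:14 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=4024 DPT=21
Mar  1 14:05:40 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=1030 DPT=137
Mar  1 14:06:02 gw kernel: IN=eth1 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=1201 DPT=23
Mar  1 14:06:03 gw kernel: IN=eth1 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=1202 DPT=23
Mar  1 14:07:00 gw kernel: eth0: link up
"""

def source_ip(line):
    """Return the SRC= address of a firewall log line, or None if absent/invalid."""
    m = SRC_RE.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None

def split_log(lines, local_nets=LOCAL_NETS):
    """Split lines into (external, local) by source; non-firewall lines are dropped."""
    external, local = [], []
    for line in lines:
        ip = source_ip(line)
        if ip is None:
            continue
        (local if any(ip in net for net in local_nets) else external).append(line)
    return external, local

def noisy_sources(lines, threshold=THRESHOLD):
    """Map each source with more than `threshold` logged probes to its count."""
    counts = Counter(str(ip) for ip in map(source_ip, lines) if ip is not None)
    return {ip: n for ip, n in counts.items() if n > threshold}
```

The `external` list is what would be forwarded; the `local` list stays on site for separate handling.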