[unisog] Major campus-wide scans at UNC
jonah at EECS.Berkeley.EDU
Fri Mar 1 22:35:23 GMT 2002
We subscribe to www.dshield.org and their auto-"fight back" scheme.
You forward them a processed copy of your log entries and they can
auto-complain if more than some threshold of probes are detected
from a given IP. We strip out all local-source IPs from the
iptables/ipchains logs on a few hosts and send them the rest.
The local ones are handled separately.
They submit a summary of info to the SANS Internet Storm Center.
They have a top-10 most wanted by IP (which right now
contains a host at purdue.edu, one at uiuc.edu and one from
wanadoo.fr among others).
They seem open to new ideas, so a networks "bad list" might
be a possibility.
Systems Manager, Digital Library Project
ERL, UC Berkeley
Walter G. Aiello wrote:
> Greetings, David:
> Yes, I agree that a well-protected and moderated site that
> listed problem networks would be an excellent idea. SANS
> has a list of the "Top 10 Most Wanted" that contains the 10
> worst offenders in the previous 5-day period.
> If a list such as that were combined into a list of sources
> and ISPs that are the least responsive, and if enough of us
> blocked the offenders, it might just hit their bottom line
> hard enough for them to start taking some responsibility.
> Best regards,
> Walter G. Aiello
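
The log-preparation step described in the message above (strip local-source entries from iptables logs, forward the rest, count probes per source against a threshold), as an added example that is not part of the original post and is not DShield's client or submission format. The local network, the threshold value and the log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed: an RFC 5737 range standing in for the site's own address space.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
THRESHOLD = 3  # assumed value; the post only says "some threshold"
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed iptables LOG lines (fields trimmed), plus one non-firewall line.
SAMPLE_LOG = """\
Mar  1 14:02:11 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=4312 DPT=21 SYN
Mar  1 14:02:11 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=4313 DPT=21 SYN
Mar  1 14:02:12 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=4314 DPT=21 SYN
Mar  1 14:02:12 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=4315 DPT=21 SYN
Mar  1 14:05:40 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=1027 DPT=137
Mar  1 14:06:02 gw kernel: IN=eth1 OUT= SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=3320 DPT=23 SYN
Mar  1 14:06:03 gw kernel: IN=eth1 OUT= SRC=192.0.2.55 DST=192.0.2.11 PROTO=TCP SPT=3321 DPT=23 SYN
Mar  1 14:07:00 gw kernel: eth0: link up
"""

def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)

def split_log(lines):
    """Return (remote, local) lists of (source_ip, line); skip lines with no valid SRC."""
    remote, local = [], []
    for line in lines:
        match = SRC_RE.search(line)
        if not match:
            continue  # not a firewall LOG entry
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # e.g. an octet above 255 in a corrupted line
        (local if is_local(ip) else remote).append((str(ip), line))
    return remote, local

def over_threshold(remote, threshold=THRESHOLD):
    """Sources with more than `threshold` logged probes."""
    counts = Counter(ip for ip, _ in remote)
    return {ip: n for ip, n in counts.items() if n > threshold}

if __name__ == "__main__":
    remote, local = split_log(SAMPLE_LOG.splitlines())
    print(f"{len(remote)} entries to forward, {len(local)} local entries held back")
    for ip, n in over_threshold(remote).items():
        print(f"{ip}: {n} probes")
```

The local entries are returned rather than discarded so they can be handled separately, as the message describes.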