[unisog] Re: Re: Large Attack

Don Wolf SecuredSite at hotmail.com
Mon Mar 4 19:39:31 GMT 2002

Points taken and I too agree.  I strongly urged all my clients as well as my
current employer to publicize any and all intruders.  I assumed this would
let the administrators of those addresses take responsibility for their
users' actions and possibly build themselves a better case for IT security
"upgrades".  Unfortunately I failed to see the big picture.  You see, the
perpetrators of the probing, hacking, scanning, etc. took advantage of the
minimal publicity and increased their activity.  I seemed to get the
impression they were trying a "let's see what this shows up as" approach to
hacking. Sometimes publicity can have an entirely different outcome than
what was intended, that's all I'm trying to imply!

 Don J. Wolf - Security Consultant
 SecuredSite Intrusion Specialists

----- Original Message -----
From: "Walter G. Aiello" <Walter.Aiello at Duke.edu>
To: "Don Wolf" <SecuredSite at hotmail.com>
Cc: <doug at unc.edu>; <incidents at securityfocus.org>; <unisog at sans.org>; "ITS
Security" <security at unc.edu>
Sent: Monday, March 04, 2002 2:09 PM
Subject: Re: [unisog] Re: Re: Large Attack

> Greetings, Don:
> I replied to David Staggs at Vanderbilt as follows:
>  Yes, I agree that a well-protected and moderated site that
>  listed problem networks would be an excellent idea. SANS
>  has a list of the "Top 10 Most Wanted" that contains the 10
>  worst offenders in the previous 5 day period.
>  If a list such as that were combined into a list of sources
>  and ISP's that are the least responsive, and if enough of us
>  blocked the offenders, it might just hit their bottom line
>  hard enough for them to start taking some responsibility.
> What would be very useful would be a list of ISP's and the IP
> addresses they control. That would enable us to completely
> block those ISP's without having a "dribble effect" of blocking
> a subnet, only to be attacked from another of their subnets,
> and so on. For example, Jordan Wiens provided a list of network
> blocks owned by France Telecom (wanadoo.fr's parent company),
> which has been particularly unresponsive to complaints about the
> hailstorm of portscanning coming from their network. Several
> posters evidently indicated that they were at least considering
> blocking all traffic from those IP ranges. I added a few
> subnets to his list:
> ----------------
>   except for:
> except for:
> Something like a "Top 10" (perhaps "Bottom Ten" would be more
> appropriate) list of ISP's and their network blocks would be
> extremely helpful to those of us who want to restrict access
> by those ISP's.
> Best regards and thank you.
> Walter G. Aiello
> --
> Dr. Walter G. Aiello
> Manager, Network and Information Services
> Magnetic Resonance Research Section
> Box 3808, Department of Radiology
> Duke University Medical Center
> Walter.Aiello at Duke.edu
> (919) 684 7519
> Don Wolf wrote:
> >
> > In regards to your interest in seeing "a site to list 'dirty subnets' -
> > those subnets from which we see
> > repeated attacks", there is a great site in which to go.  DShield has
> > been doing just that for some time.  Just thought I'd point it out for those
> > who didn't know.  This link according to DShield "shows the top 10 offenders
> > according to the DShield database".
> >
> > http://www.dshield.org/top10.html
> >
> > ___________________________________
> >  Don J. Wolf - Security Consultant
> >  SecuredSite Intrusion Specialists
> >  www.SecuredSite.org
