[unisog] Re: Re: Large Attack

Don Wolf SecuredSite at hotmail.com
Mon Mar 4 19:39:31 GMT 2002


Points taken and I too agree.  I strongly urged all my clients as well as my
current employer to publicize any and all intruders.  I assumed this would
let the administrators of those addresses take responsibility for their
users' actions and possibly build themselves a better case for IT security
"upgrades".  Unfortunately I failed to see the big picture.  You see, the
perpetrators of the probing, hacking, scanning, etc. took advantage of the
minimal publicity and increased their activity.  I seemed to get the
impression they were trying a "let's see what this shows up as" approach to
hacking. Sometimes publicity can have an entirely different outcome than
what was intended, that's all I'm trying to imply!

___________________________________
 Don J. Wolf - Security Consultant
 SANS/GIAC, MCP, CCNA, ICSA
 SecuredSite Intrusion Specialists
 www.SecuredSite.org


----- Original Message -----
From: "Walter G. Aiello" <Walter.Aiello at Duke.edu>
To: "Don Wolf" <SecuredSite at hotmail.com>
Cc: <doug at unc.edu>; <incidents at securityfocus.org>; <unisog at sans.org>; "ITS
Security" <security at unc.edu>
Sent: Monday, March 04, 2002 2:09 PM
Subject: Re: [unisog] Re: Re: Large Attack


> Greetings, Don:
>
> I replied to David Staggs at Vanderbilt as follows:
>
>  Yes, I agree that a well-protected and moderated site that
>  listed problem networks would be an excellent idea. SANS
>  has a list of the "Top 10 Most Wanted" that contains the 10
>  worst offenders in the previous 5 day period.
>
>  If a list such as that were combined into a list of sources
>  and ISP's that are the least responsive, and if enough of us
>  blocked the offenders, it might just hit their bottom line
>  hard enough for them to start taking some responsibility.
>
> What would be very useful would be a list of ISP's and the IP
> addresses they control. That would enable us to completely
> block those ISP's without having a "dribble effect" of blocking
> a subnet, only to be attacked from another of their subnets,
> and so on. For example, Jordan Wiens provided a list of network
> blocks owned by France Telecom (wanadoo.fr's parent company),
> which has been particularly unresponsive to complaints about the
> hailstorm of portscanning coming from their network. Several
> posters evidently indicated that they were at least considering
> blocking all traffic from those IP ranges. I added a few
> subnets to his list:
>
> Something like a "Top 10" (perhaps "Bottom Ten" would be more
> appropriate) list of ISP's and their network blocks would be
> extremely helpful to those of us who want to restrict access
> by those ISP's.
>
> Best regards and thank you.
> Walter G. Aiello
>
> --
> Dr. Walter G. Aiello
> Manager, Network and Information Services
> Magnetic Resonance Research Section
> Box 3808, Department of Radiology
> Duke University Medical Center
>
> Walter.Aiello at Duke.edu
> (919) 684 7519
>
> Don Wolf wrote:
> >
> > In regards to your interest in seeing "a site to list 'dirty subnets' -
> > those subnets from which we see repeated attacks", there is a great site
> > in which to go.  DShield has been doing just that for some time.  Just
> > thought I'd point it out for those who didn't know.  This link according
> > to DShield "shows the top 10 offenders according to the DShield
> > database".
> >
> > http://www.dshield.org/top10.html
> >
> > ___________________________________
> >  Don J. Wolf - Security Consultant
> >  SANS/GIAC, MCP, CCNA, ICSA
> >  SecuredSite Intrusion Specialists
> >  www.SecuredSite.org
>


