Foreign Attacks (was Re: [Snort-users] Firing off Abuse email based on Snort Traffic) OT

Allan Dover adover at ...9373...
Wed Jun 4 06:25:41 EDT 2003


 Hi everyone,

 This has been a problem for a while.  Being a one man shop, I have sent
 abuse letters to US and Canadian ISPs and schools.  Most of the time
 responses are positive, and admins fix the problem right away.  The Asian
 problem is another matter: I have sent abuse letters, no response.  We run a
 corporate business centre here, and most of our users aren't tech savvy.  I
 get so many proxy scans and SPP scans from Asia I am thinking of banning
 those sources completely.

 I have a Linux box as a firewall for all the users, so using the IP
 information of the previous email will allow me to block port 25 traffic.  Am
 I going overboard by just dropping any Asian packets using iptables?

 Suggested  iptables -A INPUT -i eth0 -p tcp -s
 61.32.0.0/13 --destination-port 25 -j DROP

 modified   iptables -A INPUT -i eth0 -p tcp -s 61.32.0.0/13 -j DROP

 This should stop all spam and scans from that subnet, correct?
 Should I be concerned with adding so many rules to iptables that I will slow
 performance of my box?

 Any suggestions or ideas?

 Allan Dover
 <mailto:allan at ...8977...>
 <http://www.iiwishiv.com>


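A generator for the kind of ruleset discussed above, added here as a worked example; it is not code from the thread or from any of the posters. It assumes the outside interface is eth0 (as in the suggested rule), and the chain name GEOBLOCK and the two placeholder prefixes are my own choices; only 61.32.0.0/13 comes from the post. The one point it embodies that the posted rules miss: on a box that firewalls for other users, packets routed to those users traverse the FORWARD chain, so a DROP placed only in INPUT protects the firewall itself, not the users behind it.

```shell
#!/bin/sh
# Added example, not code from the thread or from any poster. It turns a
# prefix list like the one Allan is considering into iptables-restore text,
# using a dedicated chain (the name GEOBLOCK is an assumption) so that INPUT
# and FORWARD each carry a single jump instead of one rule per prefix. It
# only generates text and never calls iptables, so it runs as a normal user.

# Constructed sample list: 61.32.0.0/13 is the prefix from the post; the
# other entries are placeholders chosen for illustration.
BLOCKLIST='# one CIDR per line, # starts a comment
61.32.0.0/13
61.72.0.0/13
# 203.0.113.0/24 is an RFC 5737 documentation range, left commented out
'

# gen_rules CHAIN IFACE : reads a prefix list on stdin, writes
# iptables-restore syntax for the filter table on stdout.
gen_rules() {
    chain=$1
    iface=$2
    printf '%s\n' '*filter'
    printf '%s\n' ":$chain - [0:0]"
    # INPUT covers packets addressed to the firewall itself; traffic routed
    # through the box to the users behind it passes FORWARD, not INPUT, so
    # a rule placed only in INPUT would not protect them.
    printf '%s\n' "-A INPUT -i $iface -j $chain"
    printf '%s\n' "-A FORWARD -i $iface -j $chain"
    # drop comment lines, then keep only lines shaped like a.b.c.d/n
    grep -v '^[[:space:]]*#' | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' |
    while read -r cidr; do
        printf '%s\n' "-A $chain -s $cidr -j DROP"
    done
    # anything not matched returns to the rest of the calling chain
    printf '%s\n' "-A $chain -j RETURN"
    printf '%s\n' 'COMMIT'
}

# Wrappers so the generated ruleset can be inspected without root.
build_ruleset() {
    printf '%s' "$BLOCKLIST" | gen_rules GEOBLOCK eth0
}

count_drop_rules() {
    build_ruleset | grep -c -e '-j DROP'
}

# On the firewall, as root:  build_ruleset | iptables-restore -n
# (-n keeps the rules already present in the table)
```

Review the output first, then load it with `iptables-restore -n` as root; without `-n` the restore replaces the whole filter table. Each load appends the two jump rules again, so load once or delete them before reloading. Inside GEOBLOCK the kernel still tests a packet's source against the rules one by one, so the per-packet cost grows with the list length; the separate chain keeps INPUT and FORWARD readable and lets the list be reloaded in one step, but the answer to a list of hundreds of prefixes is a set-based match (ipset), not one rule per prefix.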

> ----- Original Message ----- 
> From: "Pacheco, Michael F." <MPacheco at ...6219...>
> To: <bmcdowell at ...7861...>; <snort-users at lists.sourceforge.net>
> Sent: Friday, May 30, 2003 11:09 AM
> Subject: RE: Foreign Attacks (was Re: [Snort-users] Firing off Abuse email
> based on Snort Traffic)
>
>
> > IMHO and Experience
> >
> > I've been tracking and sending abuse letters for the better part of a year
> > now based off of Snort output.  The best results have always been through
> > direct calls to block owners when you can get them, or if a block is
> > registered to Sam Jones and his ARIN contact e-mail is sam at ...9336... I go to
> > www.xyz.com and try to find a contact number.  The only people that seem to
> > react to abuse letters are in the education community - kudos to them!
> > Although some company admins are great to work with if you can get a direct
> > line to them and are polite (no one likes to be told your network has holes
> > in it in an aggressive manner by a total stranger).
> >
> > My company does not do any business in the Asian geographical world, yet 60%
> > of my malicious traffic originates from that region.  I have IP blocked the
> > entire continent of China as well as Korea on my external routers and my
> > Snort log is now much more manageable and I have more time to fully
> > investigate the traffic I am seeing cross my sensors now.
> >
> > The few times I did attempt to follow up on abuse letters sent to APNIC
> > traced block owners I was met with dead-ends and gave up after a wasted day
> > of pursuing them.  A very nice and complete IP based geographical block list
> > in both Cisco ACL and straight block notation is available at
> >
> > http://www.okean.com/asianspamblocks.html
> >
> > I modified my block list for total port block instead of just spam blocking.
> > As a side note our sendmail admin also tells me he has seen a marked
> > decrease in spam into the network since this block list was installed.
> >
> > Just my 2 cents on the subject, your mileage may vary.  If you don't do
> > business there, why put up with traffic you don't need if it's causing issues?
> >
> > Mike Pacheco
> >
> > -----Original Message-----
> > From: bmcdowell at ...7861... [mailto:bmcdowell at ...7861...]
> > Sent: Friday, May 30, 2003 9:58 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: Foreign Attacks (was Re: [Snort-users] Firing off Abuse email based
> > on Snort Traffic)
> >
> >
> > I too have noticed that most of the high-scoring offenders appear to be
> > Asian.  (Of course, there's no way to know that those Asian hosts haven't been
> > somehow hijacked, but that's another topic...)  Since my firm provides a
> > mostly-domestic product, I wonder if it wouldn't be best just to black
> > hole that whole continent.  Or, for that matter, everything but North
> > America.  It seems extreme, but since it shouldn't necessarily cost me
> > any business, I haven't totally dismissed it yet.
> >
> > As I see it, there is no good reason to pursue (on your own) an attack
> > from outside your native land.  I have never imagined myself working
> > hand-in-hand with, say, Korean law enforcement to track down a hacker.
> >
> > Has anyone else on the list had any positive experiences with foreign
> > law enforcement?  Does anyone take a different stance toward foreign
> > IP's?
> >
> > Just curious...
> >
> >
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Skip Carter
> > Sent: Thursday, May 29, 2003 8:45 PM
> > To: Matt Howell
> > Cc: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] Firing off Abuse email based on Snort Traffic
> >
> >
> >
> >
> >
> > > How do other administrators handle genuine attacks and Portscans from
> > > International sources?
> >
> >   Persistent portscans we generally respond to by black holing the address
> >   or network at the border routers or firewalls.  Other attacks tend to get
> >   more attention; it helps if you can engage the assistance of security
> >   admins from other Internet locations (we once got the assistance of the
> >   US Air Force when one of our investigations and theirs inadvertently crossed
> >   paths; they were a great help in shutting down some Korean attacks!).
> >
> >
> >   BTW: is anybody else seeing slow scans (3 or 4 addresses per day) apparently
> >   coming from Cuba?
> >
> >
> >
> > Skip
> >
> >
> >
> > -- 
> >  Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
> >  Taygeta Scientific Inc.        INTERNET: skip at ...1552...
> >  1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
> >  Monterey, CA. 93940
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: eBay
> > Get office equipment for less on eBay!
> > http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>