Foreign Attacks (was Re: [Snort-users] Firing off Abuse emai l based on Snort Traffic)

Pacheco, Michael F. MPacheco at ...6219...
Fri May 30 08:10:06 EDT 2003


IMHO and Experience

I've been tracking and sending abuse letters for the better part of a year
now based off of Snort output.  The best results have always been through
direct calls to block owners when you can get them or if a block is
registered to Sam Jones and his ARIN contact E-mail is sam at ...9336... I go to
www.xyz.com and try to find a contact number.  The only people that seem to
react to abuse letters are in the education community - kudos to them!
Although some company admins are great to work with if you can get a direct
line to them and are polite (No one likes to be told your network has holes
in it in an aggressive manner by a total stranger).

My company does not do any business in the Asian geographical world, yet 60%
of my malicious traffic originates from that region.  I have IP blocked the
entire continent of China as well as Korea on my external routers and my
SNORT log is now much more manageable and I have more time to fully
investigate the traffic I am seeing cross my sensors now.

The few times I did attempt to follow up on abuse letters sent to APNIC
traced block owners I was meet with dead-ends and gave up after a wasted day
of pursuing them.  A very nice and complete IP based geographical block list
in both Cisco ACL and straight block notation is available at 

http://www.okean.com/asianspamblocks.html

I modified my block list for total port block instead of just spam blocking.
As a side note our sendmail admin also tells me he has seen a marked
decrease in spam into the network since this block list was installed.

Just my 2 cents on the subject, your mileage may vary.  If you don't do
business there, why put up traffic you don't need if it's causing issues?

Mike Pacheco

-----Original Message-----
From: bmcdowell at ...7861... [mailto:bmcdowell at ...7861...] 
Sent: Friday, May 30, 2003 9:58 AM
To: snort-users at lists.sourceforge.net
Subject: Foreign Attacks (was Re: [Snort-users] Firing off Abuse email based
on Snort Traffic)


I too have noticed that most of the high-scoring offenders appear to be
Asian.  (Of course, there's no way to know that those Asian haven't been
somehow hijacked, but that's another topic...)  Since my firm provides a
mostly-domestic product, I wonder if it wouldn't be best just to black
hole that whole continent.  Or, for that matter, everything but North
America.  It seems extreme, but since it shouldn't necessarily cost me
any business, I haven't totally dismissed it yet.

As I see it, there is no good reason to pursue (on your own) an attack
from outside your native land.  I have never imagined myself working
hand-in-hand with, say, Korean law enforcement to track down a hacker.

Has anyone else on the list had any positive experiences with foreign
law enforcement?  Does anyone take a different stance toward foreign
IP's?

Just curious...


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Skip Carter
Sent: Thursday, May 29, 2003 8:45 PM
To: Matt Howell
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Firing off Abuse email based on Snort Traffic





> How do other administrators handle genuine attacks and Portscans from
> International sources?

  Persistant  portscans we generally respond to by black holing the
address
  or network at the border routers or firewalls.  Other attacks tend to
get
  more attention; it helps if you can engage the assistance of security
  admins from other Internet locations (we once got the assistance of
the
  US Air Force when one of our investigations and theirs inadvertently
crossed
  paths; they were a great help in shutting down some Korean attacks!).


  BTW: is anybody else seeing slow scans (3 or 4 addresses per day)
apparently
  coming from Cuba ?



Skip

  

-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip at ...1552...
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            













-------------------------------------------------------
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Confidentiality Notice: This e-mail message (including any attachments) may
contain confidential and privileged information, and is for the sole use of
the intended recipient(s). Any unauthorized review, use, disclosure or
distribution is strictly prohibited. If you are not the intended recipient,
please notify the sender by replying to this e-mail message, permanently
deleting the original message and destroying any hard copies of the original
message that may have been created.




-------------------------------------------------------
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list