Re: Under attack

["R. DuFresne" <dufresne () sysinfo com>]

On Thu, 25 Jul 2002, Allan Tagliaferro wrote:

> Hi all,
>
> We are using Raptor 6.5 on a NT box, at present we are getting a lot of
> inbound attempts being made by a Hong Kong ISP, I have sent several emails
> notifying them of this but no changes have occurred, the connections are
> unauthorized by gwcontrol so they fail. I've tried several times to include
> rules using a subnet of the IP range that this ISP uses but for some reason
> the rules are not stopping the attempts rather it just fails due it being
> unauthorized. I'm happy they are not getting through but am I feel like I've
> lost control.


It sounds like you have stopped them, though, you seem to be getting
annoying log messages about the attempts.  You could just block the IP
block of the offending ISP at your border or screening router.  This keeps
from having the annoying log messages from hitting you with alerts and
such.

> Can anyone please let me know how to successfully block an IP range from
> entering our network. Also I would keen to know if there is an institute
> that can be contacted to inform of these attempts ( a governing body of
> sorts).

Tis a shame there is no such thing, yet, it would be hard to put some
universal/international organization together that all other nations would
be forced to comply with, afterall, we don't even have the ability for all
nations to agree to or deal with extradition in a coherent manner accorss
all borders.  It's even more confounding when one understands that there
are no standards enforced on the net about how ISP's and different
connected organisations and companies should handle abuse complaints.
Well there is a standard, but, like many, it's not followed by all and
certainly there is not governing body to enforce it.  But, we try to
contact abuse () offending com and/or security () offending com <replacing
offending.com with the domain in question>.  You can get the info you seek
on the offenders in question by querying the specific domain servers for
the regoin you are being hit by.  And, rather then point you at each one
of those regional domain servers, we'll point you at two sites that will
query the proper one for you via nslookup queries:

whois.thur.de

and

whois.geektools.com

Understand, even if the ISP of the offender has an abuse or security
address taking complaints, there's nothing to ensure that anyone will take
action on your complaints.  But, it's better to try then to do nothing, as
this is changing muchly in recent years.  Also be aware that many sites
get tons of these replies, and so, you might get nothing back but a canned
reply, if anything.  As a last resort, if you speak the language of the
others on the offending ISP site, you might try placing a call to tech
folks, or additionally contacting their upstream provider<s> (traceroute).

Thanks,  good luck,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards