Firewall Wizards mailing list archives
RE: Under attack
From: "Guy Hadsall" <ghadsall () telcordia com>
Date: Thu, 25 Jul 2002 10:37:38 -0400
Allan,
You are doing the right things, and blocking their IP blocks from your border router is the next thing I too would recommend.
On the topic of "who do I report them to?" you can start with the Hong Kong CERT team. Unfortunately is not a member of the F.I.R.S.T. (Forum for Incident Response Security Teams) organization. Hong Kong does not have an official CERT listed with FIRST. Several of their neighbors are though, so maybe if you fire off a question to the Japan or Taiwan CERT teams they can help point you in the right direction. You can find them by checking out, or eMailing, the website www.FIRST.org. Last time I checked they, as well as their neighbors, were active members of this international CERT organization. Fire off a note to the FIRST team coordinator too, maybe they can help too.
On the topic of an international CERT they've been attempted and fortunately have not yet taken hold. The WIPO folks tried the other year, and the UN has eyes for such a team too. Fear it for regulation's sake... Internet liberty is to be guarded and not easily given away.
GuyH
-----Original Message-----
From: R. DuFresne [mailto:dufresne () sysinfo com]
Sent: Thursday, July 25, 2002 7:20 AM
To: Allan Tagliaferro
Cc: 'firewall-wizards () honor icsalabs com'
Subject: Re: [fw-wiz] Under attack
On Thu, 25 Jul 2002, Allan Tagliaferro wrote:
> Hi all, We are using Raptor 6.5 on an NT box, at present we are getting a lot of inbound attempts being made by a Hong Kong ISP, I have sent several emails notifying them of this but no changes have occurred, the connections are unauthorized by gwcontrol so they fail. I've tried several times to include rules using a subnet of the IP range that this ISP uses but for some reason the rules are not stopping the attempts rather it just fails due to it being unauthorized. I'm happy they are not getting through but I feel like I've lost control.
It sounds like you have stopped them, though, you seem to be getting annoying log messages about the attempts. You could just block the IP block of the offending ISP at your border or screening router. This keeps from having the annoying log messages from hitting you with alerts and such.
> Can anyone please let me know how to successfully block an IP range from entering our network. Also I would be keen to know if there is an institute that can be contacted to inform of these attempts (a governing body of sorts).
Tis a shame there is no such thing, yet, it would be hard to put some universal/international organization together that all other nations would be forced to comply with, after all, we don't even have the ability for all nations to agree to or deal with extradition in a coherent manner across all borders. It's even more confounding when one understands that there are no standards enforced on the net about how ISPs and different connected organisations and companies should handle abuse complaints. Well there is a standard, but, like many, it's not followed by all and certainly there is no governing body to enforce it.
But, we try to contact abuse () offending com and/or security () offending com <replacing offending.com with the domain in question>. You can get the info you seek on the offenders in question by querying the specific domain servers for the region you are being hit by. And, rather than point you at each one of those regional domain servers, we'll point you at two sites that will query the proper one for you via nslookup queries:
whois.thur.de and whois.geektools.com
Understand, even if the ISP of the offender has an abuse or security address taking complaints, there's nothing to ensure that anyone will take action on your complaints. But, it's better to try than to do nothing, as this is changing muchly in recent years. Also be aware that many sites get tons of these replies, and so, you might get nothing back but a canned reply, if anything. As a last resort, if you speak the language of the others on the offending ISP site, you might try placing a call to tech folks, or additionally contacting their upstream provider<s> (traceroute).
Thanks, good luck,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Under attack Allan Tagliaferro (Jul 25)
- Re: Under attack R. DuFresne (Jul 25)
- <Possible follow-ups>
- RE: Under attack Bruce Platt (Jul 25)
- RE: Under attack Guy Hadsall (Jul 25)
- Re: Under attack Thom Dyson (Jul 25)