Re: Large DNS scans from 211.53.208.178

[epadin () WAGWEB COM (Ed Padin)]

It seems that a lot of crap is coming from Korea. I see a lot of attempts to
TCP port 109... Which is kinda silly. There was discussion on this earlier.
It seems that blocking all of korea (and demon internet in the UK?) might be
a good idea. I think that the koreans have been hit hard by virii/trojans
lately. This stuff is probably coming from compromised systems.

Does anyone know where I can find a list that shows IP addresses and
countries/location? I'm starting to think that I may want to start blocking
access from whole address ranges to certain of my servers. There are some
places on the globe with which we do no business at all.

Thanks.

> -----Original Message-----
> From: Bryan Seitz [mailto:seitz () CARTMAN EE UDEL EDU]
> Sent: Monday, May 01, 2000 2:07 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: Large DNS scans from 211.53.208.178
>
>
> On Fri, 28 Apr 2000, alann lopes wrote:
> > We are seeing a substantial scans
> > of DNS from 211.53.208.178 apparently
> > from Korea...
> >
> > Anyone else?
> >
> > Thank you -- alann
> ======================================================================
> > Apr 28 12:23:44 PDT tcp  211.53.208.178(4147)
> ->132.239.242.207(53), 1
> > Apr 28 12:23:46 PDT tcp  211.53.208.178(4140)

snip
> > Apr 28 15:07:44 PDT tcp  211.53.208.178(1960)
> ->132.239.242.192(53), 1
> >
> ======================================================================
> >
>
> Not from that specific host, but from .kr yes...
>
> Apr 21 15:00:38 cartman /kernel: ipfw: 3500 Deny TCP
> 210.182.140.145:4993 128.175.200.41:53 in via xl0
>
> Apr 28 18:02:21 cartman /kernel: ipfw: 3500 Deny TCP
> 210.182.66.3:1436 128.175.200.41:53 in via xl0

snip