Snort mailing list archives
Re: Foreign Attacks (was Re: Firing off Abuse email based on Snort Traffic) OT
From: "Allan Dover" <adover () storm ca>
Date: Tue, 3 Jun 2003 09:06:25 -0400
Hi everyone, This has been a problem for a while. Being a one man shop, I have sent abuse letters to US and Canadian ISP's and schools. Most of the time responses are positive, and admins fix the problem right away. The Asian problem is another matter, I have sent abuse letters, no response. We run a corporate business centre here, and most of our users aren't tech savvy. I get so many Proxy scans and SPP scans from Asia I am thinking of Banning those sources completely. I Have a Linux box as a firewall for all the users, so using the IP information of the previous email will allow me to block port 25 traffic, Am I going overboard by just dropping any Asian packets using iptables ? Suggested iptables -A INPUT -i eth0 -p tcp -s 61.32.0.0/13 --destination-port 25 -j DROP modified iptables -A INPUT -i eth0 -p tcp -s 61.32.0.0/13 -j DROP This should stop all spam and scans from that subnet correct ? Should I be concerned with adding so many rules to IPTABLES that I will slow performance of my box ? Any suggestions ideas ? Allan Dover <mailto:allan () iiwishiv com> <http://www.iiwishiv.com> ################################################### This e-mail communication (including any or all attachments) is intended only for the use of the person or entity to which it is addressed and may contain confidential and/or privileged material. If you are not the intended recipient of this e-mail, any use, review, retransmission, distribution, dissemination, copying, printing, or other use of, or taking of any action in reliance upon this e-mail, is strictly prohibited. If you have received this e-mail in error, please contact the sender and delete the original and any copy of this e-mail and any printout thereof, immediately. Your co-operation is appreciated. ----- Original Message ----- From: "Pacheco, Michael F." <MPacheco () elcom com> To: <bmcdowell () coxhealthplans com>; <snort-users () lists sourceforge net> Sent: Friday, May 30, 2003 11:09 AM Subject: RE: Foreign Attacks (was Re: [Snort-users] Firing off Abuse email based on Snort Traffic)
IMHO and Experience I've been tracking and sending abuse letters for the better part of a year now based off of Snort output. The best results have always been through direct calls to block owners when you can get them or if a block is registered to Sam Jones and his ARIN contact E-mail is sam () xtz com I go to www.xyz.com and try to find a contact number. The only people that seem
to
react to abuse letters are in the education community - kudos to them! Although some company admins are great to work with if you can get a
direct
line to them and are polite (No one likes to be told your network has
holes
in it in an aggressive manner by a total stranger). My company does not do any business in the Asian geographical world, yet
60%
of my malicious traffic originates from that region. I have IP blocked
the
entire continent of China as well as Korea on my external routers and my SNORT log is now much more manageable and I have more time to fully investigate the traffic I am seeing cross my sensors now. The few times I did attempt to follow up on abuse letters sent to APNIC traced block owners I was meet with dead-ends and gave up after a wasted
day
of pursuing them. A very nice and complete IP based geographical block
list
in both Cisco ACL and straight block notation is available at http://www.okean.com/asianspamblocks.html I modified my block list for total port block instead of just spam
blocking.
As a side note our sendmail admin also tells me he has seen a marked decrease in spam into the network since this block list was installed. Just my 2 cents on the subject, your mileage may vary. If you don't do business there, why put up traffic you don't need if it's causing issues? Mike Pacheco -----Original Message----- From: bmcdowell () coxhealthplans com [mailto:bmcdowell () coxhealthplans com] Sent: Friday, May 30, 2003 9:58 AM To: snort-users () lists sourceforge net Subject: Foreign Attacks (was Re: [Snort-users] Firing off Abuse email
based
on Snort Traffic) I too have noticed that most of the high-scoring offenders appear to be Asian. (Of course, there's no way to know that those Asian haven't been somehow hijacked, but that's another topic...) Since my firm provides a mostly-domestic product, I wonder if it wouldn't be best just to black hole that whole continent. Or, for that matter, everything but North America. It seems extreme, but since it shouldn't necessarily cost me any business, I haven't totally dismissed it yet. As I see it, there is no good reason to pursue (on your own) an attack from outside your native land. I have never imagined myself working hand-in-hand with, say, Korean law enforcement to track down a hacker. Has anyone else on the list had any positive experiences with foreign law enforcement? Does anyone take a different stance toward foreign IP's? Just curious... -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Skip Carter Sent: Thursday, May 29, 2003 8:45 PM To: Matt Howell Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Firing off Abuse email based on Snort TrafficHow do other administrators handle genuine attacks and Portscans from International sources?Persistant portscans we generally respond to by black holing the address or network at the border routers or firewalls. Other attacks tend to get more attention; it helps if you can engage the assistance of security admins from other Internet locations (we once got the assistance of the US Air Force when one of our investigations and theirs inadvertently crossed paths; they were a great help in shutting down some Korean attacks!). BTW: is anybody else seeing slow scans (3 or 4 addresses per day) apparently coming from Cuba ? Skip -- Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647 Taygeta Scientific Inc. INTERNET: skip () taygeta com 1340 Munras Ave., Suite 314 WWW: http://www.taygeta.com Monterey, CA. 93940 ------------------------------------------------------- This SF.net email is sponsored by: eBay Get office equipment for less on eBay! http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Confidentiality Notice: This e-mail message (including any attachments)
may
contain confidential and privileged information, and is for the sole use
of
the intended recipient(s). Any unauthorized review, use, disclosure or distribution is strictly prohibited. If you are not the intended
recipient,
please notify the sender by replying to this e-mail message, permanently deleting the original message and destroying any hard copies of the
original
message that may have been created. ------------------------------------------------------- This SF.net email is sponsored by: eBay Get office equipment for less on eBay! http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.net email is sponsored by: eBay Get office equipment for less on eBay! http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This SF.net email is sponsored by: Etnus, makers of TotalView, The best thread debugger on the planet. Designed with thread debugging features you've never dreamed of, try TotalView 6 free at www.etnus.com. _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: Foreign Attacks (was Re: Firing off Abuse emai l based on Snort Traffic) Pacheco, Michael F. (May 30)
- Re: Foreign Attacks (was Re: Firing off Abuse email based on Snort Traffic) OT Allan Dover (Jun 04)
- <Possible follow-ups>
- RE: Foreign Attacks (was Re: Firing off Abuse emai l based on Snort Traffic) Jared Ingersoll (Jun 01)