RE: Network 195.70.202.0/24 is hacker-freindly

[Justin Silles <JUSTIN () m-m-s com>]

At a company I worked at three years ago I called the offending company's
ISP and informed them of the traffic and the load it was trying to use on
our ISDN line.  While it was a minor situation, the ISP handled it as THEIR
responsibility to find out why one of THEIR accounts / THEIR IP Addresses
was generating "hacker" traffic.

In a similar instance, I used to txt dump my NT logs and e-mail them to an
administrator for my home ISP for every possible hack attack.  There was a
group of three users on my ISP's network that would continually try to log
onto my machine at night for 2 hour time blocks using usernames that were
obvious break-in attempts.  My home ISPs position was that they would not
punish a user biased on my log reports (because of possible forgery),
however, they would begin logging that user's activity biased on my NT logs
and from there they would determine if that user was abusing the ISPs
"acceptable use policy."  All four users at that ISP had their accounts
removed and one of them was changed with computer B&E by a local company
that they were stealing secrets/documents from (details were cloudy).  They
were caught because of my original NT logs and the ISP thanked me for
monitoring my home dial-up connection.

To this day I use the same tactics against computers with Code Red and
nimda.  I e-mail the company admin when possible and I cc the admin of their
ISP if I can figure it out.  Whether it's SAPM, viruses or break-ins...I'm
all for stopping it in it's tracks.  If an ISP pulls the plug on an
offending company's Internet connection because they didn't fix things
within a reasonable time...so be it.  I don't think if you have issues with
your server you should have to fix it within 5 minutes, but I do think that
there should be a time within reason that you can fix it, or pull it off the
Internet.

Regards,
Justin M. Silles


-----Original Message-----
From: Boyan Krosnov [mailto:bkrosnov () lirex bg]
Sent: Monday, December 03, 2001 7:49 PM
To: Pavel Lozhkin; incidents () securityfocus com
Subject: RE: Network 195.70.202.0/24 is hacker-freindly

I had an abuse report case today in which the party responsible for the
addresses basicaly said:
"Viruses are not network abuse" and " People who have registered the
addresses are not the ones who the abuse report should be sent to."
And they were, of course, given a course on how abuse reporting
works(and has worked in mass histeria times like Code Red, etc.), and
why they should participate in it. Not that it changed their mind, but
we tried, really.

The last exchange was like:
me: "If you don't take responsibility for actions made from your
addresses, we are seriously considering the posibility of stopping any
exchage of traffic with your addresses."
them: "NO PROVIDER ON THIS WORLD takes this responsibility. You are
wrong " and bla,bla,bla and "There is a recomendation of the European
union that every provider should provide anonymous access to their
network, so we don't have to care who is behind every single account."
a colegue: "If you really think that "phone companies are not
responsible for conversations over their networks" (an actual quote of
you), would you please give me your phone number so that I can call you
every night between 2 and 5. But don't contact the phone company about
that, because they "are not responsible", so there is no need for them
to do anything."

What do you all-on-this-list think about it?
Are you willing to communicate with address blocks that have a
report-handling policy like this one?
Do you know of a blacklist for documented networks with bad network
abuse handling policies aka. hacker friendly.

BR,
CCNP Boyan Krosnov
Network Administrator
Lirex Net
phone: +359-2-91815

> -----Original Message-----
> From: Pavel Lozhkin [mailto:pavel () atrivo com]
> Sent: Monday, December 03, 2001 11:01 PM
> To: incidents () securityfocus com
> Subject: Network 195.70.202.0/24 is hacker-freindly
>
>
> Hello !
>
> I got attempt to infect my server by Nimda virus from 195.70.202.138
> The administrator of the network (it is San Peterburg state
> University's
> net) wrote me on my complain that he does not want to clean
> his infected
> machines and that he does not have any contract with my firm
> so that i'm
> unable to ask him to clean these computers from where i got these
> attempts and unable to ask him anything.
> And he will scan me in any time if he wants, and i should not
> ask him to
> stop that.
>
> So that i consider the net 195.70.202.0/24 as uncontrolled
> one and block
> the network by my firewall and recommend all peoples do the same thing
>
> Pavel
>
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com