Snort mailing list archives
Route Null
From: "Zymophideth" <zymophideth () hotmail com>
Date: Mon, 28 Oct 2002 12:28:13 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The best way to stop specific IPs without using an ACL is just setting up a null device on your router, then routing that address to the null device. That way any return traffic gets sent to the null device rather than back to the Internet. Sure, this won't stop all attacks, but it will stop any that require return traffic.

ip route 192.168.0.1 null0

(or something to that effect, haven't had to do it in a while)

What's also good about this method is you can still watch what the attacker is doing and how your computers respond with Snort, without fear of compromise. The attacker learns nothing, you learn everything: effective and educational, you gotta love it.

-----Original Message-----
From: twig les [mailto:twigles () yahoo com]
Sent: Monday, October 28, 2002 10:32 AM
To: Justin Jessup; snort () braingia org; jarret () osa comax com
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Action Recommendations

I worked at an ISP that blocked offending IPs at the border. It was an insane policy and resulted in Cisco 7500s with 99% CPU utilization because the ACLs were 6,000-10,000 lines each. I wouldn't go down that road unless the attacking IP/range is particularly nasty.

--- Justin Jessup <jaager7 () earthlink net> wrote:

I believe SANS has such a database setup, with the most frequent abusive IP addresses listed.

jj

Steve Suehring <snort () braingia org> wrote:

On Sun, Oct 27, 2002 at 01:20:04PM -0500, Jarret Gibson wrote:
> Should I bother with reporting these security problems to the offending person's ISP / office? I've heard most of you say that people rarely (if ever) do anything about the script kiddies / hackers when you report them.

I can't so much speak to the other questions in the email, but as far as reporting goes, it depends on a few factors. I've found that three major factors come into play when reporting: which ISP owns the IP space, what you're reporting, and what you include in the report.

First and foremost, it is unfortunate to say that it depends on which ISP you report the activity to. It appears that some ISPs absolutely don't care what happens within their IP space. This is the direct result of the abuse department not having enough resources and in some cases not having a clue. I've found *and this is just my opinion* that cable companies and telephone companies that now sell Internet are many times lacking in both.

Secondly, what you're reporting is also important. The abuse department receives massive amounts of email. If you're reporting a simple 'wrong number' type scan where someone typed in the wrong IP, they're likely to not pursue it. Again, this goes back to the abuse department not having enough resources.

Finally, what you include in the report is also important. I've seen a number of reports come in from people all over claiming that a customer was doing something. In fact, sometimes the report would say just that: "one of your customers is doing something to my web server, stop now!" Obviously, there's lots we could do with a report like that. :) If you include information such as logfiles, timezone, why exactly this was bad or indicative of abuse, etc., your report would have a better chance of being investigated. This somewhat ties in with the abuse department not having a clue and not having resources.

Again, the ISP is the biggest factor in the process. Some ISPs are great at slapping users, others seem to have a blackhole abuse mailbox.

One idea (that someone else has already had, I'm sure) would be to set up a centralized site that contained an abuse reports database. You could then grab the list sorted by the top 10 subnets that the hijinx originates from and block 'em. Part of the database could contain whether or not the activity was reported to the ISP and what they did about it. Correlating that information, it would become evident which ISPs are attempting to do something about abuse from their IP space. If this isn't out there already and there is some interest, I'd be willing to look into it further. I thought I saw something like this on ISS or SANS or someone, I can't remember.

Anyway, hope that helps to give you an idea on reporting things.

Steve

-------------------------------------------------------
This SF.net email is sponsored by: ApacheCon, November 18-21 in Las Vegas (supported by COMDEX), the only Apache event to be fully supported by the ASF. http://www.apachecon.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
=====
-----------------------------------------------------------
Heavy metal made me do it.
-----------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPb2dsRLyphRSVba5EQLDfQCgyOPwaNBY+/kUX6RydKy6CWt5Zx0An2u6
n2lqNQU821J2bKq3stV6hg04
=TFok
-----END PGP SIGNATURE-----
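Steve's "top 10 subnets" list and Zymophideth's null route fit together in a small script. The following is an added example, not code from the thread or from the Snort project: it parses constructed Snort-style fast alert lines (the addresses are RFC 5737 documentation ranges, not real hosts), counts alerts per source /24, refuses to emit any prefix overlapping a constructed LOCAL_PREFIXES list so the router's own networks never end up on Null0, collapses adjacent prefixes so the route table stays short (the 6,000-line ACL problem twig les describes), and prints the corresponding Cisco IOS static route in its full form with an explicit mask plus the Linux iproute2 blackhole equivalent. Every function, constant and sample value is the example's own. The limitation stated in the message still applies: a null route only discards packets routed toward the listed prefix, so inbound packets still reach the sensor and the hosts behind it; only the replies are dropped.

```python
"""Count alert sources per subnet and emit null-route statements.

Added example: the alert lines and LOCAL_PREFIXES below are constructed
(RFC 5737 documentation ranges), not data from the thread.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of Snort "fast" alert output.
SAMPLE_ALERTS = """\
10/28-10:31:02.123456 [**] [1:1000001:1] SCAN nmap TCP [**] {TCP} 198.51.100.7:44321 -> 192.0.2.10:22
10/28-10:31:03.223456 [**] [1:1000001:1] SCAN nmap TCP [**] {TCP} 198.51.100.7:44322 -> 192.0.2.10:23
10/28-10:31:05.323456 [**] [1:1000001:1] SCAN nmap TCP [**] {TCP} 198.51.100.9:51000 -> 192.0.2.11:80
10/28-10:32:10.000000 [**] [1:1000002:1] WEB-MISC bad request [**] {TCP} 203.0.113.200:3322 -> 192.0.2.12:80
10/28-10:32:11.000000 [**] [1:1000002:1] WEB-MISC bad request [**] {TCP} 203.0.113.201:3323 -> 192.0.2.12:80
10/28-10:33:00.000000 [**] [1:1000003:1] ICMP PING [**] {ICMP} 192.0.2.50 -> 192.0.2.12
10/28-10:33:01.000000 [**] [1:1000001:1] SCAN nmap TCP [**] {TCP} 198.51.100.7:44323 -> 192.0.2.10:25
"""

# Address space we own (constructed): a null route for any of this would
# blackhole our own replies, so these prefixes are never emitted.
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# "{PROTO} src[:port] -> dst[:port]" as written by Snort's fast output.
SRC_RE = re.compile(r"\{\w+\} (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> ")


def source_addresses(alert_text):
    """Yield the source IPv4 address of every alert line that parses."""
    for line in alert_text.splitlines():
        m = SRC_RE.search(line)
        if m:
            yield ipaddress.ip_address(m.group(1))


def top_subnets(alert_text, prefixlen=24, limit=10):
    """Alerts per source /prefixlen, most frequent first (the top-N list)."""
    counts = Counter(
        ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        for addr in source_addresses(alert_text)
    )
    return counts.most_common(limit)


def blackhole_prefixes(alert_text, min_alerts=2, prefixlen=24):
    """Subnets worth null-routing: at least min_alerts alerts, not our own
    address space, and collapsed so adjacent blocks become one route."""
    candidates = [
        net
        for net, n in top_subnets(alert_text, prefixlen, limit=None)
        if n >= min_alerts and not any(net.overlaps(p) for p in LOCAL_PREFIXES)
    ]
    return list(ipaddress.collapse_addresses(candidates))


def cisco_null_routes(nets):
    """Cisco IOS static routes to the Null0 interface, one per prefix."""
    return [f"ip route {n.network_address} {n.netmask} Null0" for n in nets]


def linux_blackhole_routes(nets):
    """The iproute2 equivalent: one blackhole route per prefix."""
    return [f"ip route add blackhole {n.with_prefixlen}" for n in nets]


if __name__ == "__main__":
    for net, n in top_subnets(SAMPLE_ALERTS):
        print(f"{net}\t{n} alerts")
    nets = blackhole_prefixes(SAMPLE_ALERTS)
    print("\n".join(cisco_null_routes(nets)))
    print("\n".join(linux_blackhole_routes(nets)))
```

Blackholing a whole /24 also silences every innocent host in it, so `min_alerts` and `prefixlen` are the knobs against collateral damage: with `prefixlen=32` the script null-routes single hosts and still merges neighbours (two adjacent /32s become one /31 route).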