Educause Security Discussion mailing list archives

Re: Connectivity problems with the US Army


From: "HALL, NATHANIEL D." <halln () OTC EDU>
Date: Fri, 19 Jan 2007 12:48:36 -0600

-----Original Message-----
From: Brock, Anthony - NET [mailto:Anthony.Brock () OREGONSTATE EDU]
Sent: Friday, January 19, 2007 11:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Connectivity problems with the US Army

-----Original Message-----
Maybe they meant 29 IPs were probing.  We saw around 35 of your IPs either
scanning port 2967 or actively attempting to exploit the Symantec
vulnerability against systems here.

Very possible. However, this still seems a bit extreme for implementing
a "permanent block" of this scale. Also, there should be some method for
notifying the affected site and correcting the issue.

I both agree and disagree.  In my case I was watching for SSH brute
force scans.  Each time I saw a scan I would contact the abuse,
security, or NOC contact and send logs.  Rarely did I receive a
response.  If there were 3 or more occurrences (i.e. three or more days
of any host scanning), then I would block the organization's entire
address space.

Once when I did that I caused a lot of websites to quit loading because
the organization was a large NOC.  I began to add exclusions so that the
pages would load.  The admin thought I was going overboard because I
blocked their entire range because of 4 occurrences.  I'm sorry, but the
student information I am protecting is much more important than being
able to access those websites.  My Vice-President and Dean agree.  If a
website is important enough, then we make an exception.

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking

Office: (417) 447-7535

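The escalation policy Hall describes (log each SSH brute-force scan, count the distinct days on which any host of an organisation scanned you, block the organisation's whole address space at three or more days, and carve out exceptions for sites that must stay reachable) as an added example in Python. This is not code from the list posting; the sshd log lines, the prefix-to-organisation mapping, the exception host and the function names are all constructed for illustration. In practice the prefix mapping comes from the whois / abuse-contact lookup the author describes doing by hand.

```python
# Added example (not from the posting): escalate from per-scan abuse reports to an
# organisation-wide block after DAY_THRESHOLD distinct days of scanning, while
# keeping an exception list so important hosts stay reachable.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: sshd auth-failure lines of the kind a brute-force scan leaves.
SAMPLE_LOG = """\
Jan 15 03:12:01 bastion sshd[4410]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 15 03:12:03 bastion sshd[4410]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 16 22:40:17 bastion sshd[5120]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Jan 17 01:05:44 bastion sshd[5301]: Failed password for root from 203.0.113.200 port 33333 ssh2
Jan 17 01:06:00 bastion sshd[5301]: Failed password for root from 203.0.113.200 port 33334 ssh2
Jan 18 09:00:00 bastion sshd[6002]: Failed password for invalid user oracle from 198.51.100.5 port 2222 ssh2
Jan 19 09:00:00 bastion sshd[6003]: Failed password for invalid user oracle from 198.51.100.5 port 2223 ssh2
"""

# Constructed: which address space belongs to which organisation (whois in reality).
ORG_PREFIXES = {
    "example-edu": ipaddress.ip_network("203.0.113.0/24"),
    "other-net": ipaddress.ip_network("198.51.100.0/24"),
}

# Constructed: hosts that must stay reachable even when their organisation is blocked.
EXCEPTIONS = [ipaddress.ip_network("203.0.113.80/32")]

# From the posting: three or more distinct days of scanning by any host of the
# organisation triggers a block of the whole address space.
DAY_THRESHOLD = 3

LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) \S+ \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def org_for(ip):
    """Return the organisation whose prefix contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in ORG_PREFIXES.items():
        if addr in net:
            return name
    return None


def scan_days_by_org(log_text, year=2007):
    """Map organisation -> set of calendar days on which any of its hosts scanned us."""
    days = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a failed-login line
        org = org_for(m["ip"])
        if org is None:
            continue  # no known owner; would need a whois lookup
        # syslog lines carry no year; assume one so days can be compared
        day = datetime.strptime(f"{year} {m['mon']} {m['day']}", "%Y %b %d").date()
        days[org].add(day)
    return days


def exclude_all(net, exceptions):
    """Split net into the pieces left after removing every exception inside it,
    so a deny rule built from the pieces can never cover an excepted host."""
    pieces = [net]
    for exc in exceptions:
        nxt = []
        for p in pieces:
            nxt.extend(p.address_exclude(exc) if exc.subnet_of(p) else [p])
        pieces = nxt
    return sorted(pieces)


def block_decisions(log_text):
    """Return [(organisation, [networks to deny])] for every org at or over threshold."""
    decisions = []
    for org, days in sorted(scan_days_by_org(log_text).items()):
        if len(days) >= DAY_THRESHOLD:
            decisions.append((org, exclude_all(ORG_PREFIXES[org], EXCEPTIONS)))
    return decisions


def is_blocked(ip, decisions):
    """True if ip falls inside any network a decision would deny."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for _, nets in decisions for net in nets)


if __name__ == "__main__":
    for org, nets in block_decisions(SAMPLE_LOG):
        print(f"block {org}: " + ", ".join(str(n) for n in nets))
```

Running it blocks example-edu (three distinct scanning days from three different hosts) but not other-net (only two days), and the /24 is emitted as eight smaller networks around the excepted host rather than as one deny rule, which is the mechanical form of the "add exclusions so the pages would load" step.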