Educause Security Discussion mailing list archives
Re: Not so Nice Net
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Fri, 10 Feb 2012 11:26:27 -0800
As a general rule, PLEASE DO NOT ASSUME THAT THE INTERNET IS STILL CLASSFUL. It isn't.
For example, it's correct that some of 91.0.0.0/8 is Deutsche Telekom. But some of it belongs to a provider in Iran. Some of it is Russian. Those are pretty big differences.
Now, when people say that they have been scanned by "everything" in 91.0.0.0/8, do they really mean that they have been scanned by all 16.7 million unique IP addresses in that range? That _does_ seem crazy. Or does it mean they have been scanned by every provider listed in whois? Every originating AS? What research has been done to verify that?
I have personally witnessed cases where several legitimate providers were blocked in some cases because of a security threat that originated in a particular /16 (from two IP addresses within a /29 of that space!). People assumed that the entire /16 belonged to the "bad guys" and blocked the whole thing! Please don't let this be you...
michael
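
The check the message asks for, as an added example that is not part of the original post: derive the tightest prefix covering the observed sources and list which address holders a wider block would also hit. All data is constructed (RFC 2544 benchmark space, RFC 5398 documentation AS numbers), and the function names are hypothetical; in practice the allocation table would come from whois or BGP origin data.

```python
import ipaddress

# Constructed sample data: benchmark address space (RFC 2544) and
# documentation AS numbers (RFC 5398); these are not real allocations.
ALLOCATIONS = {
    "198.18.0.0/19": "AS64496 (provider A)",
    "198.18.32.0/20": "AS64497 (provider B)",
    "198.18.64.0/18": "AS64498 (provider C)",
    "198.18.128.0/17": "AS64499 (provider D)",
}
OFFENDERS = ["198.18.37.9", "198.18.37.12"]  # two hosts inside one /29


def tightest_cover(addresses):
    """Smallest single prefix that contains every observed source address."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    if len({a.version for a in addrs}) != 1:
        raise ValueError("need a non-empty list from one address family")
    net = ipaddress.ip_network(f"{addrs[0]}/{addrs[0].max_prefixlen}")
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen by one bit until everything fits
    return net


def holders_hit(block, allocations):
    """Holders whose allocated space overlaps a proposed block."""
    block = ipaddress.ip_network(block)
    return sorted(holder for prefix, holder in allocations.items()
                  if ipaddress.ip_network(prefix).overlaps(block))


def collateral(block, addresses, allocations):
    """Holders a block would affect that sourced none of the observed traffic."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    origin_holders = {holder for prefix, holder in allocations.items()
                      if any(a in ipaddress.ip_network(prefix) for a in addrs)}
    return [h for h in holders_hit(block, allocations) if h not in origin_holders]


if __name__ == "__main__":
    cover = tightest_cover(OFFENDERS)
    for block in (str(cover), "198.18.0.0/16"):
        size = ipaddress.ip_network(block).num_addresses
        print(f"{block}: {size} addresses, collateral holders:",
              collateral(block, OFFENDERS, ALLOCATIONS))
```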