Educause Security Discussion mailing list archives
Re: Not so Nice Net
From: Jeff Moore <mail () JEFFMOORE COM>
Date: Fri, 10 Feb 2012 12:21:11 -0800
First - Thank you all for responding to my question. It has made it clear that what we were seeing was not crazy but that you all have been seeing similar things. Thanks everyone!!

Second - Michael Sinatra - I am assuming you must have read this on a bad day. I am sorry for any problems you are having. From what I have read from folks on this thread I assume that folks are quite intelligent and that none of them assume that the internet is still classful. It is simply a way that they communicate. Perhaps it is my mistake for how I phrased the question. My apologies if that was the case.

I think that these intelligent professionals also have the courtesy not to yell and not to try to make others look or feel bad. In your case it looks as though my assumptions were incorrect. I am not a member of this group to get into arguments over semantics with folks that have no respect for their peers.

If you read my message and the other kind folks that replied you would see that we did not say we got scanned by every host in these ranges. Please take the time to read the messages that you are responding to. I think folks here understand the consequences of blocking entire ranges. It's their job.

So in the future please read the messages thoroughly before replying. And please keep your replies constructive. The kind of reply you sent benefits no one. This listserve is for professionals. Please act like one.

Thank you!

Jeff Moore

On Fri, Feb 10, 2012 at 11:26 AM, Michael Sinatra <michael () rancid berkeley edu> wrote:
> As a general rule, PLEASE DO NOT ASSUME THAT THE INTERNET IS STILL CLASSFUL. It isn't. For example, it's correct that some of 91.0.0.0/8 is Deutsche Telekom. But some of it belongs to a provider in Iran. Some of it is Russian. Those are pretty big differences.
>
> Now, when people say that they have been scanned by "everything" in 91.0.0.0/8, do they really mean that they have been scanned by all 16.7 million unique IP addresses in that range? That _does_ seem crazy. Or does it mean they have been scanned by every provider listed in whois? Every originating AS? What research has been done to verify that?
>
> I have personally witnessed cases where several legitimate providers were blocked in some cases because of a security threat that originated in a particular /16 (from two IP addresses within a /29 of that space!). People assumed that the entire /16 belonged to the "bad guys" and blocked the whole thing! Please don't let this be you...
>
> michael
--
Jeff Moore
Desk (503) 877-4707
Cell (503) 910-0756
Mail () JeffMoore com
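The over-blocking case raised in the quoted message (a whole /16 blocked over two addresses inside a /29), worked through as an added example that is not part of the original thread. The addresses are constructed private-space samples, the function names are hypothetical, the /24 cap on block width is an assumption, and the code handles IPv4 only.

```python
import ipaddress

# Constructed sample: source addresses seen scanning us (private space, not real data).
OBSERVED = ["10.20.30.1", "10.20.30.6", "10.20.200.17"]

def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))

def tightest_block(addrs):
    """Smallest single IPv4 prefix that covers every address in addrs."""
    ints = [_as_int(a) for a in addrs]
    lo, hi = min(ints), max(ints)
    host_bits = (lo ^ hi).bit_length()      # low-order bits in which lo and hi differ
    base = (lo >> host_bits) << host_bits   # clear them to get the network address
    return ipaddress.ip_network((base, 32 - host_bits))

def block_list(addrs, min_prefix=24):
    """Group sources into covering prefixes, none wider than /min_prefix.

    Unrelated sources therefore stay in separate blocks instead of being
    merged into one large range that also holds uninvolved networks.
    """
    blocks, group = [], []
    for a in sorted(addrs, key=_as_int):
        if group and tightest_block(group + [a]).prefixlen < min_prefix:
            blocks.append(tightest_block(group))
            group = []
        group.append(a)
    if group:
        blocks.append(tightest_block(group))
    return blocks

def collateral(blocks, addrs):
    """Addresses covered by non-overlapping blocks that were never observed."""
    seen = {ipaddress.ip_address(a) for a in addrs}
    covered = sum(b.num_addresses for b in blocks)
    hits = sum(1 for ip in seen if any(ip in b for b in blocks))
    return covered - hits

if __name__ == "__main__":
    wide = [ipaddress.ip_network("10.20.0.0/16")]
    for name, blocks in (("whole /16", wide), ("tight", block_list(OBSERVED))):
        print(name, [str(b) for b in blocks],
              "unobserved addresses blocked:", collateral(blocks, OBSERVED))
```

Prefix math only bounds the collateral; who actually holds each resulting block still has to be checked against whois and the originating AS, as the quoted message asks.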