Security Incidents mailing list archives

Re: scan log and subsequent response from the host's ISP

From: mforrester () HSACORP NET (Forrester, Mike)
Date: Fri, 7 Jul 2000 10:57:08 -0600


According to ripe.net, they own 212.216.0.0 - 212.216.255.255 so everyone
might want to block their whole range...

While poking around, I found several references to interbusiness.it as shown
near the end.

BTW - Does anyone know of a site that lists known 'rogue' ISP's and why they
are considered such?

Mike Forrester - Systems Security Engineer
High Speed Access Corp. - Denver, CO USA
mforrester () hsacorp net - +1 303 256 2134

From ripe.net:

inetnum:     212.216.0.0 - 212.216.255.255
netname:     IT-TIN-980225
descr:       Telecom Italia Net
descr:       PROVIDER
country:     IT
admin-c:     EB339-RIPE
tech-c:      DSF11
tech-c:      MC4803-RIPE
tech-c:      CC297-RIPE
tech-c:      MP3870
tech-c:      SP46-RIPE
status:      ALLOCATED PA
mnt-by:      RIPE-NCC-HM-MNT
mnt-lower:   INTERB-MNT
changed:     hostmaster () ripe net 19980225
changed:     hostmaster () ripe net 19980226
changed:     hostmaster () ripe net 19980513
changed:     hostmaster () ripe net 19980914
changed:     hostmaster () ripe net 19980916
changed:     hostmaster () ripe net 19990316
changed:     hostmaster () ripe net 19990322
changed:     hostmaster () ripe net 20000128
changed:     hostmaster () ripe net 20000303
changed:     hostmaster () ripe net 20000316
source:      RIPE

route:       212.216.0.0/16
descr:       INTERBUSINESS
origin:      AS3269
advisory:    AS690 1:701 2:1800
mnt-by:      INTERB-MNT
changed:     cgiadmin () cgi interbusiness it 19980422
source:      RIPE

-----Original Message-----
From: Dan Hollis [mailto:goemon () SASAMI ANIME NET]
Sent: Wednesday, July 05, 2000 5:08 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: scan log and subsequent response from the host's ISP


On Mon, 3 Jul 2000, Bradley Woodward wrote:

These scans are so common, I wouldn't bother posting them,

except for the

rather disappointing response from the ISP's support

department.  I've

included an edited log file and email response.


Hm time to blackhole route 212.216.184.0 - 212.216.191.255?
Their response
definitely makes them rogue.

-Dan

Current thread:

Intrusion, WuFTP exploit?, (continued)
- - - Intrusion, WuFTP exploit? David Knaack (Jul 07)
    - Re: scan log and subsequent response from the host's ISP Philipp Buehler (Jul 11)
  - Re: scan log and subsequent response from the host's ISP Pauel Loshkin (Jul 07)
    - Re: scan log and subsequent response from the host's ISP Dan Hollis (Jul 10)
    - Re: scan log and subsequent response from the host's ISP Pavel Lozhkin (Jul 10)
    - Snort (about large-udp attack) JW Oh (Jul 10)
  - lifestages on IRC Omicron N (Jul 09)
    - Re: lifestages on IRC Robert van der Meulen (Jul 10)
    - Re: lifestages on IRC Vincent Hillier (Jul 10)
    - Re: lifestages on IRC T. H. Haymore (Jul 10)
- Re: scan log and subsequent response from the host's ISP Forrester, Mike (Jul 07)
  - tin.it and others non collaborative isps. Osvaldo Janeri Filho (Jul 07)
    - Re: tin.it and others non collaborative isps. Bradley Woodward (Jul 10)
    - Some stats of events Henri J. Schlereth (Jul 10)
    - Re: tin.it and others non collaborative isps. gabriel rosenkoetter (Jul 10)
    - Re: tin.it and others non collaborative isps. Philipp Buehler (Jul 11)
    - Re: tin.it and others non collaborative isps. Richard Bejtlich (Jul 11)
    - Hostile email mmurray () TAOS COM (Jul 12)
    - I Was rooted Andrew Heath (Jul 17)
    - Obfuscated URL's in spam Kee Hinckley (Jul 18)
    - 85.85.85.85 weirdness Wozz (Jul 18)

(Thread continues...)