Security Incidents mailing list archives

Re: scan log and subsequent response from the host's ISP


From: cefek () CAREER PL (Michal Nazarewicz)
Date: Sat, 8 Jul 2000 01:17:42 +0200


Yesterday, Dan Hollis wrote:

DH>At one time I might have included .pl in that list :-) Thankfully someone
DH>seems to have taken a clue-by-four to the networks there. Someone hired
DH>.it and .gr mafia to have a chat with .pl network admins? :-)

Oh, stop complaining about the .pl TLD -- it's the only domain I know in
which there are providers who disable accounts of malicious users, even
having sent official letters to their homes (or to their parents
:-]). I don't really think that with today's costs of internet access in
Poland (they are as high as in Japan and the highest in Europe, while
having much lower earnings here) there may be many script kiddies or
other haxors.

But that's not the point. Most of the abuse I receive information about
comes from KREONET (it's a Korean network), BORA.NET (the same) and
Brazil. I've detected one attempt from China. To be honest, I'm scared of
reporting Chinese users' abuses to their authorities -- I can't be sure
what they will do to their users.

I don't think that it's a language barrier that prevents ISPs in .kr/.br
from reacting. It may be an issue of money, their law or -- good will? I,
however, got official permission from my employer to cut off Korean and
Brazilian access to our network.

Having said that: if I can't get any response from the ISPs involved, I
don't want to be with them in one network. It's a really simple command:
# /usr/sbin/ipchains -A input -j DENY -s [tin.it.ip.address]/255.255.255.0.

DH>As for .kr / .br I think it's mainly the language barriers causing
DH>problems. Hopefully they will get clued in eventually. This is changing,
DH>slowly, for .jp and .hk thanks to the herculean efforts of some of the
DH>asia-pacific guys.

For .jp and .hk? I once reported an issue to one of the Japanese ISPs; the
reply I got looked like my mail forwarded to another system
administrator, with the line "please stop portscanning to
Poland!!" added at the top. Yeah, that's a reply too :-)

PS. Why did you want to include .pl in that list? You can mail me privately
of course :-), if Aleph doesn't want to continue this thread.

--
Michal 'CeFeK' Nazarewicz   / CAOL, DK GROUP SYSADMIN ^ NETADMIN         B
ICQ 47171266 / +48 (601) CEFEK 0 / http://www.dkgroup.pl/index.html      O
mailto:cefek at saydk dot co dot uk / MN4735-RIPE / Pengiun #164007      F
The best way to accelerate a Macintoy is 9.8 meters per second, squared. H


