Security Incidents mailing list archives

Re: China Experience ?


From: Chris Brenton <cbrenton () altenet com>
Date: 24 Jul 2002 03:15:36 -0400

In the interest of saving bandwidth, I've taken the liberty of doing a
combination response to euan, Dapeng Zhu and Ken Blinco.


On Tue, 2002-07-23 at 17:49, euan wrote:
> In my experience the majority of network probes I see originate from the USA or
> Europe - 99% of the scans originating from .cn or .kr networks are just automated
> worm-esque scanners looking for ancient vulns such as wuftp and BIND

These patterns still need to be correlated however. Does the attack
match a known tool or worm? Is this the only attack ever received from
this IP? From this network? If there is a history, is the attack more
timely than the last? Is the exploit related to the actual application
(i.e. WU-FTP exploit against WU-FTP vs. Microsoft FTP), or are they
shooting in the dark? What is the OS of the source IP?

If you are not going to dig into these events, why bother logging them
in the first place? All this takes time and of course analyst time costs
money.

> Is it really worth blocking an entire country because of a few
> trivial-to-defend-against scans?

I think we are looking at this from two different schools of thought.
You seem to perceive Internet access as "Let anyone connect to you
unless they give you a serious reason to worry about them" while I come
at it from "The risk of Internet connectivity is accepted because of
business need but if that business need does not require you to provide
access from known to be hostile networks, why accept that additional
risk?". This does not make either of us right or wrong, just that our
priorities are different.

> How many of these scans/"hacking" attempts actually led to a successful
> compromise?

Again, we come at this from two different schools of thought. This
reads to me like "Don't worry about them unless they actually cause
damage" while I'm of the mindset "Don't give them the chance". If
someone is taking shots at me with a .45, I'm not going to hang out to
see if they are a good shot to have to actually worry about them. ;)


On Tue, 2002-07-23 at 18:38, Dapeng Zhu wrote:
> Have you told your clients about your decision to block all .cn
> addresses?

Yup, in fact they sign an agreement stating that they know and accept
this as well as permit me to ban other networks as well provided it does
not conflict with their business needs.

> Have you considered the possible loss of business
> opportunities caused by your action?

LOL! If I was global, that might be an issue. ;)

As for my clients, yes I did and in fact query each of them before
blocking a country. Again, it's all about business need. (BTW, anyone
else notice that Saudi Arabia seems to be running about 6-10 open
proxies?).

> I think there is a reason why you would want to carry other people's
> traffic.  That is, the traffic can make money for you or for your
> clients.

Agreed, again this is why I verify before shutting them down.

> You have to consider the trade-off between blocking .cn access
> (saves you time and money) and potential business opportunities.

While I can't speak for my clients, I know I personally can show a lot
more red ink than black from the days I permitted access from .cn and
others. Now all they do is waste a bit of disk space. ;)


On Tue, 2002-07-23 at 19:16, Ken Blinco wrote:

> We (like most people) have talked about blocking certain ranges at our
> firewall for the reasons already discussed.  My concern is that we are
> introducing a form of prejudice into the Internet.

Again, it has nothing to do with prejudice and everything to do with
business need. Personally I would *love* to ban AOL. Not because of any
kind of prejudice, but because I see a very large number of attacks
originating from there. The problem is I can't, however, as I have clients
that need to be able to communicate with that network. Thus I/we need to
accept the risk of permitting access from those networks in order to
facilitate business need. Blocking .cn however is a different story as
business need does not require exposure to those networks.

> i.e. if you come from country X then you aren't allowed in,
> regardless of whether your intentions are friendly or hostile.

I hate to sound like I'm on a soapbox, but if that's what it takes to
clean up those networks then so be it. I know if I was to subscribe to
an ISP and find that I can't access chunks of the Internet because the
ISP has been blacklisted, I'm going to take my money elsewhere. This
translates into a loss in revenue for the ISP. When the loss in revenue
exceeds the savings incurred by not reacting to security events, they
will now react because it's more cost effective and better for the
bottom line. Money talks and all of that. In a similar fashion, I would
certainly consider turning access back on if the financial model
justifies accepting the additional risk. Again, it's profit and
operational costs, not prejudice.

> If you had a physical shop, it would be pretty dodgy if you stopped
> certain people from entering the shop just because they looked like they
> came from a particular geographical area of the world (I think that's
> called racism)

Actually, I think a better analogy would be "not opening a physical shop
in an area where you are not going to do any business". For example,
making the decision to not open a shop to sell air conditioners in the
northern territories of Canada does not mean that you hate Canadians. It
simply means you do not want to accept the risk of opening a store front
in that area because the potential gains do not warrant it. Choosing to
block access from networks to which you will not derive any business
anyway is simply a business decision.

> Perhaps we should be focusing on building our server infrastructure to
> better withstand attacks rather than sheepishly blocking address
> ranges at the perimeter?

Defense in depth dude. Better to leverage every tool in your arsenal
than rely on any one solution. So yes, lock down the servers as well as
perform better logging and IDS. Perform better audits as well as pen
testing and code review. At the same time, beef up the perimeter to
filter out as much of the noise or potential hostile traffic that
business need will allow.

HTH,
Chris
-- 
************************************** 
cbrenton () altenet com

find / -name \*yourbase\* -exec chown us:us {} \; 
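As an added illustration (not part of Chris's post or any tool he mentions), the correlation questions from the reply to euan turned into a small Python triage routine: does the signature match a known worm or tool, has this source IP or its /24 been seen before, is the repeat more timely than the last, and does the exploit target the application actually running on the destination host? The inventory, signature names, alert records, scores and the one-week window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed inventory: which daemon really listens on each of our hosts
INVENTORY = {"10.0.0.5": "wu-ftpd", "10.0.0.6": "ms-ftp"}

# Constructed signature table: name -> (application it exploits, known worm/tool?)
SIGNATURES = {
    "WUFTP-SITE-EXEC": ("wu-ftpd", True),
    "BIND-TSIG-OVERFLOW": ("bind", True),
    "IIS-UNICODE-TRAVERSAL": ("iis", False),
}

# Constructed alerts: (timestamp, source IP, destination IP, signature)
ALERTS = [
    ("2002-07-20 01:00:00", "203.0.113.7", "10.0.0.6", "WUFTP-SITE-EXEC"),
    ("2002-07-22 01:00:00", "203.0.113.7", "10.0.0.5", "WUFTP-SITE-EXEC"),
    ("2002-07-23 02:00:00", "203.0.113.9", "10.0.0.5", "WUFTP-SITE-EXEC"),
    ("2002-07-23 02:05:00", "198.51.100.4", "10.0.0.5", "IIS-UNICODE-TRAVERSAL"),
]

def triage(alerts, inventory=INVENTORY, signatures=SIGNATURES, prefix=24):
    """Answer the post's correlation questions per alert; higher score = dig deeper."""
    seen_ip, seen_net, results = defaultdict(list), defaultdict(list), []
    for ts, src, dst, sig in sorted(alerts):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        net = ip_network(f"{src}/{prefix}", strict=False)
        target_app, known_worm = signatures.get(sig, (None, False))
        # Does the exploit match the application actually listening on the target?
        relevant = target_app is not None and inventory.get(dst) == target_app
        prior_ip, prior_net = seen_ip[src], seen_net[net]
        # "More timely than the last": same IP back within a week (assumed window)
        repeat_soon = bool(prior_ip) and when - prior_ip[-1] <= timedelta(days=7)
        score = 0
        score += 3 if relevant else 0
        score += 2 if repeat_soon else 0
        score += 1 if prior_net and not prior_ip else 0   # network, not IP, seen before
        score -= 1 if known_worm and not relevant else 0  # automated noise, wrong target
        results.append({"src": src, "dst": dst, "sig": sig, "relevant": relevant,
                        "repeat_soon": repeat_soon, "score": score})
        seen_ip[src].append(when)
        seen_net[net].append(when)
    return results

def worth_investigating(results, threshold=3):
    """Events that justify analyst time; the rest are logged but not chased."""
    return [r for r in results if r["score"] >= threshold]
```

On the constructed data the WU-FTP probe against the Microsoft FTP host scores as noise, while the same source returning two days later against the real wu-ftpd host, and a second host from the same /24, are the events an analyst would actually spend time on.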



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

