Re: Attack attempts from 195.86.128.45

[Rune Kristian Viken <arcade () kvinesdal com>]

Onsdag 7. mai 2003 19:05 skreiv abuse () abuse wirehub net:

> Certainly not. It's as finely tuned as it can be. Finding open
> proxies without portscans is impossible nowadays. Open proxies have
> been found on close to 7,000 different ports ranging from 21 to
> 65531. We do stop scanning when an open proxy port has been found
> (we use 10,000 port increments, looking for a result after every
> increment), but a full scan will be done before the IP is declared
> 'clean' and then excluded for 3 months. If the full test cannot be
> done, a weekly retest may occur (depending on whether there's a
> trigger to start the test).
>
> http://groups.google.com/groups?q=group:*abuse*+insubject:Additions/Delet
> ions&hl=en&lr=&ie=UTF-8&scoring=d&selm=Pine.WNT.4.53.0305070802250.-228138
> 505%40groaarrr.bengrimm.net&rnum=1
>
> Sorry if this bothers people, but we all know how much damage open
> proxies cause, and looking at stats of our own
> (http://basic.wirehub.nl/spamstats.html) and reports from countless
> ISPs using proxies.blackholes.wirehub.net, we say there's no gain
> without some pain. The fact that we found 140,000 open proxies (and
> we're still adding 1000-3000 every single day with no indication
> that that number will decrease anytime soon) in just a few months
> should prove that point.

This, quite frankly, is blatant abuse of other people's bandwidth.  If I 
read your post correctly, you're scanning _all ports_, 10.000 ports at a 
time.  60 bytes goes to the SYN, 60 bytes to the SYN/ACK, 52 more bytes to 
the ACK.  Then the actual data needed to be sent to determine wheter it is 
a socksproxy, wingate or whatever ... I'll guesstimate at least 100bytes 
more in each direction, plus the FIN/ACK packets, which means another 52 
bytes in each direction.  This means something in the range of 260bytes 
incoming per port.  260 * 10.000 = 260.000 bytes per 'increment' of your 
scan, per IP.

Now, I used to have a 33k6bps always-on connection, with a /27 IP-range.  
This means your abusive scanning would waste 32*260.000 = 8.3MB for every 
'increment' of your scan.  If I still had that 33k6 connection, I would get 
3.5kb/s incoming ..  amounting to you wasting 40 minutes of my total 
bandwidth for every increment of your self-rightous scanning.

This pain is not acceptable.

Your scanning is quite frankly worse than most spammers - for a lot of 
people.  The argument for running blocklist is that spammers waste 
bandwidth.  You waste FAR more bandwidth for a lot of people.  This is a 
thypical example of the 'cure' *killing* the patient instead of helping.

-- 
Rune Kristian Viken


----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies 
that are enforced to protect WLANs from known vulnerabilities and threats. 
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:    
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------