RE: [fw-wiz] Under attack

From: Guy Hadsall (
Date: 07/25/02

From: "Guy Hadsall" <>
Date: Thu Jul 25 11:16:02 2002


You are doing the right things, and blocking their IP blocks from your
border router is the next thing I too would recommend.

On the topic of "who do I report them to?" you can start with the Hong
Kong CERT team. Unfortunately is not a member of the F.I.R.S.T. (Forum
for Incident Response Security Teams) organization. Hong Kong does not
have an official CERT listed with FIRST. Several of their neighbors are
though, so maybe if you fire off a question to the Japan or Taiwan CERT
teams they can help point you in the right direction.

You can find them by checking out, or eMailing, the website Last time I checked they, as well as their neighbors,
were active members of this international CERT organization. Fire off a
note to the FIRST team coordinator too, maybe they can help too.

On the topic of an international CERT they've been attempted and
fortunately have not yet taken hold. The WIPO folks tried the other
year, and the UN has eyes for such a team too. Fear it for regulations
sake... Internet liberty is to be guarded and not easily given away.


-----Original Message-----
From: R. DuFresne []
Sent: Thursday, July 25, 2002 7:20 AM
To: Allan Tagliaferro
Cc: ''
Subject: Re: [fw-wiz] Under attack

On Thu, 25 Jul 2002, Allan Tagliaferro wrote:

> Hi all,
> We are using Raptor 6.5 on a NT box, at present we are getting a lot
> inbound attempts being made by a Hong Kong ISP, I have sent several
> notifying them of this but no changes have occurred, the connections
> unauthorized by gwcontrol so they fail. I've tried several times to
> rules using a subnet of the IP range that this ISP uses but for some
> the rules are not stopping the attempts rather it just fails due it
> unauthorized. I'm happy they are not getting through but am I feel
like I've
> lost control.

It sounds like you have stopped them, though, you seem to be getting
annoying log messages about the attempts. You could just block the IP
block of the offending ISP at your border or screening router. This
from having the annoying log messages from hitting you with alerts and

> Can anyone please let me know how to successfully block an IP range
> entering our network. Also I would keen to know if there is an
> that can be contacted to inform of these attempts ( a governing body
> sorts).

Tis a shame there is no such thing, yet, it would be hard to put some
universal/international organization together that all other nations
be forced to comply with, afterall, we don't even have the ability for
nations to agree to or deal with extradition in a coherent manner
all borders. It's even more confounding when one understands that there
are no standards enforced on the net about how ISP's and different
connected organisations and companies should handle abuse complaints.
Well there is a standard, but, like many, it's not followed by all and
certainly there is not governing body to enforce it. But, we try to
contact and/or <replacing with the domain in question>. You can get the info you
on the offenders in question by querying the specific domain servers for
the regoin you are being hit by. And, rather then point you at each one
of those regional domain servers, we'll point you at two sites that will
query the proper one for you via nslookup queries:


Understand, even if the ISP of the offender has an abuse or security
address taking complaints, there's nothing to ensure that anyone will
action on your complaints. But, it's better to try then to do nothing,
this is changing muchly in recent years. Also be aware that many sites
get tons of these replies, and so, you might get nothing back but a
reply, if anything. As a last resort, if you speak the language of the
others on the offending ISP site, you might try placing a call to tech
folks, or additionally contacting their upstream provider<s>

Thanks, good luck,

Ron DuFresne

        admin & senior security consultant:
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart
testing, only testing, and damn good at it too!
firewall-wizards mailing list

Relevant Pages

  • Re: Publishing server through IP
    ... Out of the box the routers will route them if they have a route table entry ... The ISP actually has to go out of their way to configure their ... money you spent on the Cert is wasted and you have to buy a new Cert. ...
  • Re: Changing internet static IP
    ... If the cert was issued to an IP the CEICW should be run again and a new cert ... and not using a router (ie. ISA direct to ISP, change ISP, get new IP, some ... router between SBS and the internet connection, ... This is one of the major bonuses to a two nic SBS configuration - the IP ...
  • Re: Ping John
    ... Since your ISP is slow as molasses need a favor. ... I don't know what the source is of the border, ... Sunflower Kitchen Accessories - Home ... (IIRC with the CSS thingy it will look like: ...
  • Re: RWW question
    ... Created new cert using IP address and same error. ... I did try another PC with a different modem and a different ISp and it ... I then tried the same ISP on my regular PC and it didn't. ... >>I'm using that to TS to the server for now but I'd like to get RWW ...
  • Re: Cant finish internet connection wizard
    ... For cert, the fixed ip given by our isp and for mail domian, our ... company domain which is hosted on an external webhost. ... Did you add the ISP ... what did you use for the cert and what did you use ...