Re: [unisog] Re: Re: Large Attack
From: Walter G. Aiello (Walter.Aiello@Duke.edu)
Date: 03/04/02
Date: Mon, 04 Mar 2002 14:09:04 -0500
From: "Walter G. Aiello" <Walter.Aiello@Duke.edu>
To: Don Wolf <SecuredSite@hotmail.com>
Greetings, Don:
I replied to David Staggs at Vanderbilt as follows:
Yes, I agree that a well-protected and moderated site that
listed problem networks would be an excellent idea. SANS
has a list of the "Top 10 Most Wanted" that contains the 10
worst offenders in the previous 5 day period.
If a list such as that were combined into a list of sources
and ISP's that are the least responsive, and if enough of us
blocked the offenders, it might just hit their bottom line
hard enough for them to start taking some responsibility.
What would be very useful would be a list of ISP's and the IP
addresses they control. That would enable us to completely
block those ISP's without having a "dribble effect" of blocking
a subnet, only to be attacked from another of their subnets,
and so on. For example, Jordan Wiens provided a list of network
blocks owned by France Telecom (wanadoo.fr's parent company),
which has been particularly unresponsive to complaints about the
hailstorm of portscanning coming from their network. Several
posters evidently indicated that they were at least considering
blocking all traffic from those IP ranges. I added a few
subnets to his list:
Something like a "Top 10" (perhaps "Bottom Ten" would be more
appropriate) list of ISP's and their network blocks would be
extremely helpful to those of us who want to restrict access
by those ISP's.
Best regards and thank you.
Walter G. Aiello
--
Dr. Walter G. Aiello
Manager, Network and Information Services
Magnetic Resonance Research Section
Box 3808, Department of Radiology
Duke University Medical Center
Walter.Aiello@Duke.edu (919) 684 7519
Don Wolf wrote:
>
> In regards to your interest in seeing "a site to list 'dirty subnets' -
> those subnets from which we see
> repeated attacks", there is a great site in which to go. DShield has been
> doing just that for some time. Just thought I'd point it out for those who
> didn't know. This link according to DShield "shows the top 10 offenders
> according to the DShield database".
>
> http://www.dshield.org/top10.html
>
> ___________________________________
> Don J. Wolf - Security Consultant
> SANS/GIAC, MCP, CCNA, ICSA
> SecuredSite Intrusion Specialists
> www.SecuredSite.org
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
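
The "dribble effect" described in the message above, as an added example that is not part of the original post: it turns one provider's allocations into a minimal CIDR block list and compares its coverage with a single-subnet block. The addresses are constructed private and documentation ranges, not real ISP blocks, and the function names and the carve-out handling are assumptions of this example.

```python
import ipaddress

# Constructed sample data: private/documentation ranges standing in for one
# provider's allocations. These are NOT real ISP network blocks.
ALLOCATIONS = ["10.8.0.0/14", "198.51.100.0/24"]
EXCEPTIONS = ["10.9.16.0/20"]  # hypothetical carve-out to leave reachable

def build_blocklist(allocations, exceptions=()):
    """Return the minimal CIDR list covering allocations minus exceptions."""
    nets = [ipaddress.ip_network(a) for a in allocations]
    for exc in (ipaddress.ip_network(e) for e in exceptions):
        remaining = []
        for net in nets:
            if net.subnet_of(exc):
                continue                      # whole block is exempted
            if exc.subnet_of(net):
                # Split the block into the pieces that surround the carve-out.
                remaining.extend(net.address_exclude(exc))
            else:
                remaining.append(net)         # carve-out does not touch it
        nets = remaining
    # Merge adjacent or overlapping entries so the filter stays short.
    return list(ipaddress.collapse_addresses(nets))

def uncovered(sources, blocklist):
    """Return the source IPs that no entry in the block list matches."""
    return [s for s in sources
            if not any(ipaddress.ip_address(s) in net for net in blocklist)]

if __name__ == "__main__":
    # Constructed scan sources: the first triggered a per-subnet block,
    # the others arrived later from different subnets of the same provider.
    sources = ["10.8.3.7", "10.10.200.9", "198.51.100.77"]
    per_subnet = [ipaddress.ip_network("10.8.3.0/24")]
    provider = build_blocklist(ALLOCATIONS, EXCEPTIONS)

    print("still reaching us with per-subnet block:", uncovered(sources, per_subnet))
    print("still reaching us with provider block:  ", uncovered(sources, provider))
    for net in provider:
        print("deny", net)
```
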