RE: China Experience ?

From: YAO,TONY (HP-NewZealand,ex1) (tony_yao@hp.com)
Date: 07/24/02


From: "YAO,TONY (HP-NewZealand,ex1)" <tony_yao@hp.com>
To: "'euan'" <j46@btinternet.com>, Chris Brenton <cbrenton@altenet.com>, incidents@securityfocus.com
Date: Wed, 24 Jul 2002 09:50:14 +1000

Totally agree.

People get far more attacks from the US than from China, no matter whether these
attacks are a result of a lack of responsiveness, or from script-kiddies, or
from real malicious attackers, etc.

Based on the Internet Security Threat Report from Riptech, the US was the source
of the largest number of attacks (29.6%), while China was 7.8% (the 3rd, though)
during July-December 2001. For the period January-June 2002, the US again was
the 1st: 40.0% of the attacks were from the US, while 6.9% were from China (4th).

So other countries should block everything from US?

Tony
Security Officer
HP New Zealand

-----Original Message-----
From: euan [mailto:j46@btinternet.com]
Sent: Wednesday, 24 July 2002 9:49 a.m.
To: Chris Brenton; incidents@securityfocus.com
Subject: Re: China Experience ?

In my experience the majority of network probes I see originate from the USA
or Europe - 99% of the scans originating from .cn or .kr networks are just
automated worm-esque scanners looking for ancient vulns such as wuftp and BIND.

Is it really worth blocking an entire country because of a few
trivial-to-defend-against scans? Do you panic after receiving scans for things
like tcp 53 and 21? Perhaps you should consider changing your IDS policies if
you waste so much time investigating non-issues.

How many of these scans/"hacking" attempts actually led to a successful
compromise?

Frankly this thread, complete with 11/09 references now, smacks of xenophobia,
and that is indeed a sad thing to see appearing on the internet.

Chris Brenton wrote:

> On Tue, 2002-07-23 at 13:24, Alif The Terrible wrote:
> >
> > The issue with .cn space is a complete, TOTAL lack of responsiveness
> > to the everyday issues: spam, scanning, the skript-kiddies who spend *months*
> > at their Hax0r hobbies without being removed from the networks they inhabit,
>
> Hear, hear! As someone who used to own/run an ISP, I second this
> experience.
>
> > I formally gave up on .cn IP space late last year on all networks under
> > my direct control,
>
> For me it was on 9/11/01. At 3:00 PM EST I started seeing a
> semi-coordinated attack against one of my clients (incidents.org) that
> involved hundreds of .cn source IP addresses. After 12 hours of chasing
> IDS & log detects, my choices were:
>
> 1) ban the whole country
> 2) not go home
>
> I went with #1. ;)
>
> > as the effort (several hours a week of reports that
> > were all completely ignored) simply wasn't worth the return (the one or two
> > "real" connections a week we had with .cn space).
>
> This was my motivation as well, $$$. The choices were simple: maintain
> the ban on China or pay out of my own pocket to hire another security
> specialist to do log review. This pretty much made the choice a no
> brainer.
>
> > Network operators in China seem to have forgotten that no network is,
> > or can be, forced to carry anybody's traffic.
>
> Again, I concur. Up till recently .cn was blocked from accessing
> sans.org, incident.org, dshield.org, whitehats.ca, 3 financial
> institutions and a host of other .org and .com's under my wing. If they
> can't play nice why let them play at all.
>
> > And if I am going to carry
> > their traffic, they are going to HAVE to be responsive to my everyday
> > headaches (when those headaches live on .cn space).
>
> In my spare time I teach the Perimeter track for SANS. One thing I'm
> *very* big on with my students is banning subnets that are high
> maintenance and provide no value add. For example, if you don't do
> business with .cn's, why expose yourself to attack from this source?
> True, they can always bounce off of another IP, but this raises the
> required skill level and cuts down on much of the noise.
>
> BTW, if anyone is thinking "How do I find out what IP's are in use in
> China?", check out:
> http://www.idefense.com/Intell/CI022702.html
>
> HTH,
> C
> --
> **************************************
> cbrenton@altenet.com
>
> find / -name \*yourbase\* -exec chown us:us {} \;
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

