Re: China Experience ?

From: euan (j46@btinternet.com)
Date: 07/24/02


Date: Wed, 24 Jul 2002 00:10:50 +0000
From: euan <j46@btinternet.com>
To: techs@obfuscation.org, incidents@securityfocus.com

The fact is, criminally negligent admins who allow their machines to be hacked
and used are not solely limited to the .cn domain. This is an issue which applies
to everyone. I am not oversimplifying the issue. If you can't defend against the
type of scans which you are getting, then perhaps you should be looking for a new job.

Otherwise, you shouldn't waste your time chasing up every SYN that comes into
your network. Personally I would say a bigger threat is presented by the
thousands (millions?) of insecure machines sitting on broadband and educational
networks in the US and Europe being constantly scanned and set up as DoS clients.

You cannot say that chinanet is a "menace to the entire internet". This is just
unfairly tarring a whole country with the same brush, and coming from an American,
verges on hypocrisy and xenophobia. The facts contradict your point of view.

If your machines are secure, and you notice some scans which you know are not
a severe threat, then why bother wasting time and effort trying to report
the perpetrator? Chances are they are using disposable dialup accounts in someone
else's name, and all you do is waste your time and that of the admins at the other
end, only for the guy to move to another network/ISP and continue.

A machine advertising itself by scanning like that surely won't have a long
lifespan anyway. If you really care so badly, why not take the vigilante role
and break in and rm it?

My attitude is one of sensible packet filtering, sensible levels of logging,
realistic assessment of threat levels, and ultimately, if they don't break in,
then _I don't care_.

If you are running any sort of public service like a webserver etc, it's better to
ignore a few harmless portscans and allow global access, than to potentially
prevent people using your service due to a lack of ability to assess and deal with
threats realistically.

If your network is secured properly, then you have nothing to worry about, and
reporting every person who scans you essentially reduces you to the level of a
busybody.

Erik Fichtner wrote:

> On Tue, Jul 23, 2002 at 09:49:13PM +0000, euan wrote:
> > Is it really worth blocking an entire country because of a few
> > trivial-to-defend-against scans? Do you panic after receiving scans for
> > things like tcp 53 and 21?
>
> You're oversimplifying the issue. Sure, having yet another .cn machine
> infected with l10n and trying to scan you for portmapper shouldn't be much
> of a big deal to *YOU SPECIFICALLY*. You're patched against that sort of
> thing, right?
>
> But... that machine isn't. That machine is probably vulnerable to a good
> 20 or more well known simple exploits, as well as the unknown ones that
> have been found by True Attackers ....
>
> .... and it's announcing that fact to the entire friggin world.
>
> Which significantly lowers the bar for attackers to find systems with which
> to launder their connections and launch attacks against something, anything,
> that might *actually matter*.
>
> Chinanet (and every other ISP in the world that does not deal with network
> abuse issues) are a MENACE to THE ENTIRE INTERNET. You may not lose
> because of .cn's apathy, but someone will.
>
> If everyone reading this went out, right now, and found ONE MACHINE in their
> logs that is scanning them with some stupid worm infection that's been around
> for a year or more, and went through the trouble to hassle the hell out of
> the remote ISP until that machine ACTUALLY GOT DEALT WITH, the net would be
> a better place for all of us. (well, except maybe those poor sobs that can't
> be bothered to secure their hosts in the slightest that might actually have to
> put in a half hour's worth of work to get their ISP to let them pass packets
> again.)
>
> ...but since that's not about to happen, I guess I might as well just keep
> collecting stats on ISPs that don't care about what the hosts in their
> netblocks are up to, and filter them out.
>
> --
> Erik Fichtner; Unix Ronin
> http://www.obfuscation.org/techs/
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
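Both posters above agree on one thing: not every SYN in the firewall log deserves the same response. euan wants "sensible levels of logging" and a "realistic assessment of threat levels"; Erik wants people to find the one machine in their logs that is sweeping them with a year-old worm (he names l10n probing portmapper, tcp/111) and push its ISP until it is dealt with. The script below is an added example for this archive page, not code posted by either author. It triages constructed netfilter-style SYN log lines per source address into three buckets: a single worm-associated port swept across several of our hosts (report), many distinct ports on one host (watch), or a couple of probes for common services like tcp 53 and 21 (ignore), and drafts the evidence excerpt an abuse desk would need. The log format, the thresholds, the sample addresses and the WORM_PORTS table are assumptions for illustration; only tcp/111 comes from the thread.

```python
"""Triage firewall SYN logs: separate background-noise probes from hosts that
look worm-infected and are worth an abuse report.  Added example for this
thread; log format, thresholds and sample lines are constructed."""
import re
from collections import defaultdict

# Assumed netfilter-style syslog format (constructed, not from the thread).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: .*?SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

# Ports whose SYN sweeps are typical of self-propagating worms of the era.
# tcp/111 (portmapper, the l10n scans the thread mentions) is the only entry
# the thread supports; extend this table from your own incident data.
WORM_PORTS = {111: "portmapper"}

# Constructed sample log: one portmapper sweep across three of our hosts,
# two harmless service probes, and one deliberate multi-port scan.
SAMPLE_LOG = """\
Jul 23 21:40:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=3241 DPT=111 SYN
Jul 23 21:40:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.3 PROTO=TCP SPT=3242 DPT=111 SYN
Jul 23 21:40:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.4 PROTO=TCP SPT=3243 DPT=111 SYN
Jul 23 21:41:10 gw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=53 SYN
Jul 23 21:41:11 gw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=21 SYN
Jul 23 21:42:00 gw kernel: IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.2 PROTO=TCP SPT=5000 DPT=22 SYN
Jul 23 21:42:00 gw kernel: IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.2 PROTO=TCP SPT=5001 DPT=25 SYN
Jul 23 21:42:01 gw kernel: IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.2 PROTO=TCP SPT=5002 DPT=80 SYN
Jul 23 21:42:01 gw kernel: IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.2 PROTO=TCP SPT=5003 DPT=443 SYN
Jul 23 21:42:02 gw kernel: IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.2 PROTO=TCP SPT=5004 DPT=3306 SYN
Jul 23 21:42:02 gw kernel: IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.2 PROTO=TCP SPT=5005 DPT=8080 SYN
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dpt"] = int(ev["dpt"])
    return ev


def summarize(log_text):
    """Group parsed events by source address, unparseable lines dropped."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    return by_src


def triage(by_src, sweep_hosts=2, scan_ports=5):
    """Classify each source.  Verdicts:
      report - one worm-associated port swept across >= sweep_hosts of our
               hosts: the source is advertising an infection, worth reporting.
      watch  - >= scan_ports distinct ports: a deliberate scan; log it, but it
               is not evidence that the scanner itself is compromised.
      ignore - a handful of probes for common services: background noise.
    """
    verdicts = {}
    for src, events in by_src.items():
        ports = {e["dpt"] for e in events}
        hosts = {e["dst"] for e in events}
        worm_hits = [e for e in events if e["dpt"] in WORM_PORTS]
        if worm_hits and len({e["dst"] for e in worm_hits}) >= sweep_hosts:
            port = worm_hits[0]["dpt"]
            why = f"sweep of tcp/{port} ({WORM_PORTS[port]}) across {len(hosts)} hosts"
            verdicts[src] = ("report", why)
        elif len(ports) >= scan_ports:
            verdicts[src] = ("watch", f"{len(ports)} distinct ports on {len(hosts)} host(s)")
        else:
            verdicts[src] = ("ignore", f"{len(events)} probe(s) on ports {sorted(ports)}")
    return verdicts


def draft_report(src, events):
    """Evidence excerpt for the remote ISP's abuse desk: timestamps (we assume
    the log is in UTC), our targets and the port, one line per SYN."""
    lines = [f"Host {src} is scanning our network; log excerpt (timestamps UTC):"]
    for e in events:
        lines.append(f"  {e['ts']}  {src} -> {e['dst']} tcp/{e['dpt']} SYN")
    lines.append("Please check the host for compromise; this pattern is worm-typical.")
    return "\n".join(lines)


if __name__ == "__main__":
    by_src = summarize(SAMPLE_LOG)
    verdicts = triage(by_src)
    for src, (verdict, why) in verdicts.items():
        print(f"{verdict:7} {src:15} {why}")
    for src, (verdict, _) in verdicts.items():
        if verdict == "report":
            print()
            print(draft_report(src, by_src[src]))
```

The thresholds are the policy knob: raise sweep_hosts if you have a large address range and want to see only hosts sweeping it wholesale, lower scan_ports if you log less. Nothing here blocks traffic; it only decides which sources are worth the ten minutes of someone else's time that an abuse report costs.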