Re: Another source other than KRNIC?
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 11/10/05
- Next message: Moe Trin: "Re: Another source other than KRNIC?"
- Previous message: Pat: "Re: Fortigate 3.0"
- In reply to: JC: "Re: Another source other than KRNIC?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 10 Nov 2005 14:13:18 -0600
In the Usenet newsgroup comp.security.firewalls, in article
<bu46n1doj3iac1vcsbd16mdhso8o0le43e@4ax.com>, JC wrote:
> (Moe Trin) wrote:
>> Have you tried asking Pubnet? (Yeah, I know, but I'm trying to be
>> politically correct.)
> Good idea. I have sent them an email and await their response.
I'm not sure how much good it would do, as some people are 'sensitive'
to criticism - constructive or otherwise - from "outsiders".
>> The APNIC delegation files don't even agree with the results of a
>> whois query.
> One hopes that this is organised correctly but I do have my doubts.
You're not alone. I've seen inconsistencies between the RIR zonefiles
and queries quite often. Usually it doesn't matter, but occasionally
it takes mail to a contact address to straighten things out.
> The WHOIS service only appears to give the option of entering an IP
> address. APNIC and RIPE both have the -L flag which gives the parent
> details but this doesn't seem to be an option with KRNIC.
You can often ask with different queries - an example being ARIN querying
by Organization Code, etc. I haven't tried this at KRNIC (or any NIR/LIR).
> Is there a site on the net from which I can download a copy of the assignments
You can get the zone files from the FTP servers at the five RIRs
> I need ISP name, IP address range and abuse email address for each range?
but the zone files don't list that.
> I looked on the APNIC site but couldn't find such a list.
My _guess_ is that the information exists at the RIR (or more likely at
the NIR or LIR level), but is incomplete (for example, abuse addresses
are rarely available - try whois.abuse.net instead), or not public.
> What I am trying to do is cut down, and keep cut down, the number of net
> abuse attempts on my IP address.
If you are talking about receipt of spam (your original post), there are
a large number of blocklists available, as well as simple techniques such
as refusing mail _connections_ to hosts with DNS problems (A != PTR,
missing PTR, "generic names" that don't reflect a mail function), false
or misleading 'EHLO/HELO' names, and so on.
If you are talking about windoze messenger spam, unless you can have your
upstream block UDP to ports 1025 - 1035 (or so), the only solution is to
drop UDP to those ports. Over a seven day period a week ago, as a test
I logged the UDP spam headers - much of it from CNCGROUP Heilongjiang
Province Network. This was averaging 1000 messages a day, or about 450K
of wasted bandwidth per day. Nearly all of the crap was fake windoze
error messages indicating a configuration problem (seeing them _would_
indicate this), and directing the victim to some wanker's web site
(usually hosted at hosting services well known for supporting spammers,
in FL.us, WA.us, TX.us, or CA.us). The domain names in the spams were
freshly registered (often less than 36 hours old), probably to avoid
name recognition blocking. (What I'd love to be able to do is block
based on the domain registrar who registered the domains - some of them
seem to covet spammer business.)
Two of the three ISPs I use from home block the standard windoze "Hello
Sailor" ports, but the third shows the usual noise of people looking for
windoze shares, etc. This should be silently dropped at all routers.
A more annoying problem for me is the constant probing for open SMTP
servers, and any SSH servers (ports 25 and 22 respectively). This appears
to be zombies - and they are usually coming from home (cable/DSL) networks
around the world. If you are listed as an MX box - restricting access
as above is best. If not an MX box, or if only expecting mail from
defined areas, restricting access by IP address blocks (this also
applies emphatically to port 22) is very helpful.
> It is now running at around 100 per day which is well down from the 800
> - 1,000 it was when I first started sending reports, in the form of
> firewall log extracts, back to the ISPs listing the attempts.
I don't admin the corporate firewalls (heck, I don't even have access),
but at home, it's a block and ignore situation. Occasionally, I'll turn on
logging to see what's out there, but the firewall is working, so who cares.
I know the policy at work is similar.
Old guy
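The connection-time checks Moe Trin lists above (refusing mail from hosts with no PTR, with A != PTR, with "generic" access-network names, or with a bogus HELO/EHLO) as an added worked example; this is not code from the post or from any MTA, and it uses a constructed in-memory DNS table (documentation addresses, made-up hostnames) so it runs offline. The HELO test that requires the HELO name to resolve to the connecting client is a stricter heuristic than most MTAs apply by default and is labelled as such in the code.

```python
import ipaddress
import re

# Constructed stand-in for DNS so the example runs offline. The addresses are
# from the documentation ranges (192.0.2.0/24, 198.51.100.0/24) and the names
# are made up; a real implementation would do PTR and A lookups here.
PTR_RECORDS = {
    "192.0.2.10": "mail.example.net",
    "192.0.2.20": "host-192-0-2-20.dsl.example-isp.net",  # "generic" name
    "192.0.2.30": "mx.example.org",  # PTR exists, but the name points elsewhere
    # 192.0.2.40 deliberately has no PTR record
}
A_RECORDS = {
    "mail.example.net": {"192.0.2.10"},
    "host-192-0-2-20.dsl.example-isp.net": {"192.0.2.20"},
    "mx.example.org": {"198.51.100.5"},
    "smtp.example.com": {"192.0.2.10"},
}

# Words that usually mark an access-network pool rather than a mail server.
GENERIC_NAME_RE = re.compile(r"(dsl|ppp|dyn|dhcp|cable|pool|dialup)", re.I)


def is_generic_name(hostname, ip):
    """True if the name looks auto-generated: access-network keywords, or
    three or more of the client's own octets embedded in the name."""
    octets = ip.split(".")
    digit_runs = re.split(r"[^0-9]+", hostname)
    if sum(1 for o in octets if o in digit_runs) >= 3:
        return True
    return bool(GENERIC_NAME_RE.search(hostname))


def is_bogus_helo(helo, ip):
    """HELO/EHLO names that no legitimate mail host would send."""
    h = helo.strip().lower()
    if h in ("", "localhost") or "." not in h:
        return True
    # A bracketed address literal is allowed, but only for the client's own IP.
    if h.startswith("[") and h.endswith("]"):
        return h[1:-1] != ip
    try:
        ipaddress.ip_address(h)  # bare IP without brackets is not a valid HELO
        return True
    except ValueError:
        return False


def check_smtp_client(ip, helo, ptr=PTR_RECORDS, a=A_RECORDS):
    """Return the list of reasons to refuse the connection (empty = accept)."""
    reasons = []
    name = ptr.get(ip)
    if name is None:
        reasons.append("missing PTR")
    else:
        if ip not in a.get(name, set()):
            reasons.append("A != PTR")  # forward lookup does not confirm PTR
        if is_generic_name(name, ip):
            reasons.append("generic name")
    h = helo.strip().lower()
    if is_bogus_helo(helo, ip):
        reasons.append("bogus HELO")
    # Stricter heuristic (assumption, not RFC-mandated): the HELO name must
    # resolve to the client that is using it.
    elif not h.startswith("[") and ip not in a.get(h, set()):
        reasons.append("HELO name does not resolve to client")
    return reasons


def decide(ip, helo):
    """Policy wrapper: refuse the connection if any check fails."""
    return "reject" if check_smtp_client(ip, helo) else "accept"


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mail.example.net"),
                     ("192.0.2.20", "host-192-0-2-20.dsl.example-isp.net"),
                     ("192.0.2.30", "mx.example.org"),
                     ("192.0.2.40", "localhost")]:
        print(ip, helo, decide(ip, helo), check_smtp_client(ip, helo))
```

Run as-is, it prints a verdict and the reasons for each of the four constructed clients; swapping the two dictionaries for real resolver calls is the only change needed to use it at connection time.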