Re: Re: China Experience ?

From: Chris Brenton (cbrentonat_private)
Date: Tue Jul 23 2002 - 13:36:16 PDT


    On Tue, 2002-07-23 at 13:24, Alif The Terrible wrote:
    > 
    > 	The issue with .cn space is a complete, TOTAL lack of responsiveness
    > to the everyday issues: spam, scanning, the skript-kiddies who spend *months*
    > at their Hax0r hobbies without being removed from the networks they inhabit,
    
    Hear, hear! As someone who used to own/run an ISP, I second this
    experience.
    
    > I formally gave up on .cn IP space late last year on all networks under
    > my direct control,
    
    For me it was on 9/11/01. At 3:00 PM EST I started seeing a
    semi-coordinated attack against one of my clients (incidents.org) that
    involved hundreds of .cn source IP addresses. After 12 hours of chasing
    IDS & log detects, my choices were:
    
    1) ban the whole country 
    2) not go home 
    
    I went with #1. ;)
    
    > as the effort (several hours a week of reports that
    > were all completely ignored) simply wasn't worth the return (the one or two
    > "real" connections a week we had with .cn space).
    
    This was my motivation as well, $$$. The choices were simple: maintain
    the ban on China or pay out of my own pocket to hire another security
    specialist to do log review. This pretty much made the choice a
    no-brainer.
    
    > 	Network operators in China seem to have forgotten that no network is,
    > or can be, forced to carry anybody's traffic. 
    
    Again, I concur. Up till recently .cn was blocked from accessing
    sans.org, incident.org, dshield.org, whitehats.ca, 3 financial
    institutions and a host of other .org and .com's under my wing. If they
    can't play nice, why let them play at all?
    
    > And if I am going to carry
    > their traffic, their are going to HAVE to be responsive to my everyday
    > headaches (when those headaches live on .cn space).
    
    In my spare time I teach the Perimeter track for SANS. One thing I'm
    *very* big on with my students is banning subnets that are high
    maintenance and provide no value add. For example, if you don't do
    business with .cn's, why expose yourself to attack from this source?
    True, they can always bounce off of another IP, but this raises the
    required skill level and cuts down on much of the noise.
    
    BTW, if anyone is thinking "How do I find out what IPs are in use in
    China?", check out:
    http://www.idefense.com/Intell/CI022702.html
    
    HTH,
    C
    -- 
    ************************************** 
    cbrentonat_private
    
    find / -name \*yourbase\* -exec chown us:us {} \; 
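The netblock ban described above, as an added example that is not code from the post, from SANS or from any list referenced in it: a deny list of CIDR prefixes with an explicit allow list for the few legitimate peers, checked against sample log lines and rendered as iptables rules. The prefixes, allow entry and log lines are all constructed placeholders (RFC 5737 documentation space), not a real allocation.

```python
import ipaddress
import re
from collections import Counter

# Placeholder prefixes (RFC 5737 documentation space) standing in for a
# registry-derived country allocation; not a real list.
DENY_BLOCKS = ["203.0.113.0/24", "198.51.100.0/25"]
# The few peers you still do business with; these override the deny list.
ALLOW_BLOCKS = ["198.51.100.7/32"]

# Constructed netfilter-style log lines used as sample input.
SAMPLE_LOG = """\
Sep 11 15:00:01 fw kernel: IN=eth0 SRC=203.0.113.45 DPT=80
Sep 11 15:00:02 fw kernel: IN=eth0 SRC=198.51.100.7 DPT=25
Sep 11 15:00:03 fw kernel: IN=eth0 SRC=192.0.2.10 DPT=443
Sep 11 15:00:04 fw kernel: IN=eth0 SRC=203.0.113.200 DPT=22
Sep 11 15:00:05 fw kernel: IN=eth0 SRC=198.51.100.100 DPT=22
Sep 11 15:00:06 fw kernel: IN=eth0 SRC=198.51.100.130 DPT=22
"""

def parse_blocks(cidrs):
    """Turn CIDR strings into network objects; strict=True rejects host bits."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def decide(src, deny, allow):
    """Return 'allow' or 'deny' for one source address; the allow list wins."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in allow):
        return "allow"
    if any(addr in net for net in deny):
        return "deny"
    return "allow"

SRC_RE = re.compile(r"SRC=(\S+)")

def triage(log_text, deny, allow):
    """Count, per verdict, how many log lines the policy would have dropped."""
    verdicts = Counter()
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if m:
            verdicts[decide(m.group(1), deny, allow)] += 1
    return verdicts

def render_iptables(deny, allow, chain="INPUT"):
    """Emit rules; ACCEPT exceptions precede the DROPs so they match first."""
    rules = [f"iptables -A {chain} -s {n} -j ACCEPT" for n in allow]
    rules += [f"iptables -A {chain} -s {n} -j DROP" for n in deny]
    return rules
```

The 198.51.100.100 / 198.51.100.130 pair shows the /25 boundary: only the lower half of that /24 is banned, so an off-by-one in the prefix length silently widens or narrows the ban.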
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Jul 23 2002 - 15:00:49 PDT