The fact is, criminally negligent admins who allow their machines to be hacked and used are not solely limited to the .cn domain. This is an issue which applies to everyone. I am not oversimplifying the issue. If you can't defend against the type of scans which you are getting, then perhaps you should be looking for a new job. Otherwise, you shouldn't waste your time chasing up every SYN that comes into your network.

Personally I would say a bigger threat is presented by the thousands (millions?) of insecure machines sitting on broadband and educational networks in the US and Europe being constantly scanned and set up as DoS clients.

You cannot say that Chinanet is a "menace to the entire internet". This is just unfairly tarring a whole country with the same brush, and coming from an American, verges on hypocrisy and xenophobia. The facts contradict your point of view.

If your machines are secure, and you notice some scans which you know are not a severe threat, then why bother wasting time and effort trying to report the perpetrator? Chances are they are using disposable dialup accounts in someone else's name, and all you do is waste your time and that of the admins at the other end, only for the guy to move to another network/ISP and continue. A machine advertising itself by scanning like that surely won't have a long lifespan anyway. If you really care so badly, why not take the vigilante role and break in and rm it?

My attitude is one of sensible packet filtering, sensible levels of logging, realistic assessment of threat levels, and ultimately, if they don't break in, then _I don't care_. If you are running any sort of public service like a webserver etc., it's better to ignore a few harmless portscans and allow global access than to potentially prevent people using your service due to a lack of ability to assess and deal with threats realistically.
If your network is secured properly, then you have nothing to worry about, and reporting every person who scans you essentially reduces you to the level of a busybody.

Erik Fichtner wrote:

> On Tue, Jul 23, 2002 at 09:49:13PM +0000, euan wrote:
> > Is it really worth blocking an entire country because of a few
> > trivial-to-defend-against scans? Do you panic after receiving scans for
> > things like tcp 53 and 21?
>
> You're oversimplifying the issue. Sure, having yet another .cn machine
> infected with l10n and trying to scan you for portmapper shouldn't be much
> of a big deal to *YOU SPECIFICALLY*. You're patched against that sort of
> thing, right?
>
> But... that machine isn't. That machine is probably vulnerable to a good
> 20 or more well known simple exploits, as well as the unknown ones that
> have been found by True Attackers ....
>
> .... and it's announcing that fact to the entire friggin world.
>
> Which significantly lowers the bar for attackers to find systems with which
> to launder their connections and launch attacks against something, anything,
> that might *actually matter*.
>
> Chinanet (and every other ISP in the world that does not deal with network
> abuse issues) are a MENACE to THE ENTIRE INTERNET. You may not lose
> because of .cn's apathy, but someone will.
>
> If everyone reading this went out, right now, and found ONE MACHINE in their
> logs that is scanning them with some stupid worm infection that's been around
> for a year or more, and went through the trouble to hassle the hell out of
> the remote ISP until that machine ACTUALLY GOT DEALT WITH, the net would be
> a better place for all of us. (well, except maybe those poor sobs that can't
> be bothered to secure their hosts in the slightest that might actually have to
> put in a half hour's worth of work to get their ISP to let them pass packets
> again.)
>
> ...but since that's not about to happen, I guess I might as well just keep
> collecting stats on ISPs that don't care about what the hosts in their
> netblocks are up to, and filter them out.
>
> --
> Erik Fichtner; Unix Ronin
> http://www.obfuscation.org/techs/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jul 24 2002 - 08:52:45 PDT