In the interest of saving bandwidth, I've taken the liberty of doing a combination response to euan, Dapeng Zhu and Ken Blinco.

On Tue, 2002-07-23 at 17:49, euan wrote:
> In my experience the majority of network probes I see originate from the USA or
> Europe - 99% of the scans originating from .cn or .kr networks are just automated
> worm-esque scanners looking for ancient vulns such as wuftp and BIND

These patterns still need to be correlated however. Does the attack match a known tool or worm? Is this the only attack ever received from this IP? From this network? If there is a history, is the attack more timely than the last? Is the exploit related to the actual application (i.e. WU-FTP exploit against WU-FTP vs. Microsoft FTP), or are they shooting in the dark? What is the OS of the source IP? If you are not going to dig into these events, why bother logging them in the first place? All this takes time and of course analyst time costs money.

> Is it really worth blocking an entire country because of a few
> trivial-to-defend-against scans?

I think we are looking at this from two different schools of thought. You seem to perceive Internet access as "Let anyone connect to you unless they give you a serious reason to worry about them" while I come at it from "The risk of Internet connectivity is accepted because of business need, but if that business need does not require you to provide access from known-to-be-hostile networks, why accept that additional risk?". This does not make either of us right or wrong, just that our priorities are different.

> How many of these scans/"hacking" attempts actually led to a successful
> compromise?

Again, we come at this from two different schools of thought. This reads to me like "Don't worry about them unless they actually cause damage" while I'm of the mindset "Don't give them the chance". If someone is taking shots at me with a .45, I'm not going to hang out to see if they are a good shot to have to actually worry about them. ;)

On Tue, 2002-07-23 at 18:38, Dapeng Zhu wrote:
> Have you told your clients about your decision to block all .cn
> addresses?

Yup, in fact they sign an agreement stating that they know and accept this, as well as permit me to ban other networks provided it does not conflict with their business needs.

> Have you considered the possible loss of business
> opportunities caused by your action?

LOL! If I was global, that might be an issue. ;) As for my clients, yes I did, and in fact I query each of them before blocking a country. Again, it's all about business need. (BTW, anyone else notice that Saudi Arabia seems to be running about 6-10 open proxies?)

> I think there is a reason why you would want to carry other people's
> traffic. That is, the traffic can make money for you or for your
> clients.

Agreed, again this is why I verify before shutting them down.

> You have to consider the trade-off between blocking .cn access
> (saves you time and money) and potential business opportunities.

While I can't speak for my clients, I know I personally can show a lot more red ink than black from the days I permitted access from .cn and others. Now all they do is waste a bit of disk space. ;)

On Tue, 2002-07-23 at 19:16, Ken Blinco wrote:
> We (like most people) have talked about blocking certain ranges at our
> firewall for the reasons already discussed. My concern is that we are
> introducing a form of prejudice into the Internet.

Again, it has nothing to do with prejudice and everything to do with business need. Personally I would *love* to ban AOL. Not because of any kind of prejudice, but because I see a very large number of attacks originating from there. The problem is I can't, however, as I have clients that need to be able to communicate with that network. Thus I/we need to accept the risk of permitting access from those networks in order to facilitate business need. Blocking .cn however is a different story, as business need does not require exposure to those networks.

> i.e. if you come from country X then you aren't allowed in,
> regardless of whether your intentions are friendly or hostile.

I hate to sound like I'm on a soapbox, but if that's what it takes to clean up those networks then so be it. I know if I was to subscribe to an ISP and find that I can't access chunks of the Internet because the ISP has been blacklisted, I'm going to take my money elsewhere. This translates into a loss in revenue for the ISP. When the loss in revenue exceeds the savings incurred by not reacting to security events, they will now react because it's more cost effective and better for the bottom line. Money talks and all of that. In a similar fashion, I would certainly consider turning access back on if the financial model justifies accepting the additional risk. Again, it's profit and operational costs, not prejudice.

> If you had a physical shop, it would be pretty dodgy if you stopped
> certain people from entering the shop just because they looked like
> they came from a particular geographical area of the world (I think
> that's called racism)

Actually, I think a better analogy would be "not opening a physical shop in an area where you are not going to do any business". For example, making the decision to not open a shop to sell air conditioners in the northern territories of Canada does not mean that you hate Canadians. It simply means you do not want to accept the risk of opening a store front in that area because the potential gains do not warrant it. Choosing to block access from networks from which you will not derive any business anyway is simply a business decision.

> Perhaps we should be focusing on building our server infrastructure to
> better withstand attacks rather than sheepishly blocking address
> ranges at the perimeter?

Defense in depth, dude. Better to leverage every tool in your arsenal than rely on any one solution. So yes, lock down the servers as well as perform better logging and IDS. Perform better audits as well as pen testing and code review. At the same time, beef up the perimeter to filter out as much of the noise or potential hostile traffic as business need will allow.

HTH,
Chris

--
**************************************
cbrentonat_private
find / -name \*yourbase\* -exec chown us:us {} \;

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
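The correlation questions Chris raises in his reply to euan (known tool or worm? first event from this IP or network? how recent was the last one? does the exploit match the service actually listening?) are the kind of triage an analyst runs over IDS alerts before deciding whether an event is noise or worth the time. The script below is an added illustration, not code from the thread or from any tool mentioned in it. It runs over constructed alert lines, a constructed inventory of what listens on each destination port and a constructed signature table, and turns those questions into a priority score; the alert format, the signature names and the scoring weights are all assumptions made for the example.

```python
"""Triage correlation over constructed IDS alert lines (added example)."""
from datetime import datetime
from ipaddress import ip_interface

# Constructed sample alerts, one per line: "timestamp src_ip dst_ip dst_port signature".
# Addresses are from documentation ranges; nothing here is a real event.
SAMPLE_ALERTS = """\
2002-07-23T10:02:11 203.0.113.7 198.51.100.10 21 WUFTPD-SITE-EXEC
2002-07-23T10:02:15 203.0.113.7 198.51.100.11 21 WUFTPD-SITE-EXEC
2002-07-22T09:30:00 203.0.113.200 198.51.100.10 53 BIND-TSIG-OVERFLOW
2002-07-23T11:45:00 192.0.2.55 198.51.100.12 21 WUFTPD-SITE-EXEC
2002-07-23T11:45:30 192.0.2.55 198.51.100.10 21 WUFTPD-SITE-EXEC
"""

# Constructed inventory: what actually listens on each (host, port).
INVENTORY = {
    ("198.51.100.10", 21): "wu-ftpd",
    ("198.51.100.11", 21): "msftp",      # Microsoft FTP, so a wu-ftpd exploit is shooting in the dark
    ("198.51.100.10", 53): "bind",
    ("198.51.100.12", 21): "wu-ftpd",
}

# Constructed map of signature -> software the exploit is written against.
SIGNATURE_TARGETS = {"WUFTPD-SITE-EXEC": "wu-ftpd", "BIND-TSIG-OVERFLOW": "bind"}

# Constructed set of signatures typically fired by automated worm-style scanners.
WORM_SIGNATURES = {"BIND-TSIG-OVERFLOW"}


def parse_alerts(text):
    """Parse the constructed alert format and return events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, sig = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "port": int(port), "sig": sig})
    events.sort(key=lambda e: e["ts"])
    return events


def source_network(ip, prefix=24):
    """Collapse a source address to its /24 so history can be kept per network."""
    return str(ip_interface(f"{ip}/{prefix}").network)


def score(r):
    """Assumed scoring: an exploit that fits the real service and a source with
    recent history outranks a one-off worm probe against the wrong software."""
    s = 0
    if r["applicable"]:
        s += 3                       # exploit matches what is actually listening
    if not r["known_worm"]:
        s += 1                       # not a known automated scanner pattern
    if not r["first_from_ip"] or not r["first_from_net"]:
        s += 1                       # there is a history from this IP or its network
    if r["seconds_since_last"] is not None and r["seconds_since_last"] < 3600:
        s += 1                       # timely: follows a recent event from the same IP
    return s


def correlate(text, inventory=INVENTORY, targets=SIGNATURE_TARGETS,
              worms=WORM_SIGNATURES):
    """Walk events in time order, answering the triage questions for each."""
    last_seen_ip = {}
    seen_net = set()
    results = []
    for e in parse_alerts(text):
        net = source_network(e["src"])
        prev = last_seen_ip.get(e["src"])
        gap = (e["ts"] - prev).total_seconds() if prev is not None else None
        listening = inventory.get((e["dst"], e["port"]))
        r = {
            "ts": e["ts"].isoformat(),
            "src": e["src"],
            "sig": e["sig"],
            "known_worm": e["sig"] in worms,
            "first_from_ip": prev is None,
            "first_from_net": net not in seen_net,
            "seconds_since_last": gap,
            "applicable": targets.get(e["sig"]) == listening,
        }
        r["priority"] = score(r)
        results.append(r)
        last_seen_ip[e["src"]] = e["ts"]
        seen_net.add(net)
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_ALERTS):
        print(f'{r["ts"]} {r["src"]:<14} {r["sig"]:<20} prio={r["priority"]} '
              f'applicable={r["applicable"]} first_ip={r["first_from_ip"]} '
              f'gap={r["seconds_since_last"]}')
```

The second alert from 203.0.113.7 lands on a Microsoft FTP host, so it scores low despite the repeat history; the two from 192.0.2.55 both hit wu-ftpd thirty seconds apart and rise to the top of the queue. The OS of the source IP, the one question the script cannot answer offline, would come from a separate fingerprinting or enrichment step.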
This archive was generated by hypermail 2b30 : Wed Jul 24 2002 - 09:30:19 PDT