Title: RE: [FW1] hacker 194.73.175.25
That is not always an option.  My ISP (I work for the government) won't block scans, they have too much to manage with too little staff to worry about me.  I am on my own for the most part. 
 
I guess I need to qualify my remarks a little.  I don't always report scans.  I get at least one or two a week from Korea or Hong Kong.  I used to report them but never got a response so now just ignore them.  If I see a new country pop up, I'll generally report them just to see what happens.  I have gotten responses from Russia, Spain, Bahrain, Iran, India, China, England, France and a lot from the US and Canada.  I have been ignored by Japan, Korea, Hong Kong, and a few more.
 
I look on reporting these guys as my duty to the security community, sort of a golden rule thing because I know one thing for sure, I would DEFINITELY want to know if someone was scanning people from my network.
 
Jim Edwards
 
 -----Original Message-----
From: Oxenreider, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 15, 2000 8:33 AM
To: '[EMAIL PROTECTED]'; fw mailing list
Subject: RE: [FW1] hacker 194.73.175.25

I usually pass those types of things off to my ISP if I don't get a satisfactory response from the offender's ISP.  If nothing else, you can have YOUR ISP block the offending range of IPs from your ISP's router, that way it's not wasting any of YOUR bandwidth, and you leave the ball in your ISP's court to figure out how to solve, and it's no longer an issue on your network.

JMHO.



Jeffrey A. Oxenreider
Network Security Analyst
Safelite Glass Corp



-----Original Message-----
From: Karim Amrani [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 15, 2000 9:16 AM
To: fw mailing list
Subject: Re: [FW1] hacker 194.73.175.25


Hi,

I agree with you for the 'I am in the pissed-off stage right now' part.
Unfortunately, I did not have such wonderful results with emailing [EMAIL PROTECTED]
The one that is really on my nerves right now is one of the main ISPs in France
(subsidiary of the original telco in France). They never respond to emails to
[EMAIL PROTECTED] (that's their name) and are not able to answer you on the phone
about that ('just customer support').
The scans from their customers have been occurring on a daily basis for over 9 months.

I'm not a big fan of retaliation but I'm not a big fan of being cornered either...

Any suggestions to obtain cooperation from an ISP?

Karim

James Edwards wrote:

> Not to start a flame war here but I would imagine his suggestion was only
> half serious.
>
> I certainly understand how he feels.  I am personally at the point where I
> am really, really sick of all the wanna-be hackers out there running their
> little script kiddies and probing my network.  I'm quite sure most of them
> wouldn't have a clue what to do if they really did find something but since
> that is an assumption we can't afford to make, every single one has to be
> taken seriously and that takes time I sure could spend on other, more
> productive things.  There seems to be phases to this business and I am in
> the pissed-off stage right now.
>
> I would never retaliate on a scan or even an attack, I can only imagine the
> consequences of such action if it went wrong.  However, I do dream about it
> sometimes and wake up smiling.
>
> Jim Edwards
>
> P.S.  I have had excellent results from sending my scan outputs to the
> various abuse@isp addresses.
>
> -----Original Message-----
> From: Dan R Dunn -CTR [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 15, 2000 6:13 AM
> To: John Stevenson
> Cc: 'hermit1'; [EMAIL PROTECTED]
> Subject: RE: [FW1] hacker 194.73.175.25
>
>
> Now there's a real thoughtful, mature suggestion.  If all of us ping bombed
> everyone who scanned us every time we got scanned, nothing else would move on
> the Internet.  Not to mention ping bombing a site (better known as a Denial of
> Service attack) is ILLEGAL in most civilized countries, including the US and
> Britain.  Can we say law suit?  Possible prosecution?  I hope you're not
> expressing Southwest Security Group's official position on how to handle scans,
> intrusion attempts, etc.  Your suggestion is the most irresponsible thing I've
> ever heard.  I wonder what your ISP would think if they knew you advocated
> retaliatory strikes against possible probes?  Or maybe your CIO/CEO should be
> informed of what you advocate.  What you suggest makes you no better than the
> hackers/crackers/script kiddies out there.
>
> I'll get off my soapbox now.
>
> For hermit1:  If you can't get in touch directly with bt.net, contact their
> up-channel ISP.  You can usually get a response by sending an email to
> [EMAIL PROTECTED] or [EMAIL PROTECTED]  NEVER attempt to retaliate against
> a suspected probe.  It could be an innocent misconfiguration, or as you
> suggested, the source address may be spoofed, in which case you just nuked the
> wrong source.  Any retaliation, other than legal steps through proper channels,
> only lowers us to the level of the slime out there that has nothing better to do
> than to probe other people's networks.
> -------------------------------------------------------------------------------
> Daniel R. (Dan) Dunn, EE
> Sr. INFOSEC Engineer, GRC Int'l (an AT&T company)
> OSD-ITD Firewall Administrator
> p: 703-614-8086, ext 300
>
> The opinions expressed by the author are entirely his own, and
> do not reflect those of AT&T, GRCI, Inc., or its subsidiaries,
> nor do they reflect policy, opinion, or endorsement by the
> US Department of Defense or any of its agencies.
>
> -------------- In Response to  --------------
>
> From:     John Stevenson <[EMAIL PROTECTED]> on 06/14/2000 04:29 PM
>
> To:  "'hermit1'" <[EMAIL PROTECTED]>
>      [EMAIL PROTECTED]
> cc:
> Subject:  RE: [FW1] hacker 194.73.175.25
>
> PING BOMB THEM!
>
> -----Original Message-----
> From: hermit1 [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 14, 2000 2:54 PM
> To: [EMAIL PROTECTED]
> Subject: [FW1] hacker 194.73.175.25
>
> This is relevant only because my FW-1 logs show me this problem, but
> someone on this list must know the answer.  I am trying to get in touch
> with someone at bt.net (apparently in England) to get them to stop scanning
> my address space (currently on scan number 4), or maybe someone is spoofing
> their IP address.  The email addresses listed in RIPE do not exist.
>
> Any help will be appreciated.
>
> hermit1
>
> ***************************************************
> This is an email.  Don't rely on anything seen here
> as being accurate without testing it yourself.
> ***************************************************
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
