>Not knowing the details of IP addressing I blocked 61.0.0.0/61.255.255.255
>addresses.
One notation is 61/8, or 61.0.0.0/8. That's a whole Class A.
or
61.0.0.0 netmask 255.0.0.0
>Is
>61.183.0.0/61.184.255.255 the subnet I should be blocking?
That notation would be 61.183/16
or
61.183.0.0 netmask 255.255.0.0
BTW, if this gets your jingo knee a-jerkin', here's a message from the
Snort list today. The guy set up a honeypot and watched it with Snort:
I used LaBrea in this way - created a bogus /24 off my production
network, poked a global allow for that /24 at my border, fired
up LaBrea and Snort on an unaddressed laptop on the /24, and
listened.
Some points of order regarding this quasi-honeypot:
- no dns, no outbound traffic, no nothing to indicate to an external
party that the subnet even existed - thus, any traffic coming to
that network was either misdirected or hostile;
- historically, the subnet had been unused and unallocated out of our
/16 core (.edu network) for over two years;
- the subnet came into existence on Thu Dec 20 2001 sometime after 4:15 p.m.;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- in the first full day of listening (December 21st) - one 24-hour period:
^^^^^^^^^^^^^^^^^^
================================================================
- 1,702 different external hosts attempted at least one initial TCP connection;
- 1,026 attempted more than one;
- 335 attempted 20 or more;
- 71 attempted 255 or more, thereby scanning the entire subnet multiple times -
of the top 60 or so:
- 12 unique IP's came from U.S. educational institutions
(UCLA 128.97.0.0/16, UVA 128.143.0.0/16, UGA 128.192.0.0/16,
SunyBuffalo 128.205.0.0/16, UWA 128.208.0.0/16,
UHI 128.171.0.0/16, SunyBinghamton 128.226.0.0/16,
Syracuse 128.230.0.0/16, WashUStLouis 128.252.0.0/16,
UOKNorman 129.15.0.0/16, UMI 131.213.0.0/16);
- 12 unique IP's came from US providers (HSACorp 24.240.23.0/24,
AOL 172.128.0.0/10, rr.com 24.24.0.0/13sortof, genuity.net 4.0.0.0/8,
naxs.com 216.98.64.0/19, arnet 209.40.128.0/18, UUNET 208.254.72.0/23,
Comcastpc.com 68.40.0.0/13, @home 65.9.112.0/20,
SBCIS/PacBell 63.192.0.0/12);
- 5 came from a random US ".com" (tag.com 216.177.32.0/19,
mrws.net 63.166.61.0/24, "Oilgear" (AT&T) 209.36.148.0/24,
BritSys.com 192.216.171.0/24, RuralNet 216.169.69.32/27);
- 3 came from Canada (BellNexxia 65.93.160.0/19,
ShawFiberlink 24.80.0.0/13, hyperlinx.net 207.107.55.0/24);
- 3 came from Mexico (UnivAutonomaZacatecas 148.217.0.0/16,
MERKANET 200.23.95.0/24, Avantel 148.240.0.0/16);
- 2 came from South America (cable.net.co-Colombia 200.68.160.0/21,
ImpSat-Venezuela 200.31.4.0/24);
- 5 came from Germany (denoc.net 62.116.128.0/20,
JWGoethe-UnivFrankfurt 141.2.0.0/16, t-online.com 80.128.0.0/12sortof,
t-online.com 217.80.0.0/12sortof);
- 4 came from France (internet-fr.net 212.37.210.0/22,
wanadoo 217.128.39.0/24, wanadoo 193.252.192.0/24,
wanadoo 80.13.214.0/24);
- 2 came from Norway (nextgentel.com 213.145.160.0/19,
NTANET 128.39.0.0/16);
- 2 came from the Netherlands (tiscali.nl 195.241.0.0/16,
UnivUtrecht 131.211.0.0/16);
- 6 came from other European countries
(InstitutoDaAgua-Portugal 193.136.235.0/24,
Lidkopings-Sweden 195.84.233.128/26, MedUnivLodz-Poland
212.5.198.0/23,
telefonica.es-Spain 213.96.0.0/15, tin.it-Italy 62.211.128.0/17,
hispeed.ch-Switzerland 217.162.0.0/16sortof);
- 1 came from Australia (bigpond.net.au 203.40.0.0/13);
- 1 came from India (vsnl.net 203.199.84.128/26);
- 9 came from Korea (rapitel.co.kr 211.189.198.0/25,
KoreaTelecom 128.134.0.0/16, nuri.net 210.1221.56.192/26,
kornet.net 61.73.128.0/20sortof, kornet 61.73.152.0/21sortof);
- 2 came from China (Chinanet 202.104.0.0/16,
LianyungangFoodMfry 61.155.96.0/19sortof);
- 1 came from Taiwan (TANET 140.109.0.0/16);
- 1 came from Japan (u-tokyo.ac.jp 133.11.0.0/16);
- activity peaks occurred 6-7am (97 hits), 11-12am (148), 5-6pm (158),
6-7pm (202), and 7-8pm (295); [all times CST]
- most of these were reconnaissance (see below).
================
- of the initial connection attempts, 845 were to HTTP port 80 (presumably
Code Red, Nimda, or more serious Web attackers), 243 were to FTP port
21 (widely vulnerable), 242 were to SOCKS/Wingate port 1080 (widely
exploitable), 232 were to ssh port 22 (recent exploits), and 14
were to portmapper port 111 (an oldie but a goodie - widely
exploitable, but most people block it nowadays)
================
- 56 hosts completed a TCP connection, 53 more than one, 43 hosts completed
20 or more, and 9 hosts completed 255 or more; these hosts were
presumably attempting exploits in real time.
================
- 4 internal security issues were detected:
3 incidents of Code Red or Nimda
1 incident of a compromised internal machine portscanning ssh
================
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
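The notation questions at the top of the message (range to CIDR, CIDR to netmask, the "61/8" shorthand) worked through in code, as an added example that is not part of the original post. It uses only the standard-library ipaddress module; the shorthand expander, the blocklist check and the addresses fed to them are this example's own assumptions.

```python
import ipaddress

def expand_short_cidr(text):
    """Expand the abbreviated dotted form used in the thread ('61/8', '61.183/16')
    to a full prefix ('61.0.0.0/8', '61.183.0.0/16').  Missing trailing octets
    are padded with zeros; strict=True rejects a prefix with host bits set,
    so a typo such as '61.183.5/16' fails instead of silently widening."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not plen:
        raise ValueError(f"not a shorthand prefix: {text!r}")
    octets += ["0"] * (4 - len(octets))
    return str(ipaddress.ip_network(".".join(octets) + "/" + plen, strict=True))

def cidr_to_range(cidr):
    """First address, last address and dotted netmask of a prefix,
    i.e. the '61.0.0.0 netmask 255.0.0.0' form from the reply."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address), str(net.netmask)

def range_to_cidrs(first, last):
    """Minimal list of prefixes covering first..last inclusive.  A range that
    does not line up on a power-of-two boundary comes back as several blocks."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if b < a:
        raise ValueError("range end precedes range start")
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]

def is_blocked(ip, blocklist):
    """True if ip falls inside any prefix in blocklist (CIDR strings)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in blocklist)

if __name__ == "__main__":
    print(expand_short_cidr("61/8"), expand_short_cidr("61.183/16"))
    print(cidr_to_range("61.183.0.0/16"))
    # The two ranges as the questioner wrote them, summarised into prefixes.
    print(range_to_cidrs("61.0.0.0", "61.255.255.255"))
    print(range_to_cidrs("61.183.0.0", "61.184.255.255"))
    # Source addresses are assumptions for illustration, not from the thread.
    print(is_blocked("61.73.152.9", ["61.0.0.0/8"]),
          is_blocked("61.184.0.1", ["61.183.0.0/16"]))
```

range_to_cidrs is the check worth running before you paste a block into a border ACL: it tells you whether the range you have in mind is one prefix or several, and cidr_to_range gives the bounds back so you can confirm the rule covers exactly what you intended and nothing more.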
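The triage the forwarded honeypot report describes (how many external hosts sent a first SYN, how many came back, who swept the whole /24, which ports drew the attempts, which hour peaked, who actually completed a handshake) as an added example, not the Snort poster's own tooling. The log format, the 192.0.2.0/24 dark net and every source address here are constructed for the example; LaBrea and Snort do not emit this format.

```python
import ipaddress
from collections import Counter

# The unadvertised /24 the sensor listens on.  192.0.2.0/24 (documentation
# space) stands in for the poster's real subnet; an assumed value.
DARK_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample, not LaBrea or Snort output.  One event per line:
# date time src dst dport SYN|ESTABLISHED.  A SYN is an "initial connection
# attempt"; ESTABLISHED marks a completed three-way handshake.
SAMPLE_LOG = """
2001-12-21 06:12:01 203.0.113.5 192.0.2.10 80 SYN
2001-12-21 06:12:02 203.0.113.5 192.0.2.11 80 SYN
2001-12-21 06:12:03 203.0.113.5 192.0.2.11 80 ESTABLISHED
2001-12-21 11:40:10 198.51.100.9 192.0.2.77 22 SYN
2001-12-21 19:05:44 198.51.100.200 192.0.2.3 1080 SYN
2001-12-21 19:05:45 198.51.100.200 192.0.2.4 1080 SYN
2001-12-21 19:05:46 198.51.100.200 192.0.2.4 1080 ESTABLISHED
2001-12-21 19:07:00 198.51.100.9 10.9.9.9 22 SYN
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, src, dst, dport, kind = line.split()
        events.append({"ts": f"{date} {time}", "src": src, "dst": dst,
                       "dport": int(dport), "kind": kind})
    return events

def sweep(src, net, dport, hour):
    """Constructed scanner traffic: one SYN from src to every address in net,
    network and broadcast addresses included, as a blind sweep does."""
    return [{"ts": f"2001-12-21 {hour}:30:00", "src": src, "dst": str(a),
             "dport": dport, "kind": "SYN"} for a in net]

def sample_events():
    return parse_log(SAMPLE_LOG) + sweep("203.0.113.77", DARK_NET, 80, "19")

def triage(events, dark_net=DARK_NET):
    syn_count = Counter()      # src -> initial connection attempts
    established = Counter()    # src -> completed handshakes
    ports = Counter()          # dport -> SYNs
    hours = Counter()          # "HH" -> SYNs
    for e in events:
        if ipaddress.ip_address(e["dst"]) not in dark_net:
            continue           # not aimed at the dark net: out of scope here
        if e["kind"] == "SYN":
            syn_count[e["src"]] += 1
            ports[e["dport"]] += 1
            hours[e["ts"][11:13]] += 1
        elif e["kind"] == "ESTABLISHED":
            established[e["src"]] += 1
    full_sweep = dark_net.num_addresses - 1   # the post's "255 or more" on a /24
    return {
        "hosts": len(syn_count),
        "repeat": sum(1 for c in syn_count.values() if c > 1),
        "ge20": sum(1 for c in syn_count.values() if c >= 20),
        "full_sweep": sorted(s for s, c in syn_count.items() if c >= full_sweep),
        "top_ports": ports.most_common(3),
        "completed": len(established),
        "peak_hour": hours.most_common(1)[0] if hours else None,
    }

if __name__ == "__main__":
    for key, value in triage(sample_events()).items():
        print(f"{key}: {value}")
```

The split between SYN counts and ESTABLISHED counts is the point of the exercise: the first set is reconnaissance that a dark net can attribute with no false positives (nothing legitimate should ever reach it), while the much smaller set that completes a handshake is the one worth pulling packet captures for, since those are the hosts pushing an exploit rather than just asking whether a port is open.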