
Re: RE: [isp-linux] Re: Blocking all APNIC IP Addresses



Methinks that we are going slightly overboard here.

Steve - blocking the APNIC addresses at this point is going to do you
precious little good. At this very moment, I am being scanned from New
Zealand, Germany, the US, Denmark, UK, etc. All these scans originate from
address blocks other than those that you are planning to block off. They
come from badly configured, compromised machines in *non-Asian* countries.

I have complained to various admins who own the addresses that these scans
came from - the answer was simple - these machines have been compromised
and appear to have been set up as scanners themselves. There is a
sustained and massive-scale port-scan operation on, at DDoS levels. Most
servers in India (yes, even dialup servers) are being scanned for
vulnerabilities, and many of them have already been broken into.

LIG - if you don't believe this, I suggest you set up portsentry and other
security systems on your servers and let them watch. You won't *believe*
what you will find.

All - while Steve's concerns are genuine, methinks the methodology of
solving the issue is not the right one. Blocking entire continents off
because *some* machines are acting badly is not exactly conducive to
keeping the Internet alive.

The solution is to use tools to *block* scans (no matter where they come
from) and *stay informed* about such attempted attacks.

My $0.02

Atul

-- 
----------------------------------------------------------
Atul Chitnis       | achitnis@xxxxxxxxxxx (PGP:6011BCB8)
Exocore Consulting | http://www.exocore.com
Bangalore, India   | +91 (80) 3440397 Fax +91 (80) 3341137
----------------------------------------------------------