North American Network Operators Group
Re: Scanning (was Re: Stealth Blocking)

On Sat, May 26, 2001 at 12:41:16PM -0400, Greg A. Woods wrote:
> [ On Saturday, May 26, 2001 at 10:35:47 (-0400), Christopher A. Woodfield wrote: ]
> > Subject: Re: Scanning (was Re: Stealth Blocking)
> >
> > About two years ago the <vijay> promising local ISP </vijay> I worked
> > for saw the number of ORBS-listed hosts within its netspace go from ~400
> > to over 3,000 in one week.
>
> Hmmmm.... you don't say exactly, but two years ago you were probably
> seeing the results of manual list entries (perhaps even entered as
> netblocks). Back then you had to be really smart and look at the value
> of the A RR returned from a DNS query into the database to be able to
> tell the difference between a proper ORBS entry and one of the
> supplemental manual entries. These days it's much more difficult to
> confuse the mechanical part of ORBS with the ego part.

Nah, there was a relay test on the ORBS site for each IP...it was a customer
who had put all 254 usable IPs in one of his blocks on a few similarly
misconfigured servers. Each IP was tested and listed by ORBS. There were other
patterns in the listings, as well as logged relay tests on non-open relays,
that suggested wholesale scanning, but the one quoted was the most egregious.

We had one other large web-hosting customer that had accounted for about 500
of the listings tell us later that they proactively scanned their network
after the fact and found that ORBS had caught /every/ open relay in their
netspace. How you manage to do that without wholesale scanning, you tell me.

> > Among the listings was a class C where EVERY HOST,
> > 254 IPs, in the block was listed. Granted, each one was an open relay, but the
> > point is that each IP was individually relay tested. When questioned about
> > this, Alan Brown responded that he had "received an unusually large number
> > of nominations" for hosts in our netspace. Uh huh. Sure.
>
> Do you have the mailer logs from those hosts?
>
> Can you prove that there was no other unauthorised use of them during
> the time *before* they were tested by ORBS?

I don't have logs, as these were not our servers, but our customers', nor can
I prove that none of them had been abused, although we had a pretty good
record of shutting down the open relays that we got wind of via ORBS' weekly
reports and our own abuse mailbox.

-C

> --
>                                                         Greg A. Woods
>
> +1 416 218-0098      VE3TCP      <[email protected]>     <[email protected]>
> Planix, Inc. <[email protected]>;   Secrets of the Weird <[email protected]>

--
---------------------------
Christopher A. Woodfield                [email protected]

PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B