[38028] in North American Network Operators' Group
Re: Scanning (was Re: Stealth Blocking)
daemon@ATHENA.MIT.EDU (Christopher A. Woodfield)
Sun May 27 12:42:26 2001
Date: Sun, 27 May 2001 12:40:14 -0400
From: "Christopher A. Woodfield" <rekoil@semihuman.com>
To: "Greg A. Woods" <woods@weird.com>
Cc: William Allen Simpson <wsimpson@greendragon.com>, nanog@merit.edu
Message-ID: <20010527124014.A24772@semihuman.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010526164116.1518CF9@proven.weird.com>; from woods@weird.com on Sat, May 26, 2001 at 12:41:16PM -0400
Errors-To: owner-nanog-outgoing@merit.edu
On Sat, May 26, 2001 at 12:41:16PM -0400, Greg A. Woods wrote:
> [ On Saturday, May 26, 2001 at 10:35:47 (-0400), Christopher A. Woodfield wrote: ]
> > Subject: Re: Scanning (was Re: Stealth Blocking)
> >
> > About two years ago the <vijay> promising local ISP </vijay> I worked 
> > for saw the number of ORBS-listed hosts within its netspace go from ~400 
> > to over 3,000 in one week.
> 
> Hmmmm....  you don't say exactly, but two years ago you were probably
> seeing the results of manual list entries (perhaps even entered as
> netblocks).  Back then you had to be really smart and look at the value
> of the A RR returned from a DNS query into the database to be able to
> tell the difference between a proper ORBS entry and one of the
> supplemental manual entries.  These days it's much more difficult to
> confuse the mechanical part of ORBS with the ego part.
Nah, there was a relay test on the ORBS site for each IP...it was a 
customer who had put all 254 usable IPs in one of his blocks on a few 
similarly misconfigured servers. Each IP was tested and listed by ORBS. 
There were other patterns in the listings, as well as logged relay tests 
on non-open relays, that suggested wholesale scanning, but the one quoted 
was the most egregious. We had one other large web-hosting customer that 
had accounted for about 500 of the listings tell us later that they 
proactively scanned their network after the fact and found that ORBS had 
caught /every/ open relay in their netspace. How you manage to do that 
without wholesale scanning, you tell me.
> 
> > Among the listings was a class C where EVERY HOST, 
> > 254 IPs, in the block was listed. Granted, each one was an open relay, but the 
> > point is that each IP was individually relay tested. When questioned about 
> > this, Alan Brown responded that he had "received an unusually large number 
> > of nominations" for hosts in our netspace. Uh huh. Sure.
> 
> Do you have the mailer logs from those hosts?
> 
> Can you prove that there was no other unauthorised use of them during
> the time *before* they were tested by ORBS?
I don't have logs, as these were not our servers, but our customers', nor 
can I prove that none of them had been abused, although we had a pretty 
good record of shutting down the open relays that we got wind of via ORBS' 
weekly reports and our own abuse mailbox.
-C
> 
> -- 
> 							Greg A. Woods
> 
> +1 416 218-0098      VE3TCP      <gwoods@acm.org>     <woods@robohack.ca>
> Planix, Inc. <woods@planix.com>;   Secrets of the Weird <woods@weird.com>
-- 
---------------------------
Christopher A. Woodfield		rekoil@semihuman.com
PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
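The quoted paragraph from Greg Woods describes how a DNSBL encodes the kind of listing in the A record it returns, and the thread turns on whether a whole /24 was listed host by host or as a single block. The following is an added example, not code from the thread or from ORBS, showing how a mail operator can perform that lookup and tally a block's listings by return code. The zone name `dnsbl.example`, the `LISTING_CODES` meanings and the helper names are all assumptions for illustration; the real ORBS codes are not given in the thread.

```python
"""DNSBL lookup helper: reverse the octets, query under the list's zone,
and read the returned 127.0.0.x value as the listing category.
Added example for this thread; zone and code meanings are hypothetical."""
import ipaddress
import socket
from typing import Callable, Dict, Optional

Resolver = Callable[[str], Optional[str]]

# Hypothetical code map, constructed for this example. A real list documents
# its own values; the point is only that the A record carries the reason.
LISTING_CODES: Dict[str, str] = {
    "127.0.0.2": "open relay confirmed by automated test",
    "127.0.0.3": "manual entry (operator-added host or netblock)",
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name, e.g. 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def default_resolver(name: str) -> Optional[str]:
    """Live DNS lookup; an unlisted address yields NXDOMAIN, reported as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_listing(ip: str, zone: str, resolver: Resolver = default_resolver) -> dict:
    """Return whether `ip` is listed in `zone` and, if so, the code and its meaning."""
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return {"ip": ip, "listed": False, "code": None, "reason": None}
    reason = LISTING_CODES.get(answer, "listed, unrecognised code")
    return {"ip": ip, "listed": True, "code": answer, "reason": reason}


def summarise_block(cidr: str, zone: str, resolver: Resolver = default_resolver) -> dict:
    """Look up every usable host in a block and tally listings by return code.

    A block where every host is listed with the per-host test code looks very
    different from one entered manually as a netblock, which is the
    distinction the thread argues about."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    by_code: Dict[str, int] = {}
    listed = 0
    for host in hosts:
        result = check_listing(str(host), zone, resolver)
        if result["listed"]:
            listed += 1
            by_code[result["code"]] = by_code.get(result["code"], 0) + 1
    return {"cidr": str(net), "hosts": len(hosts), "listed": listed, "by_code": by_code}


if __name__ == "__main__":
    # Constructed offline resolver standing in for a real DNSBL zone.
    fake_zone = {"10.2.0.192.dnsbl.example": "127.0.0.2"}
    print(check_listing("192.0.2.10", "dnsbl.example", fake_zone.get))
    print(check_listing("192.0.2.11", "dnsbl.example", fake_zone.get))
```

With the default resolver the helper issues live DNS queries, so pass a fake resolver (as the `__main__` block does) when exercising it offline. Unrecognised codes are still reported as listed rather than silently dropped, since a list may add categories without notice.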