NOTE: Check your logs

Karnaugh

Banned
Joined
Jul 23, 2003
Messages
1,575
I can suggest everyone watch for excessive connections from the 213.180.192.0 IP range.

I seriously suggest firewalling that range.

If you do get hit by this thing, you're screwed. Fortunately I was able to contact IS and they firewalled the IP from their side (firewalling doesn't stop the 300 packets/sec from hitting your line and disabling it).

(Sorry for all the posts, but this is important.)

- Colin Alston
colin@slipgate.za.net

"Getting traffic shaping right is easy and can be summed up in one word: Dont." -- George Barnett
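The post above asks everyone to watch their logs for excessive connections from one range and to firewall it. As an added example that is not part of this thread, here is a small Python script that does that check over netfilter-style kernel log lines: it buckets packets per source /24 per second, flags any range whose peak rate reaches a threshold, and prints the drop rule. The log lines are constructed for the example (the hostname, ports and the 10.0.0.5 target are made up); only the 213.180.192.0/24 range itself comes from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Matches the fields we need from a netfilter LOG target line, e.g.
# "Jun 12 10:15:00 gw kernel: IN=eth0 OUT= SRC=1.2.3.4 DST=... PROTO=TCP SPT=... DPT=25"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, source address, destination port) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; a relative second-level bucket is all we need
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, ip_address(m.group("src")), int(m.group("dpt"))


def flood_sources(lines, threshold_pps=100, prefixlen=24):
    """Map each source /24 whose peak one-second packet count reaches threshold_pps
    to (peak_pps, number_of_distinct_destination_ports).  A high port count with a
    high rate is the portscan signature the thread describes."""
    per_second = defaultdict(int)   # (network, second) -> packet count
    ports = defaultdict(set)        # network -> destination ports seen
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        net = ip_network(f"{src}/{prefixlen}", strict=False)
        per_second[(net, ts)] += 1
        ports[net].add(dpt)
    peaks = {}
    for (net, _), count in per_second.items():
        peaks[net] = max(peaks.get(net, 0), count)
    return {
        str(net): (pps, len(ports[net]))
        for net, pps in peaks.items()
        if pps >= threshold_pps
    }


def drop_rule(network):
    """The mitigation suggested in the thread, in iptables syntax."""
    return f"iptables -A INPUT -s {network} -j DROP"


def build_sample():
    """Constructed log: 300 pkt/s for two seconds from one host in 213.180.192.0/24,
    walking destination ports, plus three ordinary SMTP connections from documentation ranges."""
    lines = []
    for sec in range(2):
        for i in range(300):
            port = 1 + (sec * 300 + i) % 65535
            lines.append(
                f"Jun 12 10:15:0{sec} gw kernel: IN=eth0 OUT= SRC=213.180.192.17 "
                f"DST=10.0.0.5 PROTO=TCP SPT=40000 DPT={port}"
            )
    for sec, src in enumerate(["192.0.2.10", "198.51.100.7", "203.0.113.3"]):
        lines.append(
            f"Jun 12 10:15:0{sec} gw kernel: IN=eth0 OUT= SRC={src} "
            f"DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=25"
        )
    return lines


if __name__ == "__main__":
    for net, (pps, nports) in flood_sources(build_sample()).items():
        print(f"{net}: peak {pps} pkt/s across {nports} destination ports")
        print("  suggested rule:", drop_rule(net))
```

Feed it `journalctl -k` or `/var/log/kern.log` output in place of `build_sample()`; the threshold is per-range, so a distributed but slow scan stays below it, which is the tradeoff to keep in mind when tuning.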
 

JacoD

Member
Joined
May 9, 2004
Messages
27
Nothing special from that range... got stuff trying to come in from all over the show, which is normal. Most of it appears to be port scans. I guess it's still worms trying to find vulnerable hosts.

What activity did you pick up from that Class C?
 

Karnaugh

Banned
Joined
Jul 23, 2003
Messages
1,575
A 300 packet per second flood which killed my lines and ended in me having to get hold of IS admins who firewalled the IP on their side.

The scary part is their reply to me (to the abuse report I sent before I realised the magnitude of the attack).

quote:
Dear sir,
You've detected activity of our corporate open proxy checker. It is being used to submit and validate entries to our corporate block list (insecure hosts part).
One of our users has sent a spam complaint related to the affected hosts, I guess. It's a reason to schedule an automatic proxy check. Please note that further rechecks will be suppressed for a significant time.
Though a full portscan is a little bit noisy (sorry), unfortunately it is the only method to detect several modern kinds of open proxy spam sources (mainly trojaned and infected hosts).
PS: Yandex LLC is a major Russian internet content provider. Spam is a real problem for millions of users of our services. That's why we use any chance to detect and block spam sources.
Sincerely, Yandex customer support

They are doing this **** to the whole bloody internet it seems.

- Colin Alston
colin@slipgate.za.net

"Getting traffic shaping right is easy and can be summed up in one word: Dont." -- George Barnett
 

JacoD

Member
Joined
May 9, 2004
Messages
27
Spam? I'm assuming SMTP here... why the hell do they do port scans? LOL You're going to find lots of open port 25s =)

Why don't they just make use of the freely available DNS blacklists available on the Internet for host validation?

www.spamcop.net and www.spamhaus.org come to mind...

Of course having anti-virus on the email gateway will prevent most of the spoofed infected emails from getting to the users in the first place.
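The post above proposes DNS blacklists for host validation instead of port scanning. As an added example that is not from this thread, the Python below shows how such a lookup works: the IP's octets are reversed and prefixed to the list's zone, and an A record in 127.0.0.0/8 means "listed", with the last octet encoding which sub-list hit. The zone name zen.spamhaus.org is real, and the return codes in ZEN_CODES are the ones Spamhaus publishes (check its current documentation before relying on them); the resolver table used for the run is constructed, so nothing here is a statement about any real address. A live resolver is included but not exercised.

```python
import socket
from ipaddress import IPv4Address

SPAMHAUS_ZEN = "zen.spamhaus.org"

# Return codes published by Spamhaus for the zen combined list (assumed current; verify).
ZEN_CODES = {
    "127.0.0.2": "SBL - spam source",
    "127.0.0.3": "SBL CSS - snowshoe/compromised sender",
    "127.0.0.4": "XBL - exploited host",
    "127.0.0.10": "PBL - end-user range (ISP maintained)",
    "127.0.0.11": "PBL - end-user range (Spamhaus maintained)",
}


def dnsbl_query_name(ip, zone=SPAMHAUS_ZEN):
    """Build the DNSBL query name: reversed octets under the list's zone."""
    addr = IPv4Address(ip)  # raises ValueError on anything that is not an IPv4 address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def check_dnsbl(ip, resolve, zone=SPAMHAUS_ZEN):
    """Return the list of sub-list descriptions the address is on (empty if not listed).

    resolve(name) must return the A records for name as strings, or [] for NXDOMAIN.
    Only answers in 127.0.0.x count as listings: a resolver that hijacks NXDOMAIN
    returns public addresses, and Spamhaus signals refused queries in 127.255.255.x,
    neither of which means the host is listed."""
    hits = []
    for answer in resolve(dnsbl_query_name(ip, zone)):
        if not answer.startswith("127.0.0."):
            continue
        hits.append(ZEN_CODES.get(answer, f"listed (unknown code {answer})"))
    return hits


def live_resolver(name):
    """Real lookup via the system resolver; NXDOMAIN becomes an empty answer."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed answers standing in for the DNS, so the example runs offline.
# 127.0.0.2 is the conventional always-listed test address; 192.0.2.10 is a
# documentation address that we pretend is not listed.
CONSTRUCTED_ANSWERS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    "10.2.0.192.zen.spamhaus.org": [],
    "3.0.0.127.zen.spamhaus.org": ["203.0.113.9"],  # hijacked NXDOMAIN, must not count
}


def fake_resolver(name):
    return CONSTRUCTED_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.10", "127.0.0.3"):
        print(ip, "->", check_dnsbl(ip, fake_resolver) or "not listed")
```

Swap `fake_resolver` for `live_resolver` to query the real list. Note that the result is a list of sub-list hits rather than a reject decision: a PBL-only hit says the address is a dynamic end-user range, not that it sent spam, so an MTA can use the answer as one weighted input to a content scanner rather than dropping the connection outright.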
 

Karnaugh

Banned
Joined
Jul 23, 2003
Messages
1,575
RBLs are the spawn of Satan. Responsible people use scanning like SpamAssassin and ClamAV to tag and discard mail, rather than killing it at the connection. Blacklists are lazy and irresponsible. Any stupid little kid can add your server to a blacklist these days.

- Colin Alston
colin@slipgate.za.net

"Getting traffic shaping right is easy and can be summed up in one word: Dont." -- George Barnett
 