Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Connectivity problems with the US Army
From: "HALL, NATHANIEL D." <halln () OTC EDU>
Date: Fri, 19 Jan 2007 12:48:36 -0600

-----Original Message-----
From: Brock, Anthony - NET [mailto:Anthony.Brock () OREGONSTATE EDU]
Sent: Friday, January 19, 2007 11:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Connectivity problems with the US Army

-----Original Message-----
Maybe they meant 29 IPs were probing.  We saw around 35 of
your IPs either
scanning port 2967 or actively attempting to exploit the Symantec
vulnerability against systems here.

Very possible. However, this still seems a bit extreme for
implementing
a "permanent block" of this scale. Also, there should be some method
for
notifying the affected site and correcting the issue.

I both agree and disagree.  In my case I was watching for SSH brute
force scans.  Each time I saw a scan I would contact the abuse,
security, or NOC contact and send logs.  Rarely did I receive a
response.  If there were 3 or more occurrences (i.e. three or more days
of any host scanning) then I would block the organizations entire
address space.

Once when I did that I caused a lot of websites to quit loading because
the organization was a large NOC.  I began to add exclusions so that the
pages would load.  The admin thought I was going overboard because I
blocked their entire range because of 4 occurrences.  I'm sorry, but the
student information I am protecting is much more important than being
able to access those websites.  My Vice-President and Dean agree.  If a
website is important enough, then we make an exception.

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking

Office: (417) 447-7535

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]