Home page logo

nanog logo nanog mailing list archives

Re: Scanning (was Re: Stealth Blocking)
From: "Christopher A. Woodfield" <rekoil () semihuman com>
Date: Sun, 27 May 2001 12:40:14 -0400

On Sat, May 26, 2001 at 12:41:16PM -0400, Greg A. Woods wrote:
[ On Saturday, May 26, 2001 at 10:35:47 (-0400), Christopher A. Woodfield wrote: ]
Subject: Re: Scanning (was Re: Stealth Blocking)

About two years ago the <vijay> promising local ISP </vijay> I worked 
for saw the number or ORBS-listed hosts withing its netspace go from ~400 
to over 3,000 in one week.

Hmmmm....  you don't say exactly, but two years ago you were probably
seeing the results of manual list entries (perhaps even entered as
netblocks).  Back then you had to be really smart and look at the value
of the A RR returned from a DNS query into the database to be able to
tell the difference between a proper ORBS entry and one of the
supplemental manual entries.  These days it's much more difficult to
confuse the mechanical part of ORBS with the ego part.

Nah, there was a relay test on the ORBS site for each IP...it was a 
customer who had put all 254 usable IPs in one of his blocks on a few 
similarly misconfigured servers. Each IP was tested and listed by ORBS. 
There were other patterns in the listings, as well as logged relay tests 
on non-open relays, that suggested wholesale scanning, but the one quotesd 
was the most egregious. We had one other large web-hosting customer that 
had accounted for about 500 of the listings tell us later that they 
proactively scanned their network after the fact and found that ORBS had 
caught /every/ open relay in their netspace. How you manage to do that 
without wholesale scanning, you tell me.

Among the listings was a class C where EVERY HOST, 
254 IPs, in the block was listed. Granted, each one was an open relay, but the 
point is that each IP was individually relay tested. When questioned about 
this, Alan Brown reponded that he had "received an unusually large number 
of nominations" for hosts in our netspace. Uh huh. Sure.

Do you have the mailer logs from those hosts?

Can you prove that there was no other unauthorised use of them during
the time *before* they were tested by ORBS?

I don't have logs, as these were not our servers, but our customers', nor 
can I prove that none of them had been abused, although we had a pretty 
good record of shutting down the open relays that we got wind of via ORBS' 
weekly reports and our own abuse mailbox.


                                                      Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>     <woods () robohack ca>
Planix, Inc. <woods () planix com>;   Secrets of the Weird <woods () weird com>

Christopher A. Woodfield                rekoil () semihuman com

PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]