Infiltration of ISP providers by crackers.

Jose R R jose.r.r at metztli.com
Thu Aug 28 03:05:28 UTC 2008


>
> On Wed, Aug 27, 2008 at 4:41 AM, Burke, Thomas G. <tg.burke at ngc.com> wrote:
>> Personally, I just blocked all of apnic...  They're the source of over 90%
>> of my issues, and I don't really care if I make them mad.
>>
>
On Wed, Aug 27, 2008 at 4:52 AM, George Magklaras <georgios at biotek.uio.no> wrote:

> I do not normally bother following up on reports on all attacks. Most of
> them are scripted and there are too many. So, my IPS/IDS has a good list of
> 'not-to-block' IP addresses and whatever else outside this IP list attacks
> any service is blocked. Most good IPS/IDS vendors also provide near
> real-time lists of network blocks, especially from countries with large ISP
> segments that typically consist of various classes of IP blocks for home
> DSL/dialup customers, where most of the compromised PCs serve botnets and
> malicious scripters. This keeps the number of IPTABLES rules down and can
> block most of these annoying attacks.
>
> GEO-IP blocking may also help if you definitely know that you should not be
> expecting traffic from any part of the world. Problem is you need to update
> the ip list regularly and be ready to accept some false positives from IPs
> that suddenly are legit.
>
> For other types of more persistent and unusual attacks, you need to get in
> touch with the CERT team of a major telco provider. They are keen to know of
> these issues and if they provide the backbone of your connectivity, maybe
> there is part of your SLA that covers these sort of things, generally
> speaking.
>

Your insights and suggestions are appreciated, thank you.

Jose R R
http://www.metztli-it.com
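As an added illustration of the approach George describes (not code from either poster), the Python below checks a 'not-to-block' list before any ISP network-block rule and emits the matching iptables rules into one dedicated chain; the CIDR ranges, the chain name BLOCKLIST and the LOG-instead-of-drop default are constructed assumptions, not anything from the thread.

```python
import ipaddress
from typing import Iterable, List, Sequence

# Constructed sample ranges (documentation prefixes, not real threat data).
# The allow list is consulted first, so a host inside a blocked ISP range
# that "suddenly is legit" can be exempted with a single /32 entry.
NOT_TO_BLOCK = ["192.0.2.0/24", "203.0.113.77/32"]
BLOCKED_BLOCKS = ["203.0.113.0/24", "198.51.100.0/25"]


def _nets(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    # strict=False tolerates host bits set in a list entry, e.g. "10.1.2.3/24".
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def decide(ip: str, not_to_block: Sequence[str], blocked: Sequence[str]) -> str:
    """Policy for one source address: ACCEPT if on the allow list, DROP if it
    falls in a blocked network block, otherwise LOG (let the IDS see it
    without blocking). Allow-list entries always win over block entries."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in _nets(not_to_block)):
        return "ACCEPT"
    if any(addr in n for n in _nets(blocked)):
        return "DROP"
    return "LOG"


def iptables_rules(not_to_block: Sequence[str], blocked: Sequence[str],
                   chain: str = "BLOCKLIST") -> List[str]:
    """Build the rule set for a user-defined chain (assumed name BLOCKLIST):
    allow-list RETURNs first, then one DROP per aggregated block. Adjacent
    blocks are merged with collapse_addresses, which is what keeps the rule
    count down when an ISP range arrives as many small prefixes.
    Assumes IPv4-only lists; collapse_addresses rejects mixed versions."""
    rules = [f"iptables -N {chain}", f"iptables -I INPUT -j {chain}"]
    for n in _nets(not_to_block):
        rules.append(f"iptables -A {chain} -s {n} -j RETURN")
    for n in ipaddress.collapse_addresses(_nets(blocked)):
        rules.append(f"iptables -A {chain} -s {n} -j DROP")
    return rules


if __name__ == "__main__":
    for src in ("203.0.113.77", "203.0.113.5", "198.51.100.200"):
        print(src, decide(src, NOT_TO_BLOCK, BLOCKED_BLOCKS))
    print("\n".join(iptables_rules(NOT_TO_BLOCK, BLOCKED_BLOCKS)))
```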



More information about the redhat-list mailing list