Re: Infiltration of ISP providers by crackers.

> On Wed, Aug 27, 2008 at 4:41 AM, Burke, Thomas G. <tg burke ngc com> wrote:
>> Personally, I just blocked all of apnic...  They're the source of over 90%
>> of my issues, and I don't really care if I make them mad.
On Wed, Aug 27, 2008 at 4:52 AM, George Magklaras <georgios biotek uio no> wrote:

> I do not normally bother following up on reports on all attacks. Most of
> them are scripted and there are too many. So, my IPS/IDS has a good list of
> 'not-to-block' IP addresses and whatever else outside this IP list attacks
> any service is blocked. Most good IPS/IDS vendors also provide near
> real-time lists of network blocks, especially from countries with large ISP
> segments that typically consist of various classes of IP blocks for home
> DSL/dialup customers, where most of the compromised PCs serve botnets and
> malicious scripters. This keeps the number of IPTABLES rules down and can
> block most of these annoying attacks.
> GEO-IP blocking may also help if you definitely know that you should not be
> expecting traffic from any part of the world. Problem is you need to update
> the IP list regularly and be ready to accept some false positives from IPs
> that suddenly are legit.
> For other types of more persistent and unusual attacks, you need to get in
> touch with the CERT team of a major telco provider. They are keen to know of
> these issues and if they provide the backbone of your connectivity, maybe
> there is part of your SLA that covers these sorts of things, generally
> speaking.

Your insights and suggestions are appreciated, thank you.

Jose R R
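
The 'not-to-block' list plus network-block feed approach quoted above, as an added example that is not code from anyone in this thread: it merges feed CIDRs, carves the allow-listed ranges out so they can never be dropped, and renders the result for `ipset`. Using `ipset` instead of one IPTABLES rule per block is an assumption, as are the set name, the function names and the constructed IPv4 sample ranges.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges), IPv4 only.
BLOCK_FEED = ["198.51.100.0/25", "198.51.100.128/25",
              "203.0.113.0/24", "192.0.2.64/26"]
NOT_TO_BLOCK = ["203.0.113.8/29", "192.0.2.0/24"]


def build_blocklist(block_cidrs, allow_entries):
    """Merge block CIDRs, then carve every allow-listed range out of them."""
    blocks = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(c) for c in block_cidrs))
    for entry in allow_entries:
        allow = ipaddress.ip_network(entry)
        carved = []
        for net in blocks:
            if net.subnet_of(allow):
                continue                      # fully allow-listed: drop it
            if allow.subnet_of(net):
                # split the block around the allow-listed range
                carved.extend(net.address_exclude(allow))
            else:
                carved.append(net)            # no overlap: keep as is
        blocks = carved
    return sorted(blocks)


def is_blocked(addr, blocks):
    """True if addr falls inside any network of the final block list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in blocks)


def to_ipset_restore(blocks, set_name="blocklist"):
    """Render the list as `ipset restore` input (set name is hypothetical)."""
    lines = [f"create {set_name} hash:net family inet"]
    lines += [f"add {set_name} {net}" for net in blocks]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_ipset_restore(build_blocklist(BLOCK_FEED, NOT_TO_BLOCK)))
```

A single rule such as `iptables -I INPUT -m set --match-set blocklist src -j DROP` then covers the whole set, which keeps the rule count constant however long the feed grows.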
