Scanning (was Re: Stealth Blocking)
Christopher A. Woodfield
rekoil at semihuman.com
Sun May 27 16:40:14 UTC 2001
On Sat, May 26, 2001 at 12:41:16PM -0400, Greg A. Woods wrote:
> [ On Saturday, May 26, 2001 at 10:35:47 (-0400), Christopher A. Woodfield wrote: ]
> > Subject: Re: Scanning (was Re: Stealth Blocking)
> > About two years ago the <vijay> promising local ISP </vijay> I worked
> > for saw the number of ORBS-listed hosts within its netspace go from ~400
> > to over 3,000 in one week.
> Hmmmm.... you don't say exactly, but two years ago you were probably
> seeing the results of manual list entries (perhaps even entered as
> netblocks). Back then you had to be really smart and look at the value
> of the A RR returned from a DNS query into the database to be able to
> tell the difference between a proper ORBS entry and one of the
> supplemental manual entries. These days it's much more difficult to
> confuse the mechanical part of ORBS with the ego part.
Nah, there was a relay test on the ORBS site for each IP...it was a
customer who had put all 254 usable IPs in one of his blocks on a few
similarly misconfigured servers. Each IP was tested and listed by ORBS.
There were other patterns in the listings, as well as logged relay tests
on non-open relays, that suggested wholesale scanning, but the one quoted
was the most egregious. We had one other large web-hosting customer that
had accounted for about 500 of the listings tell us later that they
proactively scanned their network after the fact and found that ORBS had
caught /every/ open relay in their netspace. How you manage to do that
without wholesale scanning, you tell me.
> > Among the listings was a class C where EVERY HOST,
> > 254 IPs, in the block was listed. Granted, each one was an open relay, but the
> > point is that each IP was individually relay tested. When questioned about
> > this, Alan Brown responded that he had "received an unusually large number
> > of nominations" for hosts in our netspace. Uh huh. Sure.
> Do you have the mailer logs from those hosts?
> Can you prove that there was no other unauthorised use of them during
> the time *before* they were tested by ORBS?
I don't have logs, as these were not our servers, but our customers', nor
can I prove that none of them had been abused, although we had a pretty
good record of shutting down the open relays that we got wind of via ORBS'
weekly reports and our own abuse mailbox.
> Greg A. Woods
> +1 416 218-0098 VE3TCP <gwoods at acm.org> <woods at robohack.ca>
> Planix, Inc. <woods at planix.com>; Secrets of the Weird <woods at weird.com>
Christopher A. Woodfield rekoil at semihuman.com
PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
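The thread turns on two things an operator can check for themselves: what the A record returned by a DNSBL lookup says about *why* an address is listed, and whether listings cluster so densely in a netblock (the 254-of-254 /24 above) that they look like wholesale scanning rather than nominations. The following is an added example, not code from either poster or from ORBS. It assumes a placeholder zone (`dnsbl.example.invalid`) and a constructed mapping of return codes to meanings; a real list documents its own codes. The resolver is a stub fed from constructed sample listings so the whole thing runs offline; swapping in a real lookup is a one-line change.

```python
import ipaddress
from collections import defaultdict

# Placeholder zone (assumption): ORBS itself is long gone, and no real list is named here.
DNSBL_ZONE = "dnsbl.example.invalid"

# Constructed return-code convention for illustration. DNSBLs of this era signalled
# the reason for a listing in the last octet of the A record; consult the real list's docs.
RETURN_CODES = {
    "127.0.0.2": "open relay (mechanically verified)",
    "127.0.0.4": "manual / netblock entry",
}


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the reversed-octet query name: 192.0.2.25 -> 25.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def classify_listing(a_record):
    """Translate the A record (or None for NXDOMAIN) into a human-readable reason."""
    if a_record is None:
        return "not listed"
    return RETURN_CODES.get(a_record, f"listed, unknown code {a_record}")


def check_ip(ip, resolver, zone=DNSBL_ZONE):
    """resolver is any callable taking a query name and returning the A record or None."""
    return classify_listing(resolver(dnsbl_query_name(ip, zone)))


def block_density(listed_ips, prefix=24):
    """Count listed hosts per /prefix network: {"192.0.2.0/24": 254, ...}."""
    counts = defaultdict(int)
    for ip in listed_ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


def fully_listed_blocks(listed_ips, prefix=24):
    """Networks in which every usable host (all but network and broadcast) is listed."""
    usable = ipaddress.ip_network(f"0.0.0.0/{prefix}").num_addresses - 2
    return sorted(net for net, n in block_density(listed_ips, prefix).items() if n >= usable)


# Constructed sample data: one /24 with all 254 usable hosts listed as open relays
# (the pattern described in the thread) plus two scattered entries in another block.
SAMPLE_LISTINGS = {str(h): "127.0.0.2" for h in ipaddress.ip_network("192.0.2.0/24").hosts()}
SAMPLE_LISTINGS.update({"198.51.100.10": "127.0.0.2", "198.51.100.77": "127.0.0.4"})


def make_stub_resolver(listings, zone=DNSBL_ZONE):
    """Offline stand-in for a DNS lookup, keyed by the reversed query name."""
    table = {dnsbl_query_name(ip, zone): code for ip, code in listings.items()}
    return lambda name: table.get(name)


if __name__ == "__main__":
    resolve = make_stub_resolver(SAMPLE_LISTINGS)
    for ip in ("192.0.2.25", "198.51.100.77", "203.0.113.1"):
        print(f"{ip:<16} {check_ip(ip, resolve)}")
    for net, n in sorted(block_density(SAMPLE_LISTINGS).items()):
        print(f"{net:<18} {n} listed")
    print("fully listed /24s:", fully_listed_blocks(SAMPLE_LISTINGS))
```

To run it against a live list, replace `make_stub_resolver` with a function that resolves the query name (for example via `socket.gethostbyname`, catching the `socket.gaierror` that an unlisted address raises and returning None). The density report is the more useful half for an ISP abuse desk: a block where every usable address is listed is worth a look regardless of how the list operator says the entries got there.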