Opinion on null0'ing entire 218.0.0.0?
Is anyone getting hundreds of thousands of spam a day from 218.0.0.0 like I am? Has anyone actually considered null routing the whole block? Are there actually any 'users' in APNIC space? Or is it all spam from Korea?

-Drew
On Tue, 26 Aug 2003 10:47:22 EDT, Drew Weaver <drew.weaver@thenap.com> said:
> Is anyone getting hundreds of thousands of spam a day from 218.0.0.0 like I am? Has anyone actually considered null routing the whole block?
> Are there actually any 'users' in APNIC space? Or is it all spam from Korea?
null0 them - I guarantee if you do, you won't receive any complaints. :)
I hope the nanog mail list is an OK place to warn of this..........

As part of my clean up for clients who have had Blaster, I came across a variant, sometimes called Blaster D. Its other name is welchia. It seems to do the following:

Gets the Microsoft patch for regular blaster.

Installs a file called dllhost.exe in the C:\Windows\System32\Wins directory. Btw there is a smaller dllhost.exe file in one of the other system directories. http://www.pchell.com/virus/welchia.shtml

It also copies the tftp server from one of the other windows locations. They are both started by a startup service.

When connection is made to the internet, dllhost and the tftp server start their dirty work. The tftp server appears to be the mechanism by which the virus propagates. The dllhost sends out a firestorm of requests (on various ports) to try to find other victims.

This afternoon I patched a system and installed a personal firewall - in the space of about 20 minutes there were 207 attacks, some using ICMP class 8, others simply using UDP against ports 135, 137 and 139. This was all on a computer that had the Microsoft patches for Blaster applied. I think it gets in prior to the blaster patch application and then is not detected by the blaster removal and Microsoft fix.

Rather than go into all the gory details, I suggest that interested parties go hunting for it at their usual anti-v places.

Chris Bird
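The scan pattern Chris describes (a burst of ICMP echo requests, type 8, then probes of ports 135/137/139 against hosts that were swept) can be picked out of a personal-firewall log mechanically. The following is an added example, not code from the original post or from any firewall product: the log line format and the sample lines are constructed, and the sweep threshold and probe-port set are assumptions.

```python
"""Pick out sources showing the Welchia-style pattern from a firewall log:
an ICMP echo (type 8) sweep across several hosts, then TCP/UDP probes of
135/137/139 against a host that was swept."""
from collections import defaultdict
from ipaddress import ip_address

# Assumed thresholds: how many distinct hosts pinged counts as a sweep,
# and which destination ports count as follow-up probes.
ECHO_SWEEP_MIN_HOSTS = 3
PROBE_PORTS = {135, 137, 139}

# Constructed sample log (invented format: time proto src dst[:port] [type=N]),
# not output of any real personal firewall.
SAMPLE_LOG = """\
14:02:01 ICMP 192.0.2.10 198.51.100.5 type=8
14:02:01 ICMP 192.0.2.10 198.51.100.6 type=8
14:02:02 ICMP 192.0.2.10 198.51.100.7 type=8
14:02:03 TCP  192.0.2.10 198.51.100.7:135
14:02:03 UDP  192.0.2.10 198.51.100.7:137
14:02:04 TCP  192.0.2.10 198.51.100.7:139
14:02:05 ICMP 203.0.113.4 198.51.100.5 type=8
14:02:06 TCP  203.0.113.9 198.51.100.5:25
14:02:07 TCP  203.0.113.9 198.51.100.5:25
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    parts = line.split()
    if len(parts) < 4:
        return None
    ts, proto, src, dst = parts[:4]
    port = None
    if ":" in dst:
        dst, port_text = dst.rsplit(":", 1)
        port = int(port_text)
    icmp_type = None
    for extra in parts[4:]:
        if extra.startswith("type="):
            icmp_type = int(extra[len("type="):])
    try:
        ip_address(src)
        ip_address(dst)
    except ValueError:
        return None
    return {"ts": ts, "proto": proto.upper(), "src": src, "dst": dst,
            "port": port, "icmp_type": icmp_type}


def analyze(log_text):
    """Per-source summary: hosts swept by echo request, probes sent, verdict."""
    per_src = defaultdict(lambda: {"echo_targets": set(), "probes": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        if rec["proto"] == "ICMP" and rec["icmp_type"] == 8:
            s["echo_targets"].add(rec["dst"])
        elif rec["port"] in PROBE_PORTS:
            s["probes"].append((rec["dst"], rec["port"]))
    report = {}
    for src, s in per_src.items():
        swept = len(s["echo_targets"]) >= ECHO_SWEEP_MIN_HOSTS
        # A probe only counts if it lands on a host the same source also
        # pinged; that link is what separates the worm pattern from the
        # ordinary background NetBIOS noise every host sees.
        followed_up = any(dst in s["echo_targets"] for dst, _ in s["probes"])
        report[src] = {"echo_targets": len(s["echo_targets"]),
                       "probes": len(s["probes"]),
                       "welchia_like": swept and followed_up}
    return report


def welchia_suspects(log_text):
    """Sorted list of source addresses matching the full pattern."""
    return sorted(src for src, r in analyze(log_text).items() if r["welchia_like"])


if __name__ == "__main__":
    for src, r in analyze(SAMPLE_LOG).items():
        print(src, r)
    print("suspects:", welchia_suspects(SAMPLE_LOG))
```

On the sample, only 192.0.2.10 is flagged: it pings three hosts and then hits 135/137/139 on one of them. The lone ping from 203.0.113.4 and the SMTP attempts from 203.0.113.9 are left alone, which is the point of requiring the sweep and the follow-up probe together rather than alerting on every packet to 135.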
On Tue, 26 Aug 2003, Drew Weaver wrote:
> Is anyone getting hundreds of thousands of spam a day from 218.0.0.0 like I am? Has anyone actually considered null routing the whole block?
> Are there actually any 'users' in APNIC space? Or is it all spam from Korea?
Korea has one of the highest ratios of broadband-connected households in the world (if not the highest). They access Korean content extensively, but not as much English content; that's why you never see them in any context you access. Most of my spam is either from the US or from APNIC; that doesn't make me want to null-route all of the non-RIPE networks.

--
Mikael Abrahamsson    email: swmike@swm.pp.se
On Tue, 26 Aug 2003, Mikael Abrahamsson wrote:
>> Is anyone getting hundreds of thousands of spam a day from 218.0.0.0 like I am? Has anyone actually considered null routing the whole block?
>> Are there actually any 'users' in APNIC space? Or is it all spam from Korea?
> Korea has one of the highest ratios of broadband-connected households in the world (if not the highest).
That would explain the incredibly large number of open proxies in 218/8. Drew, I don't think you're being spammed by Koreans...at least not directly by the ones delivering the spam to you. You're more likely just being spammed via open proxies that happen to be Korean.

It's your network...do what your customers will let you get away with. How many Korean customers might you have that will be pissed when they find they can't exchange email with family and friends in Korea? There's one sure way to find out.

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
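Jon's objection is that a /8 null route trades a handful of abusing hosts (open proxies, by his reading) for every legitimate user in the block. Before deciding, it is worth measuring how concentrated the abuse actually is. The following added example, not code from the thread, aggregates a list of offending source addresses by /24 inside 218/8, picks the smallest set of prefixes that covers a chosen share of the hits, reports what fraction of the /8 that blackholes, and emits Cisco IOS-style Null0 static routes for them. The address list is constructed, and the target fraction and the IOS syntax as the router platform are assumptions.

```python
"""Measure how concentrated a set of abusive sources is inside 218/8 and
build the smallest per-/24 null-route list covering most of the hits,
instead of blackholing the whole /8."""
from collections import Counter
from ipaddress import ip_address, ip_network

BLOCK = ip_network("218.0.0.0/8")

# Constructed list of spam/scan source addresses (invented, not from any log).
SAMPLE_SOURCES = """
218.10.4.7
218.10.4.9
218.10.4.22
218.10.4.31
218.55.200.3
218.55.200.8
218.55.201.14
218.200.9.5
61.100.2.2
"""


def count_by_prefix(sources_text, prefix_len=24, within=BLOCK):
    """Hits per prefix of the given length, counting only addresses in `within`."""
    counts = Counter()
    for token in sources_text.split():
        addr = ip_address(token)
        if addr in within:
            counts[str(ip_network(f"{addr}/{prefix_len}", strict=False))] += 1
    return counts


def minimal_blocklist(sources_text, target_fraction=0.9, prefix_len=24):
    """Greedy: take the busiest prefixes until `target_fraction` of hits are covered.
    Returns (prefixes, fraction_actually_covered)."""
    counts = count_by_prefix(sources_text, prefix_len)
    total = sum(counts.values())
    if total == 0:
        return [], 0.0
    chosen, covered = [], 0
    for prefix, n in counts.most_common():
        if covered / total >= target_fraction:
            break
        chosen.append(prefix)
        covered += n
    return chosen, covered / total


def address_space_fraction(prefixes, within=BLOCK):
    """Share of the /8's addresses the chosen prefixes blackhole (the collateral damage)."""
    blocked = sum(ip_network(p).num_addresses for p in prefixes)
    return blocked / within.num_addresses


def null_routes(prefixes):
    """Cisco IOS static routes to Null0 for each prefix (assumed platform)."""
    lines = []
    for p in prefixes:
        net = ip_network(p)
        lines.append(f"ip route {net.network_address} {net.netmask} Null0")
    return lines


if __name__ == "__main__":
    prefixes, covered = minimal_blocklist(SAMPLE_SOURCES, target_fraction=0.75)
    print(f"{len(prefixes)} x /24 cover {covered:.0%} of hits, "
          f"blackholing {address_space_fraction(prefixes):.6%} of 218/8")
    print("\n".join(null_routes(prefixes)))
    print("versus the whole block:", *null_routes([str(BLOCK)]))
```

On the sample, two /24s cover three quarters of the hits while blackholing about 0.003% of 218/8; the `ip route 218.0.0.0 255.0.0.0 Null0` alternative covers everything, including the addresses in the list that are outside the busy prefixes, at the cost of the whole block. Run the same aggregation over a real day of rejects before choosing; the point is to make the collateral damage a number rather than a guess.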
participants (5)
- Christopher Bird
- Drew Weaver
- jlewis@lewis.org
- Mikael Abrahamsson
- Valdis.Kletnieks@vt.edu