I know that this is a REALLY sore point, but has anyone ever established any good working relations with anyone in CHINANET or other China-based ISPs?

In recent weeks, over 80% of our port scans and various miscreant probes have originated from a very small number of IPs in China. Trying to contact the IP owner via email usually finds either the mailbox is full, the email address is invalid, or the mail server is not working.

Anyone had any success in this area?

THANKS!
Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214
On Thu, 17 Feb 2005, Jon R. Kibler wrote:

better still, has anyone ever come up with a bgp-distributed list of prefixes that trace back to such addresses?

-Dan
--
"Ca. Tas. Tro. Phy." -John Smedley, March 28th 1998, 3AM
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
On Thu, 17 Feb 2005, Jon R. Kibler wrote:
I know that this is a REALLY sore point, but has anyone ever established any good working relations with anyone in CHINANET or other China-based ISPs?
From what I understand the answer is no. People I know who have attended asia-pacific regional network meetings described them as "clueless". Unfortunately the same goes for kornet. :-/
-Dan
On Thu, 17 Feb 2005, Dan Hollis wrote:
From what I understand the answer is no. People I know who have attended asia-pacific regional network meetings described them as "clueless". Unfortunately the same goes for kornet. :-/
Clueless? Which is worse, ignorance or entropy? Who knows? Who cares? (and which is it, really?)

-Dan
--
"It doesn't matter where I live, because I live in dataspace. That's my hometown." -Steve Roberts, Builder of BEHEMOTH
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
On Thu, 17 Feb 2005 10:48:40 -0800 (PST), Dan Hollis wrote:
>From what I understand the answer is no. People I know who have attended asia-pacific regional network meetings described them as "clueless".
As of this past Summer, this was no longer true for all of China Telecom. In fact they had started putting in enough effort that I am confused about the current round of problems being described.

Any chance of trying to get some granularity to this? As I understand their operation, there are enormous differences among the operations in different provinces.

d/
--
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
WE'VE MOVED to: www.bbiw.net
They do have people in an LA office, as I got a call from one of them when I had a BGP session to them go down due to a max-prefix which had been exceeded.

I guess if you have three times the population of the US, you're going to have one or two "black hats".

--- Dave Crocker <dhc2@dcrocker.net> wrote:
On Thu, 17 Feb 2005 10:48:40 -0800 (PST), Dan Hollis wrote:
From what I understand the answer is no. People I know who have attended asia-pacific regional network meetings described them as "clueless".
As of this past Summer, this was no longer true for all of China Telecom. In fact they had started putting in enough effort that I am confused about the current round of problems being described.
Any chance of trying to get some granularity to this? As I understand their operation, there are enormous differences among the operations in different provinces.
d/
--
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
WE'VE MOVED to: www.bbiw.net
Dave O'Shea wrote:
They do have people in an LA office, as I got a call from one of them when I had a BGP session to them go down due to a max-prefix which had been exceeded.
I guess if you have three times the population of the US, you're going to have one or two "black hats".
Undoubtedly.

It would still be my guess there are more black hats in the US. The problem with China is a ton of compromised machines and close to no incident and abuse handling. Not to mention centralized coordination.

Gadi.
On Thu, 17 Feb 2005, Gadi Evron wrote:
It would still be my guess there are more black hats in the US.
yahoo and hotmail come close, but it will take some real balls to top chinanet's official blackhat lying autoresponder:

"In your SPAM eMail,I can't find the IP or the IP is not by my control.Please give me the correct IP.Thank you."

hats don't get any darker than that.

-Dan
On Thu, 17 Feb 2005, Dave O'Shea wrote:
They do have people in an LA office, as I got a call from one of them when I had a BGP session to them go down due to a max-prefix which had been exceeded.
I guess if you have three times the population of the US, you're going to have one or two "black hats".
Despite China playing a role in spam distribution, almost all hardcore spammers are from US, in fact there is really no big spamhouse there. Now, I'm sure they do have their own blackhats, but if anything I know is true even if they are three times size of US, number of blackhats there is probably 3-10 times smaller and I'd not be surprised if all scans you see from China are really blackhats from US and other countries who rented computer there.

So it's not the blackhats that is a problem in China, it's the corruption which is always present in communist and similar seemingly state-controlled totalitarian societies. Add to that, US & EU money has greater value in China and you will understand how it's possible that they pretend to not have received reports and delay removing abusers.

Note that while corruption is worse when it's present at or near the top, that one is easier to deal with if you get to the right people, but it's the corruption at the bottom which has become rooted, that is most difficult to get rid of. And with Chinanet being so large and largely organized so that provinces and individual cities have more control than the center, you can see why it may take some time until current efforts by spamhaus and others have overall result.

--
William Leibzon
Elan Networks
william@elan.net
On Thursday 17 Feb 2005 8:11 pm, Dave Crocker wrote:
Any chance of trying to get some granularity to this? As I understand their operation, there are enormous differences among the operations in different provinces.
220.175 550 ChinaNet Jiangxi not wanted here see SBL12656

Persistent email abuse that led to the email server being overwhelmed on occasions, we introduce these manually, and cross reference them against the big block list databases to ensure it is a "persistent" issue. We use blocking only to protect our own SMTP service not for filtering purposes.

Kornet

Whilst I can appreciate that Kornet may have issues with a lot of broadband users, but the other big Korean company seems to have it solved. What I see is what appear to be (using whois data!) US companies buying transit from them.

I'm no routing guru, but I assume it must be pretty obvious to Kornet if some small US company starts buying transit from them (rather than say some local US telecom provider) that they want it for nefarious purposes?!

Or is there something going on here that makes Kornet look unduly bad. Anyone got a handle on what is going on in that regard.
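An added example, not part of Simon Waters' post: one way to apply the "persistent" test he describes before writing a manual entry in the form quoted at the top of his message. The log tuples, function names, thresholds and the 550 text are assumptions, the addresses are constructed from documentation ranges, and the cross-check against public block lists remains a manual step.

```python
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed sample: (day, source IP) pairs for abusive SMTP connections.
# All addresses come from the RFC 5737 documentation ranges.
EVENTS = (
    [("2005-02-%02d" % d, "203.0.113.%d" % h)
     for d, h in [(14, 5), (14, 9), (15, 5), (15, 77),
                  (16, 9), (16, 5), (17, 130), (17, 5)]]
    + [("2005-02-16", "198.51.100.%d" % h) for h in range(1, 6)]  # one-day burst
    + [("2005-02-14", "192.0.2.10"), ("2005-02-17", "192.0.2.10")]
)

def octet_key(ip, octets):
    """Return the leading `octets` octets of a validated IPv4 address."""
    ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(ip.split(".")[:octets])

def summarize(events, octets=3):
    """Per-prefix hit count, number of distinct days seen, and share of all hits."""
    days, hits = defaultdict(set), defaultdict(int)
    for day, ip in events:
        key = octet_key(ip, octets)
        days[key].add(date.fromisoformat(day))
        hits[key] += 1
    total = sum(hits.values())
    return {k: {"hits": hits[k], "days": len(days[k]), "share": hits[k] / total}
            for k in hits}

def block_candidates(events, octets=3, min_days=3):
    """Prefixes seen on at least `min_days` distinct days, busiest first.

    A one-day burst is left out: it is not a persistent issue.
    """
    stats = summarize(events, octets)
    keep = [k for k, s in stats.items() if s["days"] >= min_days]
    return sorted(keep, key=lambda k: stats[k]["hits"], reverse=True)

def access_lines(keys, text="persistent abuse, blocked locally"):
    """Format entries like the one quoted in the post (message text is assumed)."""
    return ["%s 550 %s" % (k, text) for k in keys]

if __name__ == "__main__":
    for line in access_lines(block_candidates(EVENTS)):
        print(line)
```

The candidates are only a shortlist for review; each one still gets checked against the block list databases before it is entered by hand.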
--On 18 February 2005 08:32 +0000 Simon Waters <simonw@zynet.net> wrote:
Whilst I can appreciate that Kornet may have issues with a lot of broadband users, but the other big Korean company seems to have it solved. What I see is what appear to be (using whois data!) US companies buying transit from them.
How are US companies with Korean offices meant to take connectivity then?

Alex
On Thu, 17 Feb 2005 10:48:40 -0800 (PST), Dan Hollis <goemon@anime.net> wrote:
From what I understand the answer is no. People I know who have attended asia-pacific regional network meetings described them as "clueless". Unfortunately the same goes for kornet. :-/
If anybody here is attending APRICOT 2005 in Kyoto this week, and is interested in this issue, there'll be a bunch of chinanet people and I think at least one guy from the Chinese CERT around in the security and antispam tracks on 2/24.

That's in addition to Dave Crocker, Jim Fenton etc as speakers :)

--srs
--
Suresh Ramasubramanian (ops.lists@gmail.com)
On Thu, 17 Feb 2005 12:13:07 -0500 "Jon R. Kibler" <Jon.Kibler@aset.com> wrote:
I know that this is a REALLY sore point, but has anyone ever established any good working relations with anyone in CHINANET or other China-based ISPs?
Yes, indeed. And been out to Beijing to have meetings with them.

--
Richard Cox
On Thu, 17 Feb 2005, Richard Cox wrote:
:
: On Thu, 17 Feb 2005 12:13:07 -0500
: "Jon R. Kibler" <Jon.Kibler@aset.com> wrote:
:
: > I know that this is a REALLY sore point, but has anyone ever
: > established any good working relations with anyone in CHINANET
: > or other China-based ISPs?
:
: Yes, indeed. And been out to Beijing to have meetings with them.

Heh, you shoulda tried getting in there in the mid 90s. The only clue was in the universities. They were mostly worried about VoIP taking money from the government telco and the unwashed western ideas brainwashing the masses. I doubt things have changed. Be prepared for outages. Get more than one link to the country if you want high quality cold potato.

scott
Hi Jon,

there were two guys at nanog33.. if you didn't meet them then perhaps keep an eye out at nanog34

http://www.nanog.org/mtg-0501/attendee.list.html

short answer is i see chinanet folks on a whole bunch of forums and lists,

Steve

On Thu, 17 Feb 2005, Jon R. Kibler wrote:
I know that this is a REALLY sore point, but has anyone ever established any good working relations with anyone in CHINANET or other China-based ISPs?
In recent weeks, over 80% of our port scans and various miscreant probes have originated from a very small number of IPs in China. Trying to contact the IP owner via email usually finds either the mailbox is full, the email address is invalid, or the mail server is not working.
Anyone had any success in this area?
THANKS! Jon Kibler
participants (13)
- Alex Bligh
- Dan Hollis
- Dan Mahoney, System Admin
- Dave Crocker
- Dave O'Shea
- Gadi Evron
- Jon R. Kibler
- Richard Cox
- Scott Weeks
- Simon Waters
- Stephen J. Wilcox
- Suresh Ramasubramanian
- william(at)elan.net