The origin of breakin attempts

on 20.05.2006 00:24:16 by Howard Bryce

Like most people who have their computers permanently connected to the
internet, I frequently am the target of rather crude attacks, presumably
launched by script kiddies. What I find interesting is that whenever I
look into the origin of such attacks, based on the IP address that they
are coming from, the attacks always come, so far without exception, from
one of three countries: China, Taiwan and Korea.

What's wrong with them?

Re: The origin of breakin attempts

on 20.05.2006 00:45:40 by Ludovic Joly

7h3y 4r3 317h3r p00r 0r p3r53cu73d

Re: The origin of breakin attempts

on 20.05.2006 01:35:46 by unruh

Howard Bryce writes:

> Like most people who have their computers permanently connected to the
>internet, I frequently am the target of rather crude attacks, presumably
>launched by script kiddies. What I find interesting is that whenever I
>look into the origin of such attacks, based on the IP address that they
>are coming from, the attacks always come, so far without exception, from
>one of three countries: China, Taiwan and Korea.

> What's wrong with them?

?? And I have gotten brazil, russia, czech, UK,....

Re: The origin of breakin attempts

on 20.05.2006 04:36:38 by Howard Bryce

On Fri, 19 May 2006 23:35:46 +0000, Unruh wrote:

> Howard Bryce writes:
>
>> Like most people who have their computers permanently connected to the
>>internet, I frequently am the target of rather crude attacks, presumably
>>launched by script kiddies. What I find interesting is that whenever I
>>look into the origin of such attacks, based on the IP address that they
>>are coming from, the attacks always come, so far without exception, from
>>one of three countries: China, Taiwan and Korea.
>
>> What's wrong with them?
>
> ?? And I have gotten brazil, russia, czech, UK,....

Interesting. I have yet to be attacked from IP addresses from those
countries.

Re: The origin of breakin attempts

on 20.05.2006 08:22:20 by MAILER-DAEMON

Howard Bryce writes:

> Like most people who have their computers permanently connected to the
>internet, I frequently am the target of rather crude attacks, presumably
>launched by script kiddies. What I find interesting is that whenever I
>look into the origin of such attacks, based on the IP address that they
>are coming from, the attacks always come, so far without exception, from
>one of three countries: China, Taiwan and Korea.

> What's wrong with them?

The same that was wrong with the US, until they were outnumbered
on the Internet by China et al: lots of bored students getting
net access, without familiar or other organizational behaviour
control in place...

The more interesting question, probably, would be in which countries
the introduction of the Internet to the younger population was not
accompanied by such behaviour. You could learn something _there_.

best regards
Patrick

Re: The origin of breakin attempts

on 20.05.2006 10:11:36 by Juha Laiho

Howard Bryce said:
> Like most people who have their computers permanently connected to the
>internet, I frequently am the target of rather crude attacks, presumably
>launched by script kiddies. What I find interesting is that whenever I
>look into the origin of such attacks, based on the IP address that they
>are coming from, the attacks always come, so far without exception, from
>one of three countries: China, Taiwan and Korea.
>
> What's wrong with them?

I guess that in one part, they're new enough to the net that they've
not yet learned to protect their machines against script-kiddies of
the western countries. Of course, this is not to say that they wouldn't
have their own share of wannabe crackers as well.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

Re: The origin of breakin attempts

on 20.05.2006 21:47:21 by ibuprofin

On 20 May 2006, in the Usenet newsgroup comp.security.misc, in article
<446eb59c$0$14260$9b622d9e@news.freenet.de>, Patrick Schaaf wrote:

>Howard Bryce writes:

>> What I find interesting is that whenever I look into the origin of such
>> attacks, based on the IP address that they are coming from, the attacks
>> always come, so far without exception, from one of three countries:
>> China, Taiwan and Korea.

>>NNTP-Posting-Host: 67.122.246.158

67.112.0.0 - 67.127.255.255 Pac Bell Internet Services NET-67-112-0-0-1

It varies - actually for me, SBC (PacBell, SWBell, Ameritech, SNET) is
right up there behind comcast and roadrunner. Stats for April:

2780 US 38% 448 KR 6% 430 BR 6% 173 DE 2% 142 UK 2%
802 CN 11% 434 CA 6% 198 FR 3% 159 MX 2% 137 NL 2%

>The same that was wrong with the US, until they were outnumbered
>on the Internet by China et al: lots of bored students getting
>net access, without familiar or other organizational behaviour
>control in place...

I have _NO_ idea where you got that concept.

[compton ~]$ grep -h ipv4 IP.ADDR/stats/delegated* | grep -v summary | cut -d'|' -f2 | sort | uniq -c | sort -n | tail | column
1137 NZ 1414 RU 1759 DE 4621 EU 5209 AU
1296 FR 1604 JP 1952 GB 4984 CA 31574 US
[compton ~]$ ^v4^v6
grep -h ipv6 IP.ADDR/stats/delegated* | grep -v summary | cut -d'|' -f2 | sort | uniq -c | sort -n | tail | column
31 TW 43 IT 65 NL 87 GB 193 JP
36 SE 48 FR 76 KR 122 DE 217 US
[compton ~]$

That's the number of network assignments from the five RIRs. (There are
72967 assignments as of Tuesday.) If you want to compare it to host numbers,

1343133952 US 91404536 GB
80670208 CN 6414592 IN
46154240 KR 55255712 FR
16499200 TW 54031984 DE

Comcast _alone_ has more than half as many IP addresses as all of Korea. Then
you need to add SBC, RR, QWorst, Verizon, etc. There are 2307268440 IPv4
addresses assigned/allocated world wide.

>The more interesting question, probably, would be in which countries
>the introduction of the Internet to the younger population was not
>accompanied by such behaviour. You could learn something _there_.

And that is? (Hopefully, you can back that up with figures from an
accredited source.) As near as I can tell, the problem with China (as
well as in Korean, Taiwan, and many other countries) is that the
providers there are totally clueless, and the wide-bandwidth connected
hosts are unsecured because (like everywhere else) they are being run
by wankers whose computer knowledge is taxed by figuring out where the
on/off switch is. Consequently, there are a lot of r00ted/0wn3d boxes
being used as zombies. Another thing to think about is that the native
languages in CN, TW and KR are not using ISO8859 or ANSI character sets,
or do you believe that there are huge numbers of students in those
countries who are also learning "Western" languages and practicing
their skills by sending spam, phishing attempts, and trying to guess SSH
usernames/passwords.

Old guy
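
The per-country counting described in the post above, carried one step further so the same pass also sums the address-count field (the "host numbers" comparison), as an added example that is not part of the original post. It assumes the RIR delegated-statistics record layout `registry|cc|type|start|value|date|status`; the sample records are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: per-country IPv4 totals from RIR "delegated" statistics data.
# Assumed record layout: registry|cc|type|start|value|date|status
# For ipv4 records, "value" is the number of addresses in the block.

# Constructed sample data (documentation address ranges, not real delegations).
sample_delegated() {
cat <<'EOF'
2|example|20060516|5|19830101|20060516|+0000
example|*|ipv4|*|4|summary
example|*|ipv6|*|1|summary
example|US|ipv4|192.0.2.0|256|20060101|assigned
example|US|ipv4|198.51.100.0|256|20060102|allocated
example|KR|ipv4|203.0.113.0|128|20060103|assigned
example|CN|ipv4|203.0.113.128|64|20060104|allocated
example|KR|ipv6|2001:db8::|32|20060105|allocated
EOF
}

# Reads delegated-format data on stdin and prints "cc assignments addresses"
# per country, largest address total first.
ipv4_by_country() {
    awk -F'|' '
        $3 != "ipv4"     { next }   # version header, asn and ipv6 records
        $NF == "summary" { next }   # per-type summary lines
        $7 != "assigned" && $7 != "allocated" { next }   # unassigned pools
        { nets[$2]++; addrs[$2] += $5 }
        # %.0f avoids 32-bit %d limits in some awk builds for large totals
        END { for (cc in nets) printf "%s %d %.0f\n", cc, nets[cc], addrs[cc] }
    ' | sort -k3,3nr -k1,1
}

# Share of all counted addresses held by one country, as a whole percent.
ipv4_share() {
    ipv4_by_country | awk -v cc="$1" '
        { total += $3; if ($1 == cc) mine = $3 }
        END { if (total > 0) print int(mine * 100 / total); else print 0 }
    '
}

sample_delegated | ipv4_by_country
```

Comparing the assignment column with the address column shows why ranking attack sources by raw hit count alone says little: a country's share of hits has to be read against its share of address space.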

Re: The origin of breakin attempts

on 21.05.2006 00:35:30 by Barry Margolin

In article ,
ibuprofin@painkiller.example.tld (Moe Trin) wrote:

> And that is? (Hopefully, you can back that up with figures from an
> accredited source.) As near as I can tell, the problem with China (as
> well as in Korean, Taiwan, and many other countries) is that the
> providers there are totally clueless, and the wide-bandwidth connected
> hosts are unsecured because (like everywhere else) they are being run
> by wankers whose computer knowledge is taxed by figuring out where the
> on/off switch is.

The problem, IMHO, is that despite having made great strides in the
past decade or so, these are still essentially third-world countries.
Corruption and disregard for the law and personal property run rampant.
I don't think it's so much that the providers are clueless, but they
just don't care. It's not part of their culture. Before computer
hacking, these areas were hotbeds of software, music, and video piracy.

Part of it may be their communist history. In a communist society,
where individuals don't own their property, you don't give much
consideration to other people.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Re: The origin of breakin attempts

on 21.05.2006 02:16:33 by ibuprofin

On Sat, 20 May 2006, in the Usenet newsgroup comp.security.misc, in article
, Barry Margolin wrote:

>ibuprofin@painkiller.example.tld (Moe Trin) wrote:

>> As near as I can tell, the problem with China (as well as in Korean,

My, these fingers are fumbling a lot today - try 'as well as in Korea,'

>> Taiwan, and many other countries) is that the providers there are
>> totally clueless, and the wide-bandwidth connected hosts are unsecured
>> because (like everywhere else) they are being run by wankers whose
>> computer knowledge is taxed by figuring out where the on/off switch is.
>
>The problem, IMHO, is that despite having made great strides in the
>past decade or so, these are still essentially third-world countries.
>Corruption and disregard for the law and personal property run rampant.

That point has considerable merit. I'd have to agree with it.

>I don't think it's so much that the providers are clueless, but they
>just don't care.

How do you explain the disaster when Korea decided to put broadband into
every school, and then left the systems in unpatched, wide open states
that got exploited by every spammer in the world, and every skript kiddie
running his 'ph34r-/\/\3' tool-kit.?

>It's not part of their culture.

In the case of Korea, the problem was more the resistance to criticism from
outsiders. When admins all over the world started blackholing all packets
from Korean addresses (because ALL abuse complaints were ignored), we
started to see some changes. The Korean manufacturers were seeing the
result of blackholes on their bottom lines, and put the word out to the
Korean Ministry of Education, and to the various Korean ISPs. It's still
far from perfect, and I'm sure there are millions of firewall rules and
ACLs on private and corporate firewalls around the world that may remain
in place until the heat-death of the solar system. But as noted in my
April stats, _for_me_ Korea is barely in third place, just edging out
Canada and Brazil.

>Part of it may be their communist history. In a communist society,
>where individuals don't own their property, you don't give much
>consideration to other people.

On the other hand, "I have heard"(tm) that the Chinese government is
slapping lusers in jail, or executing them for "dishonoring the country"
or some such "crime".

None the less, the communists are but a brief phase - and you need only
look at the traffic on the streets of Guangzhou (was Canton), Shenzhen,
Yulin, or even Shanghai. Those Merc's and BMW's aren't owned by the state.

Old guy

Re: The origin of breakin attempts

on 21.05.2006 07:58:07 by MAILER-DAEMON

ibuprofin@painkiller.example.tld (Moe Trin) writes:

>>The same that was wrong with the US, until they were outnumbered
>>on the Internet by China et al: lots of bored students getting
>>net access, without familiar or other organizational behaviour
>>control in place...

>I have _NO_ idea where you got that concept.

Oh, easy. Remember the old Usenet saying, after AOL got on board,
that it's now perpetual September?

That's where I got that concept.

Note that I wouldn't try to defend it. To the OP, who obviously
did not do any research, just wanting to vent an often seen xenophobic
opinion, I chose the above reply explicitly for its antixenophobic
message.

In reality, I'm convinced that most such attacks are low level
criminal fishing expeditions, and any by-country activity peak
most likely corresponds to a missing habit of security patching
all those new computers that nobody even had five years ago.
And this happens in Germany as well as in Korea.

best regards, and a nice life on global earth
Patrick

Re: The origin of breakin attempts

on 21.05.2006 08:49:19 by Barry Margolin

In article ,
ibuprofin@painkiller.example.tld (Moe Trin) wrote:

> On Sat, 20 May 2006, in the Usenet newsgroup comp.security.misc, in article
> , Barry Margolin wrote:
>
> >ibuprofin@painkiller.example.tld (Moe Trin) wrote:
>
> >> As near as I can tell, the problem with China (as well as in Korean,
>
> My, these fingers are fumbling a lot today - try 'as well as in Korea,'
>
> >> Taiwan, and many other countries) is that the providers there are
> >> totally clueless, and the wide-bandwidth connected hosts are unsecured
> >> because (like everywhere else) they are being run by wankers whose
> >> computer knowledge is taxed by figuring out where the on/off switch is.
> >
> >The problem, IMHO, is that despite having made great strides in the
> >past decade or so, these are still essentially third-world countries.
> >Corruption and disregard for the law and personal property run rampant.
>
> That point has considerable merit. I'd have to agree with it.
>
> >I don't think it's so much that the providers are clueless, but they
> >just don't care.
>
> How do you explain the disaster when Korea decided to put broadband into
> every school, and then left the systems in unpatched, wide open states
> that got exploited by every spammer in the world, and every skript kiddie
> running his 'ph34r-/\/\3' tool-kit.?

I don't explain it because I was totally unaware of it. I'm not
disputing it, I just haven't followed the details of far eastern
technology transfer that closely.

But I guess the crux of the question is: are the attacks originating in
the far east, or are the attackers over here and they're exploiting lots
of vulnerable computers over there because the Chinese, Koreans, etc.
don't know how to protect themselves from becoming zombies.

>
> >It's not part of their culture.
>
> In the case of Korea, the problem was more the resistance to criticism from
> outsiders. When admins all over the world started blackholing all packets
> from Korean addresses (because ALL abuse complaints were ignored), we
> started to see some changes. The Korean manufacturers were seeing the
> result of blackholes on their bottom lines, and put the word out to the
> Korean Ministry of Education, and to the various Korean ISPs. It's still
> far from perfect, and I'm sure there are millions of firewall rules and
> ACLs on private and corporate firewalls around the world that may remain
> in place until the heat-death of the solar system. But as noted in my
> April stats, _for_me_ Korea is barely in third place, just edging out
> Canada and Brazil.
>
> >Part of it may be their communist history. In a communist society,
> >where individuals don't own their property, you don't give much
> >consideration to other people.
>
> On the other hand, "I have heard"(tm) that the Chinese government is
> slapping lusers in jail, or executing them for "dishonoring the country"
> or some such "crime".
>
> None the less, the communists are but a brief phase - and you need only
> look at the traffic on the streets of Guangzhou (was Canton), Shenzhen,
> Yulin, or even Shanghai. Those Merc's and BMW's aren't owned by the state.

They're not owned by most Chinese citizens, either. Yes, China has an
upper class, and city dwellers live a relatively modern lifestyle. But
the majority of their population still live in backward villages where
chiefs run the town, black markets are a way of life, and bribing
officials is the only way to get anything done.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Re: The origin of breakin attempts

on 21.05.2006 23:11:15 by ibuprofin

On 21 May 2006, in the Usenet newsgroup comp.security.misc, in article
<4470016f$0$14190$9b622d9e@news.freenet.de>, Patrick Schaaf wrote:

>ibuprofin@painkiller.example.tld (Moe Trin) writes:

>>I have _NO_ idea where you got that concept.
>
>Oh, easy. Remember the old Usenet saying, after AOL got on board,
>that it's now perpetual September?

[compton ~]$ sep_date
Today is 4646 September, 1993 UTC
[compton ~]$

>That's where I got that concept.

The problem changed last year when AOL dropped Usenet. Now, we see them
posting from google.groups. If you parse the bang-path in news articles
and count news servers, you'll find that google seems to rank near the
top in the number of posts. (For me, they're in second place behind
t-online.de - YMMV.) Regrettably, even though those using it are
posting from a search engine, they can't be bothered _using_ that search
engine to find the answer to their mindless questions.

>Note that I wouldn't try to defend it. To the OP, who obviously
>did not do any research, just wanting to vent an often seen xenophobic
>opinion, I chose the above reply explicitly for its antixenophobic
>message.

I think that anyone wanting to waste the time looking at stats of where
the abuse comes from knows very well. It's always "that other group over
there". I don't even bother logging on the firewall protecting my home,
and email gets dropped unless it's from white-listed addresses. There is
nothing running on the port someone tried to connect to, or the firewall
stopped it, as did the mail filter - that's all I need to know.

Old guy

Re: The origin of breakin attempts

on 21.05.2006 23:12:05 by ibuprofin

On Sun, 21 May 2006, in the Usenet newsgroup comp.security.misc, in article
, Barry Margolin wrote:

>ibuprofin@painkiller.example.tld (Moe Trin) wrote:

>> How do you explain the disaster when Korea decided to put broadband into
>> every school, and then left the systems in unpatched, wide open states
>> that got exploited by every spammer in the world, and every skript kiddie
>> running his 'ph34r-/\/\3' tool-kit.?

>I don't explain it because I was totally unaware of it. I'm not
>disputing it, I just haven't followed the details of far eastern
>technology transfer that closely.

If you ranked the apparent sources of spam, cracking attempts, and
spam support (web servers, drop boxes, etc.), Korea was pretty bad
for a while. Korea has a lot of bandwidth - it was unsecured, and it
was massively exploited.

>But I guess the crux of the question is: are the attacks originating in
>the far east, or are the attackers over here and they're exploiting lots
>of vulnerable computers over there because the Chinese, Koreans, etc.
>don't know how to protect themselves from becoming zombies.

My point up-thread. "Follow the money". The spam from "over there" is rarely
from there. Relatively few "over here" are able to read the native text
(most often even lacking the character set support). While the cost of
delivering the message is minimal, spewing to a 1e-5 chance of a sale
makes more sense than spewing to a 1e-9 chance. Even though the cost is
minimal, it's not zero.

Old guy

Re: The origin of breakin attempts

on 22.05.2006 23:55:47 by Barry Margolin

In article ,
ibuprofin@painkiller.example.tld (Moe Trin) wrote:

> On Sun, 21 May 2006, in the Usenet newsgroup comp.security.misc, in article
> , Barry Margolin wrote:
>
> >ibuprofin@painkiller.example.tld (Moe Trin) wrote:
>
> >> How do you explain the disaster when Korea decided to put broadband into
> >> every school, and then left the systems in unpatched, wide open states
> >> that got exploited by every spammer in the world, and every skript kiddie
> >> running his 'ph34r-/\/\3' tool-kit.?
>
> >I don't explain it because I was totally unaware of it. I'm not
> >disputing it, I just haven't followed the details of far eastern
> >technology transfer that closely.
>
> If you ranked the apparent sources of spam, cracking attempts, and
> spam support (web servers, drop boxes, etc.), Korea was pretty bad
> for a while. Korea has a lot of bandwidth - it was unsecured, and it
> was massively exploited.
>
> >But I guess the crux of the question is: are the attacks originating in
> >the far east, or are the attackers over here and they're exploiting lots
> >of vulnerable computers over there because the Chinese, Koreans, etc.
> >don't know how to protect themselves from becoming zombies.
>
> My point up-thread. "Follow the money". The spam from "over there" is rarely
> from there. Relatively few "over here" are able to read the native text
> (most often even lacking the character set support). While the cost of
> delivering the message is minimal, spewing to a 1e-5 chance of a sale
> makes more sense than spewing to a 1e-9 chance. Even though the cost is
> minimal, it's not zero.

That's true for spam. But the original post was about "breakin
attempts", not spam. Are the script kiddiez here or there?

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***