ChinaNet Contacts

I know that this is a REALLY sore point, but has anyone ever established any good working relations with anyone in CHINANET or other China-based ISPs?

In recent weeks, over 80% of our port scans and various miscreant probes have originated from a very small number of IPs in China. Trying to contact the IP owner via email usually finds either the mailbox is full, the email address is invalid, or the mail server is not working.

Anyone had any success in this area?

THANKS!
Jon Kibler

better still, has anyone ever come up with a bgp-distributed list of prefixes that trace back to such addresses?

-Dan

asia-pacific regional network meetings described them as "clueless".
Unfortunately the same goes for kornet. :-/

-Dan

Yes, indeed. And been out to Beijing to have meetings with them.

Clueless?

Which is worse, ignorance or entropy?

Who knows? Who cares?

(and which is it, really?)

-Dan

: On Thu, 17 Feb 2005 12:13:07 -0500

As of this past Summer, this was no longer true for all of China Telecom. In fact they had started putting in enough effort that I am confused about the current round of problems being described.

Any chance of trying to get some granularity to this? As I understand their operation, there are enormous differences among the operations in different provinces.

d/

They do have people in an LA office, as I got a call
from one of them when I had a BGP session to them go
down due to a max-prefix which had been exceeded.

I guess if you have three times the population of the
US, you're going to have one or two "black hats".

Hi Jon,
there were two guys at nanog33.. if you didn't meet them then perhaps keep an
eye out at nanog34

http://www.nanog.org/mtg-0501/attendee.list.html

short answer is i see chinanet folks on a whole bunch of forums and lists,

Steve

Dave O'Shea wrote:

They do have people in an LA office, as I got a call
from one of them when I had a BGP session to them go
down due to a max-prefix which had been exceeded.

I guess if you have three times the population of the
US, you're going to have one or two "black hats".

Undoubtedly.

It would still be my guess there are more black hats in the US. The problem with China is a ton of compromised machines and close to no incident and abuse handling. Not to mention centralized coordination.

  Gadi.

yahoo and hotmail come close, but it will take some real balls to top
chinanet's official blackhat lying autoresponder:

"In your SPAM eMail,I can't find the IP or the IP is not by my
control.Please give me the correct IP.Thank you."

hats don't get any darker than that.

-Dan

Despite China playing a role in spam distribution, almost all hardcore
spammers are from US, in fact there is really no big spamhouse there.
Now, I'm sure they do have their own blackhats, but if anything I know
is true even if they are three times size of US, number of blackhats
there is probably 3-10 times smaller and I'd not be surprised if all
scans you see from China are really blackhats from US and other countries
who rented computer there.

So it's not the blackhats that is a problem in China, it's the corruption
which is always present in communist and similar seemingly state-controlled
totalitarian societies. Add to that, US & EU money has greater value in
China and you will understand how it's possible that they pretend to not
have received reports and delay removing abusers.

Note that while corruption is worse when it's present at or near the top,
that one is easier to deal with if you get to the right people, but it's
the corruption at the bottom which has become rooted, that is most difficult
to get rid of. And with Chinanet being so large and largely organized so
that provinces and individual cities have more control than the center,
you can see why it may take some time until current efforts by spamhaus
and others have overall result.

If anybody here is attending APRICOT 2005 in Kyoto this week, and is
interested in this issue, there'll be a bunch of chinanet people and I
think at least one guy from the Chinese CERT around in the security
and antispam tracks on 2/24

That's in addition to Dave Crocker, Jim Fenton etc as speakers :)

--srs

220.175 550 ChinaNet Jiangxi not wanted here see
SBL12656

Persistent email abuse that led to the email server being overwhelmed on
occasions, we introduce these manually, and cross reference them against the
big block list databases to ensure it is a "persistent" issue. We use
blocking only to protect our own SMTP service not for filtering purposes.

Kornet

Whilst I can appreciate that Kornet may have issues with a lot of broadband
users, but the other big Korean company seems to have it solved. What I see
is what appear to be (using whois data!) US companies buying transit from
them. I'm no routing guru, but I assume it must be pretty obvious to Kornet
if some small US company starts buying transit from them (rather than say
some local US telecom provider) that they want it for nefarious purposes?!

Or is there something going on here that makes Kornet look unduly bad? Anyone
got a handle on what is going on in that regard?

How are US companies with Korean offices meant to take connectivity
then?

Alex

I think what Simon has been seeing is the Wholesalebandwidth AS