Opinion on null0'ing entire 218.0.0.0?

Is anyone getting hundreds of thousands of spam a day from 218.0.0.0 like I am? Has anyone actually considered null routing the whole block?

Are there actually any 'users' in APNIC space? Or is it all spam from Korea?

-Drew

null0 them - I guarantee if you do, you won't receive any complaints. :)

Korea has one of the highest ratios of broadband-connected households in
the world (if not the highest). They access Korean content extensively,
but not as much English content, which is why you never see them in any
context you access.

Most of my spam is either from the US or from APNIC; that doesn't make me
want to null-route all of the non-RIPE networks.

That would explain the incredibly large number of open proxies in 218/8.

Drew, I don't think you're being spammed by Koreans...at least not
directly by the ones delivering the spam to you. You're more likely just
being spammed via open proxies that happen to be Korean.

It's your network...do what your customers will let you get away with.
How many Korean customers might you have that will be pissed when they
find they can't exchange email with family and friends in Korea? There's
one sure way to find out.

I hope the nanog mail list is an OK place to warn of this..........

As part of my clean up for clients who have had Blaster, I came across a
variant, sometimes called Blaster D. Its other name is welchia.

It seems to do the following:

Gets the Microsoft patch for regular blaster. Installs a file called
dllhost.exe in the C:\Windows\System32\Wins directory. Btw there is a
smaller dllhost.exe file in one of the other system directories.

http://www.pchell.com/virus/welchia.shtml

It also copies the tftp server from one of the other windows locations.

They are both started by a startup service.

When connection is made to the internet, dllhost and the tftp server
start their dirty work.

The tftp server appears to be the mechanism by which the virus
propagates. The dllhost sends out a firestorm of requests (on various
ports) to try to find other victims.

This afternoon I patched a system and installed a personal firewall - in
the space of about 20 minutes there were 207 attacks some using ICMP
class 8, others simply using UDP against ports 135, 137 and 139.

This was all on a computer that had the Microsoft patches for Blaster
applied. I think it gets in prior to the blaster patch application and
then is not detected by the blaster removal and Microsoft fix.

Rather than go into all the gory details, I suggest that interested
parties go hunting for it at their usual anti-v places.

Chris Bird
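A defender-side illustration of the traffic pattern Chris describes (a burst of ICMP echo requests plus UDP probes of ports 135, 137 and 139 from one source in a short window), written as an added example for this thread and not code from any poster. The key=value log format and the sample lines are constructed for the example, not any real firewall's output, and the threshold is set low so the sample trips it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical key=value personal-firewall format.
SAMPLE_LOG = """\
2003-08-20 15:01:02 action=DROP src=192.0.2.10 proto=ICMP type=8
2003-08-20 15:01:03 action=DROP src=192.0.2.10 proto=ICMP type=8
2003-08-20 15:01:04 action=DROP src=192.0.2.10 proto=UDP dport=135
2003-08-20 15:01:05 action=DROP src=192.0.2.10 proto=UDP dport=137
2003-08-20 15:01:06 action=DROP src=192.0.2.10 proto=UDP dport=139
2003-08-20 15:01:07 action=DROP src=192.0.2.10 proto=ICMP type=8
2003-08-20 15:02:00 action=DROP src=198.51.100.7 proto=ICMP type=8
2003-08-20 15:02:30 action=DROP src=198.51.100.7 proto=UDP dport=53
2003-08-20 15:40:00 action=DROP src=192.0.2.10 proto=ICMP type=8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) action=\S+ src=(?P<src>\S+) proto=(?P<proto>\S+)"
    r"(?: type=(?P<type>\d+))?(?: dport=(?P<dport>\d+))?$"
)
SCAN_PORTS = {135, 137, 139}  # the UDP ports the poster saw being probed

def parse(log_text):
    """Yield (timestamp, src, kind) for each line that matches the probe pattern."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["proto"] == "ICMP" and m["type"] == "8":
            yield ts, m["src"], "icmp_echo"
        elif m["proto"] == "UDP" and m["dport"] and int(m["dport"]) in SCAN_PORTS:
            yield ts, m["src"], "udp_scan"

def flag_scanners(log_text, window=timedelta(minutes=20), threshold=5):
    """Return {src: total_probes} for sources that reach `threshold` probes
    inside any `window` (the poster counted 207 in about 20 minutes)."""
    by_src = defaultdict(list)
    for ts, src, _kind in parse(log_text):
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):  # sliding window over sorted timestamps
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged
```

Tune `SCAN_PORTS`, `window` and `threshold` to your own logs; a single echo request or a stray UDP packet from a host should not fire, only the sustained burst does.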