Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Blocking IP's / e-com fraud

from [Stian Øvrevåge] Network Security [Permanent Link]
Subject: Re: Blocking IP's / e-com fraud
Date: Thu, 30 Dec 2004 20:37:02 +0100 
Hello,

I would advise you to look up the ip-addresses in question in the
respective Whois databases, such as ARIN, RIPE, APNIC, etc.
The databases usually tells you who "owns" the entire subnet, and
there is also likely contact information on who to contact in case of
abuse, which fraud attempts most certainly are!

For example, I ran a whois on microsoft.com at ARIN and the database showed:
OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName:   Hotmail Abuse 
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  abuse@hotmail.com

It also told me what range of ip-s they are assigned:
NetRange:   207.46.0.0 - 207.46.255.255 

I cannot give a detailed guide of IIS but the subnet masks of 10.0.*.*
is 255.255.0.0, it is a certain chance you can block several subnets
in one go, but this does require some binary math. So unless it is 30+
different nets I would think "classfull" blocking is easiest.

Note: If IIS supports CIDR notation in network/subnet specification
you might want to use a /16 instead of 255.255.0.0.

Good Luck, Stian


On Wed, 29 Dec 2004 19:44:38 -0600, Dan Tesch <dan.tesch@comcast.net> wrote:

Hello, I am working with an e-commerce company.
They get a fair amount of attempted fraud but do a
decent job at ferreting this out during order processing.

There are several persons who attempt orders over
and over again - we can track their IP and the e-mail
address they attempt to use - we have blocked single
IP's in IIS before but one person in particular keeps
coming back placing small orders (like $40), our
suspicion is they are probing.

I have several questions:

Is there a resource anyone knows of to search for IP's
like this and/or e-mails people consistently use for fraud?
(Google hasn't been any help at all)

The person I referenced before keeps coming from different
IP's but all from the same range (home user with DHCP?)

In IIS if I want to block an entire range like:

XXX.78.0.0 - XXX.83.255.255

how should that look in the IIS Mgr?

do I need to make multiple entries like:
XXX.78.0.0
XXX.79.0.0
XXX.80.0.0, etc.?

and what should the subnet masks look like?

Thanks for any help or reference.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  N00b Question, Harshal Dedhia
Next by Date:  RE: Firewall for restricting ips based on dynamic acls, Ajay.Mitra
Previous by Thread:  Re: Blocking IP's / e-com fraud, Stian Øvrevåge
Next by Thread:  N00b Question, Harshal Dedhia
Indexes:  [Date] [Thread] [Top] [All Lists]