Firewall Wizards mailing list archives
Re: "Who else picked this one up?"
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Sat, 1 May 1999 18:27:08 -0500 (CDT)
On Sat, 1 May 1999, Paul D. Robertson wrote:
> On Sat, 1 May 1999, R. DuFresne wrote:
>
> > host and or allow IRC to their users will be excluded? And you will filter out those testing new security scanners, so as to not put their names on a potential future 'blacklist' also. And those just testing
>
> Nobody should be "testing" a scanner against a network I administer without my express permission. The idea that scanning a foreign network for potential vulnerabilities without permission is valid behaviour is just plain wrong.
In theory, yes, I agree. Yet, I have watched over the years and learned that it is merely a theory; practice, capability, and legalities show this to be something that at this point is merely theory.
> > scanners, to get a feel for the SW just brought up, those door knockers just testing, they will not muddy up the waters too much, will they? The NFR SW also knows how to track down spoofed scans, so as to not log the
>
> Spoofing is a fact of life on a packet switched network. Guess what? It's a solvable problem if upstreams did source filtering on their downstreams and providers did the same. There's absolutely no impetus for anyone to do that at the moment. So instead of trying to solve the problem, we should all just decide that business as usual is ok? I think not.
Ahh, I see, so, since things are the way they now are, and since those responsible for enacting legislation that would make it a federal misdemeanor for such door knocking and window rattling have not reacted in a manner enforceable, *another* small mob of internet vigilantes will?
> > database with false info <I have not looked at it here yet>? No one is going to be logging other ports scanned, so, that eliminates those knocking doors to locate and document broken networks, right?
>
> In most of the world, the current situation in Singapore notwithstanding, the only people scanning to "document broken networks" should be the network operators of those networks. This means that they need to know they're being abused so that they can start the process of fixing them. Notification of apparent sources of packets fulfills that. If the packets are spoofed, then a network operator can filter packets at their ingress point to ensure that they're only sourced at legitimate addresses. You don't get that in the current environment.
Again, a nice theory, but not a fact at all, considering the legalities, the capabilities and practice... But, I recall there being a database, built by outsiders not too long ago, that documented broken networks that can be used to amplify smurfs and such, and the goal of that database<s?> was to let those folks know that they in fact had broken networks. How well did that effort work out? Exposure has forced all those networks to be fixed, yes? The fact remains that the capability is there and the legalities do *not* make this tweaking a crime with true potential of redress. Even legit operators use this. Many networks I work and play in see telnet probes launched by IRC admins per client connections to their servers <we have also seen ftp sites do similar, defending their actions on the fact that if you like it not, do not use their service; what they are truly seeking in these actions, one can only guess. Hell, I recall being probed by sites because I sent e-mail to a user there, same justification>. Does this constitute *abuse* or "misuse" of current capabilities and legalities, and their own sense of 'protection' is weighted against this?
> > What I'm saying here is that there are a few large problems that have been touched on; 1) Data, what is being measured, and what is the true validity of what is being measured.
>
> Like anything else, the data measured is what's hitting the networks of people wishing to share that information. In the case of BO, there's no legitimate reason for that traffic to hit my networks, so it's either an attempt to locate a compromised machine, or it's a spoofed attempt to discredit another network. In either case, the aggregation of my data with other people's data means that we can start at the apparent source and make some progress. Right now we have zero progress.
>
> > 2) The large tendency for abuse, of the collected 'data', and the abuse of flooding and loading the database once it is made public that it exists.
>
> How can data be abused? It's real packets hitting a real network. Fortunately, networks aren't transient like customers, so a known quantity can be established and metrics given to providers of the data. Given logs, a network operator can be responsible about cleaning up abuse. It's the same issue that ISPs' abuse departments face every day with USENET and SMTP reports. Spoofing is possible, and network operators can mostly determine the validity of a report. If networks are overly abusive, then the rest of the world can agree not to peer with them until they solve their problems. It's the same principle that governs USENET, USENET II, and RBL. Without data there's no way to start the process of accountability.
The potential of abuse is easy to comprehend here, very easy to see: once a network makes the list, the site in question on the posted database is blacklisted, or for our purposes, blackholed, by those 'reading' the database. Never mind how obvious the disclaimers posted concerning this data; we all know how much attention folks pay to disclaimers and documentation. Once listed, those 'offenders' have what recourse to be removed from such a list? How does a network go about getting themselves unlisted should they be misrepresented in this database? To what body do those 'offenders' seek redress? Are we now not talking about the creation of another arbitrary body of database maintainers that sit as judge and jury, adding and removing networks and addresses based upon an as yet unwritten set of criteria that will gain the 'offenders' a *pardon* or a *probation*? How many scans document a network as being particularly abusive? One scan a day to one outside network per, what, 100, 1,000 users? Two scans? 10? How many ports do they need to hit, 1, 2, 10, 100? Hell, let's just do it like the leet scripts in IRC, set all the routers' ACLs to block *@*.home.com *@*.aol.com and such right now. Of course, that in itself will have some ramifications for this list itself and some of its users.
> > Even if #1 is surmounted, do we trust even the 'whitehats' to handle a list such as this and use the information only for reporting and to support the 'security of their own positions'? Once the data is abused, and others are suffering from its existence, then those guarding and distributing the information will be charged with establishing an *internet court* so to speak, so the 'offenders' can show that they have paid for their 'crimes' and closed the holes, so that they can become good netizens again?
>
> RBL works, UDP works, to some extent UCE reporting works. Anarchy doesn't work because there are too many people willing to victimize others.
As concerns RBL, once listed there, who does one see and how does one go about getting their site removed from the listing? Assuming that spamming has been curtailed from the abusing site and all...
> > I must be missing something, I have been busy, so, perhaps I have missed the real meat of this thread...
>
> The meat of this thread is that it's about time that network operators started sharing information to prevent attacks and give those responsible for going after attackers the data necessary to do so. They also need data to support their positions for deploying defensive systems, and in some cases tools to monitor for misbehaviour by their users. I'd rather focus on abuse of my networks by third parties than abuse of any reports of that abuse that I forward. The truth is that abuse in reports can be corroborated once there's an infrastructure in place and a reporting mechanism. Right now, abuse of my network is a stand-alone item. Ask the folks running the networks that got compromised on Easter if they think coordinated reporting could have helped them. Coordinated attacks happen, coordinated defense needs to as well. Reporting and getting a baseline is the start of that process. There's no technological reason not to. Figuring out margins of error seems to be the only thing that isn't exact. It never will be, that's true of any abuse situation.
Being that the sites I work and play in are probed multiple times daily, yes, I'm well aware that there is a problem out here <yes, I log it, and use that information, but it's not available publicly; it's an arbitrary decision to assess the risk, and an arbitrary decision is used to place actual *value* on the *assets* I feel I'm in possession of and protecting (keep your gigo away from *my* gigo)>. This might well be the last frontier on this planet. But, I'm not so sure that the way to tame it via another *mob of internet vigilantes* promoting their own agenda is the way to go.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!
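Paul's point above about upstreams doing source filtering on their downstreams, worked as an added example that is not part of this thread: the delegation table, the link names, the addresses and the flow records are all constructed, and the hit counter stands in for the shared report database the thread argues over.

```python
import ipaddress
from collections import Counter

# Added example, not from the thread. Upstream-side ingress filtering as
# Paul describes it: a packet arriving on a downstream link is accepted only
# if its source address lies in a prefix delegated to that link; anything
# else is dropped as spoofed. All prefixes, links and flows are constructed.
DOWNSTREAM_PREFIXES = {
    "link-a": [ipaddress.ip_network("192.0.2.0/24")],
    "link-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/25")],
}

BO_PORT = 31337  # Back Orifice default port, the "BO" traffic in the thread


def is_legitimate_source(link, src):
    """BCP 38 style check: src must fall in a prefix delegated to link."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in DOWNSTREAM_PREFIXES.get(link, []))


def filter_and_report(flows):
    """Apply ingress filtering, then count surviving BO probes per source.

    flows: iterable of (ingress_link, src_ip, dst_port).
    Returns (dropped, report): dropped lists (link, src) pairs rejected as
    spoofed; report maps apparent source -> probe count, i.e. the data a
    cooperating operator would forward to a shared report.
    """
    dropped, report = [], Counter()
    for link, src, dport in flows:
        if not is_legitimate_source(link, src):
            dropped.append((link, src))
        elif dport == BO_PORT:
            report[src] += 1
    return dropped, report


# Constructed sample flow records: (link, source address, destination port).
SAMPLE_FLOWS = [
    ("link-a", "192.0.2.17", 31337),      # legitimate source, BO probe
    ("link-a", "192.0.2.17", 31337),
    ("link-a", "203.0.113.9", 31337),     # spoofed: not delegated to link-a
    ("link-b", "198.51.100.200", 31337),  # legitimate, second /25
    ("link-b", "198.51.100.200", 80),     # ordinary traffic, not reported
    ("link-b", "192.0.2.5", 31337),       # spoofed: link-a's prefix on link-b
]

if __name__ == "__main__":
    dropped, report = filter_and_report(SAMPLE_FLOWS)
    print("dropped as spoofed:", dropped)
    print("report:", dict(report))
```

With filtering in place, every source that survives into the report is one the upstream actually delegated, which is what makes the "apparent source" in a forwarded report worth acting on.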