Re: auto-reporting to ISPs

[jlewis () LEWIS ORG (Jon Lewis)]

On Tue, 29 Feb 2000, Robert Graham wrote:

> Below is an e-mail from a customer who would like to see us add an
> auto-email feature to our product in order to notify the ISP of the
> offending hacker. This is pretty funny because we've already seen some
> complaints by ISPs from such a feature in other products appear on this list
> over the past couple of days.

There are a couple of issues with this.  First, we know.  Our systems are
scanned on a regular basis, both from hacked systems and from other ISP
(frequently in other countries) dialups, cable modems, etc.  There's not
much we can usually do about these...what are we supposed to do about our
dialup users being scanned?  We have alot more dialup users than servers,
so it seems reasonable to assume that there will be more incidents per
unit time with customers being scanned than our servers.  I doubt most
ISPs want to be bothered with the additional scan complaint load.

The other big issue I have with these sorts of products is that putting
such scan detection software in the hands of the clue impaired doesn't do
anyone any good.  We get bogus complaints that customer X was pinged by a
remote IP (oh no!) or that a connection on some port was requested when it
may actually be someone/something attempting to connect to a port that was
open on the previous user of that IP.  These people complain to us as if
we can reach out and stop someone who's port scanning from China.  Then
there's the attorney who recently canceled our service because he was
convinced hackers were trying to gain access to his computer.

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  Spammers will be winnuked or
 System Administrator        |  nestea'd...whatever it takes
 Atlantic Net                |  to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________