Security Incidents mailing list archives
Re: auto-reporting to ISPs
From: jlewis () LEWIS ORG (Jon Lewis)
Date: Thu, 2 Mar 2000 02:34:58 -0500
On Tue, 29 Feb 2000, Robert Graham wrote:
Below is an e-mail from a customer who would like to see us add an auto-email feature to our product in order to notify the ISP of the offending hacker. This is pretty funny because we've already seen some complaints by ISPs from such a feature in other products appear on this list over the past couple of days.
There are a couple of issues with this. First, we know. Our systems are scanned on a regular basis, both from hacked systems and from other ISP (frequently in other countries) dialups, cable modems, etc. There's not much we can usually do about these...what are we supposed to do about our dialup users being scanned? We have alot more dialup users than servers, so it seems reasonable to assume that there will be more incidents per unit time with customers being scanned than our servers. I doubt most ISPs want to be bothered with the additional scan complaint load. The other big issue I have with these sorts of products is that putting such scan detection software in the hands of the clue impaired doesn't do anyone any good. We get bogus complaints that customer X was pinged by a remote IP (oh no!) or that a connection on some port was requested when it may actually be someone/something attempting to connect to a port that was open on the previous user of that IP. These people complain to us as if we can reach out and stop someone who's port scanning from China. Then there's the attorney who recently canceled our service because he was convinced hackers were trying to gain access to his computer. ---------------------------------------------------------------------- Jon Lewis *jlewis () lewis org*| Spammers will be winnuked or System Administrator | nestea'd...whatever it takes Atlantic Net | to get the job done. _________http://www.lewis.org/~jlewis/pgp for PGP public key__________
Current thread:
- Re: @home: Is *anyone* really home there??? Robert G. Ferrell (Feb 29)
- Complaining to providers (was: @home: Is *anyone* really home there??? Rob Quinn (Mar 02)
- <Possible follow-ups>
- Re: @home: Is *anyone* really home there??? Jason Spence (Feb 29)
- auto-reporting to ISPs Robert Graham (Feb 29)
- Re: auto-reporting to ISPs Jon Lewis (Mar 01)
- Re: auto-reporting to ISPs Network Operations (Mar 02)
- Re: auto-reporting to ISPs Greg A. Woods (Mar 02)
- Re: auto-reporting to ISPs Rasmus Andersson (Mar 02)
- CNET Hackers hit e-commerce site Vincent Lee (Mar 02)
- UDP Probes (?) from port 28432 to 28431 ? Xander Jansen (Mar 04)
- Re: UDP Probes (?) from port 28432 to 28431 ? Alexander Schreiber (Mar 07)
- UDP Probes (?) from port 28432 to 28431 ? Klaus Moeller (Mar 07)
- Re: UDP Probes (?) from port 28432 to 28431 ? Xander Jansen (Mar 09)
- auto-reporting to ISPs Robert Graham (Feb 29)
- Re: CNET Hackers hit e-commerce site Chris Davis (Mar 04)
- Port 65535 Murray, Mike (Mar 02)