Security Incidents mailing list archives
Re: auto-reporting to ISPs
From: woods () MOST WEIRD COM (Greg A. Woods)
Date: Thu, 2 Mar 2000 11:54:17 -0500
[ On Tuesday, February 29, 2000 at 16:47:44 (-0800), Robert Graham wrote: ]
> Subject: auto-reporting to ISPs
>
> Below is an e-mail from a customer who would like to see us add an auto-email feature to our product in order to notify the ISP of the offending hacker. This is pretty funny because we've already seen some complaints by ISPs from such a feature in other products appear on this list over the past couple of days.
Actually I'd much rather see the complaints from my own users about incidents they've suffered from remote users than complaints from random remote users who might have suffered some sort of incident perpetrated by one of my users. If I were able to mediate such complaints then I could counsel my users on what network security really is and how they should be handling their systems, and I'd only have to ask the ISP at the apparent source of the "attack" for help and verification if indeed it was an attack. As I said, I only want to see good hard evidence from other people when ongoing recurring incidents occur, or indeed when actual penetrations occur. One-off events are almost always meaningless unless they are indeed evidence of known attacks and arrive almost simultaneously from many different sources (though in that case I think most of my clients would only issue a warning, and of course usually to the parent who pays for the account).
> Could abuse@isp people please send me e-mail:
>
> * what is the proper way a product like BlackICE Defender should assist the user in reporting such events?
Unless the event matches a signature of a known attack then any firewall should simply log it for statistical analysis. If the incoming event does match a known attack, and if it is one where the source address is known to be accurate, then a higher priority log message is perhaps called for. If your product were to include a log analysis tool in order to spot recurring "attacks" then perhaps those could be reported to the user directly, but doing so assumes the user has some expertise and will know when to file a formal complaint and when to write the events off as silly kids playing tricks. Given that most users of products such as yours are unlikely to have any expertise at all in these matters, I would indeed really prefer if such reports directed them to seek local help from their own ISP (or their local network admin if they're on an office LAN or whatever). The point of a firewall is to block attacks and prevent penetrations, not to ring the alarm bells and call 911 every time some shady character looks at it from the other side of the street! All of the BlackICE reports I've received were 100% totally useless -- they were simply single attempts to connect to the telnet port (23). They all came from probably well-meaning people who had been scared by a threat being blown out of all proportion.
> * what should I tell this user about why we haven't put such a simple feature into the product?
That's up to you! ;-)

-- 
Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
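The triage policy laid out in the reply above (log unmatched one-off events only for statistics, raise the priority of a known-signature hit whose source address can be trusted, and surface only recurring activity from one source or a near-simultaneous burst of the same known attack from many sources, pointing the user to their ISP or local admin rather than auto-mailing abuse desks) can be expressed as a short log-analysis pass. The following is an added example written for this page; it is not code from the post, from BlackICE or from Network ICE. The log format, the signature names `known-sig-A`/`known-sig-B`, the thresholds and the rule that only a completed TCP handshake makes a source address reliable are all assumptions made for the example, and the sample log lines are constructed.

```python
# Added example, not code from the original post or from BlackICE/Network ICE:
# a triage pass over constructed firewall log lines that follows the tiers
# described in the reply above. Log format, signature names, thresholds and
# the "reliable source" rule are all assumptions made for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# "<ISO timestamp> <src ip> <dst port> <signature or '-'> <proto>"
SAMPLE_LOG = """\
2000-03-01T10:00:00 192.0.2.10 23 - tcp-syn
2000-03-01T10:00:05 192.0.2.10 23 - tcp-syn
2000-03-01T10:00:09 192.0.2.10 23 - tcp-syn
2000-03-01T10:00:11 192.0.2.10 23 - tcp-syn
2000-03-01T11:30:00 198.51.100.7 23 - tcp-syn
2000-03-01T12:00:00 203.0.113.5 139 known-sig-A udp
2000-03-01T12:00:01 203.0.113.6 139 known-sig-A udp
2000-03-01T12:00:02 203.0.113.7 139 known-sig-A udp
2000-03-01T12:00:03 203.0.113.8 139 known-sig-A udp
2000-03-01T12:00:04 203.0.113.9 139 known-sig-A udp
2000-03-01T13:00:00 203.0.113.50 21 known-sig-B tcp-established
2000-03-01T15:00:00 192.0.2.77 80 - tcp-syn
"""

WINDOW = timedelta(minutes=10)   # how close events must be to count as "recurring"
REPEAT_THRESHOLD = 3             # events from one source inside WINDOW
BURST_SOURCES = 4                # distinct sources hitting one signature inside WINDOW
# Assumption: only a completed TCP handshake proves the source address was not spoofed.
SOURCE_RELIABLE = {"tcp-established"}


def parse_line(line):
    """Turn one log line into an event dict; '-' means no signature matched."""
    ts, src, port, sig, proto = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "port": int(port),
            "sig": None if sig == "-" else sig, "proto": proto}


def max_within_window(events, key=None):
    """Largest number of events (or of distinct key() values) inside any
    WINDOW-long span of a time-sorted event list."""
    best, start = 0, 0
    for end, ev in enumerate(events):
        while ev["ts"] - events[start]["ts"] > WINDOW:
            start += 1
        span = events[start:end + 1]
        best = max(best, len(span) if key is None else len({key(e) for e in span}))
    return best


def triage(log_text):
    """Assign every event exactly one disposition:
    recurring  - >= REPEAT_THRESHOLD events from one source inside WINDOW
    burst      - one known signature seen from >= BURST_SOURCES sources inside WINDOW
    priority   - known signature from a source that cannot have been spoofed
    statistics - everything else (unmatched one-offs, kept only for statistics)
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    by_src, by_sig = defaultdict(list), defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
        if e["sig"]:
            by_sig[e["sig"]].append(e)

    recurring_srcs = {src for src, evs in by_src.items()
                      if max_within_window(evs) >= REPEAT_THRESHOLD}
    burst_sigs = {sig for sig, evs in by_sig.items()
                  if max_within_window(evs, key=lambda e: e["src"]) >= BURST_SOURCES}

    out = {"recurring": [], "burst": [], "priority": [], "statistics": []}
    for e in events:
        if e["src"] in recurring_srcs:
            out["recurring"].append(e)
        elif e["sig"] in burst_sigs:
            out["burst"].append(e)
        elif e["sig"] and e["proto"] in SOURCE_RELIABLE:
            out["priority"].append(e)
        else:
            out["statistics"].append(e)
    return out


def user_notices(dispositions):
    """Messages shown to the user: only the recurring/burst tiers are worth
    raising, and the advice is to get local help, not to mail a remote ISP."""
    notices = []
    per_src = defaultdict(int)
    for e in dispositions["recurring"]:
        per_src[e["src"]] += 1
    for src, n in sorted(per_src.items()):
        notices.append(f"Recurring activity from {src} ({n} events): ask your ISP "
                       "or local network admin to look at it before complaining elsewhere.")
    sigs = sorted({e["sig"] for e in dispositions["burst"]})
    for sig in sigs:
        srcs = len({e["src"] for e in dispositions["burst"] if e["sig"] == sig})
        notices.append(f"Known attack {sig} seen from {srcs} sources at once: "
                       "worth a warning; keep the logs as evidence.")
    return notices


if __name__ == "__main__":
    d = triage(SAMPLE_LOG)
    for tier, evs in d.items():
        print(f"{tier:10s} {len(evs)} event(s)")
    for line in user_notices(d):
        print(line)
```

Run as-is, the single telnet-port attempt from 198.51.100.7 and the lone port-80 hit land in `statistics` and generate no notice at all, which is the outcome the reply argues for; the four-in-eleven-seconds source and the five-source signature burst are the only things the user is told about.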