Security Incidents mailing list archives
Re: @home: Is *anyone* really home there???
From: viha () CRYPTLINK NET (Ville)
Date: Sat, 4 Mar 2000 03:27:32 +0200
On Thu, 2 Mar 2000, Greg A. Woods wrote:
> My own experience with trying to contact such people has been generally frustrating and fruitless.
Ditto. In the past I ran a script to automatically check for open SOCKS proxies on all the hosts connecting to my servers and to notify the administrators of the boxes accordingly. Nowadays such checks already seem quite every-day when it comes to trivial host-identification (not in any security-sensitive sense, though). As for the mails, this is what I got in return:

(i) ~60-70% no reply/ticket# [or any visible improvement], i.e. mails were possibly not read. I got some replies less than a year later telling me there had been no coverage at that time or that the mailbox had been unintentionally left unmonitored.

(ii) ~25% broken postmaster@ addresses. In at least one case the target's mail-server looped the mails infinitely back to us. 'ipfw' is not much use when it comes to blocking mail when you have an extensive list of MX'es all around the place. Procmail was the fix, though not completely without loads. The rest were mostly about the pm@ alias missing or the mailbox being write-protected.

(iii) >5% "broken" domains. The errors seemed generic, mostly about insufficient disk-space or the 'Unknown error' kind. Some didn't have any working mail-servers.

(iv) ~2% replies with requests for help. Running a service such as this one is English for 'I am willing to give you free consultation on this matter, even if I already provided you with the instructions but you still were unable to carry them out'...

(v) ~0.5-1% successful replies ['Thanks, fixed now.']. Yep, a few companies were unaware open SOCKS were a bad thing and, as they were informed, they blocked it at their borders for dialups/customer-sites. Some simply had set their proxies open unintentionally.

(vi) ~0.5% language trouble. A reply with a foreign character-set and no familiar looking words is always a good way of causing a little confusion.

Mailing undoubtedly may sound like a working approach to anybody new with the issues.
The above should outline why it is so broken a way of dealing with minor abuse-issues such as this. Let's face it, it's the net, there's always an open door somewhere. There is no single way of ripping all the broken hosts or networks off the net or of having them easily fixed. There is no single way of applying a LART on everybody who is a little bit bad. Just remember to keep your own doors closed [and (hope) they will go elsewhere]...
> cracked then you should consider yourself extremely lucky if you get one or two neighbourly notifications that might alert you to this fact. You should hope like hell you don't get a million such notifications though.
This is also true. It's always to be judged whether you would *yourself* like to be notified of the scans if you were yourself responsible for the security at company <x> of size <y>. Every day I see a bunch of 'Unauthorized probe of...' mails in which I'm told we scanned the subject, while s/he was in fact connecting to us first and the server performed a routine auth/socks check on his IP... or possibly on the host he was masquerading as. And if you don't answer their mails they may end up spreading nasty rumours about the company's security-policies (and|or) pester you about the non-replied mails later. *sigh* A forced 'read this' notification could be in order before letting the users send out any auto-formatted e-mails.
> As a side note I should mention that I find it quite interesting that it's almost never the case that all of my hosts receive portmap requests from the same source. Either such tools are randomising the source address and using some other means of reply detection; or they are distributing the scanning [...]
The scripts I have seen used fetch a complete list of hosts in a TLD or domain. Some assumably sort them alphabetically, some by IP, some only pick one host per block or some just have a truly random go at it. It is not only to make detection of massprobes harder, but also to maximize the number of sites hit. Especially if the invader is looking forward to launching DDoS attacks. He'll want the biggest number of separate sites as this will also mean more routed b/w, a bigger # of ip-blocks and very much longer times for the administrators to do a complete removal.
> Greg A. Woods
-- Ville(viha () cryptlink net, 'Cryptlink Networking');
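The post above describes 'Unauthorized probe of...' complaints that turn out to be the server's own routine auth/SOCKS check on a host that had just connected to it. The following is an added example, not code from Ville's post or from any real server: it correlates an outbound-check log with the inbound connection log so that a complaint about a given IP can be answered with the connection that triggered the check, and so that checks with no such trigger (the ones actually worth investigating) stand out. Both log formats, the five-second window and all IP addresses are constructed assumptions for the example.

```python
"""Correlate outbound auth/SOCKS checks with the inbound connections that
triggered them, so an abuse complaint about a 'probe' can be answered.

Added example; the log formats below are constructed for illustration and
do not correspond to any particular server software.
"""
from datetime import datetime, timedelta

# Constructed sample logs (documentation-range addresses, not real hosts).
INBOUND_LOG = """\
2000-03-02 12:00:01 accept 192.0.2.10:3321 -> irc:6667
2000-03-02 12:05:44 accept 198.51.100.7:1045 -> irc:6667
2000-03-02 13:10:00 accept 192.0.2.10:3377 -> irc:6667
"""

CHECK_LOG = """\
2000-03-02 12:00:02 check 192.0.2.10 socks/1080 closed
2000-03-02 12:00:02 check 192.0.2.10 auth/113 refused
2000-03-02 12:05:45 check 198.51.100.7 socks/1080 open
2000-03-02 14:00:00 check 203.0.113.9 socks/1080 closed
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_inbound(text):
    """Return a list of (timestamp, source_ip) for accepted inbound connections."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "accept":
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], TS_FORMAT)
        ip = parts[3].rsplit(":", 1)[0]  # strip the source port
        events.append((ts, ip))
    return events


def parse_checks(text):
    """Return a list of (timestamp, target_ip, service, result) for outbound checks."""
    checks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[2] != "check":
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], TS_FORMAT)
        checks.append((ts, parts[3], parts[4], parts[5]))
    return checks


def explain_probe(complained_ip, inbound, checks, window=timedelta(seconds=5)):
    """For every outbound check against complained_ip, find the inbound
    connection from that IP within `window` before the check.
    'triggered_by' is None when nothing explains the check."""
    report = []
    for ts, ip, service, result in checks:
        if ip != complained_ip:
            continue
        trigger = None
        for its, iip in inbound:
            if iip == ip and timedelta(0) <= ts - its <= window:
                trigger = its
        report.append({"check_time": ts, "service": service,
                       "result": result, "triggered_by": trigger})
    return report


def unexplained_checks(inbound, checks, window=timedelta(seconds=5)):
    """Outbound checks with no inbound connection from the target shortly
    before. On a server that only checks clients that connect to it, this
    list should be empty; anything in it needs a closer look."""
    inbound_by_ip = {}
    for ts, ip in inbound:
        inbound_by_ip.setdefault(ip, []).append(ts)
    result = []
    for ts, ip, service, _res in checks:
        if not any(timedelta(0) <= ts - its <= window
                   for its in inbound_by_ip.get(ip, [])):
            result.append((ts, ip, service))
    return result


if __name__ == "__main__":
    inbound = parse_inbound(INBOUND_LOG)
    checks = parse_checks(CHECK_LOG)
    for entry in explain_probe("192.0.2.10", inbound, checks):
        print(entry)
    print("unexplained:", unexplained_checks(inbound, checks))
```

The window is deliberately short: a check that a server fires in response to a connection follows it within seconds, so a longer window would only make unrelated events look like triggers. Keeping the two logs separate (what connected to you, what you checked) is what makes the reply to a complaint verifiable rather than a matter of assertion.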