Security Incidents mailing list archives

Re: @home: Is *anyone* really home there???


From: viha () CRYPTLINK NET (Ville)
Date: Sat, 4 Mar 2000 03:27:32 +0200


On Thu, 2 Mar 2000, Greg A. Woods wrote:

> My own experience with trying to contact such people has been generally
> frustrating and fruitless.

Ditto.

In the past I ran a script to automatically check for open SOCKS proxies
on all the hosts connecting to my servers and to notify the administrators
of the boxes accordingly.

Nowadays such checks already seem quite every-day when it comes to trivial
host-identification (not in any security-sensitive sense, though).

As for the mails, this is what I got in return:

        (i) ~60-70% no reply/ticket# [or any visible improvement]

                i.e. Mails were possibly not read, I got some replies less
                than a year later telling me there had been no coverage
                at that time or that the mailbox had been unintentionally
                left unmonitored.

        (ii) ~25% broken postmaster@ addresses.

                In at least one case the target's mail-server looped the
                mails infinitely back to us. 'ipfw' is not much use when
                it comes to blocking mail when you have an extensive list
                of MX'es all around the place.

                Procmail was the fix, though, not completely without
                loads.

                The rest were mostly about the pm@ alias missing or the
                mailbox being write-protected.

        (iii) >5% "broken" domains.

                The errors seemed generic, mostly about insufficient disk-
                space or the 'Unknown error' kind. Some didn't have any
                working mail-servers.

        (iv) ~2% replies with requests for help

                Running a service such as this one is English for 'I am
                willing to give you free consultation on this matter, even
                if I already provided you with the instructions but you
                still were unable to carry them out'...

        (v) ~0.5-1% successful replies ['Thanks, fixed now.']

                Yep, a few companies were unaware open SOCKS were a bad
                thing and, as they were informed, they blocked it at
                their borders for dialups/customer-sites.

                Some simply had set their proxies open unintentionally.

        (vi) ~0.5% language trouble.

                A reply with a foreign character-set and no familiar
                looking words is always a good way of causing a little
                confusion.

Mailing undoubtedly may sound like a working approach to anybody new
with the issues. The above should outline why it is so broken a way
of dealing with minor abuse-issues such as this.

Let's face it, it's the net, there's always an open door somewhere.

There is no single way of ripping all the broken hosts or networks off
the net or of having them easily fixed. There is no single way of
applying a LART on everybody who is a little bit bad. Just remember to
keep your own doors closed [and (hope) they will go elsewhere]...

> cracked then you should consider yourself extremely lucky if you get one
> or two neighbourly notifications that might alert you to this fact.  You
> should hope like hell you don't get a million such notifications though.

This is also true. It's always to be judged whether you would *yourself*
like to be notified of the scans if you were yourself responsible for
the security at company <x> of size <y>.

Every day I see a bunch of 'Unauthorized probe of...' mails in which I'm
told we scanned the subject, while s/he was in fact connecting to us first
and the server performed a routine auth/socks check on his IP... or
possibly on the host he was masquerading as.

And if you don't answer their mails they may end up spreading nasty
rumours about the company's security-policies (and|or) pester you about
the non-replied mails later.

*sigh*

A forced 'read this' notification could be in order before letting the
users send out any auto-formatted e-mails.

> As a side note I should mention that I find it quite interesting that
> it's almost never the case that all of my hosts receive portmap requests
> from the same source.  Either such tools are randomising the source
> address and using some other means of reply detection; or they are
> distributing the scanning [...]

The scripts I have seen used fetch a complete list of hosts in a TLD or
domain.

Some assumably sort them alphabetically, some by IP, some only pick one
host per block or some just have a truly random go at it.

It is not only to make detection of massprobes harder, but also to
maximize the number of sites hit. Especially if the invader is looking
forward to launching DDoS attacks. He'll want the biggest number of
separate sites as this will also mean more routed b/w, a bigger # of
ip-blocks and very much longer times for the administrators to do a
complete removal.

                                                      Greg A. Woods

--
        Ville(viha () cryptlink net, 'Cryptlink Networking');
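To make concrete what the "open SOCKS" check mentioned in the post looks like at the protocol level, here is an added example (not the author's script) that tests whether a SOCKS5 endpoint accepts unauthenticated clients, the way you would verify your own proxy before someone else finds it; the localhost server it talks to is a constructed stand-in for the demo.

```python
import socket
import threading
# Hypothetical SOCKS5 self-check, not the script from the post.  RFC 1928
# method negotiation: client sends VER|NMETHODS|METHODS, server answers
# VER|METHOD.  A server that picks 0x00 (no authentication) will relay for
# anyone who can reach the port, i.e. it is an open proxy.
SOCKS_VER, NO_AUTH, NO_ACCEPTABLE = 0x05, 0x00, 0xFF

def greeting(methods=(NO_AUTH,)):
    """Client method-selection message offering the given auth methods."""
    return bytes([SOCKS_VER, len(methods), *methods])

def classify(reply):
    """Turn the 2-byte server reply into open / closed / auth-required / not-socks5."""
    if len(reply) != 2 or reply[0] != SOCKS_VER:
        return "not-socks5"      # some other service, or an empty read
    if reply[1] == NO_AUTH:
        return "open"            # unauthenticated relay: the bad case
    if reply[1] == NO_ACCEPTABLE:
        return "closed"          # proxy refused every method we offered
    return "auth-required"       # e.g. 0x02 username/password

def check_socks5(host, port, timeout=3.0):
    """Connect, offer only NO_AUTH, and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(greeting())
            return classify(s.recv(2))
    except OSError:
        return "unreachable"

def fake_socks5_server(chosen_method):
    """Constructed stand-in on localhost that answers one greeting; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)
            conn.sendall(bytes([SOCKS_VER, chosen_method]))
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Check one open and one locked-down fake proxy."""
    return {name: check_socks5("127.0.0.1", fake_socks5_server(m))
            for name, m in (("open", NO_AUTH), ("closed", NO_ACCEPTABLE))}
if __name__ == "__main__":
    print(demo())   # {'open': 'open', 'closed': 'closed'}
```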


