Security Incidents mailing list archives

Re: Template Admin Notification


From: Glenn Forbes Fleming Larratt <glratt () IO COM>
Date: Thu, 25 Jan 2001 17:49:15 -0600

I respectfully disagree - if such attacks were an exception case, I'd
happily devote the time and resources to such an approach, but we get
portscanned two to six times every single day.

Point by point:

        1. I agree - but such compromise is affecting the security
        of my network.

        I will exercise due diligence in reporting, but I'm going
        to protect my network as well as I can first. Our SOP calls
        for blocking as little as possible, and for keeping admin
        e-mail flowing if possible, but if you're scanning my
        network for vulnerabilities, I'm going to block you.

        2. Agreed, but we do make a concerted e-mail effort to report
        far enough across the board that at least one white hat hears
        of it. Furthermore, if they're using a brute force scan,
        chances are they don't care if you complain, because they're
        "drive-by" attacking.

        3. ...if they're in the U.S., which most of them are not.
        Why ought I to spend my budget making long distance (or
        international) phone calls when I have Internet e-mail in
        front of me, and it's already paid for? This goes hand in
        hand with the tenet about keeping admin e-mail flowing.
        Further, the sort of necessary data is much more efficiently
        and correctly communicated via e-mail.

        4. The fact that we blocked the offending traffic soon
        after we detected it should be message enough. If I tell
        you that I'm not accepting your traffic, and you do nothing,
        then I continue to not accept your packets. The onus of
        doing nothing is borne by those who will not respond to
        complaints.

        If, on the other hand, you secure the machine and tell me
        so, I will without hesitation reinstate you. That too is
        part of our SOP.

It is my experience that fewer than 10% of the complaints we send
elicit a response. Further, I've tried the phone call route - I got
told by some numbnuts that "scanning isn't against the law". I
frankly find it less wasteful of my time to block offending networks
and deal from a position of strength, rather than talk to people on
the phone who simply don't grok, or don't care.

        -g

On Thu, 25 Jan 2001, Tim wrote:

IMHO, if you're really serious about helping stop whoever is attacking
you, rather than checking the "I tried to contact them" box, you should be
using something other than e-mail to contact someone whose host sends malicious
traffic at your site.

1.  You are most likely seeing traffic from a compromised system.

2.  If you suspect that the system is compromised, whoever compromised the
system may see or intercept your email message giving them ample
opportunity to clean up after themselves.

3.  Even if whois doesn't have a phone number, it only takes about 2 more
minutes to find one.

4.  The fact that you took the time to call sends the message that this
matters to you, and that you care about your system's security far more
strongly than a form letter.

Tim

-----Original Message-----
From: Alfred Huger [mailto:ah () SECURITYFOCUS COM]
Sent: Wednesday, January 24, 2001 8:10 AM
Subject: Template Admin Notification


Does anyone on the list have a default template email they use to notify
admins of attacks from their networks?

I would be interested in seeing them posted to the list (or to myself
directly if that's not possible).

Cheers,
-al

"Vae Victis"
SecurityFocus.com



--
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-)
glratt () io com                        http://www.io.com/~glratt
There are imaginary bugs to chase in heaven.
