Security Incidents mailing list archives

Re: How to cope with, uhm, "mentally challenged" abuse personnel?


From: Blake Frantz <blake () MC NET>
Date: Sat, 3 Mar 2001 15:07:43 -0600

Hello,

I have experienced a similar situation with UU.net.  A UU.net *router* was
trying to communicate with one of our core routers via TCP on a wide range
of arbitrary ports.  When asked, UU.net responded with "The type of
internet traffic you describe appears to be of normal origin." and
referred me to RFC 792 (ICMP) - I almost fell off my chair.  Nonetheless,
after we received their response the activity stopped.  Perhaps this
is the same in your case: a first-level abuse manager sends out a generic
email to pacify would-be admins and escalates the incident.  Just a
thought.

Blake

=================================================================
The Government, like diapers, should be replaced regularly, and
often for the same reasons.

On Sat, 3 Mar 2001, Ralf G. R. Bergs wrote:

Hi there,

I have to report about 1 incident per day that is caused by IP addresses
assigned to UUnet. Mostly it's sweeps across our whole class C, sometimes
ICMP, sometimes even scans for 111/UDP. NONE of our LAN IPs EVER leave our
LAN, since although they're IPs officially assigned to us I masquerade (NAT)
them at our router.

The usual answer I receive from UUnet is the following:

    "The type of internet traffic you describe appears to be of normal
origin."

As I explained above NONE of our LAN IPs ever can be seen outside of our LAN,
so HOW ON EARTH should this be "of normal origin???"

Frankly I'm fed up with these kinds of replies. I don't know whether it's just
that the abuse personnel simply are underqualified for their job, or whether
it's that they simply can't cope with the growing number of incidents caused by
their customers, but I don't feel like accepting this kind of ignorance.

Any suggestions what I should do? If UUnet's personnel doesn't get their act
together I could be forced to completely black-hole their respective subnets
in our router.

Thanks,

Ralf


--
Sign the EU petition against SPAM:          L I N U X       .~.
http://www.politik-digital.de/spam/        The  Choice      /V\
                                            of a  GNU      /( )\
                                           Generation      ^^-^^


