Security Incidents mailing list archives

Re: How to cope with, uhm, "mentally challenged" abuse personnel?


From: Travis Pugh <tpugh () SHORE NET>
Date: Tue, 6 Mar 2001 11:23:49 -0500

On Tue, 6 Mar 2001, Ralf G. R. Bergs wrote:

There is some truth in what you write, BUT distributed scans and, in
consequence, attacks are a danger to the internet as a whole. Mostly they're
being performed by cracked machines, and *this* is why admins should be
concerned and act according to my reports.

I don't want to start a legal discussion, but according to German law a
security person who has been warned that a machine in their subnet might be
cracked but doesn't take "suitable" action to investigate the incident and
possibly take the machine from the net will be held accountable in court. I
assume this is at least similar in US law, so it should be in UUnet's own
interest to take reports like mine seriously.

So I'll throw a question to the list: does anyone have a good definition
of when a scan progresses past checking for unlocked doors and
becomes a concerted effort to find *and* exploit a vulnerability.  If such

Well, if it's just a "ping" sweep you probably don't have to take it as
seriously as when it comes to scans for running RPC portmappers.

Thanks for your comments.

You are entirely correct. The ping sweep is pretty ignorable, and RPC
scans are a little more dangerous.  The thing I think needs to happen,
from an ISP standpoint, is that abuse staff need to be trained to
recognize the difference between an "I'll blow it off" incident report and
a true incident.  A problem with this is that a typical ISP's user
base makes identifying real incidents difficult.

It might also help to try to clarify the seriousness of the problem when
it is reported to the ISP.  An abuse department like UUNet's is going to
see hundreds of these things daily.  As a result, the abuse staff is going
to have a very high threshold before they take something seriously.  I
literally could not count the number of idiot reports our abuse staff has
gotten from less competent users running windows IDS software like black
ice.  Applications they run trigger the (misconfigured) software, and they
think they're being hacked, and send mail off to abuse to figure it
out.  This costs the rest of us, since it causes people to ignore what
might be a legitimate incident.

Just as you try to separate legitimate security incidents from the white
noise of the Internet, abuse departments have to separate legitimate
reports from the volume of email they receive.  It becomes a real
challenge to try to work around an abuse department's idiot filters to
convince someone that your problem is real.

The only way I've been able to convince some abuse departments that they
need to pay attention is to provide excruciating detail, and provide it
over and over again until someone notices.  This is not particularly
efficient, but it works.  It requires a lot of work to report this
well.  Data has to include:

- all hosts / ports being scanned (with logs), OS type, and any details
that may show that the host is being targeted for a particular reason

- all source IP addresses of the scans (with logs)
*this has to be done keeping in mind that any intelligent scanner is going
to be able to put multiple fake source IP addresses in its packet stream
to disguise the host where the scan actually comes from.  It probably
helps to point that out to the abuse department, too.  This opens the
possibility that the IP you are reporting is spoofed and is not the real
problem.  It is much easier if the scanner is not too bright and only uses
the real IP of the machine the scan is run from.

- duration of scans (provided by logs, but it helps to point it out).  "I
was scanned for 30 minutes over this range of ports" carries a little more
weight than "I was scanned".

- number of scans -- this means providing multiple sets of logs, trying to
prove a real effort to find a compromise.

- explanations of vulnerabilities being scanned for. This one really
catches people's attention.  The difference between "I'm being
scanned" and "I'm being scanned for ttdb exploit and these other ones" is
noticeable.  Of course, that assumes that the scan is targeted at
something.  The other thing would be to determine which tool is scanning
you, and report that you are being scanned with x for its standard set of
vulnerabilities.

- depending on how you feel about it ethically, a scan of the host which
is scanning you, but probably only if it has some well known exploit ports
open on it which would prove that it has been cracked.

- most importantly, a *very* clear email which reports all this.

This email is already approaching novel length.  Sorry.  I do want to say
that it has gotten to a point at most large ISPs where sending in logs
of a scan and asking that the user be shut off is not realistic.  It is
even more difficult to get action taken if the scans are coming from a
leased line customer instead of a dial-up or DSL customer, since that
customer represents a lot more revenue for the service provider.  Nobody's
going to turn off a customer's T1, and risk losing the customer, unless it
is *really* obvious that they're doing something criminal.  It becomes a
question of how much time you are willing to devote to getting the source
of the scans shut off.

Cheers.

-travis
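Travis's checklist of what an abuse report has to carry, worked as an added example that is not part of the original thread: a Python script that turns constructed firewall log lines (assumed iptables-style SRC/DST/PROTO/DPT fields, with made-up addresses) into the per-source summary the mail needs, namely hosts and ports hit, packet count, start and end time, duration, whether it was only a ping sweep, a note on port 111 (the RPC portmapper the thread mentions), and the caveat that the logged source may be spoofed. The log format, sample addresses and port note are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample log (assumption: iptables-style SRC/DST/PROTO/DPT fields).
SAMPLE_LOG = """\
Mar  6 09:01:02 gw kernel: SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=111
Mar  6 09:01:03 gw kernel: SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP DPT=111
Mar  6 09:31:10 gw kernel: SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=32771
Mar  6 10:02:00 gw kernel: SRC=203.0.113.9 DST=192.0.2.10 PROTO=ICMP
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: SRC=(\S+) DST=(\S+) PROTO=(\S+)(?: DPT=(\d+))?")
# Ports worth explaining in the mail; 111 (the RPC portmapper) is the one the thread names.
PORT_NOTES = {111: "111/tcp is the RPC portmapper, i.e. RPC service enumeration"}

def parse_log(text, year=2001):
    """Turn log lines into events. Syslog stamps carry no year, so it is passed in."""
    events = []
    for line in text.splitlines():
        if m := LINE_RE.match(line):  # skip anything that is not a firewall line
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "src": m.group(2), "dst": m.group(3), "proto": m.group(4),
                           "dport": int(m.group(5)) if m.group(5) else None})
    return events

def summarize(events):
    """Per source: hosts and ports hit, packet count, first/last seen, duration, ping-only flag."""
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)
    report = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        ports = sorted({e["dport"] for e in evs if e["dport"] is not None})
        report[src] = {"packets": len(evs), "targets": sorted({e["dst"] for e in evs}),
                       "ports": ports, "first": evs[0]["ts"], "last": evs[-1]["ts"],
                       "duration_min": (evs[-1]["ts"] - evs[0]["ts"]).total_seconds() / 60,
                       "icmp_only": all(e["proto"] == "ICMP" for e in evs),
                       "notes": [PORT_NOTES[p] for p in ports if p in PORT_NOTES]}
    return report

def render(report):
    """Plain-text body for the abuse mail; a bare ping sweep is marked low priority."""
    lines = []
    for src, r in sorted(report.items()):
        kind = "ping sweep (low priority)" if r["icmp_only"] else "port scan"
        lines.append(f"Source {src}: {kind}; {r['packets']} packets to {len(r['targets'])} hosts, "
                     f"ports {r['ports']}, {r['first']:%Y-%m-%d %H:%M} to {r['last']:%H:%M} "
                     f"({r['duration_min']:.0f} min). " + "; ".join(r["notes"]))
    lines.append("Caveat: source addresses are as logged; a scanner can spoof them.")
    return "\n".join(lines)
```

Run `print(render(summarize(parse_log(SAMPLE_LOG))))` to get the text for the mail; feeding it several days of logs gives the "number of scans" figure the thread asks for.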

