Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: How to cope with, uhm, "mentally challenged" abuse personnel?

From: "Ralf G. R. Bergs" <rabe () RWTH-Aachen DE>
Date: Tue, 6 Mar 2001 12:18:19 +0100
On Sat, 3 Mar 2001 15:07:43 -0600, Blake Frantz wrote:


A UU.net *router* was
trying to communicate with one of our core routers via TCP on a wide range
of arbitraty ports.  When asked, UU.net responded with "The type of
internet traffic you describe appears to be of normal origin." and
referred me to RFC 792 (ICMP) - I almost fell off my chair.  None the


This is the same thing they *always* do to me, and most scans I need to report
are RPC and FTP scans.


less, after we recieved their response the activity stopped.  Purhaps this
is the same in your case, a first level abuse manager sends out a generic
email to passify wouldbe admins and escalates the incident.  Just a
thought.


*Sometimes* the activity stopped, but I had some cases where the activity went
on for days, so I had to black-hole that subnet. But that can't be an optimal
solution, don't you agree? I can't start to blackhole everyone, because some day
I hamper my users in their work... :-(


--
Sign the EU petition against SPAM:          L I N U X       .~.
http://www.politik-digital.de/spam/        The  Choice      /V\
                                            of a  GNU      /( )\
                                           Generation      ^^-^^
Previous By Date Next
Previous By Thread Next

Current thread: