Security Incidents mailing list archives
Re: How to cope with, uhm, "mentally challenged" abuse personnel?
From: "Ralf G. R. Bergs" <rabe () RWTH-Aachen DE>
Date: Tue, 6 Mar 2001 12:15:22 +0100
On Sat, 03 Mar 2001 12:33:20 -0500 (EST), Travis Pugh wrote:
> Hi Ralf. I think this begs the question: is a scan reportable / worthy of action by an upstream ISP?

[AUP:]

> "Unauthorized access to or use of data, systems or networks, including any attempt to probe, scan or test the vulnerability of a system or network or to breach security or authentication measures without express authorization of the owner of the system or network."
>
> However, working at an ISP, I wonder how realistic this is. Scans seem to be "background noise" on the 'net as a whole, and taking action against every one of them would be unrealistic based on the number of staff available to deal with security. If all of the security staff are busy dealing with intrusions, DoS attacks, etc. I could see nobody having any time to cope with the process of verifying and shutting down (or warning) every source of a scan.

There is some truth in what you write, BUT distributed scans and, in consequence, attacks are a danger to the internet as a whole. Mostly they're being performed by cracked machines, and *this* is why admins should be concerned and act according to my reports.

I don't want to start a legal discussion, but according to German law a security person who has been warned that a machine in their subnet might be cracked but doesn't take "suitable" action to investigate the incident and possibly take the machine from the net will be held accountable in court. I assume this is at least similar in US law, so it should be in UUnet's own interest to take reports like mine seriously.

> So I'll throw a question to the list: does anyone have a good definition of when a scan progresses past checking for unlocked doors and becomes a concerted effort to find *and* exploit a vulnerability? If such

Well, if it's just a "ping" sweep you probably don't have to take it as seriously as when it comes to scans for running RPC portmappers.

Thanks for your comments.

--
Sign the EU petition against SPAM:     L I N U X       .~.
http://www.politik-digital.de/spam/    The Choice      /V\
                                       of a GNU       /( )\
                                       Generation     ^^-^^