Security Incidents mailing list archives
Re: RPAT - Realtime Proxy Abuse Triangulation
From: Stephen Friedl <steve () unixwiz net>
Date: Tue, 24 Dec 2002 10:33:19 -0800
> I would be very nervous about running this; remote SNMP queries of someone else's system (say a .gov or .mil proxy) may be considered illegal activity in some jurisdictions.

People would be out of their minds to run RPAT without /really/ understanding what they were doing, for exactly this reason. You have to be pretty confident in your approach to pull this off, and a number of organizations who say they could have benefited from it won't run it.

But in practice this has not been an issue for me. Since the hostile attacks of interest were *clearly* distinguishable from regular traffic, prior research had shown us that these were always from open proxies. Open proxies are almost by definition "insecure machines", so they are not likely to be associated with clueful security staff for monitoring. People with their act together generally don't run open proxies.

Second, the RPAT daemon makes at most three tries to fetch the SNMP data, and if it times out, it never asks that IP again even if more attacks are seen. Three SNMP packets may well be considered "below the radar" in terms of characterizing hostile activity.

But this is a very valid point, and if you make a mistake in characterizing your "hostile" attacks in order to query SNMP, you'll be banging on doors where somebody unfriendly might answer. Be careful.

Steve

---
Stephen J Friedl | Software Consultant | Tustin, CA | +1 714 544-6561
www.unixwiz.net | I speak for me only | KA8CMY | steve () unixwiz net

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Current thread:
- RPAT - Realtime Proxy Abuse Triangulation Stephen Friedl (Dec 20)
- Re: RPAT - Realtime Proxy Abuse Triangulation Kurt Seifried (Dec 24)
- Re: RPAT - Realtime Proxy Abuse Triangulation Mathias Wegner (Dec 27)
- Re: RPAT - Realtime Proxy Abuse Triangulation Jay D. Dyson (Dec 27)
- Re: RPAT - Realtime Proxy Abuse Triangulation Kevin Reardon (Dec 27)
- RE: RPAT - Realtime Proxy Abuse Triangulation Rob Shein (Dec 30)
- Re: RPAT - Realtime Proxy Abuse Triangulation Greg Barnes (Dec 30)
- Re: RPAT - Realtime Proxy Abuse Triangulation Mathias Wegner (Dec 27)
- Re: RPAT - Realtime Proxy Abuse Triangulation Kurt Seifried (Dec 24)
- Re: RPAT - Realtime Proxy Abuse Triangulation Gary Flynn (Dec 30)
- RE: RPAT - Realtime Proxy Abuse Triangulation Rob Shein (Dec 30)
- Re: RPAT - Realtime Proxy Abuse Triangulation Syzop (Dec 30)
- <Possible follow-ups>
- Re: RPAT - Realtime Proxy Abuse Triangulation Stephen Friedl (Dec 27)
- Re: RPAT - Realtime Proxy Abuse Triangulation Jay D. Dyson (Dec 30)
- Re: RPAT - Realtime Proxy Abuse Triangulation Greg Barnes (Dec 30)
- Re: RPAT - Realtime Proxy Abuse Triangulation Jay D. Dyson (Dec 30)
- Re: RPAT - Realtime Proxy Abuse Triangulation Greg Barnes (Dec 30)
- Virus? Trojan? David Gillett (Dec 30)
- Re: Virus? Trojan? Peter Kruse (Dec 30)
- Re: RPAT - Realtime Proxy Abuse Triangulation Greg Barnes (Dec 30)