Security Incidents mailing list archives

Re: SNMP Scans 02/17/02


From: Security Coordinator <security () aptusventures com>
Date: Tue, 19 Feb 2002 09:50:39 -0500

On Sunday 17 February 2002 23:23, Peter Johnson wrote:

> Do you think we should be reporting snmp scans to ISPs
> or just a waste of time?

Well, one way or another ISPs need to be fingered. I don't see other people 
in the security community saying much, so maybe it's time someone started. 
ISPs ARE RESPONSIBLE for a lot of the security problems on the net today. How 
could someone do SNMP scans of a network unless ISPs let them get away with 
it? Actually this is a bad example, there is legitimate SNMP traffic and it 
would be hard for them to know, but then why is it we see so many spoofed 
packets around? There should be ZERO of them on the net. Every router knows 
what addresses to expect to be inside vs outside. 

I won't belabour the point, but YES, you should not just report it to the 
ISP, you should let everyone know where attacks come from. What we REALLY 
need is a database and system good enough to understand the topology of the 
net and process attack reports in a sophisticated enough way that we can 
say things like "if this router was filtering like thus, this would be 
impossible" and if an ISP won't configure their equipment properly, then they 
can be held liable. 
==================================================================

Peter

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
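
The check the message describes (a router knowing which source addresses belong inside versus outside, and attack reports being tested against that), as an added example that is not part of the original post. The router names, prefixes and reports are constructed for illustration, using documentation address ranges.

```python
import ipaddress

# Constructed topology (assumption): the prefixes each edge router serves on
# its customer-facing ("inside") side. Names and addresses are hypothetical.
INSIDE = {
    "edge-a": [ipaddress.ip_network("192.0.2.0/24")],
    "edge-b": [ipaddress.ip_network("198.51.100.0/25")],
}

def is_inside(router, addr):
    """True if addr falls in one of the router's inside prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE[router])

def verdict(router, direction, src):
    """What source-address filtering on `router` would do with a packet.

    'out': packet leaves the inside toward the Internet, so its source
           must be an inside address.
    'in' : packet arrives from the Internet, so its source must not
           claim to be an inside address.
    """
    inside = is_inside(router, src)
    if direction == "out":
        return "forward" if inside else "drop-spoofed"
    if direction == "in":
        return "drop-spoofed" if inside else "forward"
    raise ValueError(f"unknown direction: {direction!r}")

def preventable(reports):
    """Reports that filtering at the named router would have made impossible."""
    return [r for r in reports
            if verdict(r["router"], r["direction"], r["src"]) == "drop-spoofed"]

# Constructed attack reports (not real incident data).
REPORTS = [
    {"id": 1, "router": "edge-a", "direction": "out", "src": "203.0.113.7"},     # forged source leaving edge-a
    {"id": 2, "router": "edge-a", "direction": "out", "src": "192.0.2.44"},      # genuine inside source
    {"id": 3, "router": "edge-b", "direction": "in", "src": "198.51.100.9"},     # outside packet claiming an inside source
    {"id": 4, "router": "edge-b", "direction": "in", "src": "198.51.100.200"},   # outside the /25, passes
]

if __name__ == "__main__":
    for r in preventable(REPORTS):
        print(f"report {r['id']}: filtering at {r['router']} would have dropped src {r['src']}")
```

Report 2 is forwarded because its source is genuine, which matches the message's own caveat that a scan from a real address is not something this kind of filtering can catch.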

