Re: Connectivity problems with the US Army

["Brock, Anthony - NET" <Anthony.Brock () OREGONSTATE EDU>]

We have a team of 8 individuals who monitor the abuse address on a
regular basis. We respond to almost every complaint and deal with them
individually (the exception was an internal communication issue over a
single complaint about 4 months ago). We know for a fact that we were
never notified. Also, we checked our domain registration information
last October. It is both up to date and monitored by a related group of
individuals who forward notices immediately.

It is truly sad that you've has such negative experience. However, you
have obviously never sent us an abuse report. Otherwise, you would know
that we monitor and respond to these. We take them very seriously and
act on them in a relatively short time period.

A agree that self-defense is appropriate. However, it doesn't excuse
failing to notify the administrators of the affected domain. It also
doesn't excuse failing to offer potential for remediation. If the
notices are ignored and the abuse continues from the same IP addresses,
THEN I agree that permanent blocking could be considered. To do
otherwise is to perpetuate the very problems your referencing.

Tony

> -----Original Message-----
> From: Pace, Guy [mailto:gpace () CIS CTC EDU] 
> Sent: Friday, January 19, 2007 10:06 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Connectivity problems with the US Army
>
> Maybe you did get a notification. Who monitors your abuse email alias?
> Did you respond or was it handled with an auto-responder?
>
> My own experience is that a lot of the abuse aliases are either not
> monitored, use auto-responders, or they just seem like a 
> black hole. Is
> the information in the whois current? When was the last time 
> you checked
> your domain registration for current info?
>
> The network and security admins in the .mil networks have just as much
> time and resources, or less, than we do. If they get 29 of your IP's
> hitting their perimeter, they'll block your domain. Investigation and
> remediation--and notification--can follow when there is time ... If
> there is time. From the .mil perspective, .edu networks are a vast
> cespool of infected/bot'ed systems and that have been used 
> against .mil
> networks in the past. Blocking your domain isn't extreme, just simple
> self-defense in times of limited personnel and other resources.
>
> How many times have you sent notes with log extracts to ISP's or abuse
> contacts about probes or attacks on your network only to get either an
> auto-reply or nothing and watch the activity continue and 
> continue, day
> after day? Out of the last seven years, I can count on one hand the
> number of actual responses I got from abuse contacts regarding serious
> malicious traffic against one of my networks. One was from a Japanese
> admin. One was from a sys admin at a .edu (an Oregon CC, 
> BTW). The other
> two were from .com/ISP's. That is out of more than a thousand.
>
> I think we are way past the time when we can expect polite.
>
> Guy L. Pace, CISSP
> Security Administrator
> Center for Information Services (CIS)
> 3101 Northup Way, Suite 100
> Bellevue, WA 98004
> 425-803-9724
>
> gpace () cis ctc edu
>
>
> -----Original Message-----
> From: Brock, Anthony - NET [mailto:Anthony.Brock () OREGONSTATE EDU] 
> Sent: Friday, January 19, 2007 9:18 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Connectivity problems with the US Army
>
> > -----Original Message-----
> > Maybe they meant 29 IPs were probing.  We saw around 35 of your IPs 
> > either scanning port 2967 or actively attempting to exploit the 
> > Symantec vulnerability against systems here.
>
> Very possible. However, this still seems a bit extreme for 
> implementing
> a "permanent block" of this scale. Also, there should be some 
> method for
> notifying the affected site and correcting the issue.
>
> Tony