Re: "Who else picked this one up?"

["R. DuFresne" <dufresne () sysinfo com>]

On Mon, 3 May 1999, Paul D. Robertson wrote:

> On Sat, 1 May 1999, R. DuFresne wrote:
>
> > > Nobody should be "testing" a scanner against a network I administer 
> > > without my express permission.  The idea that scanning a foreign network 
> > > for potential vulnerabilities without permission is valid behaviour is 
> > > just plain wrong.
> >
> > In theory, yes, I agree.  Yet, I have watched over the years and learned
> > that it is merely a theory, practice, capability, and legalities show this
> > to be something that at this point is merely theory.
>
> So where do you find a problem with folks who like to test scanners from
> their networks being listed as such?  Surely if I don't want traffic from
> a particular AS to reach my network that's up to me?  Surely if I find a
> particular behaviour counter-productive to my connectivity, I should have
> a resource that lets me identify sites that exhibit that behaviour and do
> what I feel is right to protect my networks?

And you are telling me that without a publically accessible database, with
the potential of it being used as a BLACKLIST <how soon we forget the
50's, McCarthy, and even times earlier, are we now in the panic of some
post WWIII (I missed it, was that mitnick?) syndrome??>, you do not now
have that capability?? You are stating that your routers and firewalls,
VPN's and such are not doing the job?

Mil sites do audits of those sites they contract with, how many corporate
sites might also do the same of those they are going to network peer with?
How many sites, just on this list, when hit with packets, do a defensive
reverse scan to the 'suspected' source?  What's the potential for these
kind of records to enter the database?  How much does this contaminate the
data?


> > > > scanners, to get a feel for the SW just brought up, those door knockers
> > > > just testing, they will not muddie up the waters too much, will they?  The
> > > > NFR SW also, knows how to track down spoofed scans, so as to not logs the
> > >
> > > Spoofing is a fact of life on a packet switched network.  Guess what?  
> > > It's a solvable problem if upstreams did source filtering on their 
> > > downstreams and providers did the same.  There's absolutely no impetus 
> > > for anyone to do that at the moment.  So instead of trying to solve the 
> > > problem, we should all just decide that business as usual is ok?  I think 
> > > not.
> >
> > Ahh, I see, so, since things are the way they now are, and since those
> > responsible for enacting legislation that would make it a federal
> > misdemeanor for such door knocking and window rattling have not reacted in
> > a mannner enforcable, *another* small mob of internet vigilanties will?
>
> Call it what you wish, I have no impetus to peer with the entire planet if
> the risk is higher than I'm willing to accept.  Whatever means I chose to
> use to achive that end is up to me, just as it is to every network
> operator.  It's called self-policing, and it's about the only recourse we
> have.  I haven't seen a better idea, what's your solution, or is it just
> status quo?

Mine?  My solution is to get legislation enhanced, to make it something
that can be actually backup with the legal system, rather then running
amuck ass a group of inane vigilanties doeling out their onw brand of
justice, nevermind the "innocents" that incur the wrath of the fanatics,
collateral damage, as they say.

Better yet, grab all that gigo you so over value and inflate so as to
enhance your position with your employer, and find a nice little private
peered network to toss packets of data back and forth upon.  As it is,
your fellow employees waste far too much of their valuable workplace time
playing on the net as it is, stealing from your employer.

No one seemed to notice, when melisa hit a few weeks ago, it was the
government sites, and a few major business sites that were hardest and
first hit, having 'picked up' the virus from their 'empoyees' having had
all that time to scour the sex related newsgroups whence it was released
into the wild to.  I was surpised at the total lack f a thread in any of
the security related lists and newsgroups about this fact.  For, it was
these sites that I suspect, if anaylsis, is conducted on the spread
pattern of the cyber-bug, that they, their partners, had 'become' the
treat, most often attacking their peering partners.  Are folks now
reconsidering their working relationships and VPN connections with this
thought in mind:  my *partner* has employees that seem to spend alot of
time at sex related sites, they expose *me*...

What are the liabilities of one company so exposing another?  Has there
been any shakeout from this?  What might be the liabilities of the
maintaners of this data, should a company suffer some damage because of
this potential representation of there addresses in such a public
manner...


> > > In most of the world, the current situation in Singapore withstanding, 
> > > the only people scanning to "document broken networks" should be the 
> > > network operators of those networks.  This means that they need to know 
> > > they're being abused so that they can start the process of fixing them.  
> > > Notification of apparent sources of packets fulfills that.  If the 
> > > packets are spoofed, then a network operator can filter packets at their 
> > > ingress point to ensure that they're only sourced at legitimate 
> > > addresses.  You don't get that in the current environment.
> >
> > Again, a nice theory, but, not a fact at all, considering the legalities,
> > the capabilities and prcatice...But, I recall there being a database,
> > built by outsiders not too long ago, that documented broken networks that
> > can be usde to amplify smurfs and such, and the goal of that database<s?> 
> > was to let those folks know that they in fact had broken networks, how
> > well did that effort workout?  Exposure has forced all those networks to
> > be fixed, yes?
>
> I'm not sure how well it worked out, since I wasn't watching that one too
> closely, but if I'm given the ability to blackhole smurf amplifiers until
> they fix their networks, then why are you so upset at my choice of who to
> accept traffic from?  That's between me and the amplifier, and if you're
> them, then you're in the loop, if you aren't, then what do you care?
> Abusive networks need to curtail their abuse.  For that there needs to be
> an impetus for them to do so.
>
> > The fact remains, that the capbility is there and the legailties do *not*
> > make this tweaking a crime with true potential of redress.  Even legit
>
> It may or may not be a crime, that's dependent on jurisdiction.  

And "enfocrment".  The underlying problem is not that theses scans take
place, but, that there is nothing at present to deter them.  And to act
outside the law, and to take a position of liebling an innocent party,
putting them in the cyber version of the old elizabethan 'stocks' for
public ridicul and chastisement.  Is there a mailing list for corporate
lawyers?  Maybe this thread should be cross-posted there, for they will be
loving this enhancement of their postions that is forming as we speak.

There's another way to a partial fix, from the top down.  Though because
of the competitive nature of the communications game, and the aquisition
frenzy, the waters are  so muddied at present, if there's a scheme in
action, it's not being implemented.  The core backbones have to force
their clients to provide a clean unbroken setup to get their pipes opened.
And be responsible for assuring that their clients also have to do the
same.

> > operators use this.  Many networks I work and play in see telnet probes
> > launched by IRC admins per client connections to their servers <we have
> > also seen ftp sites do similar, defending thier actions on the fact that
> > if you like it not, no not use their service, what they are truely seeking 
> > in these actions, one can only guess.  Hell, I recall being probed by
>
> That's fine, because my stance is that if they do that, I won't exchange
> traffic with them.  

But, you are, have been, and will continue to do so.  Your clients, your
employers employees are and have been seeing to that.  As it is, most of
these 'minor' probes get by and set off none of your alarms.  A single
telnet attempt, the accepting and sending of cookies by your web browsing
fellow employees, see to that.  

If you feel this is as big a threat as you state, with no recourse but to
strapon the cyber-sixgun and hit the street at highnoon to duel out your
justice, perhaps it's time to really, seriously consider pulling up the
cable roots and moving them to a completely private networking scheme and
go to a totally private peering ideal.

> > sites because I sent e-mail to a user there, same justification>. Does
> > this consistute *abuse* or "misuse" of current capabilities and
> > legailities, and their own sense of 'protection' is weighted against this?
>
> Abuse and misuse are in the eye of the beholder.  I don't see why you're
> against me wanting to exchange abuse information with my peers to make
> choices about the operation of my networks.

You are not talking about the private exchange of information, you are
talking of a publically accessible 'blacklist'.  One that once a site is
posted on, they are forever damned, without the benifit of a trial in a
court of law, or even a open review of their peers.  Others are starting
to state how they have foundthemselves on similair lists, and are starting
to state the troubles involved in getting removed from such lists after
discovery, and after suffering the consequences of appearing there.

With spoofing, the potential for GIGO and collateral damage is quite
inevitable, and from the outset...

> > > How can data be abused?  It's real packets hitting a real network.  
> > > Fortunately, networks aren't transient like customers, so a known 
> > > quantity can be established and metrics given to providers of the data.  
> > > Given logs, a network operator can be responsible about cleaning up 
> > > abuse.  It's the same issue that ISP's abuse departments face every day 
> > > with USENET and SMTP reports.  Spoofing is possible, and network 
> > > operators can mostly determine the validity of a report.  If networks are 
> > > overly abusive, then the rest of the world can agree not to peer with 
> > > them until they solve their problems.  It's the same principle that 
> > > governs USENET, USENET II, and RBL.  Without data there's no way to start 
> > > the process of accountability.  
> >
> > The potential of abuse is easy to comprehend here, very easy to see, once
> > a network makes the list, the site in question, on the posted database are
> > blacklisted, or for our purposes, blackholed, by those 'reading' the
>
> And it's completely up to anyone who wishes to read the database to do so.
> Once again I ask what purpose you have in trying to tell me what sorts of
> sites I should accept traffic from?  
>
> > database.  Nevermind how obvious the disclamers posted concerning
> > this data, we all know how much attention folks pay to disclaimers and
> > documentation.  Once listed, those 'offenders' have what recourse to
> > be removed from such a list?  How does a network go about getting
> > themselves unlisted should they be misrepresented in this database?  To
>
> When we get to that point, I'm sure we'll have a process.
>
> > what body do those 'offender' seek redress?  Are we now, not talking about
> > the creation of another arbitrary body of database maintainers that sit as
> > judge and jury, adding and removing networks and addresses based upon an
> > as yet unwritten set of criteria that will gain the 'offenders' a *pardon*
>
> For the scope of their database yes.  Just like if I don't want e-mail
> from you, I'm free bto add you to my procmail scripts, and I'm free to
> share those with other peoplw who share the same views of acceptable
> electronic mail.  That group of people is free to do as they wish with the
> data, and make any analysis they want with it.  If it's bad for the
> market, then the market will move to mail systems without procmail.
>
> > or a *probation*?  How many scans document a network as being particularly
> > abusive?  One scan a day to one outside network per, what, 100, 1,000
> > users?  Two scans?  10?  How many ports do they need to hit, 1, 2,
>
> That's a damn good question, and the reason we need the data we're talking
> about.  Because right now, we don't even know what the norm is.

I could see a database, that contended it had no purpose *but* to show
that scanning and probing and prodding of networks, not to mention other
attacks, are common place, even on the rise.  But, to draw any other
conculsions about such data, and or advocating retalitory actions based
upon that data is far beyond a point of subjective analysis of that data
and what it likely represents.

Consider:  your comaony has been spoofed into sending packets my way, my
system kicks in and fires off some probes to your system so I can
determine what actions I might take and know who to address such issues to
and the data makes it to the database, consider that in some cases it is
correctly interpreted on one side and contributed to the database once, in
some cases not preinterpretted and entered twice, once by both parties.
Does this skew the data in any way?...

smallpipes.but-well-connected.com is being DOS'ed by a packet
storm from spoofed/amplifying bigpipes.not-so-well-connected.com.
smallpipes makes a few calls and gets bigpipes shutoff, and mostly cause
bigpipes, is on a list maintained by the firewalls wizards group, in fact,
bigpipes is an avid contributor to the list...

company1.com is considering a VPN working relationship with company2.com.
Company2.com is revealed to be in a database that shows that they are
constantly being bombarded with nasty packets, that company1.com, either
misses in their audits, or lack thereof, or is just small enough to have
not been 'discovered' and so queried, or even just publically known and
abused for that reason.  Company1.com decides that it's best interests are
to avoid company2.com's exposure? Of, course, nevermind the fact that
company2.com has never been compromised, nor has it sufferd much as a
result of these scans, being they are in bigpipes realm, are the corporate
lawyers still watching?  We all love them, don;t we?  We all, at least
those of us *not* selfemployed and incorporated, have close working
relatoinships, and have discussed such matters as this before even
exposing our *employers* comapany to such a contribution as is being
proposed, yes?

> > 10, 100?  Hell, let's just do it like the leet scripts in
> > IRC, set all the routers ACL's to block *@*.home.com *@*.aol.com and such
> > right now.  Of course, that in itself will have some ramifications for
> > this list itself and some of it's users.
>
> Just like it has traditionally had ramifications as far as the resources
> AOL has contributed to the IRC networks and the effectiveness of their
> abuse department.

It's a matter of *exposure* and perspective, I'm sure.  Consider, you are
reporting to me, AOLish.com, abuse, and from what I've been seeing in *my*
data, in fact, I'm seeing you the complainer as being one fo the sites
most often hitting me with packets.  Add to that that AOLish.com entered
into the game, and has been learning as they go <as most here have and
are>, trying hard to do the right thing, yet, their exposure and name have
set themselves up for abuse from all ends.  I might get to be a bit
hesitant and standoffish, might I not?  Hell, I, AOLish.com look at my
customer database and start to see that a number of my clients call in
from your pbx, now, who's exposing and abusing whom?

> > > RBL works, UDP works, to some extent UCE reporting works.  Anarchy 
> > > doesn't work because there are too many people willing to victimize others.
> >
> > As concerns RBL, once listed there, who does one see and who does one go
> > about getting their site removed from the listing?  Assuming that spamming
> > has been curtailed from the abuing site and all...
>
> There's a pointer on the RBL Web page, http://maps.vix.com/rbl/
>
> > Being that the sites I work and play in are probed multiple time daily,
> > yes, I'm well aware that their is a problem out here <yes, I log it, and
> > use that information, but, it's not available publically, it's an
> > arbitrary decision to assess the risk, and an abitrary decision is used
> > to place actual *value* on the *assests* I feel I'm in possesion of and
> > protecting (keep your gigo away from *my* gigo)>. This might well be the
> > last frontier on this planet. But, I'm not so sure that the way to tame it
> > is via another *mob of internet vigilanties* promoting their own agenda is
> > the way to go.
>
> Like all good schemes, it's ipt-in, so it's not vigilantism since there's
> no co-option of non-volunteer networks.  Better we police ourselves than
> have it done for us.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!