Security Incidents mailing list archives

Re: auto-reporting to ISPs


From: raane () WMDATA COM (Rasmus Andersson)
Date: Thu, 2 Mar 2000 18:27:47 +0100


The proper way is not to do it completely automatic. Ever!

If you really have some good heuristics that can sort out a real
"attack" from just a user typing the wrong address in some sort of
client, maybe you could produce a mail template or something that the
user could forward, preferably after reading and understanding it...

Some side notes:

1. Any reporting to abuse departments must include *known correct*
timestamps, including the time zone used. For example "Time is MET-DST
continuously synchronized with NTP to stratum 3". Otherwise the report
is useless (at least provided the attack came from a dynamic address).
I've seen ISPs cancelling dial-up accounts (or claiming they did) from
a report with no time zone stated (and it was *not* the zone the ISP
probably guessed!) and without asking about the correctness of the time
stamps. That's a bit too responsive. I've seen plenty of firewalls with
a completely inaccurate local time (and date, and sometimes year :^)

2. As often stated, many "attacks" can be spoofed.

3. When getting a dynamic address, some traffic aimed for the previous
user of that address is often received. That is not an attack :-)

4. Any (well, most) automatic reporting could be fooled and used against
you. If I know a bunch of targets using it, I could send lots of spoofed
attacks, creating a large number of bogus mails.

Many many other issues are involved. I forecast this thread to be huge
:-)

regards

Rasmus Andersson

WM-data Security    http://www.wmdata.se/security
Löjtnantsgatan 25, Box 27307, 102 54 Stockholm
Tel: +46-(0)8-459 10 46, +46-(0)70-535 14 21
Fax: +46-(0)8-459 10 45
raane () wmdata com   PGP Id:70650262

Robert Graham wrote:
Could abuse@isp people please send me e-mail:
* what is the proper way a product like BlackICE Defender should assist the
user in reporting such events?
* what should I tell this user about why we haven't put such a simple
feature into the product?

Thanks,
Robert Graham
CTO/Network ICE


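The points raised in this message (draft a report for the user to read and forward rather than auto-sending, state the clock's zone and how it is synchronized, apply a heuristic that separates a probe from a mistyped address, and throttle so spoofed probes cannot produce a flood of mails) as one added example. This is not code from the thread, from WM-data or from Network ICE/BlackICE; the log line format, the addresses, the MET (UTC+01:00) clock, the NTP note and the "five distinct ports in five minutes" threshold are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log: "<local date> <local time> <src> <dst> <dport> <proto>".
# The line format and the addresses are assumptions for this example.
SAMPLE_LOG = """\
2000-03-02 18:20:01 10.1.2.3 192.0.2.10 21 tcp
2000-03-02 18:20:02 10.1.2.3 192.0.2.10 23 tcp
2000-03-02 18:20:02 10.1.2.3 192.0.2.10 25 tcp
2000-03-02 18:20:03 10.1.2.3 192.0.2.10 80 tcp
2000-03-02 18:20:03 10.1.2.3 192.0.2.10 110 tcp
2000-03-02 18:20:04 10.1.2.3 192.0.2.10 139 tcp
2000-03-02 18:21:10 10.4.5.6 192.0.2.10 80 tcp
"""

# Assumptions about the reporting host: its clock zone and how it is disciplined.
# Without these two facts the ISP cannot map the time to a dial-up session.
LOCAL_TZ = timezone(timedelta(hours=1), "MET")
CLOCK_NOTE = "Time source: MET (UTC+01:00), continuously NTP-synchronized (stratum 3)"

# Heuristic (assumed threshold): one source hitting this many distinct ports
# inside WINDOW is a probe; a mistyped hostname yields one or two ports, not six.
PROBE_PORTS = 5
WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class Event:
    when: datetime      # timezone-aware
    src: str
    dst: str
    dport: int
    proto: str


def parse_log(text, tz=LOCAL_TZ):
    """Parse log lines into events carrying timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, dst, dport, proto = line.split()
        naive = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append(Event(naive.replace(tzinfo=tz), src, dst, int(dport), proto))
    return events


def probe_sources(events, min_ports=PROBE_PORTS, window=WINDOW):
    """Return {src: [events]} for sources that touched >= min_ports distinct
    ports within `window`. Sources below the threshold are never reported."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)
    probes = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.when)
        for i, first in enumerate(evs):
            ports = {e.dport for e in evs[i:] if e.when - first.when <= window}
            if len(ports) >= min_ports:
                probes[src] = evs
                break
    return probes


def fmt(ts):
    """Local time with explicit UTC offset, plus the same instant in UTC."""
    utc = ts.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{ts.isoformat()}  ({utc} UTC)"


def draft_report(src, evs, clock_note=CLOCK_NOTE):
    """Build a mail template for the *user* to read and forward; nothing is sent."""
    lines = [
        f"Subject: Probe from {src} ({fmt(evs[0].when)})",
        "",
        f"The host {src} connected to {len({e.dport for e in evs})} distinct ports",
        f"on {evs[0].dst} between {fmt(evs[0].when)} and {fmt(evs[-1].when)}.",
        clock_note,
        "Note: source addresses can be spoofed; please verify against your own logs.",
        "",
        "Log excerpt (local time with offset / UTC, src, dst, dport/proto):",
    ]
    lines += [f"  {fmt(e.when)} {e.src} {e.dst} {e.dport}/{e.proto}" for e in evs]
    return "\n".join(lines)


def drafts(log_text, already_reported=frozenset()):
    """One draft per probing source, skipping sources reported before, so a
    burst of spoofed probes cannot be turned into a burst of bogus mails."""
    probes = probe_sources(parse_log(log_text))
    return {src: draft_report(src, evs)
            for src, evs in probes.items() if src not in already_reported}


if __name__ == "__main__":
    for src, text in drafts(SAMPLE_LOG).items():
        print(text, end="\n\n")
```

Running the block prints one draft, for 10.1.2.3 only: the single connection from 10.4.5.6 falls below the threshold and is dropped rather than reported. The draft is returned as text for a human to read; the script deliberately has no code path that mails it.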