Security Incidents mailing list archives

Re: auto-reporting to ISPs


From: woods () MOST WEIRD COM (Greg A. Woods)
Date: Thu, 2 Mar 2000 11:54:17 -0500


[ On Tuesday, February 29, 2000 at 16:47:44 (-0800), Robert Graham wrote: ]
Subject: auto-reporting to ISPs

Below is an e-mail from a customer who would like to see us add an
auto-email feature to our product in order to notify the ISP of the
offending hacker. This is pretty funny because we've already seen some
complaints by ISPs from such a feature in other products appear on this list
over the past couple of days.

Actually I'd much rather see the complaints from my own users about
incidents they've suffered from remote users than complaints from random
remote users who might have suffered some sort of incident perpetrated
by one of my users.  If I were able to mediate such complaints then I
could counsel my users on what network security really is and how they
should be handling their systems and I'd only have to ask the ISP at the
apparent source of the "attack" for help and verification if indeed it
was an attack.

As I said I only want to see good hard evidence from other people when
ongoing recurring incidents occur, or indeed when actual penetrations
occur.  One-off events are almost always meaningless unless they are
indeed evidence of known attacks and arrive almost simultaneously from
many different sources (though in that case I think most of my clients
would only issue a warning, and of course usually to the parent who pays
for the account).

Could abuse@isp people please send me e-mail:
* what is the proper way a product like BlackICE Defender should assist the
user in reporting such events?

Unless the event matches a signature of a known attack then any firewall
should simply log it for statistical analysis.  If the incoming event
does match a known attack, and if it is one where the source address is
known to be accurate then a higher priority log message is perhaps
called for.  If your product were to include a log analysis tool in
order to spot recurring "attacks" then perhaps those could be reported
to the user directly, but doing so assumes the user has some expertise
and will know when to file a formal complaint and when to write the
events off as silly kids playing tricks.  Given that most users of
products such as yours are unlikely to have any expertise at all in
these matters I would indeed really prefer if such reports directed them
to seek local help from their own ISP (or their local network admin if
they're on an office LAN or whatever).

The point of a firewall is to block attacks and prevent penetrations,
not to ring the alarm bells and call 911 every time some shady character
looks at it from the other side of the street!

All of the BlackICE reports I've received were all 100% totally useless
-- they were simply single attempts to connect to the telnet port (23).
They all came from probably well-meaning people who had been scared by a
threat being blown out of all proportion.

* what should I tell this user about why we haven't put such a simple
feature into the product?

That's up to you!  ;-)

--
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
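
The log-handling policy Greg lays out above (log everything for statistics, raise priority only for a known-attack match whose source address cannot have been spoofed, and surface only recurring ones to the user with a pointer to their own ISP or admin), as an added Python example that is not part of the original post or of any product it mentions; the signature table, log format and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, namedtuple

# Illustrative signature table (constructed): (protocol, destination port) -> name.
SIGNATURES = {("TCP", 12345): "trojan-port probe", ("UDP", 31337): "trojan-port probe"}

# Constructed sample log (not from the post). The last field is the connection state:
# ESTABLISHED (handshake completed) means the source address is accurate; a bare SYN
# or a UDP datagram can carry a spoofed source, so those hits are not trusted.
SAMPLE_LOG = """\
2000-03-02 11:01:03 TCP 10.1.2.3:4021 -> 192.0.2.10:23 SYN
2000-03-02 11:02:10 UDP 198.51.100.7:31337 -> 192.0.2.10:31337 DATA
2000-03-02 11:03:00 TCP 203.0.113.9:2048 -> 192.0.2.10:12345 ESTABLISHED
2000-03-02 11:03:07 TCP 203.0.113.9:2049 -> 192.0.2.10:12345 ESTABLISHED
2000-03-02 11:03:15 TCP 203.0.113.9:2050 -> 192.0.2.10:12345 ESTABLISHED
"""

LINE_RE = re.compile(r"^\S+ \S+ (?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> "
                     r"[\d.]+:(?P<dport>\d+) (?P<state>\w+)$")
Event = namedtuple("Event", "src proto dport src_verified")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped rather than guessed at
    return Event(m["src"], m["proto"], int(m["dport"]), m["state"] == "ESTABLISHED")

def triage(log_text, recurrence_threshold=3):
    """Map each source IP to (action, event_count, matched_signature_or_None)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev.src].append(ev)
    verdicts = {}
    for src, evs in by_src.items():
        # Only signature hits whose source address cannot have been spoofed count.
        hits = [SIGNATURES[(e.proto, e.dport)] for e in evs
                if e.src_verified and (e.proto, e.dport) in SIGNATURES]
        if not hits:
            action = "log"  # stray connect or spoofable hit: statistics only
        elif len(hits) >= recurrence_threshold:
            action = "advise-local-help"  # recurring: direct user to own ISP/admin
        else:
            action = "priority"  # one verified known attack: higher-priority log entry
        verdicts[src] = (action, len(evs), hits[0] if hits else None)
    return verdicts
```

The single telnet SYN and the spoofable UDP hit both end up as plain statistics, which is the outcome the post argues for; only the repeated, handshake-verified matches are escalated.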