Re: [RE: Nimda et.al. versus ISP responsibility]

["Jason Robertson" <jason () ifuture com>]

As I have said before and I will say again and again and again..

Being a former ISP Admin (luckily I am not one anymore), I have always been an admin, that was 
quite willing to curtail the clients abilities, for the sake of security.  In my case I did Firewall ports of 
less then 1024, I did run network sweeps for various trojans, and for proxy servers, I did test those 
proxy servers, for vulnerabilities.  And I made sure to place it within the Terms of Use.  Also in our 
Terms of Use, was the content that limited our liabilities for illegal content, or abuse of our 
systems.  We also added to our firewall, one simple rule, all ip packets must contain one of our 
local IP Addresses, this right there eliminated possible spoofs, as well as smurfing, though if I had 
time I would have placed the rule on the terminal servers instead.

And for people who were vulnerable, they were notified to resolve this problem, and I would give 
them pointers on where to get what they needed (which was a local website in this case, but damn 
MS they almost totally killed this option, with windows update)
For People running servers, if they were on low ports I didn't pay attention, mainly because they 
were ineffective, unless their machines were doing something they shouldn't be doing, like 
sending out spam, and in this case the account was disabled.
For People who were attempting to use our network for abuse, the account was disabled, and 
depending on the type of abuse, would also allow for what type of reaction, such as calling in Law 
Enforcement or not.

On 27 Sep 2001 at 15:38, Greg Dotoli wrote:

Date sent:              27 Sep 01 15:38:28 EDT
From:                   Greg Dotoli <gdotoli () bizinfoservices com>
To:                     Matt <Matthew.Adcock () GSCCCA ORG>,
        lucp () skopos be <lucp () skopos be>, incidents () securityfocus com
Subject:                Re: [RE: Nimda et.al. versus ISP responsibility]
Mailer:                 USANET web-mailer (53CM.0801.1.09A)

> I am logging IIS and wrote a script to extract from the log the offending IPS
> and return their DNS names. The number of residential DSL and Cable hosts is
> close to 90 %. These worms are thriving in the non-protected home space. There
> are too many unsafe ISPs.
>
> Greg
>
>
>
> "Adcock, Matt" <Matthew.Adcock () GSCCCA ORG> wrote:
> <quote>
>   I think we all agree that connecting an unpatched IIS machine to the
> open Internet is acting irresponsibly. Most AUP's already prohibit
> spamming, port scanning etc. (at least on paper). Why not include
> "infection through negligence" as a reason for suspension? Maybe with a
> reasonable grace period the first time. 
> </quote>
>
> I agree that the end administrator is ultimately responsible.  The ISPs
> could also help by filtering this traffic.  It would take an infrastructure
> upgrade that would end up costing the consumer, but I personally would be
> willing to pay a little more.  Maybe give users a choice between being on a
> filtered network or an open network?
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service. For more
> information on this free incident handling, management and tracking system
> please see: http://aris.securityfocus.com
>
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service. For more
> information on this free incident handling, management and tracking system
> please see: http://aris.securityfocus.com


---
Jason Robertson                
Network Analyst            
jason () ifutureinc com    
http://www.astroadvice.com      


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com