Re: RPAT - Realtime Proxy Abuse Triangulation

[Stephen Friedl <steve () unixwiz net>]

> I would be very nervous about running this, remote SNMP queries of someone
> elses system (say a .gov or .mil proxy) may be considered illegal activity
> in some jurisdictions.

People would be out of their minds to run RPAT without /really/
understanding what they were doing, for exactly this reason. You have
to be pretty confident in your approach to pull this off, and a number
of organizations who say they could have benefited from it won't run it.

But in practice this has not been an issue for me. Since the hostile
attacks of interest were *clearly* distinguishable from regular traffic
prior research had shown us that these were always from open proxies.

Open proxies are almost by definition "insecure machines", so they are
not likely to be associated with cluefull security staff for monitoring.
People with their act together generally don't run open proxies.

Second, the RPAT daemon makes at most three tries to fetch the SNMP data,
and if it times out, it never asks that IP again even if more attacks
are seen. Three SNMP packets may well be considered "below the radar"
in terms of characterizing hostile activity.

But this is a very valid point, and if you make a mistake in
characterizing your "hostile" attacks in order to query SNMP, you'll be
banging on doors where somebody unfriendly might answer.

Be careful.

Steve

--- 
Stephen J Friedl | Software Consultant | Tustin, CA |   +1 714 544-6561
www.unixwiz.net  | I speak for me only |   KA8CMY   | steve () unixwiz net

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com