Security Incidents mailing list archives

RE: SNMP Scans 02/17/02


From: "Dmitri Smirnov" <Dmitri.Smirnov () roundheaven com>
Date: Wed, 20 Feb 2002 14:35:58 -0800


Aha,

For the last 200 reports we've got 3(!) replies back with confirmation of investigation
or with requests for additional log files.
I have a feeling that ISPs just ignore alerts/reports until you have a legal/criminal case
against them.
This is why I'm using ARIS to report (hope it helps everybody/someone to see a global picture) and hope one
day federal government will such global DB to prosecute attackers/ISPs.

Dmitri.

-----Original Message-----
From: Security Coordinator [mailto:security () aptusventures com]
Sent: Tuesday, February 19, 2002 6:51 AM
To: Peter Johnson; incidents () securityfocus com
Subject: Re: SNMP Scans 02/17/02


On Sunday 17 February 2002 23:23, Peter Johnson wrote:

Do you think we should be reporting snmp scans to ISPs
or just a waste of time?

Well, one way or another ISPs need to be fingered. I don't see other people 
in the security community saying much, so maybe it's time someone started. 
ISPs ARE RESPONSIBLE for a lot of the security problems on the net today. How 
could someone do SNMP scans of a network unless ISPs let them get away with 
it? Actually this is a bad example, there is legitimate SNMP traffic and it 
would be hard for them to know, but then why is it we see so many spoofed 
packets around? There should be ZERO of them on the net. Every router knows 
what addresses to expect to be inside vs outside. 

I won't belabour the point, but YES, you should not just report it to the 
ISP, you should let everyone know where attacks come from. What we REALLY 
need is a database and system good enough to understand the topology of the 
net and process attack reports in a sophisticated enough way that we can 
say things like "if this router was filtering like thus, this would be 
impossible" and if an ISP won't configure their equipment properly, then they 
can be held liable. 
==================================================================

Peter

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

