Security Incidents mailing list archives

Re: SNMP Scans 02/17/02


From: Eric Brandwine <ericb () UU NET>
Date: 23 Feb 2002 16:17:21 +0000

"ds" == Dmitri Smirnov <Dmitri.Smirnov () roundheaven com> writes:

ds> for last 200 reports we've got 3(!) replies back with confirmation
ds> of investigation or with requests for additional log files.  I
ds> have a feeling that ISPs just ignore alerts/reports until you have
ds> a legal/criminal case against them.  This is why I'm using ARIS to
ds> report (hope it helps everybody/someone to see a global picture)
ds> and hope one day federal government will such global DB to
ds> prosecute attackers/ISPs.

We have a similar response rate for our complaints.  But we still
complain to offenders.

You've gotta realize that being an ISP is a business, not a public
service.  Read some peering agreements.  Read the AUP of your ISP, and
of the ISPs that you complain to.  They're carefully worded.

The services you want are possible.  We have the technology for them.
But they don't scale well, and they aren't cheap.  If you insist, and
enough people like you do so as well, then this will change.  The
federal government will pass legislation requiring ISPs to perform
these services, and ISPs will comply.

Your Internet costs will quadruple.  Or have you not noticed Global
Crossing, PSINet, XO Communications, etc?  It ain't a money making
business anymore, and any expenses forced onto us will be passed
directly on to you.

A much simpler, cheaper, more cost effective solution is to just be a
good Internet citizen.  Antispoof at the edges, keep your ARIN
contacts up to date, respond to complaints.

You get what you pay for and you (collectively) want cheap bandwidth.

ericb

ds> -----Original Message-----
ds> From: Security Coordinator [mailto:security () aptusventures com]
ds> Sent: Tuesday, February 19, 2002 6:51 AM
ds> To: Peter Johnson; incidents () securityfocus com
ds> Subject: Re: SNMP Scans 02/17/02


ds> On Sunday 17 February 2002 23:23, Peter Johnson wrote:

Do you think we should be reporting snmp scans to ISPs
or just a waste of time?

ds> Well, one way or another ISPs need to be fingered. I don't see other people 
ds> in the security community saying much, so maybe it's time someone started. 
ds> ISPs ARE RESPONSIBLE for a lot of the security problems on the net today. How 
ds> could someone do SNMP scans of a network unless ISPs let them get away with 
ds> it? Actually this is a bad example, there is legitimate SNMP traffic and it 
ds> would be hard for them to know, but then why is it we see so many spoofed 
ds> packets around? There should be ZERO of them on the net. Every router knows 
ds> what addresses to expect to be inside vs outside. 

ds> I won't belabour the point, but YES, you should not just report it to the 
ds> ISP, you should let everyone know where attacks come from. What we REALLY 
ds> need is a database and system good enough to understand the topology of the 
ds> net and process attack reports in a sophisticated enough way that we can 
ds> say things like "if this router was filtering like thus, this would be 
ds> impossible" and if an ISP won't configure their equipment properly, then they 
ds> can be held liable. 
==================================================================

Peter

ds> ----------------------------------------------------------------------------
ds> This list is provided by the SecurityFocus ARIS analyzer service.
ds> For more information on this free incident handling, management 
ds> and tracking system please see: http://aris.securityfocus.com





-- 
Eric Brandwine     |  The editor of the beast - vi vi vi
UUNetwork Security |
ericb () uu net       |
+1 703 886 6038    |      - Usenet
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E


