Security Incidents mailing list archives
Re: SNMP Scans 02/17/02
From: Eric Brandwine <ericb () UU NET>
Date: 23 Feb 2002 16:17:21 +0000
"ds" == Dmitri Smirnov <Dmitri.Smirnov () roundheaven com> writes:
ds> for last 200 reports we've got 3(!) replies back with confirmation ds> of investigation or with requests for additional log files. I ds> have a feeling that ISPs just ignore alerts/reports until you have ds> a legal/criminal case against them. This is why I'm using ARIS to ds> report (hope it help everybody/someone to see a global picture) ds> and hope one day federal government will such global DB to ds> prosecute attackers/ISPs. We have a similar response rate for our complaints. But we still complain to offenders. You've gotta realize that being an ISP is a buisiness, not a public service. Read some peering agreements. Read the AUP of your ISP, and of the ISPs that you complain to. THey're carefully worded. The services you want are possible. We have the technology for them. But they don't scale well, and they aren't cheap. If you insist, and enough people like you do so as well, then this will change. The federal government will pass legislation requiring ISPs to perform these services, and ISPs will comply. Your Internet costs will quadruple. Or have you not noticed Global Crossing, PSINet, XO Communications, etc? It ain't a money making business anymore, and any expenses forced onto us will be passed directly on to you. A much simpler, cheaper, more cost effective solution is to just be a good Internet citizen. Antispoof at the edges, keep your ARIN contacts up to date, respond to complaints. You get what you pay for and you (collectively) want cheap bandwidth. ericb ds> -----Original Message----- ds> From: Security Coordinator [mailto:security () aptusventures com] ds> Sent: Tuesday, February 19, 2002 6:51 AM ds> To: Peter Johnson; incidents () securityfocus com ds> Subject: Re: SNMP Scans 02/17/02 ds> On Sunday 17 February 2002 23:23, Peter Johnson wrote:
Do you think we should be reporting snmp scans to ISPs or just a waste of time?
ds> Well, one way or another ISPs need to be fingered. I don't see other people ds> in the security community saying much, so maybe its time someone started. ds> ISPs ARE RESPONSIBLE for a lot of the security problems on the net today. How ds> could someone do SNMP scans of a network unless ISPs let them get away with ds> it? Actually this is a bad example, there is legitimate SNMP traffic and it ds> would be hard for them to know, but then why is it we see so many spoofed ds> packets around? There should be ZERO of them on the net. Every router knows ds> what addresses to expect to be inside vs outside. ds> I won't belabour the point, but YES, you should not just report it to the ds> ISP, you should let everyone know where attacks come from. What we REALLY ds> need is a database and system good enough to understand the topology of the ds> net and processes attack reports in a sophisticated enough way that we can ds> say things like "if this router was filtering like thus, this would be ds> impossible" and if an ISP won't configure their equipment properly, then they ds> can be held liable.
================================================================== Peter
ds> ---------------------------------------------------------------------------- ds> This list is provided by the SecurityFocus ARIS analyzer service. ds> For more information on this free incident handling, management ds> and tracking system please see: http://aris.securityfocus.com ds> ---------------------------------------------------------------------------- ds> This list is provided by the SecurityFocus ARIS analyzer service. ds> For more information on this free incident handling, management ds> and tracking system please see: http://aris.securityfocus.com -- Eric Brandwine | The editor of the beast - vi vi vi UUNetwork Security | ericb () uu net | +1 703 886 6038 | - Usenet Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- SNMP Scans 02/17/02 Peter Johnson (Feb 18)
- Re: SNMP Scans 02/17/02 Security Coordinator (Feb 20)
- Re: SNMP Scans 02/17/02 Valdis . Kletnieks (Feb 22)
- RE: SNMP Scans 02/17/02 Tyrannis Von Nettesheim (Feb 22)
- Re: SNMP Scans 02/17/02 Eric Brandwine (Feb 22)
- Re: SNMP Scans 02/17/02 Dan Terhesiu (Feb 20)
- Re: SNMP Scans 02/17/02 Peter Johnson (Feb 20)
- <Possible follow-ups>
- RE: SNMP Scans 02/17/02 Dmitri Smirnov (Feb 23)
- Re: SNMP Scans 02/17/02 Eric Brandwine (Feb 24)
- Re: SNMP Scans 02/17/02 Security Coordinator (Feb 20)