nanog mailing list archives

Re: What would you tell the White House?


From: Hank Nussbacher <hank () att net il>
Date: Mon, 14 Feb 2000 08:15:51 +0200


At 21:05 13/02/00 -0800, Eric A. Hall wrote:

Your conclusions are identical to what I have found.  The reasons are:

a) profit margin: Almost all ISPs lose money.  CEOs and CFOs do not see the
dedicated personnel that handle 'abuse@' emails as generating income.
Most small ISPs with revenue under $5M/yr will not be able to dedicate an
FTE to 'abuse@' handling.  ISPs would rather hire another salesman or
purchase a larger Cisco router than invest in handling 'abuse@'.  We may
not like it - but that is what happens.

b) lawyers: once you get into major size ISPs (over $100M/yr), they don't
move without legal counsel.  You were attacked by a Sub Seven port scan?
You want the ISP to yank the user off the network?  First you need to find
a lawyer who understands a bit of the technical jargon.  95% do not.  Once
you do find such a person, legal counsel of the ISP will first demand proof
from the *local* staff that such an attack has occurred.  Your complaint
logs are not admissible, in his view.  Then the lawyer has to check that
the hacker was made aware of the existing AUP.  That gives the hacker a
second chance.  Now if the hacker is not really a hacker - but perhaps some
user who claims to have his account or system hacked and if you revoke
access - he will sue the ISP for every penny since he is working on a
multi-million dollar deal and without email he will lose everything; the
lawyer will fold his tail and run.  I have seen this countless times.  

c) lack of time: a derivative of (a) above.  Severely understaffed, the ISP
has lines down and routers overloaded and servers with disk problems, and
new customers wanting their connection up NOW!  Spam reports and nmap scans
fall to the wastebasket in these cases. 

d) incompetence: a derivative of (a) above.  Some ISPs have no idea what
nmap or strobe or cheops is and have never heard of ISS, Retina, Netrecon, or
Netranger.  Their main Internet guru is an NT techie who thinks NT is a
very secure operating system.

See below.



The ISPs need to put a system in place where they can work together
to quickly trace and isolate the source of any attack.  Perhaps the
vendors need to develop some mechanisms to facilitate this.

A good deal of this technology is in place already, but based on my
experience, most ISPs just aren't using it or aren't acting on the data.
I don't know if it's because of the administrative cost of managing a
secure network, the tight market for talented personnel, or what, but
it's really annoying when I go to the trouble of reporting security
incidents and nothing happens.

This week's logs on my very small network show:

10 events of a user on best.net trying to connect to my RPC port:

      UTC 02/11/2000 02:45:20.784
      TCP connection dropped
      Source:209.24.82.10, 3714, WAN
      Destination:209.31.7.40, 111, LAN

Best.net's security people said "that box was compromised, block access
to the IP address while it's fixed." Huh? How come best.net is letting
their users send this crap out? If I can filter in-bound, they can
filter out-bound while they fix the system.

Because if Best.net filtered at their end - they may be liable to a lawsuit
from the user who had his access blocked.


5 events of a user at a Korean site running nmap or some other scanner
against TCP port 1 on each of my public addresses:

      UTC 02/13/2000 06:22:26.576
      TCP connection dropped
      Source:211.45.145.2, 3272, WAN
      Destination:209.31.7.41, 1, LAN

The Korean ISP didn't respond.

Lack of time.


Two weeks ago I got:

      UTC 02/05/2000 07:32:05.944
      Sub Seven Attack Dropped
      Source:209.245.74.63, 1242, WAN
      Destination:209.31.7.41, 1243, LAN

Level3.net still hasn't responded to that.

Profit margin.


Ad nauseam. Every week I get probed, hacked on, ping-o-death'd and more,
while every week I send copies of the log to the source's security@isp.
30% of the time security@ is an invalid mailbox that bounces (which is
why I also cc: abuse@isp), 60% of the time the message is ignored or not
responded to, and only 10% of the time do I get a response that some
form of action might be taken if they can figure out which user had the
IP address at that moment.

So, based on my experience, the ISP community isn't taking advantage of
the tools they have to do their own enforcement. It would seem to me
that the first step in saying "we can take care of this ourselves" is to
prove that you're credible. If I were asked, I'd say that the quality of
self-policing to date has been quite miserable.

I suspect we will only see more attacks and not to expect any solutions
from ISPs in the near future.

-Hank

[the above are my own views and do not reflect light nor the opinions of
any companies or organizations for which I do consulting.]


-- 
Eric A. Hall                                            ehall () ehsco com
+1-650-685-0557                                    http://www.ehsco.com
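The firewall entries quoted in the thread share a fixed four-line shape (UTC timestamp, event name, source endpoint, destination endpoint). As an added example, not part of the thread and not code from either poster, the Python script below parses entries in that shape, groups them per source address, labels the pattern (single event, repeated attempts against one host, or a sweep of one port across several hosts), and assembles the evidence block one would mail to the source network's abuse@ or security@ address, reproducing the raw entries verbatim so the remote ISP can map the address to a user at that moment. The sample log is constructed: three entries mirror the quoted ones, the other two and the reporter address are made up for the demonstration.

```python
import re
from datetime import datetime

# Constructed sample in the four-line firewall format quoted in the thread.
# Entries 1, 3 and 5 mirror the quoted ones; entries 2 and 4 are made up
# (assumption: these are not the poster's real logs).
SAMPLE_LOG = """\
      UTC 02/11/2000 02:45:20.784
      TCP connection dropped
      Source:209.24.82.10, 3714, WAN
      Destination:209.31.7.40, 111, LAN

      UTC 02/11/2000 02:45:21.102
      TCP connection dropped
      Source:209.24.82.10, 3715, WAN
      Destination:209.31.7.40, 111, LAN

      UTC 02/13/2000 06:22:26.576
      TCP connection dropped
      Source:211.45.145.2, 3272, WAN
      Destination:209.31.7.41, 1, LAN

      UTC 02/13/2000 06:22:26.601
      TCP connection dropped
      Source:211.45.145.2, 3273, WAN
      Destination:209.31.7.40, 1, LAN

      UTC 02/05/2000 07:32:05.944
      Sub Seven Attack Dropped
      Source:209.245.74.63, 1242, WAN
      Destination:209.31.7.41, 1243, LAN
"""

TS_RE = re.compile(r"^UTC (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})$")
ENDPOINT_RE = re.compile(r"^(Source|Destination):(\S+), (\d+), (\w+)$")


def _ts(t):
    """Render a datetime back in the log's own millisecond form."""
    return t.strftime("%m/%d/%Y %H:%M:%S.%f")[:-3]


def parse_events(text):
    """Turn four-line entries into dicts; blocks that do not match are skipped."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events = []
    for i in range(len(lines) - 3):
        ts = TS_RE.match(lines[i])
        if not ts:
            continue
        src = ENDPOINT_RE.match(lines[i + 2])
        dst = ENDPOINT_RE.match(lines[i + 3])
        if not (src and dst and src.group(1) == "Source" and dst.group(1) == "Destination"):
            continue
        events.append({
            "time": datetime.strptime(ts.group(1), "%m/%d/%Y %H:%M:%S.%f"),  # UTC
            "event": lines[i + 1],
            "src_ip": src.group(2), "src_port": int(src.group(3)), "src_zone": src.group(4),
            "dst_ip": dst.group(2), "dst_port": int(dst.group(3)), "dst_zone": dst.group(4),
        })
    return events


def summarize_by_source(events):
    """Per source IP: count, distinct targets/ports/event types, time window.
    Only WAN-sourced events are counted; the LAN side is our own network."""
    summary = {}
    for ev in events:
        if ev["src_zone"] != "WAN":
            continue
        s = summary.setdefault(ev["src_ip"], {
            "count": 0, "dst_hosts": set(), "dst_ports": set(), "events": set(),
            "first": ev["time"], "last": ev["time"]})
        s["count"] += 1
        s["dst_hosts"].add(ev["dst_ip"])
        s["dst_ports"].add(ev["dst_port"])
        s["events"].add(ev["event"])
        s["first"] = min(s["first"], ev["time"])
        s["last"] = max(s["last"], ev["time"])
    return summary


def classify(entry):
    """One-line label for the report; a heuristic, not a detection engine."""
    if len(entry["dst_hosts"]) > 1 and len(entry["dst_ports"]) == 1:
        port = next(iter(entry["dst_ports"]))
        return "sweep of port %d across %d hosts" % (port, len(entry["dst_hosts"]))
    if entry["count"] > 1:
        return "%d repeated connection attempts" % entry["count"]
    return "single event"


def build_abuse_report(src_ip, events, reporter="noc@example.net"):
    """Evidence block for the source network's abuse@/security@ mailbox.
    Raw entries are reproduced verbatim with UTC timestamps and ports.
    The reporter address is a constructed placeholder."""
    mine = [ev for ev in events if ev["src_ip"] == src_ip and ev["src_zone"] == "WAN"]
    if not mine:
        raise ValueError("no inbound events from %s" % src_ip)
    s = summarize_by_source(mine)[src_ip]
    out = ["Source: %s (%s)" % (src_ip, classify(s)),
           "Window (UTC): %s to %s" % (_ts(s["first"]), _ts(s["last"])),
           "Event types: " + ", ".join(sorted(s["events"])),
           "Reported by: " + reporter, ""]
    for ev in sorted(mine, key=lambda e: e["time"]):
        out += ["UTC " + _ts(ev["time"]), ev["event"],
                "Source:%s, %d, %s" % (ev["src_ip"], ev["src_port"], ev["src_zone"]),
                "Destination:%s, %d, %s" % (ev["dst_ip"], ev["dst_port"], ev["dst_zone"]), ""]
    return "\n".join(out)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ip, entry in sorted(summarize_by_source(evs).items()):
        print(ip, entry["count"], classify(entry))
    print(build_abuse_report("211.45.145.2", evs))
```

Running the script prints one summary line per source and the full report for the port-1 sweep. The report deliberately keeps the exact timestamps and source ports of each entry rather than a prose summary, because that is what the remote ISP needs to tie an address to a customer session, and what their counsel will ask for before anything is done.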




