nanog mailing list archives

Re: Scaled Back Cybersecurity


From: "Johannes Ullrich" <jullrich () euclidian com>
Date: Tue, 14 Jan 2003 14:56:30 -0500


i've had absolutely no luck getting the source isp's to care about
the problems i've seen at my home firewall in recent weeks.  (see
below if you wonder whether i'm implicating anyone here.)  there's
no other way to view the internet than as a worm-infested zombie.

hehe... I know the feeling. With DShield, we try hard to send out
correlated and filtered reports in a standardized format to valid
'contact' addresses. There are some success stories, but more misses
than hits overall. The 'misses' fall into two categories:

- ignored / bad contact address (the /dev/null group)

- the "portscanning is not a crime" group (at least they respond).

What is an appropriate reaction if an ISP receives an abuse report?
I know abuse@ is getting swamped with Excel spreadsheets, screenshots
and hate mail, and most of them are 'benign' (P2P file sharing
afterglow and the like).

But would it be too much for an ISP to send an email to the customer
as they receive the first reports, a phone call after the third ... ?

(BTW: Any ISPs here that would like a daily unfiltered report? I just
streamlined that function last week.)


Here is some DShield data for the IPs in your list:

Jan  1 18:40:44 fwlha /kernel: ipfw: 1800 Deny TCP 64.139.35.209:2559 204.152.184.163:21 in via dc0

scanned 9 different targets, > 30 days ago

Jan  3 06:15:19 fwlha /kernel: ipfw: 1800 Deny TCP 80.145.56.173:2113 204.152.184.163:57 in via dc0
Jan  3 06:15:37 fwlha /kernel: ipfw: 1800 Deny TCP 80.145.56.173:2595 204.152.184.163:21 in via dc0
Jan  3 06:15:40 fwlha /kernel: ipfw: 1800 Deny TCP 80.145.56.173:2595 204.152.184.163:21 in via dc0

2 targets, > 30 days ago... T-Online is receiving a daily summary report from us. For a while,
they bounced it back and forth between departments for days. Now they just /dev/null it, I think.

Jan  4 09:02:17 fwlha /kernel: ipfw: 1800 Deny TCP 193.251.0.37:4992 204.152.184.163:21 in via dc0
Jan  4 09:02:20 fwlha /kernel: ipfw: 1800 Deny TCP 193.251.0.37:3314 204.152.184.163:21 in via dc0

Wanadoo.fr... do I need to say more?



Jan 12 23:21:16 fwlha /kernel: ipfw: 6400 Deny TCP 212.202.170.154:3540 204.152.188.2:21 in via vlan0

3 different targets... does FTP and P2P...


-- 
--------------------------------------------------------------------
jullrich () euclidian com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
