Re: cultural questions from a newbie

[Ricky Charlet <rcharlet () speakeasy net>]

OK,
	The feedback I have is: No, there is no current established netiquette 
for handling sending feedback to attacking systems whom you suspect are 
run by unwitting admins. And further more there is no reliable channel 
to give the feedback. And further more, most of these unwitting admins 
would not comprehend the feedback.

	I do not believe or accept the last line above. I think a great many 
people who have bothered to install a server on their system would be 
able to follow directions on a vendors webpage about how to install 
patches and follow directions on another vendor's webpage about how to 
update virus definitions. And a great many more would be able to ask a 
friend how to do it.

	As for the reliable feedback channel problem, we need something new. A 
new tcp port and server for "please stop attacking me" messages. This 
new communication channel needs to have a reliable server (always on) 
listening for messages, needs to be spam proofed, and needs to be 
moderately trusted. This could be done. I'm posting a "what do you 
think" question on this topic to slashdot. And I'm asking this list, 
"What do you think?" I think the internet can be made a better place.

---
Ricky Charlet
rcharlet () alumni calpoly edu
510.324.3163




On Wednesday, August 6, 2003, at 06:39 AM, Erek Adams wrote:

> On Tue, 5 Aug 2003, Ricky Charlet wrote:
>
> > 	OK, I've had snort snorting on my system for about 4 days now. (by 
> > the
> > way, count this as a success report on Mac OSX 10.2.6 with snort 
> > 2.0.0,
> > clean compile and install - no problems).
>
> Schweet!  :)
>
> >         So WOW! What a lot of attempted attacks there are! Yesterday alone I
> > have 14 attempted attacks and 24 attempted scans. For the 4 days the
> > attacks have been overwhelmingly aimed at MS-SQL server and
> > MS-ISS-ISAPI. The Rule descriptions (SIDs=2003 and 1243) say that the
> > worms "Slammer" and "Code Rode" (respectively) used these
> > vulnerabilities to propagate.
>
> Welcome to our world.  :)  It's kinda like having a pair of really, 
> really
> dark shades removed....
>
> >         So my initial (newbie) assessment is that there are many unpatched,
> > infected systems out there. I would guess that most of the infected
> > systems are run by sys-admins who want to be white-hat guys or gals 
> > but
> > are simply unaware that they have an infection.
>
> Errrr...  I think you're giving them too much credit.  For the most 
> part,
> your "normal" user has no concept of Security, patching, advisories,
> vendor notices, or anything along those lines.  It's the "turn it on, 
> and
> it works" mentality.  We've been clicked and dragged into a 
> point-n-drool
> generation courtesy of <insert Microsoft bash here>.
>
> >         My big question is: what can be done to help the admins of these
> > infected systems?
>
> Install OpenBSD on them.  ;-)
>
> > Because these attacks are against MS systems, sending an email to
> > root@<IP_ADDRESS> is very unlikely to reach anyone. It seems to me 
> > that
> > we would need the cooperation of each ISP to get a message to the 
> > owners
> > of the infected systems. But sending a email to abuse@<ISP> seems a
> > little extreme. Is there any current netequite in the snort community
> > relating to how to get in touch with attacking systems under the
> > assumption that the sysadmin would correct the infection if made aware
> > of it?
>
> Honestly, there's not too much you can do.  You could look up the 
> contacts
> for the domain and make a phone call, but that has limited success.  
> Email
> is almost useless for the majority of those.  If it's coming from a
> DSL/Cable modem....  Just forget it.  No one will care or even 
> understand
> what you are telling them--And you'd never get to the end user anyway.
> :-/
>
> Yeah, it sucks.   That's the sad part about becoming "clueful" and
> understanding what's going on--You see so much of the failures of 
> others,
> you start to wonder "Why did I even do this?"
>
> Cheers!  (And yes, I'm feeling a bit cynical this morning....)
>
> -----
> Erek Adams
>
>    "When things get weird, the weird turn pro."   H.S. Thompson



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users