Firewall Wizards
mailing list archives
Re: "Who else picked this one up?"
From: "Paul D. Robertson" <proberts () clark net>
Date: Tue, 4 May 1999 07:10:38 -0400 (EDT)
On Mon, 3 May 1999, R. DuFresne wrote:

> > So where do you find a problem with folks who like to test scanners from
> > their networks being listed as such? Surely if I don't want traffic from
> > a particular AS to reach my network that's up to me? Surely if I find a
> > particular behaviour counter-productive to my connectivity, I should have
> > a resource that lets me identify sites that exhibit that behaviour and do
> > what I feel is right to protect my networks?
>
> And you are telling me that without a publicly accessible database, with
> the potential of it being used as a BLACKLIST <how soon we forget the
> 50's, McCarthy, and even times earlier, are we now in the panic of some
> post WWIII (I missed it, was that Mitnick?) syndrome??>, you do not now
> have that capability?? You are stating that your routers and firewalls,
> VPN's and such are not doing the job?

They aren't doing the job outside of the scope of my information.
Attackers are coordinating attacks - you're seeming to advocate not
coordinating information of those attacks. No network is an island.
> Mil sites do audits of those sites they contract with, how many corporate
> sites might also do the same of those they are going to network peer with?
> How many sites, just on this list, when hit with packets, do a defensive
> reverse scan to the 'suspected' source? What's the potential for these

Very few if they've got reasonably paranoid lawyers.

> kind of records to enter the database? How much does this contaminate the
> data?

It doesn't, it's still good data.
> Mine? My solution is to get legislation enhanced, to make it something
> that can be actually backed up with the legal system, rather than running
> amok as a group of inane vigilantes doling out their own brand of
> justice, nevermind the "innocents" that incur the wrath of the fanatics,
> collateral damage, as they say.

You end up with the exact same issues with legislation *except* that
there's no such thing as global legislation and you're dealing with a
global network.
> Better yet, grab all that GIGO you so over value and inflate so as to
> enhance your position with your employer, and find a nice little private
> peered network to toss packets of data back and forth upon. As it is,
> your fellow employees waste far too much of their valuable workplace time
> playing on the net as it is, stealing from your employer.

And if they had the ability to launch attacks from my networks that were
wide-ranging, I'd certainly want to know if they were doing so. One
person complaining isn't the same as a community complaining.
> No one seemed to notice, when Melissa hit a few weeks ago, it was the
> government sites, and a few major business sites that were hardest and
> first hit, having 'picked up' the virus from their 'employees' having had
> all that time to scour the sex related newsgroups whence it was released

As with most viruses, I'm relatively sure that a statistically small
sample got the first generation copy. Like most large corporations, my
employer gets hit regularly with viruses - we've yet to see a first or
second generation virus.

> into the wild too. I was surprised at the total lack of a thread in any of
> the security related lists and newsgroups about this fact. For, it was

I wasn't, but maybe you should look a little more into the replication
scheme, or just do the penny-a-day doubled-a-day math.

> these sites that I suspect, if analysis is conducted on the spread
> pattern of the cyber-bug, that they, their partners, had 'become' the
> threat, most often attacking their peering partners. Are folks now
> reconsidering their working relationships and VPN connections with this
> thought in mind: my *partner* has employees that seem to spend a lot of
> time at sex related sites, they expose *me*...

The thread would be the same if the virus had been unleashed on AOL as
another IE upgrade, rec.underwater.basketweaving, or any other place a
large number of unsophisticated users end up.
> What are the liabilities of one company so exposing another? Has there

So far, RBL has been the best model for this type of situation, and while
there are pretty much constant threats of legal action, I'm not
personally aware of any real attempts. I'm not on the RBL team though,
and I don't follow it too closely.

> been any shakeout from this? What might be the liabilities of the
> maintainers of this data, should a company suffer some damage because of
> this potential representation of their addresses in such a public
> manner...

It's not misrepresentation if the data is good. You can jump to bad
conclusions, but data is data. The keepers of the data don't even have
to be involved for it to work.
> And "enforcement". The underlying problem is not that these scans take
> place, but, that there is nothing at present to deter them. And to act
> outside the law, and to take a position of libeling an innocent party,

Just how is "packets sourced at 10.1.1.1 hit my network looking for
BackOrifice" libel?

> putting them in the cyber version of the old Elizabethan 'stocks' for
> public ridicule and chastisement. Is there a mailing list for corporate
> lawyers? Maybe this thread should be cross-posted there, for they will be

I'm not sure, LACC is the only general-interest list on computer law I'm
aware of, but IANAL.

> loving this enhancement of their positions that is forming as we speak.
> There's another way to a partial fix, from the top down. Though because
> of the competitive nature of the communications game, and the acquisition
> frenzy, the waters are so muddied at present, if there's a scheme in
> action, it's not being implemented. The core backbones have to force
> their clients to provide a clean unbroken setup to get their pipes opened.
> And be responsible for assuring that their clients also have to do the
> same.

The only way that will be palatable is if the alternative is to not get
traffic out. That's not realistic in an open multi-jurisdictional
environment without some sort of impetus.
> > That's fine, because my stance is that if they do that, I won't exchange
> > traffic with them.
>
> But, you are, have been, and will continue to do so. Your clients, your
> employer's employees are and have been seeing to that. As it is, most of
> these 'minor' probes get by and set off none of your alarms. A single
> telnet attempt, the accepting and sending of cookies by your web browsing
> fellow employees, see to that.

My employees don't get telnet. As for not setting off alarms, I have my
thresholds, and I'm comfortable with them as they are. But if I deploy
a system that can track single-packet probes and report that information
to a central repository and gather data on similar packets hitting other
networks, I'm in a better position, not a worse one.
> If you feel this is as big a threat as you state, with no recourse but to
> strap on the cyber-sixgun and hit the street at high noon to duel out your
> justice, perhaps it's time to really, seriously consider pulling up the
> cable roots and moving them to a completely private networking scheme and
> go to a totally private peering ideal.

Why? Because you don't like it? If I want to limit the exposure of my
network and my peers want to do likewise without the inherent
disadvantages of building a new network, then why shouldn't I? You've
yet to address that question.
> > Abuse and misuse are in the eye of the beholder. I don't see why you're
> > against me wanting to exchange abuse information with my peers to make
> > choices about the operation of my networks.
>
> You are not talking about the private exchange of information, you are
> talking of a publicly accessible 'blacklist'. One that once a site is

My peers are the network operators of every network on the planet. Given
the lack of ability to verify 3rd party operators, it's a necessarily
public list.

> posted on, they are forever damned, without the benefit of a trial in a
> court of law, or even an open review of their peers. Others are starting
> to state how they have found themselves on similar lists, and are starting
> to state the troubles involved in getting removed from such lists after
> discovery, and after suffering the consequences of appearing there.

Yet none of them have been innocent of the reasons for getting on the
list - open relay. Intent is good for criminal cases, but it doesn't
matter one whit to the victim.
> With spoofing, the potential for GIGO and collateral damage is quite
> inevitable, and from the outset...

Nobody's advocating blackholing from the outset, but we'd be naive to
not make it a future possibility and perhaps probability.
> I could see a database, that contended it had no purpose *but* to show
> that scanning and probing and prodding of networks, not to mention other
> attacks, are common place, even on the rise. But, to draw any other
> conclusions about such data, and or advocating retaliatory actions based
> upon that data is far beyond a point of subjective analysis of that data
> and what it likely represents.

And yet if it stops 95% of network abuse, is it so evil? That depends on
the value of your networks I'd think. I wouldn't accept an ISP for home
that blocked my traffic, but I'd accept a job from an employer that did.
> Consider: your company has been spoofed into sending packets my way, my
> system kicks in and fires off some probes to your system so I can
> determine what actions I might take and know who to address such issues to
> and the data makes it to the database, consider that in some cases it is
> correctly interpreted on one side and contributed to the database once, in
> some cases not preinterpreted and entered twice, once by both parties.
> Does this skew the data in any way?...

No, the data is still accurate. Without the contribution, there's no way
to link the events though, is there?
> smallpipes.but-well-connected.com is being DOS'ed by a packet
> storm from spoofed/amplifying bigpipes.not-so-well-connected.com.
> smallpipes makes a few calls and gets bigpipes shut off, and mostly cause
> bigpipes, is on a list maintained by the firewalls wizards group, in fact,
> bigpipes is an avid contributor to the list...

You seem to think that immediate cut-off is going to happen out of the
box. I don't see that as a logical conclusion unless all the tier-1
providers do it. If that's the case, then we'll get tier-1 accountability.
> company1.com is considering a VPN working relationship with company2.com.
> Company2.com is revealed to be in a database that shows that they are
> constantly being bombarded with nasty packets, that company1.com, either
> misses in their audits, or lack thereof, or is just small enough to have
> not been 'discovered' and so queried, or even just publicly known and
> abused for that reason. Company1.com decides that its best interests are
> to avoid company2.com's exposure? Of course, nevermind the fact that
> company2.com has never been compromised, nor has it suffered much as a
> result of these scans, being they are in bigpipes realm, are the corporate

And if they have been compromised continuously? How do you explain that
to your shareholders after you take a collateral hit?

> lawyers still watching? We all love them, don't we? We all, at least
> those of us *not* self-employed and incorporated, have close working
> relationships, and have discussed such matters as this before even
> exposing our *employers'* company to such a contribution as is being
> proposed, yes?

I can be sure what traffic enters and leaves my networks. That's part of
a network operator's responsibility. Some operators aren't living up to
that responsibility.
> > Just like it has traditionally had ramifications as far as the resources
> > AOL has contributed to the IRC networks and the effectiveness of their
> > abuse department.
>
> It's a matter of *exposure* and perspective, I'm sure. Consider, you are
> reporting to me, AOLish.com, abuse, and from what I've been seeing in *my*
> data, in fact, I'm seeing you the complainer as being one of the sites
> most often hitting me with packets. Add to that that AOLish.com entered

Then we both do discovery and correlate the results. If you're not
interested in doing that, then that's fine, my data will stand on its own.

> into the game, and has been learning as they go <as most here have and
> are>, trying hard to do the right thing, yet, their exposure and name have
> set themselves up for abuse from all ends. I might get to be a bit

That's a business risk they're taking.

> hesitant and standoffish, might I not? Hell, I, AOLish.com look at my
> customer database and start to see that a number of my clients call in
> from your pbx, now, who's exposing and abusing whom?

If eight additional sites show the same trend, you might learn something
about your business model, network setup or something else. We *already
have* the one-to-one mapping - now we're looking at the next level of
information.
> > RBL works, UDP works, to some extent UCE reporting works. Anarchy
> > doesn't work because there are too many people willing to victimize others.
>
> As concerns RBL, once listed there, who does one see and who does one go
> about getting their site removed from the listing? Assuming that spamming
> has been curtailed from the abusing site and all...

There's a pointer on the RBL Web page, http://maps.vix.com/rbl/

I'd like to add that RBL seems to be well-run and getting on and off the
list is well documented and easy. I've yet to see a report of a non-UCE,
or even a UCE place not getting off of RBL successfully once they've fixed
the problem. RBL isn't 100% effective, but it works.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts () clark net which may have no basis whatsoever in fact."
PSB#9280
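An added example, not code from Paul, DuFresne or anyone on the list: a toy version of the shared probe database the thread argues about. It takes probe reports contributed by several sites, collapses the double entry DuFresne describes (both parties contributing the same event) into a single event, and only flags a source once several independent sites have reported it. The record format, site names and addresses are all constructed for this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records (assumed format, not a real protocol), one per probe:
# reporter,timestamp,src_ip,dst_ip,dst_port. Sites a and b both report the
# same 31337 probe; site b logs one telnet probe twice; 10.1.1.1 is unroutable.
SAMPLE_REPORTS = """\
site-a.example,1999-05-03T10:00:05,192.0.2.10,198.51.100.7,31337
site-b.example,1999-05-03T10:00:06,192.0.2.10,198.51.100.7,31337
site-a.example,1999-05-03T10:02:00,192.0.2.10,198.51.100.8,31337
site-c.example,1999-05-03T11:15:00,192.0.2.10,203.0.113.3,31337
site-b.example,1999-05-03T11:30:00,203.0.113.99,198.51.100.9,23
site-b.example,1999-05-03T11:31:00,203.0.113.99,198.51.100.9,23
site-c.example,1999-05-03T12:00:00,10.1.1.1,203.0.113.4,23
"""
# Spoofed or leaked sources in these ranges name no responsible network.
UNATTRIBUTABLE = [ipaddress.ip_network(n) for n in
                  ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                   "172.16.0.0/12", "192.168.0.0/16")]
DEDUP_WINDOW = timedelta(seconds=120)


def parse_reports(text):
    """(reporter, time, src, dst, port) tuples, minus unattributable sources."""
    rows = []
    for line in filter(None, text.splitlines()):
        reporter, ts, src, dst, port = line.split(",")
        if any(ipaddress.ip_address(src) in net for net in UNATTRIBUTABLE):
            continue
        rows.append((reporter, datetime.fromisoformat(ts), src, dst, int(port)))
    return rows


def correlate(rows):
    """Return {src: (event_count, {reporters})}. Same src/dst/port within
    DEDUP_WINDOW is one event however many sites entered it (no double
    counting); the reporter set still grows, as independent sightings do."""
    last_seen, events, reporters = {}, defaultdict(int), defaultdict(set)
    for reporter, ts, src, dst, port in sorted(rows, key=lambda r: r[1]):
        reporters[src].add(reporter)
        key = (src, dst, port)
        if key in last_seen and ts - last_seen[key] <= DEDUP_WINDOW:
            continue  # duplicate of an event already counted
        last_seen[key] = ts
        events[src] += 1
    return {src: (events[src], reporters[src]) for src in events}


def widely_seen(summary, min_reporters=2):
    """Sources reported by at least min_reporters independent sites."""
    return sorted(s for s, (_, who) in summary.items() if len(who) >= min_reporters)
```

Running `widely_seen(correlate(parse_reports(SAMPLE_REPORTS)))` flags only 192.0.2.10, seen by three sites; the source reported twice by one site stays below the threshold, and the 10.1.1.1 report is dropped before it can enter the tallies.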