|
Security Incidents
mailing list archives
Re: How to cope with, uhm, "mentally challenged" abuse personnel?
From: Justin Shore <macdaddy () NEO PITTSTATE EDU>
Date: Tue, 6 Mar 2001 12:31:56 -0600
On 3/6/01 5:18 AM Ralf G. R. Bergs said...
On Sat, 3 Mar 2001 15:07:43 -0600, Blake Frantz wrote:
A UU.net *router* was
trying to communicate with one of our core routers via TCP on a wide range
of arbitraty ports. When asked, UU.net responded with "The type of
internet traffic you describe appears to be of normal origin." and
referred me to RFC 792 (ICMP) - I almost fell off my chair. None the
This is the same thing they *always* do to me, and most scans I need to
report
are RPC and FTP scans.
less, after we recieved their response the activity stopped. Purhaps this
is the same in your case, a first level abuse manager sends out a generic
email to passify wouldbe admins and escalates the incident. Just a
thought.
*Sometimes* the activity stopped, but I had some cases where the activity
went
on for days, so I had to black-hole that subnet. But that can't be an optimal
solution, don't you agree? I can't start to blackhole everyone, because
some day
I hamper my users in their work... :-(
I've had to report probes to UUnet before. The best method I found was
to first send the standard email with all the neccessary info (logs,
description of the problem, etc...), wait 10 minutes, and then call them.
I reference the email I sent and say that the problem is continuous and
ask for a resolution. I usually have pretty good luck with that method.
Probes from UUnet are almost as common as spam from UUnet. :(
Justin
--
Justin Shore, ES Pittsburg State University
Network & Systems Manager Kelce 157Q
Office of Information Systems Pittsburg, KS 66762
Voice: (620) 235-4606 Fax: (620) 235-4545
http://www.pittstate.edu/ois/
Warning: This message has been quadruple Rot13'ed for your protection.
 By Date 
By Thread
Current thread:
- Re: How to cope with, uhm, "mentally challenged" abuse personnel?, (continued)
|
Intro
