nanog mailing list archives

Re: whois
From: bmanning () vacation karoshi com
Date: Wed, 25 Oct 2000 02:40:29 +0000 (UCT)

        In my specific case, yes, although I've worked w/ some
        organizations that have taken the approach described.
        Takes some time but once credibility is established,
        it's easier to work with folk to curb undesirable behaviours.
        Trouble is, there is no consistent, globally accepted
        definition of "acceptable behaviour", just like there is no
        common definition of pornography other than "I know it when
        I see/smell/taste/hear it". Hence the wide variation in
        AUP & policy.  That said, diversity is good & bounds checking is
        a mark of a prudent ISP.

You're kidding, right?


-----Original Message-----
From: bmanning () vacation karoshi com
[mailto:bmanning () vacation karoshi com]
Sent: Tuesday, October 24, 2000 7:23 AM
To: tme () 21rst-century com
Cc: nanog () nanog org
Subject: Re: whois

 Yow!  A chance to play devil's advocate... Cool :)

 If you told me a dialup user on my network did anything, I'd doubt
 your veracity. How do you know I have dialup services in my network?
 The accuracy of your clock and the recorded IP address
 are suspect since I have zero visibility into your network structure
 or administrative practice... and you don't have that visibility into
 mine.  Your clock is hacked and you are forging IP addresses in an attempt
 to distract me from providing services. Tell me why this is not a simple
 case of harassment? Full and public disclosure of the attack profile would
 help build your credibility.  And yes, if I have no business
 to you and I've never had a relationship with you and you are making
 assertions about my infrastructure and clients, I will prolly want
 some incentive to cover the costs of investigating your outrageous

Are you really saying that if I tell you that a dial-up user on your network
hacked into my system at some precise time, from a precise IP address
(so that you could probably tell easily which user did it), and did so
in a fashion which suggested an automated "script kiddie" effort, I should only
expect a response from you if I PAY for it ?!?

This seems pretty close to the "protection" money that I hear people with
POP's in Moscow have to pay :)

(BTW, I said nothing about timeliness
or 24x7 availability - a note a week or two later would have sufficed.)

The key to an anti-hacker ISP association would be
a very special ip address / contact person lookup database.
ie: who/how to contact for the 'SWAT' response for a particular IP



When we have had attacks such as root exploits, we have notified the
source (at least, the ISP hosting the immediate source) as to the date,
time, IP address, etc.
(In one case, the attack appeared to come from a dial-up address in Germany,
so I thought we had them.) We have NEVER received a response. From
conversations at meetings, etc., I understand that this is typical - almost
universal - and that it would be naive to expect other ISPs to actually
do anything about being a source for attacks.

Maybe a start would be to a BCP for some level of minimal response if
you source an attack, and a "web site of shame" listing those domains that source
attacks and do nothing about it when notified.


                                   Marshall Eubanks

   Multicast Technologies, Inc.
   10301 Democracy Lane, Suite 201
   Fairfax, Virginia 22030
   Phone : 703-293-9624          Fax     : 703-293-9609     
   e-mail : tme () on-the-i com     http://www.on-the-i.com
