Firewalls and reporting

In article ,
Bruce L. Bergman wrote:
> On 2 May 2004 11:10:12 -0400, wrote:
>
>> I believe you were talking about MyNetWatchman specifically. I wouldn't bother
>> with them. As one of those on the "source ISP" end of things, we get notices
>> from them often and they are useless. They report that someone with foo
>> address tried to make a connection to baz address on this date. There isn't
>> enough information in the reports to determine what was happening and why,
>> so it gets ignored. Requests for more information from MyNetWatchman were
>> also never answered.
>
> So what would you recommend as an effective method of reporting
> spammers, scammers & skript kiddies poking at your system ports for
> vulnerabilities, that the BOFH ;-) Sysop community will actually
> listen to?

If you can find the email addresses for the people who really run the
networks, they are usually very interested in cleaning their own sandbox.
The helpdesk and abuse people usually don't seem to know what to do or care.
Unfortunately you are largely on your own out there just like everyone else.
The best thing to do about spammers is press the delete key and put in a
good filter to press the delete key for you next time. If you use the "click
here to remove your address" link they like to send in the email, all you do is
let the spammers know that you are a live address. Complaints to
usually get dumped on the floor along with all the spam they get. Most of the
spam you get out there is from compromised computers that have been pressed
into service by the spammers. Not that much comes from sources that are easy
to terminate. Reporting hacking attempts will usually get more action, if it
is from somewhere in the US or Canada, unless it is owned by a cable or phone
company. Nothing but a lawsuit seems to get them moving.

> I've been doing this from the user end for FAR too long (IBM 360
> mark-sense card runs in Junior High, TI 99/4A, PC-XT...) and don't
> want to spend too much time tracerouting the idiots and chasing down
> foreign WHOIS sites, etc. - but if a neat little program can point me
> to the moron's true origins, I'll gladly drop a dime on his ass so you
> can terminate the account "with extreme prejudice". ;-)

Unfortunately, there are so many poorly run networks out there that it is
easy to cover your tracks. You trace the moron to some netblock in Siberia
and then can't even get the owners of the network to answer your email.
Moron is now safe and you are out of luck. Best you can do is lock down your
own systems (turn off everything and deny access to all. Start turning on
the stuff you use and find doesn't work anymore) and watch your logs.
Attempts get shrugged off. Strange stuff originating from your own network
gets shut down and investigated immediately.

> The Internet is supposed to be self-policing. Give us the tools and
> we'll help.
>
> -- Bruce --


The days of the self-policing internet seem to have died long ago (about the
time that all the commercial enterprises entered the arena, it seems) but
there is hope. Our security guy has been hanging around with the security
guys from dozens of other networks (both educational and commercial). Now
there are mailing lists and the word of mouth pipeline that have many, many
networks all looking out for each other. For example, we know the admins
that own the net block just above ours. Periodically, they give us a call and
tell us which of our machines have started scanning their netspace. Some
viruses will just keep working their way up the addresses looking for more
machines to infect. If we don't catch it, then it walks into his space and
he notices it. We shut it down and fix it. I guess it is self-policing, but
not everyone is in the same game.

-- Joe

--
Joseph M. Krzeszewski Mechanical Engineering and stuff
Jack of All Trades, Master of None... Yet
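One concrete way to do the outbound log-watching Joe describes above (catching a machine that has started walking up the address space before the admins of the netblock next door have to phone you), as an added example that is not code from this thread or from anyone quoted in it: it parses iptables-style LOG lines, groups outbound TCP SYNs by internal source host, and flags hosts that hit many distinct destinations mostly in ascending order. The log format, the netblocks 10.1.2.0/24 (ours) and 10.1.3.0/24 (the neighbour's, just above ours), the sample log lines and the thresholds are all assumptions made up for the example.

```python
"""Spot an internal host sweeping addresses outbound, from firewall logs.

Added example, not code from the thread. Assumptions: the logs are
iptables-style LOG lines as written to syslog, 10.1.2.0/24 is our block
and 10.1.3.0/24 is the neighbour's block just above it.
"""
import ipaddress
import re
from collections import defaultdict

OUR_BLOCK = ipaddress.ip_network("10.1.2.0/24")        # assumed
NEIGHBOUR_BLOCK = ipaddress.ip_network("10.1.3.0/24")  # assumed

# Fields an iptables LOG rule writes; we only want TCP SYNs (new connections).
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?\bSYN\b"
)


def parse_syns(lines):
    """Yield (src, dst, dport) for every TCP SYN log line; skip anything else."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield (ipaddress.ip_address(m["src"]),
                   ipaddress.ip_address(m["dst"]),
                   int(m["dpt"]))


def find_sweepers(lines, min_targets=8, min_sequential=0.75):
    """Return {src: report} for our hosts whose SYNs look like an address sweep.

    A sweep is many distinct destinations, hit mostly in ascending order
    (each next address one above the last), which is how a worm walks out
    of our block and into the neighbour's.
    """
    dests = defaultdict(list)   # src -> destinations as ints, in log order
    ports = defaultdict(set)    # src -> destination ports tried
    for src, dst, dport in parse_syns(lines):
        if src not in OUR_BLOCK:          # inbound noise: only our own hosts matter here
            continue
        if not dests[src] or dests[src][-1] != int(dst):   # collapse retries
            dests[src].append(int(dst))
        ports[src].add(dport)

    reports = {}
    for src, seq in dests.items():
        targets = len(set(seq))
        if targets < min_targets:
            continue
        steps = [b - a for a, b in zip(seq, seq[1:])]
        sequential = sum(1 for s in steps if s == 1) / len(steps)
        if sequential < min_sequential:
            continue
        crossed = [d for d in seq if ipaddress.ip_address(d) in NEIGHBOUR_BLOCK]
        reports[str(src)] = {
            "targets": targets,
            "sequential": round(sequential, 2),
            "ports": sorted(ports[src]),
            "first_neighbour_hit": str(ipaddress.ip_address(crossed[0])) if crossed else None,
        }
    return reports


def _log_line(src, dst, dpt, flags="SYN"):
    """Build a constructed iptables LOG line (sample data, not a real capture)."""
    return (f"May  2 11:10:12 gw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC={src} DST={dst} "
            f"LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=3451 DPT={dpt} "
            f"WINDOW=16384 RES=0x00 {flags} URGP=0")


# Constructed sample: one ordinary workstation, one infected host that walks
# 10.1.2.250 .. 10.1.3.5 on port 445, an inbound probe, and a non-SYN line.
SAMPLE_LOG = (
    [_log_line("10.1.2.7", "192.0.2.25", 25),
     _log_line("10.1.2.7", "192.0.2.80", 80),
     _log_line("10.1.2.7", "198.51.100.9", 443)]
    + [_log_line("10.1.2.34", str(ipaddress.ip_address("10.1.2.250") + i), 445)
       for i in range(12)]
    + [_log_line("203.0.113.9", "10.1.2.7", 22),
       _log_line("10.1.2.7", "192.0.2.80", 80, flags="ACK")]
)

if __name__ == "__main__":
    for host, report in find_sweepers(SAMPLE_LOG).items():
        print(host, report)
```

On the sample the only report is for 10.1.2.34: twelve targets, every step one address up, port 445, first neighbour address hit 10.1.3.0, which is exactly the call the admins next door would otherwise be making. The ordinary workstation's handful of connections and the inbound probe from outside the block are ignored. The sequential test only catches the address-walking behaviour the post describes; a scanner that picks targets at random evades it, so in practice the distinct-destination count per host is worth alerting on by itself.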