Educause Security Discussion mailing list archives

Re: Connectivity problems with the US Army


From: "Pace, Guy" <gpace () CIS CTC EDU>
Date: Fri, 19 Jan 2007 10:05:59 -0800

Maybe you did get a notification. Who monitors your abuse email alias?
Did you respond or was it handled with an auto-responder?

My own experience is that a lot of the abuse aliases are either not
monitored, use auto-responders, or they just seem like a black hole. Is
the information in the whois current? When was the last time you checked
your domain registration for current info?

The network and security admins in the .mil networks have just as much
time and resources, or less, than we do. If they get 29 of your IPs
hitting their perimeter, they'll block your domain. Investigation and
remediation--and notification--can follow when there is time ... If
there is time. From the .mil perspective, .edu networks are a vast
cesspool of infected/bot'ed systems that have been used against .mil
networks in the past. Blocking your domain isn't extreme, just simple
self-defense in times of limited personnel and other resources.

How many times have you sent notes with log extracts to ISPs or abuse
contacts about probes or attacks on your network only to get either an
auto-reply or nothing and watch the activity continue and continue, day
after day? Out of the last seven years, I can count on one hand the
number of actual responses I got from abuse contacts regarding serious
malicious traffic against one of my networks. One was from a Japanese
admin. One was from a sys admin at a .edu (an Oregon CC, BTW). The other
two were from .com/ISPs. That is out of more than a thousand.

I think we are way past the time when we can expect polite.

Guy L. Pace, CISSP
Security Administrator
Center for Information Services (CIS)
3101 Northup Way, Suite 100
Bellevue, WA 98004
425-803-9724

gpace () cis ctc edu


-----Original Message-----
From: Brock, Anthony - NET [mailto:Anthony.Brock () OREGONSTATE EDU] 
Sent: Friday, January 19, 2007 9:18 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Connectivity problems with the US Army

-----Original Message-----
Maybe they meant 29 IPs were probing.  We saw around 35 of your IPs 
either scanning port 2967 or actively attempting to exploit the 
Symantec vulnerability against systems here.

Very possible. However, this still seems a bit extreme for implementing
a "permanent block" of this scale. Also, there should be some method for
notifying the affected site and correcting the issue.

Tony
