Security Incidents mailing list archives
Re: auto-reporting to ISPs
From: raane () WMDATA COM (Rasmus Andersson)
Date: Thu, 2 Mar 2000 18:27:47 +0100
The proper way is not to do it completely automatically. Ever! If you really have some good heuristics that can sort out a real "attack" from just a user typing the wrong address in some sort of client, maybe you could produce a mail template or something that the user could forward, preferably after reading and understanding it...

Some side notes:

1. Any reporting to abuse departments must include *known correct* timestamps, including the time zone used. For example "Time is MET-DST continuously synchronized with NTP to stratum 3". Otherwise the report is useless (at least provided the attack came from a dynamic address). I've seen ISPs cancelling dial-up accounts (or claiming they did) from a report with no time zone stated (and it was *not* the zone the ISP probably guessed!) and without asking about the correctness of the time stamps. That's a bit too responsive. I've seen plenty of firewalls with a completely inaccurate local time (and date, and sometimes year :^)

2. As often stated, many "attacks" can be spoofed.

3. When getting a dynamic address, some traffic aimed for the previous user of that address is often received. That is not an attack :-)

4. Any (well, most) automatic reporting could be fooled and used against you. If I know a bunch of targets using it, I could send lots of spoofed attacks, creating a large number of bogus mails.

Many many other issues are involved. I forecast this thread to be huge :-)

regards
Rasmus Andersson
WM-data Security
http://www.wmdata.se/security
Löjtnantsgatan 25, Box 27307, 102 54 Stockholm
Tel: +46-(0)8-459 10 46, +46-(0)70-535 14 21
Fax: +46-(0)8-459 10 45
raane () wmdata com
PGP Id:70650262

Robert Graham wrote:
Could abuse@isp people please send me e-mail:

* what is the proper way a product like BlackICE Defender should assist the user in reporting such events?
* what should I tell this user about why we haven't put such a simple feature into the product?

Thanks,
Robert Graham
CTO/Network ICE
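An added example, not part of the original message or of any product named in the thread: a sketch of the "mail template the user could forward" approach, which states the time zone and clock source, groups events per source, and sends nothing itself. The function name, the `min_events` threshold, the template wording and the sample events are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample firewall events: (local log time, source address, event).
SAMPLE_EVENTS = [
    ("2000-03-02 18:01:12", "192.0.2.10", "TCP connect to port 12345"),
    ("2000-03-02 18:01:15", "192.0.2.10", "TCP connect to port 27374"),
    ("2000-03-02 18:01:19", "192.0.2.10", "TCP connect to port 31337"),
    ("2000-03-02 18:05:40", "198.51.100.7", "TCP connect to port 80"),
]


def draft_reports(events, utc_offset_hours, zone_name, clock_source, min_events=3):
    """Return {source: draft text} for the user to read and forward; sends nothing."""
    if not clock_source:
        # Without a known-correct clock the report is useless for dynamic addresses.
        raise ValueError("clock source unknown: refusing to draft a report")
    zone = timezone(timedelta(hours=utc_offset_hours), zone_name)
    by_source = defaultdict(list)
    for stamp, source, what in events:
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=zone)
        by_source[source].append((local, what))

    drafts = {}
    for source, hits in by_source.items():
        if len(hits) < min_events:
            # Assumed heuristic: a lone packet may be a mistyped address or
            # traffic meant for the previous holder of a dynamic address.
            continue
        lines = [
            f"Subject: connection attempts from {source}",
            "",
            f"Log times are {zone_name}, UTC offset {hits[0][0].strftime('%z')}.",
            f"Clock source: {clock_source}.",
            "Source addresses can be spoofed; please check against your own logs.",
            "",
        ]
        for local, what in sorted(hits):
            utc = local.astimezone(timezone.utc)
            lines.append(f"{local.isoformat()}  ({utc:%Y-%m-%d %H:%M:%S} UTC)  {what}")
        drafts[source] = "\n".join(lines)  # one draft per source, never one per packet
    return drafts


if __name__ == "__main__":
    for text in draft_reports(SAMPLE_EVENTS, 1, "MET", "NTP, stratum 3").values():
        print(text)
```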