nanog mailing list archives

Re: What would you tell the White House?


From: "Eric A. Hall" <ehall () ehsco com>
Date: Sun, 13 Feb 2000 21:05:11 -0800



> The ISPs need to put a system in place where they can work together
> to quickly trace and isolate the source of any attack.  Perhaps the
> vendors need to develop some mechanisms to facilitate this.

A good deal of this technology is in place already, but based on my
experience, most ISPs just aren't using it or aren't acting on the data.
I don't know if it's because of the administrative cost of managing a
secure network, the tight market for talented personnel, or what, but
it's really annoying when I go to the trouble of reporting security
incidents and nothing happens.

This week's logs on my very small network show:

10 events of a user on best.net trying to connect to my RPC port:

        UTC 02/11/2000 02:45:20.784
        TCP connection dropped
        Source:209.24.82.10, 3714, WAN
        Destination:209.31.7.40, 111, LAN

Best.net's security people said "that box was compromised, block access
to the IP address while it's fixed." Huh? How come best.net is letting
their users send this crap out? If I can filter in-bound, they can
filter out-bound while they fix the system.

5 events of a user at a Korean site running nmap or some other scanner
against TCP port 1 on each of my public addresses:

        UTC 02/13/2000 06:22:26.576
        TCP connection dropped
        Source:211.45.145.2, 3272, WAN
        Destination:209.31.7.41, 1, LAN

The Korean ISP didn't respond.

Two weeks ago I got:

        UTC 02/05/2000 07:32:05.944
        Sub Seven Attack Dropped
        Source:209.245.74.63, 1242, WAN
        Destination:209.31.7.41, 1243, LAN

Level3.net still hasn't responded to that.

Ad nauseam. Every week I get probed, hacked on, ping-o-death'd and more,
while every week I send copies of the log to the source's security@isp.
30% of the time security@ is an invalid mailbox that bounces (which is
why I also cc: abuse@isp), 60% of the time the message is ignored or not
responded to, and only 10% of the time do I get a response that some
form of action might be taken if they can figure out which user had the
IP address at that moment.

So, based on my experience, the ISP community isn't taking advantage of
the tools they have to do their own enforcement. It would seem to me
that the first step in saying "we can take care of this ourselves" is to
prove that you're credible. If I were asked, I'd say that the quality of
self-policing to date has been quite miserable.

-- 
Eric A. Hall                                            ehall () ehsco com
+1-650-685-0557                                    http://www.ehsco.com
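As an added example (not code from the post or from NANOG), a small Python parser for the four-line firewall records quoted above, grouping dropped events by source IP so that one summary per offending network can go to its security@/abuse@ contact; the sample records are the three from the post, and the record layout is assumed to be exactly as quoted.

```python
import re
from datetime import datetime

# Constructed sample: the three firewall records quoted in the post, kept in
# their four-line "UTC timestamp / event / Source / Destination" layout.
SAMPLE_LOG = """\
UTC 02/11/2000 02:45:20.784
TCP connection dropped
Source:209.24.82.10, 3714, WAN
Destination:209.31.7.40, 111, LAN

UTC 02/13/2000 06:22:26.576
TCP connection dropped
Source:211.45.145.2, 3272, WAN
Destination:209.31.7.41, 1, LAN

UTC 02/05/2000 07:32:05.944
Sub Seven Attack Dropped
Source:209.245.74.63, 1242, WAN
Destination:209.31.7.41, 1243, LAN
"""

TS_RE = re.compile(r"^UTC (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})$")
EP_RE = re.compile(r"^(?:Source|Destination):(\d{1,3}(?:\.\d{1,3}){3}), (\d+), \w+$")

def parse_log(text):
    """One dict per well-formed four-line record; malformed records are skipped, not guessed."""
    events = []
    for block in text.strip().split("\n\n"):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if len(lines) != 4:
            continue
        ts, src, dst = TS_RE.match(lines[0]), EP_RE.match(lines[2]), EP_RE.match(lines[3])
        if ts and src and dst:
            events.append({"time": datetime.strptime(ts.group(1), "%m/%d/%Y %H:%M:%S.%f"),
                           "event": lines[1], "src_ip": src.group(1), "src_port": int(src.group(2)),
                           "dst_ip": dst.group(1), "dst_port": int(dst.group(2))})
    return events

def summarize_by_source(events):
    """Group by source IP: event count, targeted ports, event names, first/last seen (UTC)."""
    out = {}
    for e in events:
        s = out.setdefault(e["src_ip"], {"count": 0, "dst_ports": set(), "events": set(),
                                         "first": e["time"], "last": e["time"]})
        s["count"] += 1
        s["dst_ports"].add(e["dst_port"])
        s["events"].add(e["event"])
        s["first"], s["last"] = min(s["first"], e["time"]), max(s["last"], e["time"])
    return out
```

Each entry of the summary carries everything the post says an ISP needs to act (source address, time window, ports hit), so the per-IP entries can be pasted into one report per source network.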


