RE: whois

[Karyn Ulriksen <kulriksen () publichost com>]

You're kidding, right?

-K

> -----Original Message-----
> From: bmanning () vacation karoshi com
> [mailto:bmanning () vacation karoshi com]
> Sent: Tuesday, October 24, 2000 7:23 AM
> To: tme () 21rst-century com
> Cc: nanog () nanog org
> Subject: Re: whois
>
>
>
>  Yow!  A chance to play devils advocate... Cool :)
>
>  If you told me a dialup user on my network did anything, I'd doubt
>  your veracity. How do you know I have dialup services in my network?
>  The accuracy of your clock and the recorded IP address
>  are suspect since I have zero visability into your network structure
>  or administrative practice... and you don't have that visability into
>  mine.  Your clock is hacked and you are forging IP addresses 
> in an attempt
>  to distract me from providing services. Tell me why this is 
> not a simple
>  case of harassment? Full and public disclosure of the attack 
> profile would 
>  help build your credibility.  And yes, if I have no business 
> relationship
>  to you and I've never had a relationship with you and you are making
>  assertions about my infrastructure and clients, I will prolly want
>  some incentive to cover the costs of investigating your outragous
>  claims.
>
>
> > Are you really saying that if I tell you that a dial-up 
> user on your network
> > hacked into my system at some precise time, from a precise 
> IP address 
> > (so that you could probably tell easily which user did it), 
> and did so
> > in a fashion
> > which suggested an automated "script kiddie" effort, I should only
> > expect a response from you if I PAY for it ?!? 
> >
> > This seems pretty close to the "protection" money that I 
> hear people with
> > POP's in Moscow have to pay :) 
> >
> > (BTW, I said nothing about timeliness
> > or 24x7 availability - a note a week or two later would 
> have sufficed.)
> > > > > The key to an anti-hacker ISP association would be
> > > > > a very special ip address / contact person lookup database.
> > > > > ie: who/how to contact for the 'SWAT' response for a 
> particular IP
> > > > > address.
> > > > >
> > > > > --Mike--
> > > >
> > > > Hello;
> > > >
> > > > When we have had attacks such as root exploits, we have 
> notified the
> > > > source (at least,
> > > > the ISP hosting the immediate source) as to the date, 
> time, IP address, etc.
> > > > (In one case, the attack appeared to come from a 
> dial-up address in Germany,
> > > > so I thought we had them.) We have NEVER received a 
> response. From
> > > > conversations at meetings, etc., I understand that this 
> is typical - almost
> > > > universal - and that it would be naive to expect other 
> ISPs to actually
> > > > do anything
> > > > about being a source for attacks.
> > > >
> > > > Maybe a start would be to a BCP for some level of 
> minimal response if
> > > > you source
> > > > an attack, and a "web site of shame" listing those 
> domains that source
> > > > attacks and do nothing about it when notified.
> >
> >
> > -- 
> >
> >
> >                                    Regards
> >                                    Marshall Eubanks
> >
> >
> >    Multicast Technologies, Inc.
> >    10301 Democracy Lane, Suite 201
> >    Fairfax, Virginia 22030
> >    Phone : 703-293-9624          Fax     : 703-293-9609     
> >    e-mail : tme () on-the-i com     http://www.on-the-i.com