North American Network Operators Group

Re: Where has the operational part of Nanog gone?

  • From: Steve Noble
  • Date: Thu Nov 19 20:50:44 1998

On Thu, Nov 19, 1998 at 01:16:22AM -0500, Adam Rothschild wrote:
> On Wed, 18 Nov 1998, Steve Noble wrote:
> > If this issue directly affected you, you should have contacted us and you
> > would have been given the information (as much as we could give).  If you
> 
> For the sake of clarification, could you please define "as much as we
> could give"?

Exactly what I said, as much as they could give. If you turn the situation around
and you were the one with the security issue, exactly how much information would
you want your ISP to give out?  Probably very little, other than that the situation
has been handled.  I am sure that you would also not want your ISP meddling in your
situation unless you requested it.

You have to remember, Exodus is only the ISP; while they are happy to contact and
assist any customer with a security problem, it is the customer's responsibility to
deal with it.  If you have any other issues with the customer feel free to contact
them directly or Exodus if they are uncooperative.

> It's not over till it's over.
> And, AFAIK, it was not over when Exodus claimed it was.
> In fact, do we know as a fact that it's over now?  I've been routing
> 209.67.50.0/24 to where it belongs (Null0), so if any access attempts were
> made, I wouldn't have noticed... sorry to sound in the dark here.

Of course, all I've seen have been very small issues which could be attributed
to dns lookups and other such things, nothing malicious since that day.

> Possibly.  Then again, from what I've seen, the majority of the
> portscanning/flooding originated from 209.67.50.0/24, not some other
> provider's blocks.  SO...

Not so true, you posted some yourself:

Date: Mon, 16 Nov 1998 17:30:39 -0500 (EST)               
From: Adam Rothschild <[email protected]>      
Subject: Exodus: this is bad

Hrrrm, I'm seeing 38.29.63.195 trying to telnet to every IP addr in one of
my Exodus  /24's... (around 4.30p EST)

---

Of course I see no reason why you put "Exodus: this is bad" as the topic of the post
but well, I don't understand half of what you say anyways :) Did you have problems
contacting PSI about this and getting it resolved?  Were they helpful?  I am sure
people from PSI read this list, I haven't seen any responses from them.

Also this one:

Date: Mon, 16 Nov 1998 18:05:25 -0500 (EST)               
From: Adam Rothschild <[email protected]>            
Subject: RE: Exodus: this is bad

True...  and in rapid succession, too.  Anyone notice anything fishy from
this fucker as well?

[r[email protected] log]# cat secure | more
Nov 15 23:41:36 oven in.telnetd[20426]: connect from 207.104.58.91
Nov 15 23:41:36 oven in.telnetd[20427]: connect from 207.104.58.91

---

Now other than your seemingly angry demeanor, this set of IPs seems to be causing you
problems too..  How did the ISP holding these IPs react? Is the system shut down?
I didn't see any posts from them on NANOG..

And of course, without your name attached:

Date: Mon, 16 Nov 1998 17:16:36 -0500
From: Richard Irving <[email protected]>            
Subject: Another origin IP

209.119.115.65

telnetd a mile a minute.......

---

It seems pretty clear to me that more than just Exodus was involved to a bigger
degree than you were saying... I'd quote more, but I don't want to have a 100 page
post.

> I'm confused.  How is a widespread network security issue not of
> operational concern?

Of course a widespread issue is, but harping on the people who resolved the issue
is not.  I understand now why most large ISPs don't even discuss problems publicly
just from the amount of trouble it causes.  Just ignore and it all goes away.

-- 
-------------------------------------------------------------------------------
: Steven Noble / Network Janitor / Be free my soul and leave this world alone :
:   My views = My views != The views of any of my past or present employers   :   
-------------------------------------------------------------------------------