North American Network Operators Group


Re: Scaled Back Cybersecurity

  • From: Christopher L. Morrow
  • Date: Tue Jan 14 14:41:18 2003


On 14 Jan 2003, Paul Vixie wrote:

>
> > This is alarming, considering the increase in attacks
> > against infrastructure, and the sophistication of attacks
> > over the last year. And we still use basically the same
> > ineffective techniques to counteract and track attacks that
> > became household words two years ago.
>
> yes.
>
> > I suspect a very effective worm would change this pretty
> > quickly, most likely through onerous regulation. It's
> > surprising that it hasn't happened already.
>
> i've had absolutely no luck getting the source isp's to care about
> the problems i've seen at my home firewall in recent weeks.  (see
> below if you wonder whether i'm implicating anyone here.)  there's
> no other way to view the internet than as a worm-infested zombie.
>

One problem with notifications typically (that I've seen) is that there is
no one to notify... there may be an email address, but most likely that's
not even watched/read/responded-to/reacted-upon. From my experience we
receive less than 1 in 3K responses :( For UUNET I know that there is a
response and action on 'all' complaints, provided there is enough info to
take some action. NOTE, that action might not be 'disconnect' it might be
'notify downstream customer'... but at least someone is doing something :)
And there is a 24/7 security group responsible for dealing with live
incidents. This is also not very common at most organizations. :(

To start fixing this problem every ISP really needs some security folks
dedicated to customer security issues... These folks need to have the
ability to contact customers and shut off services until the problem has
been rectified.

Hopefully, once there are security folks at all ISP's the ISP's will be
able to speak intelligently and civilly to each other to cooperate and
contain problems.

> (this is a grep of just the port scans and attacks against ftp here.)
> -- snipped --