North American Network Operators Group


Re: Scaled Back Cybersecurity

  • From: Johannes Ullrich
  • Date: Tue Jan 14 14:58:38 2003

> i've had absolutely no luck getting the source isp's to care about
> the problems i've seen at my home firewall in recent weeks.  (see
> below if you wonder whether i'm implicating anyone here.)  there's
> no other way to view the internet than as a worm-infested zombie.

hehe... I know the feeling. With DShield, we try hard to send out
correlated and filtered reports in a standardized format to valid
'contact' addresses. There are some success stories, but more misses
than hits overall. The 'misses' fall into two categories:

- ignored/bad contact/   ( /dev/null group )

- or the "portscanning is not a crime" group. (at least they respond).

What is an appropriate reaction if an ISP receives an abuse report?
I know [email protected] is getting swamped with Excel spreadsheets, screenshots
and hate mail, and most of them are 'benign' (P2P file sharing afterglow
and the like).

But would it be too much for an ISP to send an email to the customer
as they receive the first reports, a phone call after the third ... ?

(BTW: Any ISPs here that would like a daily unfiltered report? I just
streamlined that function last week.)


Here is some DShield data for the IPs in your list:

> Jan  1 18:40:44 fwlha /kernel: ipfw: 1800 Deny TCP 64.139.35.209:2559 204.152.184.163:21 in via dc0

scanned 9 different targets, > 30 days ago

> Jan  3 06:15:19 fwlha /kernel: ipfw: 1800 Deny TCP 80.145.56.173:2113 204.152.184.163:57 in via dc0
> Jan  3 06:15:37 fwlha /kernel: ipfw: 1800 Deny TCP 80.145.56.173:2595 204.152.184.163:21 in via dc0
> Jan  3 06:15:40 fwlha /kernel: ipfw: 1800 Deny TCP 80.145.56.173:2595 204.152.184.163:21 in via dc0

2 targets, > 30 days ago... TONLINE is receiving a daily summary report from us. For a while,
they bounced it forth and back between departments for days. Now they just /dev/null it I think.

> Jan  4 09:02:17 fwlha /kernel: ipfw: 1800 Deny TCP 193.251.0.37:4992 204.152.184.163:21 in via dc0
> Jan  4 09:02:20 fwlha /kernel: ipfw: 1800 Deny TCP 193.251.0.37:3314 204.152.184.163:21 in via dc0

Wanadoo.fr... do I need to say more?



> Jan 12 23:21:16 fwlha /kernel: ipfw: 6400 Deny TCP 212.202.170.154:3540 204.152.188.2:21 in via vlan0

3 different targets... does ftp and P2P...


-- 
--------------------------------------------------------------------
[email protected]             Collaborative Intrusion Detection
                                         join http://www.dshield.org

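The DShield-style correlation Johannes describes (group the firewall's Deny lines by source address, count distinct targets, and escalate as the same source keeps turning up), as an added example that is not part of the thread or of DShield's own code. The log lines are constructed in the ipfw syslog format quoted above using documentation address ranges, and the e-mail-then-phone-call tiers are an assumed reading of his suggestion.

```python
import re
from collections import defaultdict

# Constructed sample in the ipfw syslog format quoted in the thread (documentation address ranges).
SAMPLE_LOG = """\
Jan  1 18:40:44 fwlha /kernel: ipfw: 1800 Deny TCP 198.51.100.7:2559 192.0.2.10:21 in via dc0
Jan  3 06:15:19 fwlha /kernel: ipfw: 1800 Deny TCP 198.51.100.7:2113 192.0.2.10:57 in via dc0
Jan  3 06:15:37 fwlha /kernel: ipfw: 1800 Deny TCP 198.51.100.7:2595 192.0.2.11:21 in via dc0
Jan  4 09:02:17 fwlha /kernel: ipfw: 1800 Deny TCP 198.51.100.7:4992 192.0.2.10:21 in via dc0
Jan 12 23:21:16 fwlha /kernel: ipfw: 6400 Deny TCP 203.0.113.54:3540 192.0.2.12:21 in via vlan0
Jan 12 23:21:17 fwlha /kernel: ipfw: 6400 Deny UDP 203.0.113.54:6346 192.0.2.12:6346 in via vlan0
Jan 12 23:21:18 fwlha /kernel: ipfw: 6400 Accept TCP 203.0.113.54:3541 192.0.2.12:80 in via vlan0
"""

# Only "Deny" lines are of interest; anything else (or a malformed line) is skipped.
IPFW_DENY = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ /kernel: "
    r"ipfw: (?P<rule>\d+) Deny (?P<proto>\w+) (?P<src>[\d.]+):\d+ "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) in via (?P<iface>\S+)$"
)

def parse_ipfw(lines):
    """Yield a field dict for every ipfw Deny line that matches the format."""
    for line in lines:
        m = IPFW_DENY.match(line.strip())
        if m:
            yield m.groupdict()

def correlate(lines):
    """Group Deny events by source: distinct targets, destination ports, report days."""
    by_src = defaultdict(lambda: {"targets": set(), "ports": set(), "days": set()})
    for ev in parse_ipfw(lines):
        rec = by_src[ev["src"]]
        rec["targets"].add(ev["dst"])
        rec["ports"].add(int(ev["dport"]))
        rec["days"].add((ev["mon"], int(ev["day"])))
    return by_src

def escalation(days_reported):
    """Assumed tiers for the thread's suggestion: e-mail on the first report, phone call from the third."""
    return "phone" if days_reported >= 3 else "email" if days_reported >= 1 else "none"

def summarize(lines):
    """Per source: (distinct targets, sorted dst ports, distinct report days, action)."""
    return {src: (len(r["targets"]), sorted(r["ports"]), len(r["days"]), escalation(len(r["days"])))
            for src, r in correlate(lines).items()}

if __name__ == "__main__":
    for src, (n_t, ports, n_d, act) in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n_t} targets, ports {ports}, seen on {n_d} day(s) -> {act}")
```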