North American Network Operators Group


Re: Open relays and open proxies

  • From: Paul Vixie
  • Date: Thu Apr 24 16:48:20 2003

> > I use proxycheck to manually check hosts for open proxies
> > (http://www.corpit.ru/mjt/proxycheck.html)... you could script this (or
> > a similar tool) and run scans of your entire network.
> 
> That's what I would suggest.  You could also reactively test your customers 
> when they make a connection to your webserver or mailserver.

that won't catch the case where a proxy is open and is being abused but
the resulting traffic is directed outside of the local isp, which is going
to be the common case since parasites don't like to endanger their hosts.

every network owner should routinely scan/probe every address they are
responsible for, looking for everything from ntpd vulnerabilities to
sendmail or bind vulnerabilities to open proxies to open relays to etc.

by "routinely" i mean every day.  if something's found, block it 'til it's
fixed.  this will save you huge money in [email protected] staffing costs, as well
as giving you "n'ya n'ya" rights when you meet uunet at the nanog bar :-).

this is as important as having [email protected] and [email protected] mailboxes, or doing uRPF
on customer edges.  if you're an ISP and your customer agreement doesn't
explicitly demand the ability to do this testing, then have it updated.

i now think that http://www.icann.org/committees/security/sac004.htm was
not nearly draconian enough, even though it claims...

   3 - DDoS Vector

   3.1. The typical vector for DDoS launches is a personal computer (PC)
   running operating system and application software that purposely trades
   off security for convenience.  These computers are usually poorly
   managed, such that there are weak passwords or no passwords, known
   security "holes" that are never patched or closed, and services offered
   to the global Internet that the owner has no knowledge and no use for.

   3.2. From the point of view of almost any single purveyor -- or consumer
   -- of operating system and application software, convenience will almost
   always have more perceived value than security.  It is only when viewed
   in the aggregate that the value of security becomes obviously higher
   than the value of convenience.

   3.3. With the advent of high speed "always on" connections, these PCs
   add up to either an enormous global threat, or a bonanza of freely
   retargetable resources, depending upon one's point of view.

   3.4. Bad actors, in teams or acting alone, exert constant background
   effort to locate these hosts, probe them for known weaknesses, and
   subvert them in any way possible.  There are software "kits" available
   that make all of this trivially easy, so no actual technical skill is
   needed to locate, subvert, and direct an army of thousands of high
   performance drones.

...to be aware of this problem.
-- 
Paul Vixie
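As an added example (not part of this post, and not proxycheck's code), here is one piece of the daily self-scan described above, in Python: an SMTP open-relay check run against hosts in your own address space. The MTA is asked to accept mail from one foreign domain to another (constructed addresses in RFC 2606 reserved domains) and the session is abandoned before DATA, so nothing is delivered; the HELO name `scanner.example.org` and all function names are assumptions.

```python
"""Open-relay check for hosts you are responsible for, meant for a daily job."""
import socket

# Constructed probe addresses in reserved RFC 2606 domains: a host that
# accepts RCPT TO for example.net from a sender at example.com is relaying.
PROBE_SENDER = "relay-probe@example.com"
PROBE_RCPT = "relay-probe@example.net"


def smtp_code(line):
    """Return the 3-digit SMTP reply code at the start of a line, or None."""
    line = line.strip()
    if len(line) >= 3 and line[:3].isdigit():
        return int(line[:3])
    return None


def read_reply(readline):
    """Read one SMTP reply, skipping '250-...' continuation lines; return its code."""
    while True:
        line = readline()
        if not line:
            raise ConnectionError("peer closed connection")
        if len(line) >= 4 and line[3] != "-":  # '250 ok' ends a multi-line reply
            return smtp_code(line)


def relay_check(readline, write, helo="scanner.example.org"):
    """Drive an SMTP session; return 'open', 'closed' or 'unknown'.

    'open'    - RCPT TO for a foreign domain got a 2xx reply
    'closed'  - the RCPT TO was refused
    'unknown' - the session failed before the RCPT TO was answered
    """
    if read_reply(readline) != 220:
        return "unknown"
    for cmd in (f"HELO {helo}", f"MAIL FROM:<{PROBE_SENDER}>"):
        write(cmd + "\r\n")
        if read_reply(readline) != 250:
            write("QUIT\r\n")
            return "unknown"
    write(f"RCPT TO:<{PROBE_RCPT}>\r\n")
    code = read_reply(readline)
    write("RSET\r\nQUIT\r\n")  # never send DATA: nothing is queued or delivered
    return "open" if code is not None and 200 <= code < 300 else "closed"


def check_host(host, port=25, timeout=10):
    """Connect to one host from your own network and run the relay check."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rw", encoding="ascii", newline="")  # no newline translation
        return relay_check(f.readline, lambda data: (f.write(data), f.flush()))
```

A 2xx reply to RCPT TO is an indicator rather than proof: some MTAs accept the recipient and only refuse at DATA, so confirm a hit before blocking the host.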