At 21:05 13/02/00 -0800, Eric A. Hall wrote:

Your conclusions are identical to what I have found. The reasons are:

a) profit margin: Almost all ISPs lose money. CEOs and CFOs do not see the dedicated personnel that handles 'abuse@' emails as generating income. Most small ISPs with revenue under $5M/yr will not be able to dedicate an FTE to 'abuse@' handling. ISPs would rather hire another salesman or purchase a larger Cisco router than invest in handling 'abuse@'. We may not like it - but that is what happens.

b) lawyers: once you get into major size ISPs (over $100M/yr), they don't move without legal counsel. You were attacked by a Sub Seven port scan? You want the ISP to yank the user off the network? First you need to find a lawyer who understands a bit of the technical jargon. 95% do not. Once you do find such a person, legal counsel of the ISP will first demand proof from the *local* staff that such an attack has occurred. Your complaint logs are not admissible, in his view. Then the lawyer has to check that the hacker was made aware of the existing AUP. That gives the hacker a second chance. Now if the hacker is not really a hacker - but perhaps some user who claims to have his account or system hacked - and if you revoke access, he will sue the ISP for every penny, since he is working on a multi-million dollar deal and without email he will lose everything; the lawyer will fold his tail and run. I have seen this countless times.

c) lack of time: a derivative of (a) above. Severely understaffed, the ISP has lines down and routers overloaded and servers with disk problems, and new customers wanting their connection up NOW! Spam reports and nmap scans fall to the wastebasket in these cases.

d) incompetence: a derivative of (a) above. Some ISPs have no idea what nmap or strobe or cheops is and have never heard of ISS, Retina, Netrecon, or Netranger. Their main Internet guru is an NT techie, who thinks NT is a very secure operating system. See below.
The ISPs need to put a system in place where they can work together to quickly trace and isolate the source of any attack. Perhaps the vendors need to develop some mechanisms to facilitate this.
A good deal of this technology is in place already, but based on my experience, most ISPs just aren't using it or aren't acting on the data. I don't know if it's because of the administrative cost of managing a secure network, the tight market for talented personnel, or what, but it's really annoying when I go to the trouble of reporting security incidents and nothing happens.
This week's logs on my very small network show:
10 events of a user on best.net trying to connect to my RPC port:
UTC 02/11/2000 02:45:20.784 TCP connection dropped Source:209.24.82.10, 3714, WAN Destination:209.31.7.40, 111, LAN
Best.net's security people said "that box was compromised, block access to the IP address while it's fixed." Huh? How come best.net is letting their users send this crap out? If I can filter in-bound, they can filter out-bound while they fix the system.
Because if Best.net filtered at their end - they may be liable to a lawsuit from the user who had his access blocked.
5 events of a user at a Korean site running nmap or some other scanner against TCP port 1 on each of my public addresses:
UTC 02/13/2000 06:22:26.576 TCP connection dropped Source:211.45.145.2, 3272, WAN Destination:209.31.7.41, 1, LAN
The Korean ISP didn't respond.
Lack of time.
Two weeks ago I got:
UTC 02/05/2000 07:32:05.944 Sub Seven Attack Dropped Source:209.245.74.63, 1242, WAN Destination:209.31.7.41, 1243, LAN
Level3.net still hasn't responded to that.
Profit margin.
Ad nauseam. Every week I get probed, hacked on, ping-o-death'd and more, while every week I send copies of the log to the source's security@isp. 30% of the time security@ is an invalid mailbox that bounces (which is why I also cc: abuse@isp), 60% of the time the message is ignored or not responded to, and only 10% of the time do I get a response that some form of action might be taken if they can figure out which user had the IP address at that moment.
So, based on my experience, the ISP community isn't taking advantage of the tools they have to do their own enforcement. It would seem to me that the first step in saying "we can take care of this ourselves" is to prove that you're credible. If I were asked, I'd say that the quality of self-policing to date has been quite miserable.
I suspect we will only see more attacks, and we should not expect any solutions from ISPs in the near future. -Hank [the above are my own views and do not reflect light nor the opinions of any companies or organizations for which I do consulting.]
-- Eric A. Hall ehall@ehsco.com +1-650-685-0557 http://www.ehsco.com