On Thu, Nov 19, 1998 at 01:16:22AM -0500, Adam Rothschild wrote:
> On Wed, 18 Nov 1998, Steve Noble wrote:
> > If this issue directly affected you, you should have contacted us and you would have been given the information (as much as we could give). If you
> For the sake of clarification, could you please define "as much as we could give"?
Exactly what I said, as much as they could give. If you turn the situation around and you were the one with the security issue, exactly how much information would you want your ISP to give out? Probably very little, other than that the situation has been handled. I am sure that you would also not want your ISP meddling in your situation unless you requested it. You have to remember, Exodus is only the ISP, while they are happy to contact and assist any customer with a security problem, it is the customer's responsibility to deal with it. If you have any other issues with the customer feel free to contact them directly or Exodus if they are uncooperative.
> It's not over till it's over. And, AFAIK, it was not over when Exodus claimed it was. In fact, do we know as a fact that it's over now? I've been routing 209.67.50.0/24 to where it belongs (Null0), so if any access attempts were made, I wouldn't have noticed... sorry to sound in the dark here.
Of course, all I've seen have been very small issues which could be attributed to dns lookups and other such things, nothing malicious since that day.
> Possibly. Then again, from what I've seen, the majority of the portscanning/flooding originated from 209.67.50.0/24, not some other provider's blocks. SO...
Not so true, you posted some yourself:

Date: Mon, 16 Nov 1998 17:30:39 -0500 (EST)
From: Adam Rothschild <asr@millburn.net>
Subject: Exodus: this is bad

Hrrrm, I'm seeing 38.29.63.195 trying to telnet to every IP addr in one of my Exodus /24's... (around 4.30p EST)

---

Of course I see no reason why you put Exodus: this is bad as the topic of the post but well, I don't understand half of what you say anyways :) Did you have problems contacting PSI about this and getting it resolved? Were they helpful? I am sure people from PSI read this list, I haven't seen any responses from them.

Also this one:

Date: Mon, 16 Nov 1998 18:05:25 -0500 (EST)
From: Adam Rothschild <asr@millburn.net>
Subject: RE: Exodus: this is bad

True... and in rapid succession, too. Anyone notice anything fishy from this fucker as well?

[root@oven log]# cat secure | more
Nov 15 23:41:36 oven in.telnetd[20426]: connect from 207.104.58.91
Nov 15 23:41:36 oven in.telnetd[20427]: connect from 207.104.58.91

---

Now other than your seemingly angry demeanor, this set of IPs seems to be causing you problems too. How did the ISP holding these IPs react? Is the system shut down? I didn't see any posts from them on NANOG.

And of course, without your name attached:

Date: Mon, 16 Nov 1998 17:16:36 -0500
From: Richard Irving <rirving@onecall.net>
Subject: Another origin IP

209.119.115.65 telnetd a mile a minute.......

---

It seems pretty clear to me that more than just Exodus was involved to a bigger degree than you were saying... I'd quote more, but I don't want to have a 100 page post.
> I'm confused. How is a widespread network security issue not of operational concern?
Of course a widespread issue is, but harping on the people who resolved the issue is not. I understand now why most large ISPs don't even discuss problems publicly just from the amount of trouble it causes. Just ignore and it all goes away.

--
-------------------------------------------------------------------------------
: Steven Noble / Network Janitor / Be free my soul and leave this world alone :
: My views = My views != The views of any of my past or present employers    :
-------------------------------------------------------------------------------