You're kidding, right? -K
-----Original Message-----
From: bmanning@vacation.karoshi.com [mailto:bmanning@vacation.karoshi.com]
Sent: Tuesday, October 24, 2000 7:23 AM
To: tme@21rst-century.com
Cc: nanog@nanog.org
Subject: Re: whois
Yow! A chance to play devil's advocate... Cool :)
If you told me a dialup user on my network did anything, I'd doubt your veracity. How do you know I have dialup services in my network? The accuracy of your clock and the recorded IP address are suspect since I have zero visibility into your network structure or administrative practice... and you don't have that visibility into mine. Your clock is hacked and you are forging IP addresses in an attempt to distract me from providing services. Tell me why this is not a simple case of harassment? Full and public disclosure of the attack profile would help build your credibility. And yes, if I have no business relationship to you and I've never had a relationship with you and you are making assertions about my infrastructure and clients, I will prolly want some incentive to cover the costs of investigating your outrageous claims.
Are you really saying that if I tell you that a dial-up user on your network hacked into my system at some precise time, from a precise IP address (so that you could probably tell easily which user did it), and did so in a fashion which suggested an automated "script kiddie" effort, I should only expect a response from you if I PAY for it ?!?
This seems pretty close to the "protection" money that I hear people with POP's in Moscow have to pay :)
(BTW, I said nothing about timeliness or 24x7 availability - a note a week or two later would have sufficed.)
The key to an anti-hacker ISP association would be a very special ip address / contact person lookup database. ie: who/how to contact for the 'SWAT' response for a particular IP address.
--Mike--
Hello;
When we have had attacks such as root exploits, we have notified the source (at least, the ISP hosting the immediate source) as to the date, time, IP address, etc. (In one case, the attack appeared to come from a dial-up address in Germany, so I thought we had them.) We have NEVER received a response. From conversations at meetings, etc., I understand that this is typical - almost universal - and that it would be naive to expect other ISPs to actually do anything about being a source for attacks.
Maybe a start would be to a BCP for some level of minimal response if you source an attack, and a "web site of shame" listing those domains that source attacks and do nothing about it when notified.
--
Regards Marshall Eubanks
Multicast Technologies, Inc. 10301 Democracy Lane, Suite 201 Fairfax, Virginia 22030 Phone : 703-293-9624 Fax : 703-293-9609 e-mail : tme@on-the-i.com http://www.on-the-i.com
In my specific case, yes, although I've worked w/ some organizations that have taken the approach described. Takes some time but once credibility is established, it's easier to work with folk to curb undesirable behaviours. Trouble is, there is no consistent, globally accepted definition of "acceptable behaviour", just like there is no common definition of pornography other than "I know it when I see/smell/taste/hear it". Hence the wide variation in AUP & policy. That said, diversity is good & bounds checking is a mark of a prudent ISP.