EXAMPLE: ### xxx Canada detected a penetration attempt from 209.123.x.229. Incident# xxxx
Pursuant to my previous post, I just rec'd this. Not exactly the same, but very similar.

Kind of my point; SO WHAT THAT THIS PERSON WAS SCANNED? Is scanning actually an illegal activity? Was anything actually hacked, cracked, or 0wn3d?

It's an absurd waste of resources to be emailed by automagic systems every time someone sends a stray packet.

-- Alex Rubenstein, AR97, K2AHR, alex@nac.net, latency, Al Reuben --
-- Net Access Corporation, 800-NET-ME-36, http://www.nac.net --

---------- Forwarded message ----------
Date: Fri, 26 Oct 2001 04:50:27 -0600 (MDT)
From: Super-User <root@xx.xx.net>
To: "dnsadmin@NAC.NET" <dnsadmin@NAC.NET>
Subject: ### xxx Canada detected a penetration attempt from 209.123.x.229. Incident# xxxx ###

This email was generated by so-and-so Canada's network intrusion detection system. Please forward to your Internet security personnel if you are not the appropriate person to receive this notice.

so-and-so Canada, located in Calgary, Alberta Canada, wishes to inform you that we experienced a probe or scan from your IP space.

LOGGED INFORMATION:
--------------------------
Source: 209.123.x.229
Destination: Host-x.x.19.254
Date: 26Oct2001
Time: 4:50:23 (Local Calgary Time GMT-7)
Service/Protocol: http
--------------------------

This notification has been sent to: alex@NAC.NET dnsadmin@NAC.NET abuse@NAC.NET

Because we view this activity as possible intent to breach security, we ask you to review your logs and take appropriate action against the offending party responsible for this suspicious activity.

Please respond to xx@xx.net for any issues concerning this. You may also visit our Intrusion Detection Information website at: http://x.x.19.11/intrusion_detection

Thank you.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim bleh
Senior Unix Network Analyst
xxx Canada
Calgary, AB Canada
(403) xxx-yyyy
On Fri, 26 Oct 2001 09:03:01 -0300, Alex Rubenstein <alex@nac.net> said:
Kind of my point; SO WHAT THAT THIS PERSON WAS SCANNED? Is scanning actually an illegal activity? Was anything actually hacked, cracked, or 0wn3d?
Nope, it's not illegal (yet). But it might be suspicious...
It's an absurd waste of resources to be emailed by automagic systems every time someone sends a stray packet.
Well, there's stray packets and there's stray packets...
Source: 209.123.x.229 Destination: Host-x.x.19.254 Date: 26Oct2001 Time: 4:50:23 (Local Calgary Time GMT-7) Service/Protocol: http
This could be suspicious *if* and *only if* Host-x.x.19.254 is known to not be an http server. It may be totally innocuous - I've been known to put http:// instead of ftp:// in a URL more than once myself. Might be a user error at your site. Might be a misconfig at your site. Might be a malicious user at your site. They don't know, and they can't tell.
Because we view this activity as possible intent to breach security, we ask you to review your logs and take appropriate action against the offending party responsible for this suspicious activity.
And they're correct - it *could* be. All they're asking is that you check it out as per your procedures. If your procedures include hitting the big button labeled "refile in trash", that's your decision. ;)

We send a lot of similar notes of our own (though usually it takes more than one stray packet to get our attention), and we receive a lot of similar notes about our users (goes with the territory, we're a large university). We do what we feel is proper in response (any 'first report' we get that involves our NTP servers gets an FAQ sent back, we don't often hear back again). And we're happy to get the reports - we've had more than one incident where we didn't know we had a problem until we had *multiple* sites reporting that the *same* box at our site was poking their stuff....

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Alex Rubenstein
Sent: October 26, 2001 9:03 AM
To: nanog@nanog.org
Subject: EXAMPLE: ### xxx Canada detected a penetration attempt from 209.123.x.229. Incident# xxxx
Pursuant to my previous post, I just rec'd this. Not exactly the same, but very similar.
Kind of my point; SO WHAT THAT THIS PERSON WAS SCANNED? Is scanning actually an illegal activity? Was anything actually hacked, cracked, or 0wn3d?
It's an absurd waste of resources to be emailed by automagic systems every time someone sends a stray packet.
At least that one is relatively _polite_; we've received some from someone who was very rude and threatened to break into our systems to retaliate. Actually, I think it even hinted that the retaliation system was automated... not exactly the most comforting thing out there.

Vivien

--
Vivien M.
vivienm@dyndns.org
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/
On Fri, 26 Oct 2001, Alex Rubenstein wrote:
Kind of my point; SO WHAT THAT THIS PERSON WAS SCANNED? Is scanning actually an illegal activity? Was anything actually hacked, cracked, or 0wn3d?
I suppose if you see someone looking into the windows of your home and hear them twisting the doorknobs you don't mind either, you just ignore him and go about your business. After all, they didn't actually break in did they? So, no worries.

-Dan

--
[-] Omae no subete no kichi wa ore no mono da. [-]
Blasphemy.

There is quite a difference, even in analogy, of some pinging/port scanning, and someone twisting my doorknobs.

If you can't see it, you won't.

On Fri, 26 Oct 2001, Dan Hollis wrote:
I suppose if you see someone looking into the windows of your home and hear them twisting the doorknobs you don't mind either, you just ignore him and go about your business. After all, they didn't actually break in did they? So, no worries.
Pinging is not analogous to twisting doorknobs, I think of it more like driving past your house - "yep, there's a house there." NMAP scans are more like twisting doorknobs to me.

-C

On Fri, Oct 26, 2001 at 02:52:15PM -0400, Alex Rubenstein wrote:
Blasphemy.
There is quite a difference, even in analogy, of some pinging/port scanning, and someone twisting my doorknobs.
If you can't see it, you won't.
On Fri, 26 Oct 2001, Dan Hollis wrote:
I suppose if you see someone looking into the windows of your home and hear them twisting the doorknobs you don't mind either, you just ignore him and go about your business. After all, they didn't actually break in did they? So, no worries.

--
---------------------------
Christopher A. Woodfield
rekoil@semihuman.com
PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
I think that Alex's point is that if you want to *really* have a secure network, you can't do it by sending out automated mails every time a stray packet hits your network. That's likely to cause way more annoyance than any good it could possibly do.

A much more effective way of proceeding would be to have a person looking at each and every incident, deciding whether it merits a notice to the offending network, and then sending a personal, non-threatening mail.

--Adam

--
Adam McKenna <adam@flounder.net>        | GPG: 17A4 11F7 5E7E C2E7 08AA
http://flounder.net/publickey.html      |      38B0 05D0 8BF7 2C6D 110A
On Fri, Oct 26, 2001 at 12:57:55PM -0700, Adam McKenna wrote:
I think that Alex's point is that if you want to *really* have a secure network, you can't do it by sending out automated mails every time a stray packet hits your network. That's likely to cause way more annoyance than any good it could possibly do.
A much more effective way of proceeding would be to have a person looking at each and every incident, deciding whether it merits a notice to the offending network, and then sending a personal, non-threatening mail.
--Adam

--
Adam McKenna <adam@flounder.net>        | GPG: 17A4 11F7 5E7E C2E7 08AA
http://flounder.net/publickey.html      |      38B0 05D0 8BF7 2C6D 110A

Now I think that might be a bit much.. but you are right.. Sending out e-mails like this is rather annoying. Instead of reporting every little http request, maybe filter it so that only very suspicious ports are reported?

Not that they're here to hear advice, but it's the thought that counts.

--
Greg Poirier
System Administrator
EarthLink, Inc. Multi-Function Engineering
(404) 748-7106
Atlanta, GA
The problem with automated notifications to IDS alerts is that they are justified with faulty reasoning.

1. I get too many security alerts, and notifying the responsible parties takes too much of my time.
2. Most notifications are the same thing, only the addresses and timestamps are different.
3. I'll automate the notifications to save me time.
.... few days later ....
4. Damn! My inbox is overflowing with people responding to my automated notifications! It's taking too much time to answer them all.

He should have stopped at #1, first phrase: "I get too many security alerts." Well dude, configure your IDS properly. Not every spark grows to be a four alarm fire.
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Greg Poirier
Sent: Friday, October 26, 2001 1:23 PM
To: nanog@merit.edu
Subject: Re: EXAMPLE: ### xxx Canada detected a penetration attempt from 209.123.x.229. Incident# xxxx

On Fri, Oct 26, 2001 at 12:57:55PM -0700, Adam McKenna wrote:
I think that Alex's point is that if you want to *really* have a secure network, you can't do it by sending out automated mails every time a stray packet hits your network. That's likely to cause way more annoyance than any good it could possibly do.
A much more effective way of proceeding would be to have a person looking at each and every incident, deciding whether it merits a notice to the offending network, and then sending a personal, non-threatening mail.
--Adam
--
Adam McKenna <adam@flounder.net>        | GPG: 17A4 11F7 5E7E C2E7 08AA
http://flounder.net/publickey.html      |      38B0 05D0 8BF7 2C6D 110A

Now I think that might be a bit much.. but you are right.. Sending out e-mails like this is rather annoying. Instead of reporting every little http request, maybe filter it so that only very suspicious ports are reported?

Not that they're here to hear advice, but it's the thought that counts.

--
Greg Poirier
System Administrator
EarthLink, Inc. Multi-Function Engineering
(404) 748-7106
Atlanta, GA
On Fri, 26 Oct 2001, Mike Batchelor wrote:
:The problem with automated notifications to IDS alerts is that they are
:justified with faulty reasoning.
:
:He should have stopped at #1, first phrase: "I get too many security
:alerts." Well dude, configure your IDS properly. Not every spark grows to
:be a four alarm fire.

My advice regarding IDS's is that it is ridiculous to have an IDS do anything other than alert the human responsible for that sensor, as it is either ineffectual or dangerous to have any other automated system reliably act upon the information IDS's provide, in their current form. This includes strikeback, attacker notification, or any contingencies.

As an IDS collects security information, it should not have access to perform any action other than to store, and take steps to preserve the integrity of, that information. In any reasonable security policy where separation of duties is enforced, a sensor shouldn't be trusted to interpret the information it collects beyond the initial alert.

I think it's irresponsible of some of the home firewall vendors to incorporate this into their products, as I can just imagine a ddos mail attack, where you spoof a couple of packets from the network you want to damage, and thousands of idiot scripts send mail to the arin contact information.

This may sound irate, but seriously, I think handing users these tools with no explanation is half-assed. Though if they used a common XML alert format and could be sent to a single site for processing (a la aris.securityfocus), that might be a little more sensible. It doesn't make sense to equip users with an automated incident reporting tool with nobody to report to.

My 1.26904 cents after exchange.

--
batz
Reluctant Ninja
Defective Technologies
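The triage rules the thread converges on, put into code as an added example (not code from any poster): Valdis's test that a hit is only suspicious if the target is not actually serving that port, his and Greg's point that one stray http request should not generate mail, and batz's points that a sensor should only queue work for a human and that spoofed packets must not be able to trigger a notice. The host/port inventory, the addresses, the `Event` layout and the sample records are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One sensor record (constructed layout, not the IDS from the thread)."""
    src: str
    dst: str
    dport: int
    established: bool  # True only if the sensor saw the TCP handshake complete

# Constructed inventory of the ports each monitored host legitimately serves.
SERVED = {
    "192.0.2.254": {80, 443},  # public web server: an http hit here is a client
    "192.0.2.10": {123},       # NTP server
    "192.0.2.20": set(),       # no public services at all
}

def is_noise(ev, served=SERVED):
    """A connection to a port the host really serves is traffic, not a probe."""
    return ev.dport in served.get(ev.dst, set())

def triage(events, served=SERVED, min_hits=3):
    """Queue a source for a human analyst rather than mailing a remote abuse desk.
    A source needs min_hits completed connections to ports the targets do not
    serve. Half-open probes are listed for context but never counted: a spoofed
    source cannot complete a handshake, so forged packets cannot trigger a notice.
    """
    per_src = defaultdict(list)
    for ev in events:
        if not is_noise(ev, served):
            per_src[ev.src].append(ev)
    queue = {}
    for src, evs in per_src.items():
        confirmed = sum(1 for e in evs if e.established)
        if confirmed >= min_hits:
            queue[src] = {"confirmed": confirmed, "unconfirmed": len(evs) - confirmed,
                          "targets": sorted({(e.dst, e.dport) for e in evs})}
    return queue
# Constructed sample: an ordinary web visit, two stray SYNs that never completed
# (203.0.113.6), and one source that really walked several closed ports.
SAMPLE = [
    Event("203.0.113.5", "192.0.2.254", 80, True),
    Event("203.0.113.6", "192.0.2.20", 22, False),
    Event("203.0.113.6", "192.0.2.20", 23, False),
    Event("203.0.113.7", "192.0.2.20", 22, True),
    Event("203.0.113.7", "192.0.2.20", 139, True),
    Event("203.0.113.7", "192.0.2.10", 80, True),
    Event("203.0.113.7", "192.0.2.254", 8080, False),
]
```

Running `triage(SAMPLE)` queues only 203.0.113.7; the single http visit is dropped as noise and the two unconfirmed SYNs from 203.0.113.6 never reach the threshold, whatever `min_hits` is set to.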