I've been nudging an operator at Covad about a handful of hosts from his DHCP pool that have been attacking - relentlessly port scanning - our assets. I've been informed by this individual that there's "no way" to determine which customer had that address at the times I list in my logs - even though these logs are sent within 48 hours of the incidents. The operator advised that I block the specific IPs that are attacking us at my perimeter. When I mentioned the fact that blocking individual addresses will only be as effective as the length of lease for that DHCP pool I get the email equivalent of a shrug. "Well, maybe you want to ban our entire /15 at your perimeter..." I'm reluctant to ban over 65,000 hosts as my staff have colleagues all over the continental US with whom they communicate regularly.

I realize these are tough times and that large ISPs may trim abuse team budgets before other things, but to have NO MECHANISM to audit who has what address at any given time kinda blows my mind. Does one have to get to the level of a subpoena before abuse teams pull out the tools they need to make such a determination? Or am I naive enough to think port scans are as important to them as they are to me on the receiving end?

--
********************************************************************
Brett Charbeneau, GSEC Gold, GCIH Gold
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044        www.wrl.org
(757)259-4079 (fax)  brett@wrl.org
********************************************************************
I think your next step is your lawyer. Put all your missives, your email, your phone conversations, your logs, your auditing results, your detection troubleshooting and sleuthing trails etc. in a folder, create a one page summary including any damages you feel might have been caused (e.g. time, effort, and money spent on this so far) and a timeline, and make an appointment with your lawyer.

--Patrick Darden
On Wed, 11 Mar 2009, Darden, Patrick S. wrote:
I think your next step is your lawyer. Put all your missives, your email, your phone conversations, your logs, your auditing results, your detection troubleshooting and sleuthing trails etc. in a folder, create a one page summary including any damages you feel might have been caused (e.g. time, effort, and money spent on this so far) and a timeline, and make an appointment with your lawyer.
I wouldn't necessarily believe the response from Covad and try to escalate to someone with a bit more clue there...but what's the point in getting lawyers involved? Whatever access isn't supposed to be open should be filtered. Beyond that, you should expect regular scans from random hosts on the net. That's the way it's been for the past 20 or more years, and it's unlikely to stop just because you don't like it. What effect will your lawyers have next week when the 'abusive scans' are coming from Romania, China, Russia, etc.?

If port scans really bother you, then you should set up a system to detect them, and regularly rebuild ACLs/null route lists/etc. to stop them in near real time. AFAIK, Cisco sells such a product, as do other network vendors I'm sure.

----------------------------------------------------------------------
Jon Lewis                  | I route
Senior Network Engineer    | therefore you are
Atlantic Net               |
http://www.lewis.org/~jlewis/pgp for PGP public key
On 11-Mar-2009, at 10:03, Jon Lewis wrote:
but what's the point in getting lawyers involved?
It might convince some pointy-haired person at Covad to review the policies and procedures on the abuse desk, maybe.
Whatever access isn't supposed to be open should be filtered.
If you can demonstrate reasonable costs resulting from the behaviour of others, perhaps that's not relevant. Note that in the grand NANOG tradition I say these things without the faintest glimmer of knowledge of the law. Joe
On Wed, 11 Mar 2009 10:28:33 -0400 Joe Abley <jabley@hopcount.ca> wrote:
On 11-Mar-2009, at 10:03, Jon Lewis wrote:
but what's the point in getting lawyers involved?
It might convince some pointy-haired person at Covad to review the policies and procedures on the abuse desk, maybe.
Whatever access isn't supposed to be open should be filtered.
If you can demonstrate reasonable costs resulting from the behaviour of others, perhaps that's not relevant. Note that in the grand NANOG tradition I say these things without the faintest glimmer of knowledge of the law.
I had long discussions on this with a lawyer ~15 years ago. A "tort" can arise from failure to do something you have a duty to do. Do ISPs have a duty to filter against port scans? I've never seen consensus on that here -- quite the contrary, in many cases. Now -- the courts can rule that you do have a duty to filter, even if the industry does not do it. Do we really want to be there, where ISPs are liable for the actions of their users?

Of course, the attacker -- assuming that a scan is really an attack, which is itself a controversial question -- is liable. Is the OP really planning on filing suit?

Let me play devil's advocate: how does Covad know that there were really port scans? Perhaps the logs are fakes, designed to uncover the name of someone doing file-sharing or criticizing someone on a blog. Maybe the offended site is a front for the government of Freedonia, which is trying to track down and harass (or worse) expatriate dissidents. Note that courts have held that under the DMCA, at least, the RIAA et al. can't learn alleged infringers' names via mandatory process (i.e., a subpoena) until they have actually filed suit for infringement. And of course, if Covad has a privacy policy, they might be liable to a customer for improper disclosure of identifying information.

Don't neglect another possibility: the net result of a disclosure is likely to reveal that the scanning machine is really a bot, in which case the information is useless to the victim.

So -- be careful what you wish for; you might get it.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Jon Lewis wrote:
If port scans really bother you, then you should setup a system to detect them, and regularly rebuild ACLs/null route lists/etc. to stop them in near real time. AFAIK, Cisco sells such a product, as do other network vendors I'm sure.
It is pretty easy to do this with pf running on OpenBSD (et al). You can even set a timeout so that additions to a banned list get removed after x {hours,days,weeks}:

    # persistent table of offending sources (seeded with a placeholder entry)
    table <evil> persist {0.0.0.0}
    # drop and log anything arriving from a listed source
    block in log quick from <evil> to any label "evil"
    # a source opening more than 5 connections in 15 seconds to these ports
    # is added to <evil> and all of its existing states are flushed
    pass in quick proto {tcp,udp} from any to any port 1024:65000 \
        synproxy state \
        (max-src-conn-rate 5/15, overload <evil> flush global)

Pick a port range and/or IP address range combo that you don't have anything running on for the rule, then as scans take place the offending IP will be added to the evil table and blocked. OK, there are some additional details for expiring the evil IPs, and of course your own network details. But this has worked quite well for me, and I love checking the evil table from time to time to see who's been naughty. My best guess is other firewalls can do something similar.

... alec

--
Alec Berry
Senior Partner and Director of Technology
PGP/GPG key 0xE8E9030F
http://alec.restontech.com/#PGP
RestonTech, Ltd.
http://www.restontech.com/
Phone: (703) 234-2914
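The same detect, block and expire loop in plain Python, as an added example that is not code from Alec's post or from pf: it replays constructed firewall log lines, lists a source once it hits 5 distinct destination ports inside 15 seconds (the max-src-conn-rate 5/15 above) and drops it from the block table after an assumed idle timeout, the step that pfctl -t evil -T expire does on a live box. The log line format is an assumption.

```python
"""Scan-rate detector with an expiring block table (added example).

Mirrors the pf idea: max-src-conn-rate 5/15 -> overload <evil>, with
entries aged out later.  Runs offline over constructed log lines.
"""
import re
from collections import defaultdict, deque

# Constructed sample lines: epoch seconds, then a pf-style 'block in' record.
# The exact format depends on the firewall and on how its log is exported.
SAMPLE_LOG = """\
1236780000 block in on em0: 192.0.2.10:51000 -> 198.51.100.5:22
1236780002 block in on em0: 192.0.2.10:51001 -> 198.51.100.5:23
1236780004 block in on em0: 192.0.2.10:51002 -> 198.51.100.5:25
1236780005 block in on em0: 203.0.113.7:40000 -> 198.51.100.5:80
1236780006 block in on em0: 192.0.2.10:51003 -> 198.51.100.5:110
1236780008 block in on em0: 192.0.2.10:51004 -> 198.51.100.5:143
1236780009 block in on em0: 192.0.2.10:51005 -> 198.51.100.5:443
1236780300 block in on em0: 203.0.113.7:40001 -> 198.51.100.5:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) block in on \S+: (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)


class ScanBlocker:
    """Block a source once it touches `rate` distinct destination ports
    within `window` seconds; unblock it after `ttl` seconds of silence."""

    def __init__(self, rate=5, window=15, ttl=3600):
        self.rate, self.window, self.ttl = rate, window, ttl
        self.hits = defaultdict(deque)   # src -> deque of (ts, dport)
        self.blocked = {}                # src -> ts of last activity seen

    def expire(self, now):
        """The 'pfctl -T expire' step: forget sources idle longer than ttl."""
        for src, last in list(self.blocked.items()):
            if now - last > self.ttl:
                del self.blocked[src]

    def feed(self, line):
        """Consume one log line; return the source if it is (now) blocked."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        ts, src, dport = int(m["ts"]), m["src"], int(m["dport"])
        self.expire(ts)
        if src in self.blocked:
            self.blocked[src] = ts       # still active: keep the entry fresh
            return src
        q = self.hits[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > self.window:
            q.popleft()                  # slide the window forward
        if len({p for _, p in q}) >= self.rate:
            self.blocked[src] = ts       # overload <evil>
            q.clear()
            return src
        return None


def run(log_text, **kw):
    """Replay a log; return (sources blocked in order, final blocker state)."""
    blocker = ScanBlocker(**kw)
    order = []
    for line in log_text.splitlines():
        src = blocker.feed(line)
        if src and src not in order:
            order.append(src)
    return order, blocker
```

With the default one-hour ttl 192.0.2.10 is still listed at the end of the replay; with a short ttl the 300-second gap before the last line ages it out.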
On Wed, Mar 11, 2009 at 12:57 PM, Alec Berry <alec.berry@restontech.com> wrote:
block in log quick from <evil> to any label "evil"
RFC 3514? :-) -- Jeremy L. Gaddis http://evilrouters.net/
Jeremy L. Gaddis wrote:
RFC 3514? :-)
Ah, but if it was just that easy... The choice of "evil" for a table name was not random, of course! I do appreciate that the pf syntax makes for such entertaining configuration snippets. I have yet to pen a functional haiku, however.

... alec

--
Alec Berry
Senior Partner and Director of Technology
PGP/GPG key 0xE8E9030F
http://alec.restontech.com/#PGP
RestonTech, Ltd.
http://www.restontech.com/
Phone: (703) 234-2914
Brett Charbeneau wrote:
I've been nudging an operator at Covad about a handful of hosts from his DHCP pool that have been attacking - relentlessly port scanning - our assets.
Port scanning is rather common, and shouldn't be considered "attacking" -- unless it's taking a significant amount of bandwidth. The latter is a Denial of Service (DoS) attack, and should be reported as such. I understand that a library might have limited bandwidth. Often port scanning is followed by an actual attack, ssh attempts, etc. That's what should be reported.
... I've been informed by this individual that there's "no way" to determine which customer had that address at the times I list in my logs - even though these logs are sent within 48 hours of the incidents.
Now that's just odd, and probably the "operator" at Covad simply doesn't have access to the logs. DHCP should be logged. In my experience, the usual practice is to keep the logs for 3 days, or until the log files roll over.
Does one have to get to the level of a subpoena before abuse teams pull out the tools they need to make such a determination? Or am I naive enough to think port scans are as important to them as they are to me on the receiving end?
While I applaud your taking security seriously, and your active monitoring of your resources, other folks might be handling huge numbers of Conficker, Mebroot, and Torpig infections these days. So, they might be rather busy. Are your library systems all clean? You don't seem to have your own ARIN allocation for wrl.org, so it's kinda hard to tell from here....

AS   | IP            | AS Name
4565 | 66.200.204.71 | MEGAPATH2-US - MegaPath Networks Inc.
On Wed, 11 Mar 2009, William Allen Simpson wrote:

WAS> While I applaud your taking security seriously, and your active monitoring
WAS> of your resources, other folks might be handling huge numbers of Conficker,
WAS> Mebroot, and Torpig infections these days. So, they might be rather busy.

Excellent point. And with dwindling staff levels outgoing worm traffic may be super low priority for them. I know every operation is different - I just wanted to check with the group before cranking up my level of indignation. =8^)

WAS> Are your library systems all clean?

I believe them to be. I have a Snort-based network intrusion detection system (using sguil) running with eight taps - and we subscribe to the Snort VRT rules. That's on top of host-based intrusion detection (OSSEC) on all of our servers and critical workstations. And centrally-managed anti-virus (Kaspersky) on all desktops.

WAS> You don't seem to have your own ARIN allocation for wrl.org, so it's kinda
WAS> hard to tell from here....
WAS>
WAS> AS   | IP            | AS Name
WAS> 4565 | 66.200.204.71 | MEGAPATH2-US - MegaPath Networks Inc.

Yes - while we handle our own DNS our ISP prefers to mask our ARIN entry for (their) ease of management. I try to be the anti-salmon with this and go WITH the flow...

--
********************************************************************
Brett Charbeneau, GSEC Gold, GCIH Gold
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044        www.wrl.org
(757)259-4079 (fax)  brett@wrl.org
********************************************************************
On Wed, Mar 11, 2009 at 10:55:43AM -0400, Brett Charbeneau wrote:
On Wed, 11 Mar 2009, William Allen Simpson wrote:
WAS> While I applaud your taking security seriously, and your active monitoring
WAS> of your resources, other folks might be handling huge numbers of Conficker,
WAS> Mebroot, and Torpig infections these days. So, they might be rather busy.
Excellent point. And with dwindling staff levels outgoing worm traffic may be super low priority for them. I know every operation is different - I just wanted to check with the group before cranking up my level of indignation. =8^)
WAS> Are your library systems all clean?
I believe them to be. I have a Snort-based network intrusion detection system (using sguil) running with eight taps - and we subscribe to the Snort VRT rules. That's on top of host-based intrusion detection (OSSEC) on all of our servers and critical workstations. And centrally-managed anti-virus (Kaspersky) on all desktops.
WAS> You don't seem to have your own ARIN allocation for wrl.org, so it's kinda
WAS> hard to tell from here....
WAS>
WAS> AS   | IP            | AS Name
WAS> 4565 | 66.200.204.71 | MEGAPATH2-US - MegaPath Networks Inc.
Yes - while we handle our own DNS our ISP prefers to mask our ARIN entry for (their) ease of management. I try to be the anti-salmon with this and go WITH the flow...
A quick scan of the reverse mapping for your address space in DNS reveals that you have basically your entire network on public addresses. No wonder you're worried about portscans when the printer down the hall and the receptionist's machine are sitting on public addresses. I think you are trying to secure your network from the wrong end here.

Marcus
On 11 Mar 2009, at 11:53, Marcus Reid wrote:
A quick scan of the reverse mapping for your address space in DNS reveals that you have basically your entire network on public addresses.
It's indeed nice to see people deploying networks the way they were supposed to be built, for once. Nice troll, though. It has been at least a few weeks since the last "security = NAT" thread exploded in my inbox.

Joe
On Wed, 11 Mar 2009, Marcus Reid wrote:

MR> A quick scan of the reverse mapping for your address space in DNS reveals
MR> that you have basically your entire network on public addresses. No wonder
MR> you're worried about portscans when the printer down the hall and the
MR> receptionist's machine are sitting on public addresses. I think you are
MR> trying to secure your network from the wrong end here.

I apologize to the list for the static - I'm not sure how a question about log retention morphed into a misinformed critique of my organization's security posture.

--
********************************************************************
Brett Charbeneau, GSEC Gold, GCIH Gold
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044        www.wrl.org
(757)259-4079 (fax)  brett@wrl.org
********************************************************************
A quick scan of the reverse mapping for your address space in DNS reveals that you have basically your entire network on public addresses. No wonder you're worried about portscans when the printer down the hall and the receptionist's machine are sitting on public addresses. I think you are trying to secure your network from the wrong end here.
Your idea of "security" is strange and unrealistic.

Putting all of your network behind NAT is not a guarantee of security. IPv4 is slowly grinding to a close. NAT has been an aid to reduce the requirement for routable IP space at many sites, but it has never been required to stick your entire network behind NAT. Anyone capable of justifying the IP space and acquiring it from an upstream ISP is able to put all their IP-enabled gizmos, no matter even if it's just a bunch of printers, scanners, UPS's, and other random IP-capable gear, on the public Internet. It should not be the operator community's job to be the arbiter of what devices are worthy of public IP space.

And take that and think about it, because IPv6 is coming. This will encourage the deployment of networks that connect every IP-capable device in reach. This implies many things. It is clear that we've not done a real good job of designing IPv4 devices with sufficient layers of security to be able to stick random devices on the Internet without a firewall and some contemplation of rules, something I hope changes between now and IPv6 widespread deployment.

The question shouldn't be about whether this gentleman is securing his network from the wrong end. In our neighbourhood, we don't have a high crime rate. Despite that, if we saw someone walking from house to house, trying doorknobs, we'd call the cops. The fact that everyone has locks on their doors does not make it all right for someone to go around from house to house to see if they're all locked. In that same fashion, there's no particular reason to expect that the gentleman who started this thread hasn't already provided some layers of protection for his network. Trying to address the attacker is a sane and reasonable next step.

We have some real and difficult questions to address in terms of how much do we want to do in response to such complaints.
There are a lot of potential impacts on operators for dealing with abuse complaints, but we should be aware that this issue isn't going to go away, that blaming the target site's security rather than the attacker is simply wrong, that we're going to see even more devices attached under IPv6, and that if we don't want legislative solutions handed to us to implement, I would expect that it's a better idea to stop people from doing things from your network that cause others to squawk (and obviously I'm talking about Covad and the Covad-emitted traffic here).

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Joe Greco wrote:
A quick scan of the reverse mapping for your address space in DNS reveals that you have basically your entire network on public addresses. No wonder you're worried about portscans when the printer down the hall and the receptionist's machine are sitting on public addresses. I think you are trying to secure your network from the wrong end here.
Your idea of "security" is strange and unrealistic.
Putting all of your network behind NAT is not a guarantee of security.
Amen. Our NOC's workstations all use public IP addresses that are routed through a firewall. The firewall applies appropriate policies that would be functionally no different from applying the same policies to NAT'd hosts. In our environment, we'd gain absolutely nothing from a security perspective by enabling NAT. But it does help ensure that poorly designed applications don't require proxies to support them through NAT (SIP, FTP etc). And we'll never have problems with a partner VPN conflicting with our internal IP space.

Mike
On Wed, 11 Mar 2009, Joe Greco wrote:
In our neighbourhood, we don't have a high crime rate. Despite that, if we saw someone walking from house to house, trying doorknobs, we'd call the cops. The fact that everyone has locks on their doors does not make it all right for someone to go around from house to house to see if they're all locked.
However, it's not illegal, AFAIK. It's only illegal if you enter. Either that, or I'm gonna go prosecute some Girl Scouts.

More relatedly, is there some sort of obligation with IPv6 to move all of your NAT'ed hosts away from NAT? Just because you can doesn't make it a good idea. I agree, NAT != security, but it does give one a single point to manage those hosts behind it.

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
On Wed, 11 Mar 2009, Joe Greco wrote:
In our neighbourhood, we don't have a high crime rate. Despite that, if we saw someone walking from house to house, trying doorknobs, we'd call the cops. The fact that everyone has locks on their doors does not make it all right for someone to go around from house to house to see if they're all locked.
However, it's not illegal, AFAIK. It's only illegal if you enter. Either that, or I'm gonna go prosecute some Girl Scouts.
It may not be technically illegal, but I'd bet hard cash that our local cops would find a way to put you in cuffs and haul you in. Girl Scouts are probably going to be treated a bit different than random adults who have no reasonable explanation to be trying the knobs. Girl Scouts could possibly be excused as not knowing any better.
More relatedly, is there some sort of obligation with IPv6 to move all of your NAT'ed hosts away from NAT?
No. There's also no obligation with a loaded shotgun to not point it at your foot. You can do it, you can pull the trigger. NAT has many drawbacks, especially including a whole bunch of shortcomings where workarounds are required for various protocols due to our insistence on inflicting the brokenness of NAT on the world. These are all well documented. http://www.circleid.com/posts/nat_just_say_no/ etc.
Just because you can doesn't make it a good idea. I agree, NAT != security, but it does give one a single point to manage those hosts behind it.
So's a firewall. Nobody is suggesting that we throw out the baby with the bathwater. But the bathwater's old and stinky, and is a severe impediment to growth at this point.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
On Wed, Mar 11, 2009 at 6:27 PM, Peter Beckman <beckman@angryox.com> wrote:
On Wed, 11 Mar 2009, Joe Greco wrote:
In our neighbourhood, we don't have a high crime rate. Despite that, if we saw someone walking from house to house, trying doorknobs, we'd call the cops. The fact that everyone has locks on their doors does not make it all right for someone to go around from house to house to see if they're all locked.
However, it's not illegal, AFAIK. It's only illegal if you enter. Either that, or I'm gonna go prosecute some Girl Scouts.
Actually, in most jurisdictions trying strangers' doorknobs is probably misdemeanor disorderly conduct, typically punishable by fines of a few hundred dollars and jail for a few months. More often than not used as a threat: "Sir, you need to leave the neighborhood or you'll be arrested and charged with disorderly conduct." That's what "disorderly conduct" is for: folks who are obviously doing something they ought not be doing but for which an explicit law has not been written.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
On Wed, 11 Mar 2009 07:53:01 -0800, Marcus Reid said:
A quick scan of the reverse mapping for your address space in DNS reveals that you have basically your entire network on public addresses. No wonder you're worried about portscans when the printer down the hall and the receptionist's machine are sitting on public addresses. I think you are trying to secure your network from the wrong end here.
You *do* realize that "has a public address" does not actually mean that the machine is reachable from random addresses, right? There *are* these nice utilities called iptables and ipf - even Windows and Macs can be configured to say "bugger off" to unwanted traffic. And you can put a firewall appliance inline without using NAT as well.
Valdis.Kletnieks@vt.edu wrote:
You *do* realize that "has a public address" does not actually mean that the machine is reachable from random addresses, right? There *are* these nice utilities called iptables and ipf - even Windows and Macs can be configured to say "bugger off" to unwanted traffic. And you can put a firewall appliance inline without using NAT as well.
The other big benefit to using real public IPs is abuse related. There's a scenario we encounter on a semi-regular basis where we forward a report of an apparently infected host to a customer who responds back: "How can I tell which one of our hosts is infected? We've got 200 workstations inside our NAT and this abuse report only has our single public address." So I recommend a packet sniffer inside their LAN or accounting on their firewall. But sometimes the source is a salesperson's laptop, and they've gone on a business trip. So no new reports come in and everyone decides it must have been a false alarm. Now imagine that salesperson only stops back in the office once a month, at random undocumented intervals to make backups. How do we ever track him down? The abuse report cycle just doesn't turn around fast enough - often we don't even get reports for a day or two.

So I find myself advising customers in this situation to give every user a public IP. Even if they still do 1:1 NAT, the problem is mostly resolved provided they faithfully document MAC addresses and keep DHCP logs for a suitable length of time.

Mike
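What "DHCP should be logged" (William's point above) and "keep DHCP logs for a suitable length of time" (Mike's) buy you in practice is the ability to answer an abuse report's "who had 192.0.2.10 at 09:00?" question. This added example, not code from anyone in the thread, does that lookup over constructed ISC dhcpd syslog lines; the lease length, the log year and the line format are assumptions, and it handles the two edge cases that trip people up: a DHCPRELEASE before the report time, and a lease that ran out with no renewal logged.

```python
"""Answer "which client held address X at time T?" from DHCP server logs.

Added example.  Parses ISC dhcpd-style syslog lines (DHCPACK / DHCPRELEASE)
on constructed samples; lease length and log year are caller assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (syslog timestamps carry no year).
SAMPLE_LOG = """\
Mar 10 08:15:02 dhcp1 dhcpd: DHCPACK on 192.0.2.10 to 00:11:22:33:44:55 (laptop-a) via eth0
Mar 10 08:20:11 dhcp1 dhcpd: DHCPACK on 192.0.2.11 to 00:11:22:33:44:66 via eth0
Mar 10 11:40:00 dhcp1 dhcpd: DHCPRELEASE of 192.0.2.10 from 00:11:22:33:44:55 (laptop-a) via eth0 (found)
Mar 10 12:05:45 dhcp1 dhcpd: DHCPACK on 192.0.2.10 to 00:11:22:33:44:77 (desk-b) via eth0
Mar 10 12:30:01 dhcp1 dhcpd: DHCPREQUEST for 192.0.2.10 from 00:11:22:33:44:77 via eth0
"""

# Only ACK and RELEASE change who holds an address; DISCOVER/OFFER/REQUEST do not.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: "
    r"DHCP(?P<kind>ACK on|RELEASE of) (?P<ip>[\d.]+) (?:to|from) (?P<mac>[0-9a-f:]{17})"
)


def parse_events(log_text, year):
    """Return [(datetime, ip, mac, 'ack'|'release')] in log order.

    `year` is supplied by the caller because syslog omits it; a log that
    crosses New Year needs splitting before calling this."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        kind = "ack" if m["kind"].startswith("ACK") else "release"
        events.append((ts, m["ip"], m["mac"], kind))
    return events


def holder_at(events, ip, when, lease_seconds):
    """Return the MAC that held `ip` at `when` ('YYYY-MM-DD HH:MM:SS'), or None.

    The last DHCPACK at or before `when` wins, unless a DHCPRELEASE from that
    client followed it, or the lease would already have expired with no
    renewal (no newer ACK) in the log."""
    when = datetime.fromisoformat(when)
    holder, since = None, None
    for ts, ev_ip, mac, kind in events:
        if ev_ip != ip or ts > when:
            continue
        if kind == "ack":
            holder, since = mac, ts              # new or renewed lease
        elif kind == "release" and mac == holder:
            holder, since = None, None           # client gave the address back
    if holder and when - since > timedelta(seconds=lease_seconds):
        return None                              # lease ran out, nobody renewed
    return holder
```

Because the answer depends on the ACK that preceded the report time, the log window you retain has to reach back at least one full lease length before the earliest report you expect to act on.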
William Allen Simpson wrote:
Port scanning is rather common, and shouldn't be considered "attacking" -- unless it's taking a significant amount of bandwidth.
Attempting to gain unauthorised access to a computing system is a crime in most countries. Port scanning is a tool used to gain unauthorised access. (Yes, port scanning can be used for other things, but it's difficult to argue for those when scanning someone else's machines.) A telecommunications carrier releasing a customer's details without their permission, to a non-investigatory third party, without a court order. Hmmm. It's certainly illegal here in Australia. And last I checked wasn't the US firm Hewlett Packard in trouble for hiring people to do just that? So your basic problem is that you have a law enforcement problem, and the law enforcers don't give this priority. Which leads to one of those vicious circle thingies, where the ISPs don't give a stuff about their customers running scans, since they aren't seeing any hassle from Mr Plod, those customers aren't seeing any consequences, and so the amount of scanning increases, to the extent where people believe it is normal and acceptable. Why not contact the FBI. Not because it will help. But because if even 1% of the libraries in the country do that then the FBI will take the path of least resistance, which is to hassle ISPs with enough warrants until the ISPs find it economic to clean up their act, at least with regard to their own customers. -- Glen Turner <http://www.gdt.id.au/~gdt/>
On Thu, 12 Mar 2009, Glen Turner wrote:
William Allen Simpson wrote:
A telecommunications carrier releasing a customer's details without their permission, to a non-investigatory third party, without a court order. Hmmm. It's certainly illegal here in Australia. And last I checked wasn't the US firm Hewlett Packard in trouble for hiring people to do just that?
<!-- rambling One of the funniest things I see with these arguments (dishing out info to someone else) is what I perceive to be a sort of chain-mail like trickle effect where no matter what anyone says, don't trust them. "We never give out information" sayeth the forms on many a vendor. This does not mean if that company is bought out the purchaser won't dish out your information. So then who do you see?
So your basic problem is that you have a law enforcement problem, and the law enforcers don't give this priority. Which leads to one of those vicious circle thingies, where the ISPs don't give a stuff about their customers running scans, since they aren't seeing any hassle from Mr Plod, those customers aren't seeing any consequences, and so the amount of scanning increases, to the extent where people believe it is normal and acceptable.
Why should it be given priority? There is only so much a provider can do. I'm with you when you state providers can do more but guess what? So can vendors of operating systems. Should we point the finger back at Microsoft for making things as simple as possible for the average non-technical user? Maybe petition them to close all ports by default and allow its users to open up what they need when they need it? How long before their userbase drops? Grandma: "Say who, what? What's a netbios? Port? 137? Huh? Darling, I just want to print and send pictures... Oh darn forget it!"
Why not contact the FBI. Not because it will help. But because if even 1% of the libraries in the country do that then the FBI will take the path of least resistance, which is to hassle ISPs with enough warrants until the ISPs find it economic to clean up their act, at least with regard to their own customers.
If 1% of the cases of port scanning were even taken seriously, I'd be pretty pissed my tax money is going down the toilet - I mean it's bad enough my economy is tanking, no need to add to it.

With this said, re-take on another analogy I've done on this before... Acme Superlocks states certain versions of their locks may be picked. I know this because for one, not only did I receive the e-mail from them, the news is showing that many owners of Acme Superlocks have had their homes and businesses broken into. As an owner of Acme Superlocks seeing the newsflashes, getting the emails, I decide to continue using the locks. My home is intruded. Whose fault is it, Acme Superlocks or was I the idiot for not taking a second to fix my lock. After all the company did some form of "due diligence" in explaining that 1) their lock is fubar'd 2) they did send me the email 3) I did see the news 4) I'm not crippled - but competent enough to "Google" "Acme Superlock". Who's to blame?

Now take this a step further, if I were about to do an insurance claim, do you think my insurance company would cover my claim after (at this point) I neglected to act on my own behalf. Claims Adjuster: "We see you did receive the warnings" Me: "My bad. Sure I knew they were vulnerable..." When you get down to the nitty-gritty, it was my own negligence that caused this at the end of the day. We can say for those instances where I was the first person "hit up" that I was just unlucky, but at what point in time should I stop shifting blame to my provider or say Microsoft. I already *know* it's not my provider's role to protect me. I already *know* Microsoft "can be" an insecure operating system. So here I am not doing anything about it, yet shifting the blame when compromised.

rambling -->

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your conclusions." - Arthur Bloch
"A conclusion is the place where you got tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
J. Oquendo wrote:
On Thu, 12 Mar 2009, Glen Turner wrote:
William Allen Simpson wrote:
A telecommunications carrier releasing a customer's details without their permission, to a non-investigatory third party, without a court order. Hmmm. It's certainly illegal here in Australia. And last I checked wasn't the US firm Hewlett Packard in trouble for hiring people to do just that?
Hey, bad quotation! I'm not from Australia. That's not my writing. Nor did I ever advocate releasing a customer's details -- to anybody. :-( I also disagree with your point about responsibilities of ISPs. Yes, it's true that Microsoft externalized its costs upon its customers. But only the ISPs are in a position to detect the abuse, and that's part of the business. Some of us take network security seriously.
Covad telling you they don't keep logs is different from them not really having the logs... but, if they really don't keep logs, they are posing a risk that FBI or DHS might not be happy with. The feds will probably be more persuasive than you, so maybe hinting them about this situation may change something for the better.

Rubens

On Wed, Mar 11, 2009 at 10:34 AM, Brett Charbeneau <brett@wrl.org> wrote:
I've been nudging an operator at Covad about a handful of hosts from his DHCP pool that have been attacking - relentlessly port scanning - our assets. I've been informed by this individual that there's "no way" to determine which customer had that address at the times I list in my logs - even though these logs are sent within 48 hours of the incidents. The operator advised that I block the specific IP's that are attacking us at my perimeter. When I mentioned the fact that blocking individual addresses will only be as effective as the length of lease for that DHCP pool I get the email equivalent of a shrug. "Well, maybe you want to ban our entire /15 at your perimeter..." I'm reluctant to ban over 65,000 hosts as my staff have colleagues all over the continental US with whom they communicate regularly. I realize these are tough times and that large ISP's may trim abuse team budgets before other things, but to have NO MECHANISM to audit who has what address at any given time kinda blows my mind. Does one have to get to the level of a subpoena before abuse teams pull out the tools they need to make such a determination? Or am I naive enough to think port scans are as important to them as they are to me on the receiving end?
On Wed, 11 Mar 2009 12:42:40 -0300 Rubens Kuhl <rubensk@gmail.com> wrote:
Covad telling you they don't keep logs is different from them not really having the logs... but, if they really don't keep logs, they are posing a risk that FBI or DHS might not be happy with. The feds will probably be more persuasive than you, so maybe hinting them about this situation may change something for the better.
There is no US legal requirement for keeping logs. The FBI et al. may want you to, and there is a bill before Congress to mandate retention (and that has been discussed on NANOG -- look for the Subject: 'Legislation and its effects in our world', or you can find the text itself at http://thomas.loc.gov/cgi-bin/query/z?c111:H.R.1076:) but there is no legal obligation to keep DHS happy. --Steve Bellovin, http://www.cs.columbia.edu/~smb
How did a simple thread about network scanning get so derailed....we have people talking about the legal implications of port scanning, hiring lawyers to go after ISPs, talking to the fbi, the benefits/downfalls of NAT as a security policy, etc. Wow just wow.

I'll try to answer you in a more common sense approach as some have tried to do. First of all no network operator has to hand over their logs or user information to you just because you want to know. You can ask their abuse department to intervene but that is all up to that department. They may have told you they don't have them just because they didn't want you pestering them anymore or they may really not have them, who knows. Don't try to judge them but try to fix this very minute problem in a way you can control.

The ways you can control this are simple.

1) Block all of covad (not very smart)
2) Block all of covad except for essential ports (25,80,443 or whatever other common ports they may need)
3) Set up a perimeter protection that blocks hosts that are scanning you and removes them after a determined amount of time

This trying to shun people in public because they aren't following your guide to network administration probably isn't going to work very well for you. If 65000 covad addresses were ddosing you then I would agree that you have a legitimate gripe but focus on what you can control and not what you believe others should be doing.

-- Ross ross [at] dillio.net
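The third option in the reply above, a perimeter control that blocks a host while it is scanning and then lets the block lapse, is the one the original poster can implement without any cooperation from the ISP. What follows is an added example, not code from the thread or from any of its posters. It assumes rsyslog-style ISO timestamps in front of iptables LOG records, hypothetical addresses, a threshold of five distinct destination ports from one source inside sixty seconds, and a two-hour block TTL; all of those are assumptions. The TTL is what keeps a block from outliving the DHCP lease it was aimed at, which is the lease-length caveat raised earlier in the thread.

```python
"""Added example: detect port scans in firewall drop logs and block the
source for a bounded time. Not from the NANOG thread; the log format,
addresses and thresholds below are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# rsyslog ISO timestamp, host name, then an iptables LOG record (assumed).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=[\d.]+ .*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)

# Constructed sample: 10.1.2.3 walks several ports inside a minute;
# 192.0.2.9 retries a single port, which is not a scan and must stay open.
SAMPLE_LOG = """\
2009-03-11T09:00:01 fw kernel: [PERIM-DROP] IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=44100 DPT=21 WINDOW=5840 SYN
2009-03-11T09:00:03 fw kernel: [PERIM-DROP] IN=eth0 OUT= SRC=192.0.2.9 DST=192.0.2.10 LEN=60 TTL=48 ID=2 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=5840 SYN
2009-03-11T09:00:05 fw kernel: [PERIM-DROP] IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 LEN=60 TTL=52 ID=3 DF PROTO=TCP SPT=44101 DPT=22 WINDOW=5840 SYN
2009-03-11T09:00:09 fw kernel: [PERIM-DROP] IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 LEN=60 TTL=52 ID=4 DF PROTO=TCP SPT=44102 DPT=23 WINDOW=5840 SYN
2009-03-11T09:00:12 fw kernel: [PERIM-DROP] IN=eth0 OUT= SRC=192.0.2.9 DST=192.0.2.10 LEN=60 TTL=48 ID=5 DF PROTO=TCP SPT=51001 DPT=25 WINDOW=5840 SYN
2009-03-11T09:00:14 fw kernel: [PERIM-DROP] IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 LEN=60 TTL=52 ID=6 DF PROTO=TCP SPT=44103 DPT=80 WINDOW=5840 SYN
2009-03-11T09:00:20 fw kernel: [PERIM-DROP] IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 LEN=60 TTL=52 ID=7 DF PROTO=TCP SPT=44104 DPT=135 WINDOW=5840 SYN
2009-03-11T09:00:25 fw kernel: [PERIM-DROP] IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 LEN=60 TTL=52 ID=8 DF PROTO=TCP SPT=44105 DPT=445 WINDOW=5840 SYN
2009-03-11T09:00:40 fw kernel: [PERIM-DROP] IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 LEN=60 TTL=52 ID=9 DF PROTO=TCP SPT=44106 DPT=3389 WINDOW=5840 SYN
"""


def parse_log(lines):
    """Yield (timestamp, source, destination port) for each matching line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])


class ScanBlocker:
    def __init__(self, distinct_ports=5, window_s=60, block_ttl_s=7200):
        self.distinct_ports = distinct_ports
        self.window = timedelta(seconds=window_s)
        self.block_ttl = timedelta(seconds=block_ttl_s)
        self.hits = defaultdict(list)  # src -> [(ts, dpt)] inside the window
        self.blocked = {}              # src -> time the block expires

    def expire(self, now):
        """Forget blocks whose TTL has passed, so an address that has since
        been re-leased to someone else is not punished for its old holder."""
        for src, until in list(self.blocked.items()):
            if until <= now:
                del self.blocked[src]

    def is_blocked(self, src, now):
        self.expire(now)
        return src in self.blocked

    def observe(self, now, src, dpt):
        """Record one dropped packet; return True if it triggers a new block."""
        if self.is_blocked(src, now):
            return False
        recent = [(t, p) for t, p in self.hits[src] if now - t <= self.window]
        recent.append((now, dpt))
        self.hits[src] = recent
        if len({p for _, p in recent}) >= self.distinct_ports:
            self.blocked[src] = now + self.block_ttl
            del self.hits[src]
            return True
        return False


def run(lines, **kw):
    """Replay log lines; return the blocker and each (ISO time, src) decision."""
    blocker = ScanBlocker(**kw)
    decisions = []
    for ts, src, dpt in parse_log(lines):
        if blocker.observe(ts, src, dpt):
            decisions.append((ts.isoformat(), src))
    return blocker, decisions


def blocked_at(blocker, iso_ts):
    """Sorted list of sources still blocked at the given ISO timestamp."""
    now = datetime.fromisoformat(iso_ts)
    blocker.expire(now)
    return sorted(blocker.blocked)


if __name__ == "__main__":
    blocker, decisions = run(SAMPLE_LOG.splitlines())
    for when, src in decisions:
        print(f"{when} block {src} until {blocker.blocked[src].isoformat()}")
    print("still blocked two hours later:",
          blocked_at(blocker, "2009-03-11T11:00:20"))
```

On a real perimeter the decisions list would feed an ipset or firewall rule that carries its own timeout; the point of the example is that the expiry is part of the rule from the start, so the block tracks the scanning host rather than whatever address it held last week.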
On Mar 12, 2009, at 12:25 AM, Ross wrote:
How did a simple thread about network scanning get so derailed....we have people talking about the legal implications of port scanning, hiring lawyers to go after ISPs, talking to the fbi, the benefits/downfalls of NAT as a security policy, etc. Wow just wow.
it's nanog, you expect something different? :)
Ross wrote:
I'll try to answer you in a more common sense approach as some have tried to do. First of all no network operator has to hand over their logs or user information over to you just because you want to know.
There seems to be a big misconception that he asked them to "hand over" the info. As I read the OP, he asked Comcast to do something about it and Comcast said "we can't do anything about it because we don't have logs". Here's a quote from the OP:
I've been nudging an operator at Covad about a handful of hosts from his DHCP pool that have been attacking - relentlessly port scanning - our assets. I've been informed by this individual that there's "no way" to determine which customer had that address at the times I list in my logs - even though these logs are sent within 48 hours of the incidents.
IMHO, that's a bunch of BS from whoever he's talking with at Comcast. In the normal course of business they would have logs of which customer had that IP just 48 hours earlier. They *can* do something about their customer. And they *should* do something about their customer who is causing problems on another network, the same as if that customer was spewing spam, or actually attacking (DDoS etc.) another network.

So the question circles back around to how does the OP get Comcast to step up, internally identify and take care of their problem customer? What path should he take to get connected with someone who has more clue about this type of problem so that they can address it in a timely fashion?

Has it come to needing to get a lawyer to write a strongly worded letter just to get this type of thing done today?

jc
JC Dill wrote (on Thu, Mar 12, 2009 at 09:02:25AM -0700):
Ross wrote:
There seems to be a big misconception that he asked them to "hand over" the info. As I read the OP, he asked Comcast to do something about it and Comcast said "we can't do anything about it because we don't have logs". Here's a quote from the OP:
I've been nudging an operator at Covad about a handful of hosts from his DHCP pool that have been attacking - relentlessly port scanning - our assets. I've been informed by this individual that there's "no way" to determine which customer had that address at the times I list in my logs - even though these logs are sent within 48 hours of the incidents.
IMHO, that's a bunch of BS from whoever he's talking with at Comcast. In the normal course of business they would have logs of which customer had that IP just 48 hours earlier. They *can* do something about their customer. And they *should* do something about their customer who is causing problems on another network, the same as if that customer was spewing spam, or actually attacking (DDoS etc.) another network.
So the question circles back around to how does the OP get Comcast to step up, internally identify and take care of their problem customer? What path should he take to get connected with someone who has more clue about this type of problem so that they can address it in a timely fashion?
Has it come to needing to get a lawyer to write a strongly worded letter just to get this type of thing done today?
jc
[Disclaimer - I am a lawyer, and I write strongly worded letters to pay my bills.] Not to disagree with any of your points, but the OP (which you quoted!) was talking about Covad, while you're bashing Comcast. -- _________________________________________ Nachman Yaakov Ziskind, FSPA, LLM awacs@ziskind.us Attorney and Counselor-at-Law http://ziskind.us Economic Group Pension Services http://egps.com Actuaries and Employee Benefit Consultants
In message <20090312120816.B668@egps.egps.com>, "N. Yaakov Ziskind" writes:
JC Dill wrote (on Thu, Mar 12, 2009 at 09:02:25AM -0700):
Ross wrote:
There seems to be a big misconception that he asked them to "hand over" the info. As I read the OP, he asked Comcast to do something about it and Comcast said "we can't do anything about it because we don't have logs". Here's a quote from the OP:
The real problem is that Covad claim (second hand) that they can't identify the perpetrator(s).

I've been nudging an operator at Covad about a handful of hosts from his DHCP pool that have been attacking - relentlessly port scanning - our assets. I've been informed by this individual that there's "no way" to determine which customer had that address at the times I list in my logs - even though these logs are sent within 48 hours of the incidents.

One shouldn't need to have to get the identities of the perpetrators to get AUP enforced. Port scanning is against 99.9% of AUPs.

Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
Whether Covad chooses to enforce their AUP against port scanning is a business decision up to them. Again, why worry about things out of your control, especially when we are talking about port scanning. I would think people have more pressing issues, guess not. -- Ross ross [at] dillio.net
Whether Covad chooses to enforce their AUP against port scanning is a business decision up to them.
Yes, it's all a business decision. That kind of antisocial thinking is the sort of thing that has allowed all manner of bad guys to remain attached to the Internet.
Again, why worry about things out of your control, especially when we are talking about port scanning.
Yes, why not talk about rapists and drug dealers instead. They're much worse. It's just that this forum ... isn't for that.
I would think people have more pressing issues, guess not.
While I am all for increasing overall security on the Internet, the reality is that there will often be devices that are attached that are found to be vulnerable in new and intriguing ways. Port scanning is a primary method for finding these vulnerabilities. To the extent that an ISP might proactively port scan its own userbase, that's a good use and probably a good idea (has tradeoffs), but bad guys finding holes in random devices so that they can launch multiGbps attacks against random destinations is a bad thing.

If your idea of "operations" is to make your router work and collect your paycheck for another day, then this discussion probably does not make any sense to you and you probably don't understand the importance of the issue.

If your idea of "operations" is to ensure the reliable operation and uphold the performance standards of an IP network, then it should not be beyond comprehension that allowing miscreants access to the network is one of many things that can adversely affect operations. If you accept that the presence of miscreants on the network is a negative, it shouldn't be hard to see that complaining about consistent and persistent port scans from what is probably an identifiable host is one way to make an impact.

... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Joe,

I'll respond to you and this will be my last reply to this thread because I know I won't be able to change your mind. Saying a company's business decisions are antisocial just because they aren't doing what you want is very unhelpful. I don't know how many large ISPs you have worked for but I'm not sure if you understand corporate budgets or politics.

If you consider people who port scan the bad guys of the internet then obviously you and I are on two different planes of reality. I had a discussion today with someone who I immensely respect where I talked about port scanning and how people compare it to trying to break in to someone's house. He disagreed and said that port scanning was like being a part of the neighborhood watch and that trying to exploit any vulnerabilities you find would be an attempted break in, I have to agree.

As for your second point of comparing port scanning to the heinous crimes of rape I'll just ask, "have you lost your damn mind"? Seriously, port scanning a machine compared to the horrid act of abusing someone sexually? Seriously, what will be your next analogy, pedophiles are the same as file sharers?

Port scanning can be a method to find vulnerabilities indeed but what of those of us who port scan before we use certain services? I often scan certain hosts before I use them to make sure they don't have gaping vulnerabilities, should I go to jail? The op said nothing about an attack but only a scan, so don't go there.

Your idea of operations seems simple because you have the black and white barrier, there is no gray for you. Some of us actually have a larger userbase and very small budgets. Now I'll say that the company I work for goes after network abusers vigorously. To say that port scanners are miscreants and abusers is your view. I think everyone wants to stop botnets and exploits from spreading but Joe, people don't have to answer to you just because you feel that you are privileged because you have a role in the internet.
Scanning and attacks are two different things and I hope you realize this. If a host on my network is attacking a host on yours I'm sure we will work to stop it quickly. If you demand that I turn over the person who scanned you last night at 12:52 am I may ignore you. I wish you the best of luck against your crusade against the evil of port scanning. -- Ross ross [at] dillio.net
On Sat, 14 Mar 2009 00:56:24 CDT, Ross said:
I know I won't be able to change your mind. Saying a company's business decisions are antisocial just because they aren't doing you want is very unhelpful. I don't know how many large ISPs you have worked for but I'm not sure if you understand corporate budgets or politics.
Ross - it doesn't help when you turn around and present another false dichotomy. It's quite possible that Joe *does* understand corporate budgets and politics, and *still* thinks that business decisions are antisocial. In fact, one can fairly easily argue that *many* of our current socio-economic issues are due to the fact that corporate decisions are in general required to be in the stockholder's interests, not society's. In other words, they are in general *by definition* anti-social. So the correct phrasing is "How do we change the anti-social behavior into something less anti-social which still pleases the stockholders?"
Seriously, what will be your next analogy, pedophiles are the same as file sharers?
Paging Jack Valenti...
Valdis, I'm not going to argue with you on a socio-economic opinion that companies who have stockholders are evil because they don't spend their funds where you want them to and promote anti-social behavior by doing so. If you think society's biggest problem is to stop port scanning then I hope you succeed in your crusade. I think many of us have bigger problems than you getting port scanned but if you ever truly get attacked, I'll be there to help. As a good friend of mine says "no one ever goes to work and says, how am I going to suck today." We can all improve in our operations, public shaming for not dropping one's other duties to hand over information that you aren't privileged to is a bit sad. </rant> *nite* -- Ross ross [at] dillio.net
Ross wrote:
We can all improve in our operations, public shaming for not dropping ones other duties to hand over information that you aren't privileged to is a bit sad.
No one asked anyone to "hand over information that they weren't privileged to". Trying to publicly shame someone for asking for this, when they asked for no such thing, is more than a bit sad. What was requested is that Covad deal with their problem customer. Covad tried to claim that they couldn't deal with it because supposedly they don't have any logs of which customer had the IP less than 48 hours ago, which is just not very believable. There also wasn't any indication that Covad claimed they had more important duties to attend to and that this wasn't important to address - they just claimed they "can't" address it because they don't have log data to link the IP to the customer. jc
Joe,
I'll respond to you and this will be my last reply to this thread because I know I won't be able to change your mind.
Yes, it's clear *you* won't be able to.
Saying a company's business decisions are antisocial just because they aren't doing you want is very unhelpful.
Well, then, it's good that that's not what's happening. There are lots of things I would want a business to do that most of 'em aren't doing. We aren't talking about any of those things. We're talking about something that is commonly understood to be a bad thing, bad enough that most AUP's explicitly forbid it.
I don't know how many large ISPs you have worked for but I'm not sure if you understand corporate budgets or politics.
I have worked for large ISP's, I understand corporate budgets and politics, and I'm smart enough to understand that "corporate budgets and politics" do not define what is acceptable within the framework of the Internet. Were "corporate budgets and politics" to define that, we'd be likely to see a balkanized, spam-riddled ghost-of-what-used-to-be-the-Internet where the potential for making a buck defines what is right and what is wrong. Modern corporations are responsible to their shareholders, and many people feel this gives them a free pass. Staffing an abuse desk and reducing these sorts of emissions would seem to be more costly, and certainly there are people who cut corners on their abuse departments in order to save a buck, but the point is that this ultimately results in greater costs further out, when your network is riddled with problems, and your upstreams and peers are applying pressure to you to stop the DDoS attacks coming from your network. Regardless, many companies follow that path, in search of "better performance this quarter." We've seen it all before, and we'll see it all again. Eventually it gets bad enough that either your policies cause you to fold (AGIS, etc), or you're forced to clean up. More enlightened companies can take a longer view, and they'll realize that a well-run network is actually a valuable asset.
If you consider people who port scan the bad guys of the internet then obviously you and I are two different planes of reality.
Clearly. Because the people who port scan are the people who are breaking into boxes (whether manually or automatically), and the people who are breaking into boxes are generally people with no good intent. If you think these are "good guys," you definitely *are* on a different plane of reality.
I had a discussion today with someone who I immensely respect where I talked about port scanning and how people compare it to trying to break in to someone's house. He disagreed and said that port scanning was like being a part of the neighborhood watch and that trying to exploit any vulnerabilities you find would be an attempted break in, I have to agree.
Random port scanning is not like "the neighborhood watch." Neighborhood watches are set up by a neighbor you know, and presumably trust, and even if they have a ridiculous policy of testing doorknobs, they will respect it if you tell them you don't want to participate. Some ISP's fulfill this role by proactively scanning their own IP space for vulnerable machines. They'll tell you your box is hackable, or maybe even sandbox you. That's equivalent to a neighborhood watch. What you're defending is some guy in a ski mask who comes in and visits each house, testing all the doors and windows to see if they open, and who makes note of vulnerable houses. Maybe he then leaves, maybe he then breaks into a house. Even if he leaves, he's leaving with knowledge of insecure houses, and we know that this knowledge is not going to be put to a *positive* use. How you can possibly equate this to a "neighborhood watch" is beyond me.
As for your second point of comparing port scanning to the heinous crimes of rape I'll just ask, "have you lost your damn mind"?
No, of course I haven't, but then again I didn't make such a comparison. I did say "they're much worse." You might want to go back and re-read that little exchange, as you clearly didn't comprehend what I was saying.
Seriously, port scanning a machine compared to the horrid act of abusing someone sexually? Seriously, what will be your next analogy, pedophiles are the same as file sharers?
Seriously, try reading for comprehension.
Port scanning can be a method to find vulnerabilities indeed but what of those of us who port scan before we use certain services?
Scanning a machine that you're authorized to access is not at issue here.
I often scan certain hosts before I use them to make sure they don't have gaping vulnerabilities, should I go to jail?
See above. And below.
The op said nothing about an attack but only a scan, so don't go there.
Ah ha. See, you've just tried to equate your scanning of some machine that you are authorized to use, with what the original poster was complaining about, which was relentless scans by an unauthorized party, where the responsible party actually explicitly requested that such scans stopped. You're trying to make a case that the second case is acceptable because the first is? You're showing yourself as being unable to argue your way out of a paper bag.
Your idea of operations seems simple because you have the black and white barrier, there is no gray for you.
The hell you say.
Some of us actually have a larger userbase and very small budgets.
Your budget is a choice. Maybe not your choice personally, but a choice by someone, regardless. Choices have consequences. Maybe not immediately, but eventually. The ability to see (and ideally, to harness) the long-term effect of your choices is generally what differentiates most of the successful companies that I've seen.
Now I'll say that the company I work for goes after network abusers vigorously. To say that port scanners are miscreants and abusers is your view.
Hm. Well, even dodgy providers like SAVVIS recognize port scanning as a problem: http://www9.savvis.net/corp/Acceptable%20Use%20Policy Section B subsection 2: "including any activity that typically precedes attempts to breach security such as scanning, probing, or other testing or vulnerability assessment activity," So, um, who exactly is it that you work for, I'd love to check out their AUP (tfic).
I think everyone wants to stop botnets and exploits from spreading but Joe, people don't have to answer to you just because you feel that you are privileged because you have a role in the internet.
You seem to be attributing to me something I didn't say.
Scanning and attacks are two different things and I hope you realize this.
One could reasonably say that one is a lesser form of the second. When someone is doing something that is clearly and unambiguously "casing the joint," and isn't authorized to be doing so, that could reasonably be construed as an attack. From afar, you have no way to determine whether or not your unauthorized traffic has the potential for costing my site more (maybe I'm on the far end of a really expensive circuit), or maybe interfering with normal operations (overloading syslog reporting due to heavy firewall rejections), etc. You have no idea what effect scanning has on a remote machine, and if you have no business doing it, assuming that it can't be perceived as an attack and that it won't cause problems is naive.
If a host on my network is attacking a host on yours I'm sure we will work to stop it quickly. If you demand that I turn over the person who scanned you last night at 12:52 am I may ignore you.
Of course, neither I nor the original poster made any such demand. The original poster simply wanted Covad to "make it stop," which would seem to be a fairly reasonable request.
I wish you the best of luck against your crusade against the evil of port scanning.
Since it's "okay" to do that, why don't you post your employer's IP ranges along with an official invitation for NANOG'ers to scan those ranges? Geez. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
In message <c229aa5b01749718e25f61ae579659a3.squirrel@www.dillio.net>, "Ross" writes:
Whether Covad chooses to enforce their AUP against port scanning is a business decision up to them. Again, why worry about things out of your control, especially when we are talking about port scanning. I would think people have more pressing issues, guess not.
-- Ross ross [at] dillio.net
Well most port scanning is from compromised boxes. Once a box is compromised it can be used for *any* sort of attack. If you really care about security you take reports of ports scans seriously. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
Well most port scanning is from compromised boxes. Once a box is compromised it can be used for *any* sort of attack. If you really care about security you take reports of ports scans seriously.
Yeahbut, the real problem is that port scanning is typically used as part of a process to infect _other_ boxes. If you allow this sort of illness to spread, the patient (that is, the Internet) doesn't get better. ... JG
On Thu, Mar 12, 2009 at 8:52 PM, Joe Greco <jgreco@ns.sol.net> wrote:
Well most port scanning is from compromised boxes. Once a box is compromised it can be used for *any* sort of attack. If you really care about security you take reports of ports scans seriously.
Yeahbut, the real problem is that port scanning is typically used as part of a process to infect _other_ boxes. If you allow this sort of illness to spread, the patient (that is, the Internet) doesn't get better.
Port scanning is the Internet equivalent of the common cold. They're a dime a dozen. I recommend taking some Vitamin B and D. Block, and Drop. Best, Martin -- Martin Hannigan martin@theicelandguy.com p: +16178216079
On Thu, Mar 12, 2009 at 8:52 PM, Joe Greco <jgreco@ns.sol.net> wrote:
Well most port scanning is from compromised boxes. Once a box is compromised it can be used for *any* sort of attack. If you really care about security you take reports of ports scans seriously.
Yeahbut, the real problem is that port scanning is typically used as part of a process to infect _other_ boxes. If you allow this sort of illness to spread, the patient (that is, the Internet) doesn't get better.
Port scanning is the Internet equivalent of the common cold. They're a dime a dozen.
I recommend taking some Vitamin B and D. Block, and Drop.
No, it's more comparable to the jerk who not only doesn't stay at home with his cold, but actively walks around the workplace coughing and sneezing without covering his mouth/nose with a kleenex, spraying people. The reality is that it fails the "if everybody did this, would it be a good thing" test. While some "B&D" is common sense on the receiving end, this does not make it any more correct for the originating site to let it keep happening. If every PC on the Internet (conservatively, let's assume a billion devices that are sufficiently sophisticated that they could be infected) were to send you a single packet per day, you'd be seeing over 10,000pps. That should suggest that the behaviour is not something to be encouraged. My locking my doors does not mean it's okay for you to check if my door is locked. ... JG
Just wondering, but the knowledge I have of DHCP is that an IP address is assigned to the same computer (or host) and will continue to be so until the pool of IPs is exhausted. Once that occurs, a new request is parsed by the DHCP server and the oldest non-renewed lease address is checked to see if it is live. If no response occurs then the DHCP server assigns that IP to the requesting host. It's much more efficient to write once and check that than it is to write every time. This is done to save resources on the DHCP server, not much unlike the cache on a DNS server. Every lookup does not traverse the root servers and the auth server, only those that have expired cached entries. Wouldn't it create a DoS against the DHCP server if every host constantly required the server to go through the aforementioned process? It does within DNS. Change the expire to 2 and the TTL to 2 and see what happens. This did happen for boxsports dot com (what rhymes with box? not sure of the legalities around saying the name). An SA, while troubleshooting, did just that and about 1 month later BOOM! crap hit the fan. It appeared as though our DNS auth servers were being DoS'd but all requests were legit. The entry was not cached. That said, unless Covad is constantly exhausting its pool or they mandate that after the lease expires to give a different IP, a reverse lookup would give you the hostname of the offender, which should remain accurate for some amount of time. No action on Covad's part constitutes legal action on your part... -Bobbyjim On Fri, Mar 13, 2009 at 8:53 AM, Joe Greco <jgreco@ns.sol.net> wrote:
On Thu, Mar 12, 2009 at 8:52 PM, Joe Greco <jgreco@ns.sol.net> wrote:
Well most port scanning is from compromised boxes. Once a box is compromised it can be used for *any* sort of attack. If you really care about security you take reports of ports scans seriously.
Yeahbut, the real problem is that port scanning is typically used as part of a process to infect _other_ boxes. If you allow this sort of illness to spread, the patient (that is, the Internet) doesn't get better.
Port scanning is the Internet equivalent of the common cold. They're a dime a dozen.
I recommend taking some Vitamin B and D. Block, and Drop.
No, it's more comparable to the jerk who not only doesn't stay at home with his cold, but actively walks around the workplace coughing and sneezing without covering his mouth/nose with a kleenex, spraying people.
The reality is that it fails the "if everybody did this, would it be a good thing" test. While some "B&D" is common sense on the receiving end, this does not make it any more correct for the originating site to let it keep happening. If every PC on the Internet (conservatively, let's assume a billion devices that are sufficiently sophisticated that they could be infected) were to send you a single packet per day, you'd be seeing over 10,000pps. That should suggest that the behaviour is not something to be encouraged.
My locking my doors does not mean it's okay for you to check if my door is locked.
... JG
On Fri, 13 Mar 2009 13:57:56 CDT, Bobby Mac said:
That said, unless Covad is constantly exhausting its pool or they mandate that after the lease expires to give a different IP, a reverse lookup would give you the hostname of the offender, which should remain accurate for some amount of time. No action on Covad's part constitutes legal action on your part...
OK. So you get hit by 129.257.34.98. You look up the PTR and get back 98.34.257.129.cable-pool-slash-12.covad.net. What did you gain here? You knew it was in a Covad /12 before, and that's all you know after, and Covad *still* isn't stopping their customer's bad behavior. After all, you didn't *really* care that the IP was assigned to a computer belonging to Herman Munster, 1313 Mockingbird Lane. What you actually *wanted* was for somebody (preferably Covad) to hand Herman a clue.
On Fri, Mar 13, 2009 at 2:15 PM, <Valdis.Kletnieks@vt.edu> wrote:
After all, you didn't *really* care that the IP was assigned to a computer belonging to Herman Munster, 1313 Mockingbird Lane. What you actually *wanted* was for somebody (preferably Covad) to hand Herman a clue.
Yeah. I miss the days that you could fix Covad problems by calling Brent, or by sending the attacker a Ping of Death :-) In practice, of course, the chances are extremely high that the attacker is a zombie pc whose owner is not aware that it's infected, and they really need their ISP to quarantine them somewhere until they can get it fixed. -- ---- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Um.... Aren't DSL addresses handed out over IPCP? So perhaps a bit more static than DHCP? Sent via BlackBerry from T-Mobile -----Original Message----- From: Bobby Mac <bobbyjim@gmail.com> Date: Fri, 13 Mar 2009 13:57:56 To: <nanog@nanog.org> Subject: Re: Dynamic IP log retention = 0?
On Wed, Mar 11, 2009 at 6:34 AM, Brett Charbeneau <brett@wrl.org> wrote:
I've been nudging an operator at Covad about a handful of hosts from his DHCP pool that have been attacking - relentlessly port scanning - our assets. I've been informed by this individual that there's "no way" to determine which customer had that address at the times I list in my logs - even though these logs are sent within 48 hours of the incidents. The operator advised that I block the specific IP's that are attacking us at my perimeter. When I mentioned the fact that blocking individual addresses will only be as effective as the length of lease for that DHCP pool I get the email equivalent of a shrug. "Well, maybe you want to ban our entire /15 at your perimeter..." I'm reluctant to ban over 65,000 hosts as my staff have colleagues all over the continental US with whom they communicate regularly. I realize these are tough times and that large ISP's may trim abuse team budgets before other things, but to have NO MECHANISM to audit who has what address at any given time kinda blows my mind. Does one have to get to the level of a subpoena before abuse teams pull out the tools they need to make such a determination? Or am I naive enough to think port scans are as important to them as they are to me on the receiving end?
I think you are being a little naive. Port scans, while possibly used for malicious ends, can very often be benign. I've port scanned netblocks for such trivia as the IP of the printer which I forgot to scribble down. (Naturally, this doesn't explain your situation of scanning from another ISP, but you get the idea (I hope).) As William pointed out, it's the things that follow that determine whether someone's being bad. To flag port scans might be responsible, but I think pursuing legal action over it would be the exact opposite. Wait until someone demonstrates true maliciousness before trying to punish them, rather than bringing the heat merely because they've demonstrated the potential for maliciousness. This is almost akin to attacking someone because they're carrying a gun: sure, the gun gives them the potential to do bad things, but it often enough is innocent. (Political agendas aside...)
On Sat, Mar 14, 2009 at 4:12 AM, Neil <kngspook@gmail.com> wrote:
On Wed, Mar 11, 2009 at 6:34 AM, Brett Charbeneau <brett@wrl.org> wrote:
......... As William pointed out, it's the things that follow that determine whether someone's being bad. To flag port-scans might be responsible, but I think pursuing legal action over it would be the exact opposite. Wait until someone demonstrates true maliciousness before trying to punish them, rather than bringing the heat merely because they've demonstrated the potential for maliciousness.
In the physical world, this is the equivalent of 'casing the joint'. In most parts of the world, you can now get stopped/interrogated for simply taking pictures of the wrong buildings. (Even ones that in the past might have been considered tourist attractions.) Whether you think this is a good/bad thing, you shouldn't be surprised that people are similarly concerned about such behavior in the virtual world.
This is almost akin to attacking someone because they're carrying a gun: sure, the gun gives them the potential to do bad things, but it often enough is innocent. (Political agendas aside...)
No, this is more like some unknown guy in a high-rise a mile a way pointing his laser sniper scope at people walking in the park. They don't KNOW that he has a rifle attached to that scope. Even if he does, they don't KNOW that he plans to use it. Most people will never notice that little red dot in the middle of their chest. If they do notice and report it, however, I can guarantee that a significant investigation will take place. Bill Bogstad
On Sat, Mar 14, 2009 at 6:24 AM, Bill Bogstad <bogstad@pobox.com> wrote:
On Sat, Mar 14, 2009 at 4:12 AM, Neil <kngspook@gmail.com> wrote:
On Wed, Mar 11, 2009 at 6:34 AM, Brett Charbeneau <brett@wrl.org> wrote:
......... As William pointed out, it's the things that follow that determine whether someone's being bad. To flag port-scans might be responsible, but I think pursuing legal action over it would be the exact opposite. Wait until someone demonstrates true maliciousness before trying to punish them, rather than bringing the heat merely because they've demonstrated the potential for maliciousness.
In the physical world, this is the equivalent of 'casing the joint'. In most parts of the world, you can now get stopped/interrogated for simply taking pictures of the wrong buildings. (Even ones that in the past might have been considered tourist attractions.) Whether you think this is a good/bad thing, you shouldn't be surprised that people are similarly concerned about such behavior in the virtual world.
Getting stopped/interrogated for simply taking pictures of tourist-y, or other, buildings is over-reacting as well, in my opinion. (For nearly all of them, there are already existing pictures of them; and once the Bad Guys get wind that people are being stopped for taking pictures, they'll either use already existing pictures, or go up and take them, get stopped, and blend in with all the other innocent people taking pictures... Pointless, unless someone's sitting on some magical Bad-Guy-Identifier that only works in interrogations.) And there's another name for 'casing the joint', it is 'looking around'. Looking around generally isn't a crime. Neither is casing a joint, for that matter. And like I suggested with port scanning, whether someone was 'looking around' or 'casing the joint' is really only determinable after they've robbed the joint or not. Before that point, you're almost stabbing in the dark.
This is almost akin to attacking someone because they're carrying a gun: sure, the gun gives them the potential to do bad things, but it often enough is innocent. (Political agendas aside...)
No, this is more like some unknown guy in a high-rise a mile a way pointing his laser sniper scope at people walking in the park. They don't KNOW that he has a rifle attached to that scope. Even if he does, they don't KNOW that he plans to use it. Most people will never notice that little red dot in the middle of their chest. If they do notice and report it, however, I can guarantee that a significant investigation will take place.
That's a bit questionable as well; the intention with a port scan is hardly so well defined as you suggest. And what if that little red dot is simply a laser pointer? I think I'd assume laser pointer before laser-aiming sniper, following the "Don't attribute to malice what could be attributed to stupidity instead" maxim or Occam's Razor...
And there's another name for 'casing the joint', it is 'looking around'. Looking around generally isn't a crime. Neither is casing a joint, for that matter. And like I suggested with port scanning, whether someone was 'looking around' or 'casing the joint' is really only determinable after they've robbed the joint or not. Before that point, you're almost stabbing in the dark.
"Looking around" Rockefeller Center generally isn't a crime. "Looking around" where you're in my back yard and peeking in the windows is, at a minimum, trespass, and if our local cops notice you doing it, you can expect that you may find yourself ... severely inconvenienced. There is no "freedom to look around" on private property, despite what you appear to think. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
On Sat, Mar 14, 2009 at 23:17, Joe Greco <jgreco@ns.sol.net> wrote:
"Looking around" Rockefeller Center generally isn't a crime.
"Looking around" where you're in my back yard and peeking in the windows is, at a minimum, trespass, and if our local cops notice you doing it, you can expect that you may find yourself ... severely inconvenienced.
There is no "freedom to look around" on private property, despite what you appear to think.
Isn't Rockefeller Center private property? ;-) -Jim P.
Can we please get this thread closed or something? Jim Popovitch wrote:
On Sat, Mar 14, 2009 at 23:17, Joe Greco <jgreco@ns.sol.net> wrote:
"Looking around" Rockefeller Center generally isn't a crime.
"Looking around" where you're in my back yard and peeking in the windows is, at a minimum, trespass, and if our local cops notice you doing it, you can expect that you may find yourself ... severely inconvenienced.
There is no "freedom to look around" on private property, despite what you appear to think.
Isn't Rockefeller Center private property? ;-)
-Jim P.
On Mar 15, 2009, at 1:20 AM, Charles Wyble wrote:
Can we please get this thread closed or something?
Maybe we should start the nanog-law mailing list.
Marshall Eubanks wrote:
Maybe we should start the nanog-law mailing list.
Maybe we should stick to the operational "Subject" at hand: log retention? Is there any disagreement that everybody SHOULD keep dynamic assignment logs for at least 36 hours as a Best Current Practice? Is there any evidence that Covad *keeps* logs, and responds to abuse notice? (I've seen no evidence that Covad has become such a bad actor that everybody should de-peer, but that might be incentive to keep better logs.)
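The correlation an operator needs in order to answer "who had this address at this time", and the retention check the post above asks about, as an added example that is not code from any poster or from Covad: it parses constructed syslog-style lines in the shape ISC dhcpd emits (ACK and RELEASE only, since dhcpd logs no expiry), builds per-IP lease intervals, and reports whether a dated abuse complaint still falls inside a 36-hour retention window. The 4-hour lease time, the sample lines and the retention floor are assumptions.

```python
"""Who held a dynamic IP at a given time? Added example for this thread,
not code from any poster or from Covad. Log lines are constructed, modelled
on ISC dhcpd syslog messages; lease time and retention window are assumed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LEASE_TIME = timedelta(hours=4)   # assumed pool lease length
RETENTION = timedelta(hours=36)   # floor suggested in the thread

# Constructed sample log, ISO timestamps prepended for readability.
SAMPLE_LOG = """\
2009-03-10T22:00:00 dhcpd: DHCPACK on 10.20.30.40 to 00:11:22:33:44:55 (alice-pc) via eth1
2009-03-11T00:30:00 dhcpd: DHCPRELEASE of 10.20.30.40 from 00:11:22:33:44:55 (alice-pc) via eth1 (found)
2009-03-11T00:45:10 dhcpd: DHCPACK on 10.20.30.40 to 66:77:88:99:aa:bb (bob-laptop) via eth1
2009-03-11T02:10:00 dhcpd: DHCPACK on 10.20.30.41 to cc:dd:ee:ff:00:11 via eth1
2009-03-11T03:00:00 dhcpd: DHCPACK on 10.20.30.40 to 66:77:88:99:aa:bb (bob-laptop) via eth1
"""
ACK_RE = re.compile(r"^(\S+) dhcpd: DHCPACK on (\S+) to (\S+)(?: \((\S+)\))? via")
REL_RE = re.compile(r"^(\S+) dhcpd: DHCPRELEASE of (\S+) from (\S+)")

@dataclass
class Lease:
    ip: str
    mac: str
    host: Optional[str]
    start: datetime
    end: datetime

def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)

def parse_leases(text: str) -> List[Lease]:
    """Per-IP lease intervals from ACK/RELEASE lines in time order.
    dhcpd logs no expiry, so an interval ends at the earliest of a RELEASE,
    an ACK of the IP to another client, or start + LEASE_TIME; a renewal
    ACK from the same client extends it."""
    leases: List[Lease] = []
    open_by_ip: Dict[str, Lease] = {}
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if m:
            ts = parse_ts(m.group(1))
            ip, mac, host = m.group(2), m.group(3), m.group(4)
            cur = open_by_ip.get(ip)
            if cur is not None and cur.mac == mac:
                cur.end = ts + LEASE_TIME      # renewal by the same client
                continue
            if cur is not None:
                cur.end = min(cur.end, ts)     # address handed to someone else
            lease = Lease(ip, mac, host, ts, ts + LEASE_TIME)
            leases.append(lease)
            open_by_ip[ip] = lease
            continue
        m = REL_RE.match(line)
        if m:
            ts = parse_ts(m.group(1))
            cur = open_by_ip.get(m.group(2))
            if cur is not None and cur.mac == m.group(3):
                cur.end = min(cur.end, ts)     # explicit release closes it
                del open_by_ip[m.group(2)]
    return leases

def holder_at(leases: List[Lease], ip: str, when: datetime) -> Optional[Lease]:
    """Lease covering `ip` at `when`, or None when the log shows no holder."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease
    return None

def answerable(leases: List[Lease], when: datetime, now: datetime) -> bool:
    """Can 'who had this IP at `when`?' still be answered at `now`?
    Needs `when` inside the retention window and inside log coverage."""
    if not leases:
        return False
    oldest = min(lease.start for lease in leases)
    return oldest <= when <= now and now - when <= RETENTION
```

A complaint dated 48 hours back fails the check even though the log still covers it, which is the gap between a 36-hour floor and the 48-hour turnaround in the original post.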
A finely tuned killfile that remains mostly static once defined works wonders across all threads and fairly well. Best, Marty On 3/15/09, Marshall Eubanks <tme@multicasttech.com> wrote:
On Mar 15, 2009, at 1:20 AM, Charles Wyble wrote:
Can we please get this thread closed or something?
Maybe we should start the nanog-law mailing list.
Once upon a time, Neil <kngspook@gmail.com> said:
I think you are being a little naive. Port scans, while possibly used for malicious ends, can very often be benign.
That sounds naive to me. From what I've seen, the number of malicious scans is much greater than the number of benign scans. The vast majority of end users have no idea what a port scan is or how to run one (or how to make sense of the output if they saw one run). In any case, this isn't really about the port scan. This is about Covad claiming they cannot identify who had an IP 48 hours ago. What if it wasn't a port scan; what if it was a DoS attack, spamming bot, etc.? Do you think Covad would respond to a DMCA complaint like that? -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
Chris Adams wrote:
Do you think Covad would respond to a DMCA complaint like that?
That's actually the one thing that would make sense of this - that they *do* purge the logs fast enough that they could reply to a DMCA complaint by saying "sorry, we don't have logs". The question is, in doing so are they also purging the logs so fast they can't deal with customers that cause problems for Covad itself? If so, then they probably aren't purging the logs this fast, they just said so to avoid having to deal with their customers that are posing problems for others, and they probably would respond quite differently if it were a legal matter (where lying equals perjury) rather than just a "complaint". jc