rr style scanning of non-customers
Hey gang,

Some ISPs, such as RR, appear to be implementing what I personally would consider quite aggressive approaches to guarding their network by implementing "proactive" scanning of non-customers, similar to what's described at http://security.rr.com/probing.htm

In this case, sending email to @rr.com appears to trigger this scanning business (mind you, this is not about the scanning their subs biz; I don't care to get into that in this thread).

But, the question is.. How many people here are doing this sort of thing? And where does this stop, short of nmapping the entire box?

Some time ago, when Code Red first came around, discussions raged as to how to deal with it and other infestations of customer owned/operated equipment. And this kind of is a different slant on the same issue. Except that it goes quite a bit further than your own prefixes.

I'm not looking to start a flamewar, I'm interested in a discussion or consensus discovery of how far "proactive" tasks can/should/shouldn't go.

Regards,
Christian

*****
"The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential, proprietary, and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from all computers."
On Fri, 13 Jun 2003, Kuhtz, Christian wrote:
> Some ISPs, such as RR, appear to be implementing what I personally would consider quite aggressive approaches to guarding their network by implementing "proactive" scanning of non-customers, similar to what's described at
> http://security.rr.com/probing.htm
> In this case, sending email to @rr.com appears to trigger this scanning business (mind you, this is not about the scanning their subs biz; I don't
Proactive = scanning for open systems before they come to you. Reactive = scanning the IPs that connect to you to see if they're open. They spell this out very clearly on the page referenced above and say that they're doing proactive scanning of their own network and reactive scanning of the rest of the internet. Do you have any reason to believe they're not doing as they say?

Is it time for the monthly nanog spam debate again already? :)

Unfortunately, what they're looking for is only a small sub-set of the commonly used ports by various proxy software typically installed wide open on broadband connected systems. If they're serious about reactive scanning, they ought to either update the ports tested or just ally with one of the various dnsbls that does this sort of testing (less/more effective testing would be the result).

The last time this topic came up, it was suggested by others that either trojan or virus software was installing/creating open proxies. I wrote that off as people being overly paranoid. I'm sorry to say that I now know this to be true and have seen many installations of at least one strain of such proxy software.

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
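The "reactive" open-proxy test the post describes (and that the dnsbls of the day ran against connecting SMTP clients) is, at its core, an HTTP CONNECT back to a mail port to see whether the proxy will tunnel for a stranger. The following is an added example, not code from the thread or from RR, showing that check as a self-audit for a host you administer; the fake proxy listener, the candidate port list and the function names are constructed for the example so it runs offline.

```python
import socket
import threading

# Constructed stand-in "proxy": answers 200 to any CONNECT when open_relay is
# True (a wide-open proxy), or 403 when it is locked down. Only for the test.
def start_fake_proxy(open_relay: bool) -> int:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(1024)  # consume the CONNECT request line and headers
                status = b"200 Connection established" if open_relay else b"403 Forbidden"
                conn.sendall(b"HTTP/1.0 " + status + b"\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


def connect_test(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if host:port tunnels an HTTP CONNECT to a mail port, i.e. open proxy."""
    request = b"CONNECT 127.0.0.1:25 HTTP/1.0\r\nHost: 127.0.0.1:25\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            reply = s.recv(512)
    except OSError:
        return False  # closed, filtered or silent port: nothing to relay through
    # Only a 2xx status means the tunnel was opened for an unauthenticated client.
    parts = reply.split(b" ", 2)
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].startswith(b"2")


# Typical HTTP-proxy ports (constructed list, not RR's); pass your own for a host you run.
def audit_host(host: str, ports=(3128, 8080, 8000, 80)) -> dict:
    """Map each candidate port on one host to whether it behaves as an open proxy."""
    return {p: connect_test(host, p) for p in ports}
```

The same logic, run against the source address of an inbound SMTP connection, is the reactive check the post contrasts with proactive sweeps of an ISP's own prefixes.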
On Fri, 13 Jun 2003 jlewis@lewis.org wrote:
> The last time this topic came up, it was suggested by others that either trojan or virus software was installing/creating open proxies. I wrote that off as people being overly paranoid. I'm sorry to say that I now know this to be true and have seen many installations of at least one strain of such proxy software.
According to a study by America Online, 89% of the computers with broadband connections are not safely configured. 91% of the computers had what AOL categorized as spyware installed. In reality, the connection method isn't the determining factor.

http://www.staysafeonline.info/press/060403.pdf

Although firewalls and anti-virus help, they don't prevent a determined user from infecting his own system. Honeypots and passive detection systems aren't picking up the whole story. The user is an important part of evaluating the security equation.
> According to a study by America Online, 89% of the computers with broadband connections are not safely configured. 91% of the computers had what AOL categorized as spyware installed. In reality, the connection method isn't the determining factor.
>
> http://www.staysafeonline.info/press/060403.pdf
>
> Although firewalls and anti-virus help, they don't prevent a determined user from infecting his own system. Honeypots and passive detection systems aren't picking up the whole story. The user is an important part of evaluating the security equation.
so where is the authoritative web site

<http://make-your-stinkin-windoze-system-safe.clue>

to which we can point all our friends (and use to lock down our kids' machines/sites)?

randy
RB> Date: Sat, 14 Jun 2003 21:59:29 -0700
RB> From: Randy Bush

RB> so where is the authoritative web site
RB>
RB> <http://make-your-stinkin-windoze-system-safe.clue>

Plenty of *ix idiots running vulnerable systems and "servers", too. Follow a Cobalt mailing list and live in fear.

RB> to which we can point all our friends (and use to lock down
RB> our kids' machines/sites)?

You can lead a horse to water...

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@brics.com>
To: blacklist@brics.com
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <blacklist@brics.com>, or you are likely to be blocked.
>> so where is the authoritative web site
>> <http://make-your-stinkin-windoze-system-safe.clue>
> Plenty of *ix idiots running vulnerable systems and "servers", too. Follow a Cobalt mailing list and live in fear.
for which there are system-specific sites telling you how to lock it down, e.g., as david lesher just pointed out,

<http://www.bastille-linux.org>

that fools don't use the resources is another matter. "a fool and their data are soon parted." -- monty williams

but where is the equivalent for windoze, the very common and very vulnerable opsys?

randy
http://www.nsa.gov/snac/win2k/download.htm
http://www.arstechnica.com/tweak/win2k/security/begin-1.html

might be places to start

john brown

On Sat, Jun 14, 2003 at 10:22:50PM -0700, Randy Bush wrote:
> >> so where is the authoritative web site
> >> <http://make-your-stinkin-windoze-system-safe.clue>
> > Plenty of *ix idiots running vulnerable systems and "servers", too. Follow a Cobalt mailing list and live in fear.
>
> for which there are system-specific sites telling you how to lock it down, e.g., as david lesher just pointed out,
>
> <http://www.bastille-linux.org>
>
> that fools don't use the resources is another matter. "a fool and their data are soon parted." -- monty williams
>
> but where is the equivalent for windoze, the very common and very vulnerable opsys?
>
> randy
RB> Date: Sat, 14 Jun 2003 22:22:50 -0700
RB> From: Randy Bush

RB> > Plenty of *ix idiots running vulnerable systems and "servers",
RB> > too. Follow a Cobalt mailing list and live in fear.
RB>
RB> for which there are system-specific sites telling you how to
RB> lock it down, e.g., as david lesher just pointed out,
RB>
RB> <http://www.bastille-linux.org>
RB>
RB> that fools don't use the resources is another matter. "a fool

Perhaps. That doesn't make the problem any less severe, though. One even could argue that's worse -- people running vulnerable systems despite the availability of lockdown information.

RB> and their data are soon parted." -- monty williams
RB>
RB> but where is the equivalent for windoze, the very common and very
RB> vulnerable opsys?

Google search for something like securing windows lockdown is a reasonable start.

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

_________________________________________________________________
DO NOT send mail to the following addresses :
blacklist@brics.com -or- alfra@intc.net -or- curbjmp@intc.net
Sending mail to spambait addresses is a great way to get blocked.
On Sat, 14 Jun 2003, Randy Bush wrote:
> so where is the authoritative web site
> <http://make-your-stinkin-windoze-system-safe.clue>
> to which we can point all our friends (and use to lock down our kids' machines/sites)?
How could you have missed Dewie the Internet Security Turtle?
http://www.ftc.gov/bcp/conline/edcams/infosecurity/index.html

Microsoft has a consumer oriented page with some operating system specific items (although open file shares isn't given as much attention as I would)
http://www.microsoft.com/security/articles/steps_default.asp

Most major ISPs have an online security web site for their customers. There are lots of technical how-to's available with a Google search.

However, in a country where VCR's still flash 12:00, users are not going to read the manual or a web site or anything else. Despite liking to pick on Microsoft, as soon as you get the operating system secure, users load all sorts of other applications. And don't forget other things connected to your home network, such as using good passwords on your router/firewall, networked home entertainment center or snmp-enabled refrigerator.
warning: there are no IOS configuration commands in this thread. hit D now.

sean@donelan.com (Sean Donelan) writes:
> However, in a country where VCR's still flash 12:00, users are not going to read the manual or a web site or anything else. Despite liking to pick on Microsoft, as soon as you get the operating system secure, users load all sorts of other applications. ...
"reading e-mail" should not be the same thing as "loading applications", and for that matter "loading applications" should not be the same thing as "install background malware". i still have to pick on microsoft because their model (from outlook on up) is insecure *by design* and if they had not used their monopoly power to blunt the market effects of java and os/2 and wordperfect and mac/os and who knows what else, then we would at least have genetic diversity, and we might even have some kind of qualitative improvement somewhere due to successful mutations.
> And don't forget other things connected to your home network, such as using good passwords on your router/firewall, networked home entertainment center or snmp-enabled refrigerator.
i agree that the most dangerous part of the car is the nut behind the steering wheel, and that no technological force will ever change that fact. but that's not an excuse to design a car without brakes and then use monopoly power to put other carmakers out of business.

--
Paul Vixie