FYI-

"There was something with one of our customers, however it was a customer machine, and as such, we aren't at liberty to discuss the issue unless they specifically allow us to." - quoth Exodus

So, in other words, they can't discuss abuse issues with the victim, unless the *offender* (client) gives them permission to? I'll sleep much better tonight knowing this.

Every post I see from you has something to do with what's wrong with Exodus. Why is that?

-Jon

On Tue, 17 Nov 1998 14:43:19 -0500 (EST), asr@millburn.net writes:
FYI-
"There was something with one of our customers, however it was a customer machine, and as such, we aren't at liberty to discuss the issue unless they specifically allow us to." - quoth Exodus
So, in other words, they can't discuss abuse issues with the victim, unless the *offender* (client) gives them permission to? I'll sleep much better tonight knowing this.
On Tue, 17 Nov 1998, Jon Green wrote:
Every post I see from you has something to do with what's wrong with Exodus. Why is that?
Wow, how observant of you. I'm truly impressed.

Let's see... This is a security/operations-related thread. One of the suspected origins of naughtiness is an Exodus customer. I, too, am an Exodus customer. Believe it or not, I have information/insight (regarding the nature of these attacks, and how to contact someone at Exodus who cares) worth sharing.

To be quite honest with you, I would love to say something positive about Exodus to the men and women of NANOG. Unfortunately, I cannot do so in a truthful manner. From my [far too] numerous dealings with Exodus, it seems obvious that many Exodus employees love to set low goals for themselves, and then continuously fail to meet them. Your mileage may vary, of course.

If you think my bitching is a futile attempt to spread dirt, collapse Exodus, and impoverish Ellen Hancock and pals, think again...

Bear in mind that, for every one clueful NANOG reader, there are thousands of clue-deprived droids, looking for a colocation/transit shop to house their p0rn servers and whatnot. As long as this continues to be the case, Exodus will manage to rake in vict^H^H^H^Hcustomers easily. Oh well.
On Tue, 17 Nov 1998 16:19:46 -0500 (EST), asr@millburn.net writes:
On Tue, 17 Nov 1998, Jon Green wrote:
Every post I see from you has something to do with what's wrong with Exodus. Why is that?
Wow, how observant of you. I'm truly impressed.
Let's see... This is a security/operations-related thread. One of the suspected origins of naughtiness is an Exodus customer. I, too, am an Exodus customer. Believe it or not, I have information/insight (regarding the nature of these attacks, and how to contact someone at Exodus who cares) worth sharing.
Then give it, without the editorial comments on how terrible Exodus is. We all know you're an unhappy customer, which leads me to ask why you're still a customer. Personally, I take my business somewhere else when I'm unhappy with the service someone is providing. Unless of course you just like to whine. As for the current situation, if *I* were an Exodus customer I sure as hell wouldn't want them releasing information about me to some random person that requests it. You provide Exodus with a court order and I'm sure they'll be happy to give you whatever information you want. I always thought that was standard practice for an ISP. If your privacy standards are less, I'll make sure not to do business with you.
If you think my bitching is a futile attempt to spread dirt, collapse Exodus, and impoverish Ellen Hancock and pals, think again...
Your next paragraph seems to indicate otherwise.
Bear in mind that, for every one clueful NANOG reader, there are thousands of clue-deprived droids, looking for a colocation/transit shop to house their p0rn servers and whatnot. As long as this continues to be the case, Exodus will manage to rake in vict^H^H^H^Hcustomers easily.
On Tue, 17 Nov 1998, Jon Green wrote:
As for the current situation, if *I* were an Exodus customer I sure as hell wouldn't want them releasing information about me to some random person that requests it. You provide Exodus with a court order and I'm sure they'll be happy to give you whatever information you want. I always thought that was standard practice for an ISP. If your privacy standards are less, I'll make sure not to do business with you.
Looks like the phraseology of my original post may be to blame for this misunderstanding. For the record: I do *not* think Exodus should reveal any private customer-specific information, unless authorized to do so by the customer. Call me idealistic, but, at the same time, I think Exodus (or *ANY NOC* for that matter), when contacted, should try to offer some assistance (especially given the huge widespread nature of this event), even if the machine jeopardized is not their own. Then again, SWIP'ed customer assignments would be of some assistance, too.

According to Exodus's abuse@exodus.net autoresponder: "We will investigate to determine if there has been a violation. If there has, we will contact our customer and require that the violating activity cease. If a violation does not cease, we will terminate our customer's service pursuant to our rules of service."

It's been ~48 hours, AFAIK. And, according to a post to inet-access, the tickling from 209.67.50.0/24 has not stopped. C'est not so good.
According to Exodus's abuse@exodus.net autoresponder: "We will investigate to determine if there has been a violation. If there has, we will contact our customer and require that the violating activity cease. If a violation does not cease, we will terminate our customer's service pursuant to our rules of service."
It's been ~ 48 hours, AFAIK. And, according to a post to inet-access, the tickling from 209.67.50.0/24 has not stopped. C'est not so good.
BTW: As originator of the first email begging for clueful contact at Exodus... and after sending requested information... I've yet to see an email from them even saying "We got your logs, thanks".

Tuc/TTSG
Oh, sorry, we should apologize to Exodus for exploiting their name in this subject. The real subject should be named 'Unix trojans'.

---
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
From an operational professional standpoint I agree with this approach and we should keep it this way between all of us in the future on all like issues.
Henry R. Linneweh

alex@relcom.EU.net wrote:

Oh, sorry, we should apologize to Exodus for exploiting their name in this subject.

The real subject should be named 'Unix trojans'.

---
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
Or, Re: Exodus' inability to care if other people on the net are hacked by our customers.

On Wed, 18 Nov 1998 alex@relcom.EU.net wrote:

Oh, sorry, we should apologize to Exodus for exploiting their name in this subject.

The real subject should be named 'Unix trojans'.

---
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)

--
Atheism is a non-prophet organization. I route, therefore I am.
Alex Rubenstein, alex@nac.net, KC2BUO, ISP/C Charter Member
Father of the Network and Head Bottle-Washer
Net Access Corporation, 9 Mt. Pleasant Tpk., Denville, NJ 07834
Don't choose a spineless ISP; we have more backbone! http://www.nac.net
Hi,

Given that it was a Sunday night, the fact that the customer was contacted and the "compromised" machine was taken offline in about 3 hours leads me to believe otherwise. Maybe in your idealistic world things are 'instantly' taken care of, but in mine it normally takes 3-5 DAYS or longer to get things like this resolved. Do you think if some other large site was scanning like this that it would have taken any less time to resolve? I was once hit by a tucows machine and after repeated mails, calls and such it was still up weeks later.. I was also hit by sites off of icon.net and while they were VERY responsive, it still took a few days to get the sites fixed..

On Wed, Nov 18, 1998 at 08:47:50AM -0500, alex@nac.net wrote:
Or,
Re: Exodus' inability to care if other people on the net are hacked by our customers.
--
: Steven O Noble / Network Janitor / Be free my soul and leave this world alone :
: My views = My views != The views of any of my past or present employers :
--- Reply on mail from Adam Rothschild about Exodus Customer Security
FYI-
"There was something with one of our customers, however it was a customer machine, and as such, we aren't at liberty to discuss the issue unless they specifically allow us to." - quoth Exodus
So, in other words, they can't discuss abuse issues with the victim, unless the *offender* (client) gives them permission to? I'll sleep much better tonight knowing this.
I don't have much of a problem with this policy. If law enforcement calls, they will probably give out the info. If joe blow calls and claims to be a victim, they have a hard time proving that joe blow is really a victim, so they either have to spend payroll $$ on people proving that joe really is a victim, OR give out info to joe when he may not be a victim (thus increasing exposure to their customer).. It wouldn't be that difficult to fake some logs to get info on a certain customer for whatever reason..

If they have this policy, it protects Exodus from liability, especially if one of their clients got broken into and an attack was launched from there (how many companies would see a fall in their stock or a loss of consumer confidence if the fact they got broken into was made public??)

It seems to be known that in this instance people were breaking into boxes and using those boxes as launching pads. What is to say that the Exodus box wasn't also a launching pad? To say that the offender was the client may be a bit harsh..

I think I am done ranting for now :)

--
Bret McDanel http://www.rehost.com Realistic Technologies, Inc. 973-514-1144
These opinions are mine, and may not be the same as my employer
It's 100% true!!
It seems to be known that in this instance people were breaking into boxes and using those boxes as launching pads. What is to say that the Exodus box wasn't also a launching pad? To say that the offender was the client may be a bit harsh..

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
Ask yourself this: Can you (as an NSP) guarantee me that *none* of your boxes, or *customer* boxes, have been infected?

"He who is without sin (and an *NSP*, as is Exodus), cast the first stone."

Now, the High Priests of Exodus were, perhaps, a little hard to reach.. But, I heard they were in a meeting, trying to ascertain how many angels can dance on the head of a pin...... :\

Alex P. Rudnev wrote:
It's 100% true!!
It seems to be known that in this instance people were breaking into boxes and using those boxes as launching pads. What is to say that the Exodus box wasn't also a launching pad? To say that the offender was the client may be a bit harsh..

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
On Wed, 18 Nov 1998, Richard Irving wrote:
Ask yourself this: Can you (as an NSP) guarantee me that *none* of your boxes, or *customer* boxes, have been infected?
That's a bit extreme, and should not be expected of any NSP. All I want is, when such obvious and widespread abuse is coming from their (Exodus's) customers, they step in and do *something* (that something being contacting the customer, and severing connectivity if the problems do not cease in a reasonable amount of time), rather than just ignoring this entirely. Am I being too idealistic here? I guess this is more an issue of NSP policy/responsibility/expectations than of Exodus suckage...
You are wrong.
All I want is, when such obvious and widespread abuse is coming from their (Exodus's) customers, they step in and do *something* (that something
^^^^^^^^^ - should be BOXES! It's a matter.

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
Hello,

Let's go through this...

On Wed, Nov 18, 1998 at 08:53:04AM -0500, Adam Rothschild wrote:
All I want is, when such obvious and widespread abuse is coming from their (Exodus's) customers, they step in and do *something* (that something being contacting the customer, and severing connectivity if the problems do not cease in a reasonable amount of time), rather than just ignoring this entirely. Am I being too idealistic here?
Let's see.. you don't count hours of time put in by the NOC and the Engineering teams to assemble logs, consult other parts of the company, contact the customer and get permission to disconnect his machine as doing something? I'm trying to figure out exactly what you want, and I'm having a lot of trouble. It's been VERY clearly stated here that the machine was offline relatively soon after the first contact was made to the Exodus NOC. I guess you think this is magic, the machine simply disconnected itself and the problem resolved?

Exodus will not reveal anything else about this situation, just like they would not reveal anything else if this had been you, or any other customer who had been compromised. If the customer feels the need to comment, that is fine.

The fact of the matter is, I've been on the other side of WAY TOO MANY attacks to think that Exodus did nothing. The sheer number of compromised machines on the Internet at this time is mind boggling. I personally easily shut down 10 to 20 machines a week, on my own time, by contacting and educating system admins. But there are machines that have been compromised for months and are STILL active; now THAT I would call not doing something.

I'm noticing you are not commenting on the other machines that are/were hitting you. Maybe it's time to turn to an operational view on these postings and talk about how well those are/have been handled. I'd like to see exactly how responsive everyone else is, and if you have been able to get machines shut down in less than 3 hours.
I guess this is more an issue of NSP policy/responsibility/expectations than of Exodus suckage...
--
: Steven Noble / Network Janitor / Be free my soul and leave this world alone :
: My views = My views != The views of any of my past or present employers :
Adam Rothschild wrote:
All I want is, when such obvious and widespread abuse is coming from their (Exodus's) customers, they step in and do *something* (that something being contacting the customer, and severing connectivity if the problems do not cease in a reasonable amount of time), rather than just ignoring this entirely. Am I being too idealistic here?
I guess this is more an issue of NSP policy/responsibility/expectations than of Exodus suckage...
If an NSP refuses to do anything about a problem, I'm sure you would want to take technical steps yourself (if you haven't already). In many cases the steps you can take are limited and cannot fully correct the problem. For instance, if the problem is bandwidth consuming the line in, it may still do that even if you filter.

What my question is, is what do you consider to be an appropriate level of black-holing in the case of a customer of an NSP or ISP being the source, but you cannot find any info about the source, and the NSP or ISP won't cooperate. Is it appropriate to black-hole the whole NSP or ISP and tell your customers that the problem is at the other end and they (the other NSP/ISP) refuse to address the issue?

What I am wondering is, what does it take to make them pay attention.

--
Phil Howard KA9WGN
Inturnet, Inc. | Director of Internet Services
Business Internet Solutions | eng at intur.net
philh at intur.net
participants (11)
- Adam Rothschild
- Alex P. Rudnev
- alex@nac.net
- alex@relcom.EU.net
- Bret McDanel
- Henry Linneweh
- Jon Green
- Phil Howard
- Richard Irving
- Steve Noble
- TTSG