RE: Nimda et.al. versus ISP responsibility

From: Homer Wilson Smith (homerat_private)
Date: Thu Sep 27 2001 - 13:17:00 PDT


       As an ISP I am torn.
    
       Presently I am garnering IPs of Nimda requests and periodically
    putting them into our 7206 ACL lists.  I regather every day or so,
    to allow fixed machines back in.  This was a purely self-defense
    measure as our own web server was vastly overloaded by this worm.
    
       As an indirect end result, however, everyone else on our system,
    colo's, DSL's, dialups, are also protected from the worm.
    
       Don't know if this is a bad thing or not.
    
       One person recommended putting in a
    Redirect *.cmd.exe http://127.0.0.1
    
       or some such
    
       to get the offending machines to spin in on themselves.  That
    also seems to work in that it ties up the offending machines without
    actually blocking them.
    
       Ethics issues abound.
    
       Homer
    
    
    
    ------------------------------------------------------------------------
    Homer Wilson Smith   Clean Air, Clear Water,  Art Matrix - Lightlink
    (607) 277-0959       A Green Earth and Peace. Internet Access, Ithaca NY
    homerat_private  Is that too much to ask? http://www.lightlink.com
    
    On Thu, 27 Sep 2001, Tracy Martin wrote:
    
    > Let me toss in my perspective as an "end user"...
    >
    > I would rather have my ISP call me up and say "You've got something on your
    > system that's sending out crap - get it off or lose your connection. Call me
    > back before close of business today and tell me which it's going to be" than
    > to have them implement filters and possibly mess up my connectivity with
    > them.
    >
    > And, in simple point of fact, the above has happened to me. I got caught out
    > with something (don't know what it was, don't care what it was) in late June
    > / early July and got the call above. I took all my local systems off the
    > network, and formatted and reinstalled them, then put data back from backup
    > as needed. I told the ISP when they called what I was going to do, and they
    > were fine with that. So, it took me a weekend of working to get everything
    > back in place, and updated with all the latest patches (including the ones I
    > had missed). Small price to pay to learn what I should have already known,
    > and to keep my connectivity open so that *I* can decide what comes into my
    > network, not someone who I will never see face-to-face.
    >
    > Of course, we all know that "Great Aunt Sadie" will likely not be able or
    > willing to do this, so providing a choice would be great. But make sure the
    > choice is available, please.
    >
    > > -----Original Message-----
    > > From: Adcock, Matt [mailto:Matthew.Adcockat_private]
    > > Sent: Thursday, September 27, 2001 13:57
    > > To: 'lucpat_private'; incidentsat_private
    > > Subject: RE: Nimda et.al. versus ISP responsibility
    > >
    > >
    > > <quote>
    > >   I think we all agree that connecting an unpatched IIS machine to the
    > > open Internet is acting irresponsibly. Most AUP's already prohibit
    > > spamming, port scanning etc. (at least on paper). Why not include
    > > "infection through negligence" as a reason for suspension? Maybe with a
    > > reasonable grace period the first time.
    > > </quote>
    > >
    > > I agree that the end administrator is ultimately responsible.  The ISPs
    > > could also help by filtering this traffic.  It would take an
    > > infrastructure upgrade that would end up costing the consumer, but I
    > > personally would be willing to pay a little more.  Maybe give users a
    > > choice between being on a filtered network or an open network?
    > >
    > >
    > > ------------------------------------------------------------------
    > > ----------
    > > This list is provided by the SecurityFocus ARIS analyzer service.
    > > For more information on this free incident handling, management
    > > and tracking system please see: http://aris.securityfocus.com
    > >
    > >
    >
    >
    >
    
    
    



    This archive was generated by hypermail 2b30 : Thu Sep 27 2001 - 13:45:49 PDT
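
The collect-and-regather cycle Homer describes (pull the source IPs of Nimda requests from the web server log, load them into a router ACL, rebuild the list daily so cleaned machines drop out) can be sketched as follows. This is an added example, not code from the original post; the Common Log Format input, the `cmd.exe`/`root.exe` markers, ACL number 101, the 24-hour window and the sample log lines are all assumptions of the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Path fragments treated as Nimda probes (assumption of this example).
NIMDA_MARKERS = ("cmd.exe", "root.exe")
# Common Log Format: client, ident, user, [timestamp], "METHOD path ...".
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD|POST) (\S+)')

# Constructed sample log using documentation-range addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Sep/2001:12:58:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289
192.0.2.10 - - [27/Sep/2001:12:58:02 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297
198.51.100.7 - - [27/Sep/2001:13:01:44 -0400] "GET /index.html HTTP/1.0" 200 5120
203.0.113.99 - - [25/Sep/2001:09:14:30 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 287
198.51.100.23 - - [27/Sep/2001:13:10:09 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
"""
NOW = datetime(2001, 9, 27, 13, 17)  # constructed "current time" for the sample


def offending_ips(log_text, now, window_hours=24):
    """Return IPv4 sources of Nimda-style requests seen inside the window."""
    cutoff = now - timedelta(hours=window_hours)
    hits = set()
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        client, stamp, path = m.groups()
        try:
            ip = ipaddress.IPv4Address(client)
            # The zone offset is ignored: all entries are assumed to share one zone.
            seen = datetime.strptime(stamp.split()[0], "%d/%b/%Y:%H:%M:%S")
        except ValueError:
            continue  # hostname instead of an address, or a malformed timestamp
        # Entries older than the window are skipped, so a machine that has
        # stopped probing falls off the list at the next rebuild.
        if seen >= cutoff and any(k in path.lower() for k in NIMDA_MARKERS):
            hits.add(ip)
    return [str(ip) for ip in sorted(hits)]


def acl_lines(ips, acl_number=101):
    """Render a Cisco IOS extended ACL, rebuilt from scratch on every run."""
    lines = [f"no access-list {acl_number}"]
    lines += [f"access-list {acl_number} deny ip host {ip} any" for ip in ips]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    print("\n".join(acl_lines(offending_ips(SAMPLE_LOG, NOW))))
```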