RE: SNMP Scans 02/17/02

From: Dmitri Smirnov (Dmitri.Smirnovat_private)
Date: Wed Feb 20 2002 - 14:35:58 PST


    Aha,
    
    for the last 200 reports we've got 3(!) replies back with confirmation of investigation 
    or with requests for additional log files.
    I have a feeling that ISPs just ignore alerts/reports until you have a legal/criminal case
    against them.
    This is why I'm using ARIS to report (hope it helps everybody/someone to see a global picture) and hope one
    day federal government will such global DB to prosecute attackers/ISPs.
    
    Dmitri.
    
    -----Original Message-----
    From: Security Coordinator [mailto:securityat_private]
    Sent: Tuesday, February 19, 2002 6:51 AM
    To: Peter Johnson; incidentsat_private
    Subject: Re: SNMP Scans 02/17/02
    
    
    On Sunday 17 February 2002 23:23, Peter Johnson wrote:
    >
    > Do you think we should be reporting snmp scans to ISPs
    > or just a waste of time?
    
    Well, one way or another ISPs need to be fingered. I don't see other people 
    in the security community saying much, so maybe it's time someone started. 
    ISPs ARE RESPONSIBLE for a lot of the security problems on the net today. How 
    could someone do SNMP scans of a network unless ISPs let them get away with 
    it? Actually this is a bad example, there is legitimate SNMP traffic and it 
    would be hard for them to know, but then why is it we see so many spoofed 
    packets around? There should be ZERO of them on the net. Every router knows 
    what addresses to expect to be inside vs outside. 
    
    I won't belabour the point, but YES, you should not just report it to the 
    ISP, you should let everyone know where attacks come from. What we REALLY 
    need is a database and system good enough to understand the topology of the 
    net and process attack reports in a sophisticated enough way that we can 
    say things like "if this router was filtering like thus, this would be 
    impossible" and if an ISP won't configure their equipment properly, then they 
    can be held liable. 
    > ==================================================================
    >
    > Peter
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Sat Feb 23 2002 - 04:52:56 PST