Report Attacks

Discussion in 'other security issues & news' started by YODA, Jul 12, 2002.

Thread Status:
Not open for further replies.
  1. YODA

    YODA Guest

    Hey,

    I haven't been attacked, but I'm just wondering: are there any other sites other than DShield to report attacks, or is DShield the best place for that? Another thing is, what steps must be taken to be able to report to them? I know you need to show your logs. If anyone knows what the best method is to report a hacker, please post a message... thanks
     
  2. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    MyNetWatchman springs to mind. I prefer DSHIELD though. I'm sure others will suggest more organisations too.

    Test: MyNetWatchman

    Paul...why does M.y.N.e.t.W.a.t.c.h.m.a.n come out as MyNethingyman? o_O
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Checkout,

    We are very strict in regard to badmouthing - the heuristics used go that far, even dirty thoughts will trigger heuristics! Now, what were you thinking while typing/posting your reply o_O :D

    LOL! - no kidding: has to do with the "censored word" settings; beats me at the moment, but I'll check..

    regards,

    paul
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Well, let me tell you - the term 'mynetthingy' caused me to crack a grin here! :D Pete
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Detox - LOL! Pete
     
  6. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    Re: To Answer Yoda's Question(Report Attacks)

    :) Hi Yoda! If you go to D-Shield's Home Page you will find a bunch of stuff on the left side of the page that will show you how to set up making reports to them, how to register with them (good idea), etcetera. You can have just about any kind of firewall and still report to them. They are a good outfit. I make reports to them and they have helped me with lots of info needs.
     
  7. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Spy- I was right :D
     
  8. YODA

    YODA Guest

    Hey, thanks guys for all the info..... ;)

    For you guys who have used DShield, how effective were they in stopping these attackers? Umm, do you have to submit your reports on a regular basis, or can you just email them when you have attacks? One more thing: could it be a coincidence if you get pinged on the SubSeven port or any other trojan port, or is it an attack? Because I have been alerted by my firewall before for SubSeven, and should I be taking action?
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    YODA,

    I'm not familiar with DShield personally (eg not using it), so I'll leave that one up to others.

    As for:

    You aren't attacked; it's a port scan - probably not aimed at you, but at an IP range. As it seems, your firewall is doing the job; I wouldn't bother if I were you. Forget about it - and focus on suspicious outbound alerts.

    regards.

    paul
     
  10. discogail

    discogail Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    151
    Oh...!!! MY!!!!!
     
  11. bubs

    bubs Registered Member

    Joined:
    Apr 28, 2002
    Posts:
    106
    Location:
    Suffolk, England
    Hi Discogail - I was just about to post a very diplomatic answer to your question as it stood 2 minutes ago - when you went all shy........... :oops:
     
  12. It is something like a "thingy"...but you have innies and outies.

    Oh MY goodness ;)
     
  13. discogail

    discogail Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    151
    I never heard that before.......
    Never!!!!
     
  14. YODA

    YODA Guest

    Hey Paul,

    I've been getting an enormous amount of activity recently, more than I usually do. I've been getting port scans for SubSeven 2.1/2.2, and it has happened about 10 times within the last two days. I know what you said before, that I shouldn't be too concerned, but I'm getting hella annoyed lol about being alerted... somewhat I feel like I should be telling DShield so they will catch these guys. Aren't these guys doing malicious activity, so shouldn't we report them? Somewhat I'm disappointed in your response Paul, "I wouldn't bother if I were you"; as head of this security site I would have thought you would want me to report them lol. Maybe you were thinking about it probably being useless and too much trouble to go through with it...

    P.S. Paul, I'm not trying to verbally attack you, I am very thankful for your responses to my posts the last couple of weeks... they have been very helpful.
     
  15. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    Hi YODA! If you feel concerned about this, by all means report it to D-Shield. If you've registered with them, then you can log in and see the results of the reports you have sent and what their danger levels are. If they are dangerous (red) then you can use the Fightback option. D-Shield will then inform the source IPs that they are infected or breaking the rules. ;)

    Paul did say:
    I'm one of the "others." There's a lot of stuff on the Net that is "intrusive" but entirely benign. Paul has a lot of experience and really does know what he's talking about.

    But, like I said, if you are concerned then by all means check it out for your own learning and peace of mind. :)
     
  16. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi YODA,

    10 sub7 port scans are below the average I get on an hourly basis on this system ;).

    If you feel better reporting these, by all means do so. My point is: only script kiddies will (possibly) be tracked down this way - or compromised systems belonging to owners who don't have a clue their system is infected with a sub7 server, having their systems abused by the real probers. In that last scenario, it might well be innocent system owners, having a sub7 server installed without knowing it, who will be targeted by their ISP - possibly losing their account. The real probers, i.e. the ones running the client part, will get away with it, simply hopping to another innocent infected system.

    Bottom line: in case of script kiddies probing from their own system, reporting might end up in ISPs ending their account (and them setting a new account up within an hour using another ISP). In case of more knowledgeable probers: they will never come into the picture.

    Hope this clarifies my previous statement ;)

    No prob here; it takes quite a bit more to attack me - and if it's with reason, I'll learn from it! Never felt your comment as an attack in any way ;).

    regards.

    paul
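    Paul's two replies above (posts 9 and 16) boil down to a triage rule: inbound probes that your firewall already dropped are noise unless they form a pattern worth handing to DShield, and outbound alerts are the ones to look at first. The script below is an added example, not code from this thread or from DShield/myNetWatchman, that applies that rule to a handful of constructed firewall log lines. The log line layout, the SCAN_THRESHOLD value and the small trojan-port table are assumptions made for the example; real personal firewalls each use their own format, so the parser is the part you would adapt.

```python
"""Triage personal-firewall log lines before deciding what to report.

Added example for this thread; not the code of any firewall or reporting
service. The log layout below is constructed for the example:
    <date> <time> <in|out> <drop|allow> <proto> <src>:<sport> -> <dst>:<dport>
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed table of ports probed for remote-access trojans of the period.
# 27374 is SubSeven's default, the one the thread is about.
TROJAN_PORTS = {27374: "SubSeven", 12345: "NetBus", 31337: "Back Orifice"}

# Assumption: one source hitting this many distinct ports is a port scan,
# as opposed to an automated sweep that only tries one trojan port.
SCAN_THRESHOLD = 5


@dataclass
class Event:
    ts: str
    direction: str   # "in" or "out"
    action: str      # "drop" or "allow"
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_line(line: str) -> Event:
    """Parse one line of the constructed log layout documented above."""
    date, time, direction, action, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Event(f"{date} {time}", direction, action, proto.upper(),
                 src_ip, int(src_port), dst_ip, int(dst_port))


def triage(lines):
    """Group inbound events per source and classify them; separate outbound.

    Returns {"inbound": {src_ip: verdict}, "outbound": [...], "urgent_outbound": [...]}.
    A verdict is only "worth_reporting" when the pattern is more than noise
    AND the firewall blocked every hit, i.e. there is something to show but
    nothing got through.
    """
    inbound = defaultdict(list)
    outbound = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ev = parse_line(raw)
        (inbound[ev.src_ip] if ev.direction == "in" else outbound).append(ev)

    verdicts = {}
    for src, evs in inbound.items():
        ports = sorted({e.dst_port for e in evs})
        trojans = sorted({TROJAN_PORTS[p] for p in ports if p in TROJAN_PORTS})
        if len(ports) >= SCAN_THRESHOLD:
            kind = "port scan"            # one source walking many ports
        elif trojans:
            kind = "trojan-port probe"    # likely an automated sweep or infected host
        else:
            kind = "background noise"     # e.g. stray NetBIOS name queries
        all_blocked = all(e.action == "drop" for e in evs)
        verdicts[src] = {
            "kind": kind, "ports": ports, "hits": len(evs), "trojans": trojans,
            "all_blocked": all_blocked,
            "worth_reporting": kind != "background noise" and all_blocked,
        }

    # Outbound traffic to a trojan port means YOUR host is talking to a
    # trojan server or running one; that is what to investigate first.
    urgent = [e for e in outbound if e.dst_port in TROJAN_PORTS]
    return {"inbound": verdicts, "outbound": outbound, "urgent_outbound": urgent}


# Constructed sample log (documentation-range addresses), not a real capture.
SAMPLE_LOG = """\
# constructed sample lines
2002-07-12 09:10:11 in drop TCP 203.0.113.7:3241 -> 198.51.100.20:27374
2002-07-12 09:10:12 in drop TCP 203.0.113.7:3242 -> 198.51.100.20:27374
2002-07-12 09:30:05 in drop TCP 203.0.113.9:4000 -> 198.51.100.20:21
2002-07-12 09:30:05 in drop TCP 203.0.113.9:4001 -> 198.51.100.20:22
2002-07-12 09:30:05 in drop TCP 203.0.113.9:4002 -> 198.51.100.20:23
2002-07-12 09:30:06 in drop TCP 203.0.113.9:4003 -> 198.51.100.20:80
2002-07-12 09:30:06 in drop TCP 203.0.113.9:4004 -> 198.51.100.20:139
2002-07-12 10:00:00 in drop UDP 203.0.113.50:137 -> 198.51.100.20:137
2002-07-12 10:05:00 out allow TCP 198.51.100.20:1055 -> 203.0.113.80:27374
2002-07-12 10:06:00 out allow TCP 198.51.100.20:1056 -> 203.0.113.81:80
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for src, v in result["inbound"].items():
        print(f"{src:14} {v['kind']:18} hits={v['hits']} ports={v['ports']} report={v['worth_reporting']}")
    for e in result["urgent_outbound"]:
        print(f"URGENT outbound {e.src_ip}:{e.src_port} -> {e.dst_ip}:{e.dst_port} ({TROJAN_PORTS[e.dst_port]})")
```

    On the sample data the two SubSeven hits from one source come out as a trojan-port probe, the five-port walk as a port scan, the single NetBIOS query as noise, and the one outbound connection to port 27374 is flagged as urgent: the inbound side is the stuff you may choose to send to DShield, the outbound line is the one Paul is telling you to chase.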
     
  17. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    Here's my take on why you SHOULD report (through Dshield, ARIS or myNetWatchman (me)):

    http://www.mynetwatchman.com/vision.htm


    I don't advise folks to bother reporting issues directly to ISPs...there are just too many false positives and unless you are really interested in investing the time to learn how to do it right, it's just not worth it for anyone involved:

    Here's my Guide to reporting:

    http://www.mynetwatchman.com/scanguide.htm

    I do pretty much what Dshield does, but my focus is on escalating issues...currently I send about 1 escalation a minute, 24x7. Many ISPs have setup priority queues for my alerts because they know I am relentless about minimizing false positives and thus my email is almost certainly real.
     
  18. snowy

    snowy Guest

    MyNetwatchman

    If I may....just being curious....do you have a means of judging your success rate....and if so......could you please advise of its status.

    thank you

    snowman
     
  19. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Lawrence,

    Waiting for you to reply on this one; what took you so long? :D

    regards.

    paul
     
  20. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    Sorry for the delay..I haven't figured out how to get a list of active posts on this forum...hard to keep track.

    myNetWatchman sends about 75,000 escalation emails/month:

    http://www.mynetwatchman.com/rpt_EscalationsbyDate.asp

    There are two general targets of these messages:

    I. Large ISP abuse departments

    I'd estimate that about 90% of the messages go here as most security abuse issues are due to worm infections of consumer Internet users (Code Red, Nimda, Spida, etc...).

    Some ISPs send auto-replies for all submitted complaints...so you can at least verify that the alerts are *delivered*...but that doesn't necessarily mean they are acted upon. Even if you get an auto-reply in 30 seconds...it can often be 1 - 4 WEEKS before your complaint is reviewed.

    Here's the perfect example:
    http://www.mynetwatchman.com/mynetwatchman/ListIncidentActivity.asp?IncidentId=4832687

    ..eight WEEKS...but hey...at least they communicated...that's an improvement above many.

    ISPs have a fixed abuse staff size, but highly variable surges in complaints as SPAM and worm infections happen (I expect Spida made a miserable summer for all).

    A very small number (< 5%) of ISPs actually send 'resolution' notices, e.g. 'Customer has been warned' or 'unspecified action taken'. However, you can't really know if the action you were told about was actually taken...I often see 'customer warned' responses...yet the same source IP will generate 3-4 incidents over the next 2 months. I can only conclude that either the ISP isn't doing what they say, or (more likely) the user is an idiot and re-infecting themselves.

    I talk regularly with most major ISPs in the US...most DO seem to care and seem to take notifications seriously...they seem intent on taking action and educating their customers. My only disappointment is that how *long* this process takes doesn't seem to be too important (and their management gives them no support to do it faster and more efficiently). I'm sorry, but when I tell an ISP that Customer X is infected with Spida, I find it pretty stupid that the customer may not be notified of that until 4 WEEKS later.


    II. Small companies, academic, etc.

    When the ISP Abuse dept is removed from the picture, the system is MUCH more effective. I receive dozens of emails/day from administrators who get our alerts and are extremely appreciative for the heads up...if only every Individual Internet user had their own Whois record!

    On the down side, Whois contact info for small organizations is ridiculously out-of-date...so it is often hard to determine where to send these messages..I expect 50% or more of Whois contact emails in these situations are invalid. Often the area codes for the phone numbers aren't even valid any more. Company acquisitions are not reflected...it's a mess.


    All I know is that some DO get the message and the impact is extremely positive. ISPs love the messages from my system, because I make it extremely easy for them and make sure I don't send them nonsense incidents. The delays in getting the messages to the end-users are excruciating, but I truly believe that it does help get the word out and reduce the overall infection level.
     
  21. snowy

    snowy Guest

    MyNetW


    thank you for taking the time to reply....appreciated.


    snowman
     
  22. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    Hi MyNetWatchman! Just curious, but who sets up the Whois records? Why aren't these reviewed and updated? Isn't this like the phone books are to phone companies? Addresses to Post Offices? Would it be possible to have a nonprofit outfit setup to do this kind of work? Wouldn't that contribute to the Internet community? As I said, I'm just curious. (Don't kill this cat.)
     
  23. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    I'm most concerned with *domain* Whois records. For North America this is maintained by ARIN (hence whois.arin.net).

    It is ultimately up to the person who requests IP address space from ARIN to update their whois info...the problem is that the ARIN system has no mechanisms (to my knowledge) to:

    1) Associate an IP address range with a responsible *domain*
    (they sometimes list a contact email address...but figuring out which domain they are associated with is often non-trivial).

    2) Validate info initially submitted

    Some are allowed to submit contact emails of: 'noone@nowhere.net'
    and phone numbers of 123-456-7890

    3) Proactively get updated information as things change


    The real problem is that there are no consequences (e.g. your IPs are dropped from routing tables) if you fail to keep your contact info up to date...as a result many leave stale info there.

    IMHO, this creates a serious security problem as it disrupts attempts to notify system owners when the Internet community detects a security problem with their system.

    Similar problems exist with the other NICs around the world (RIPE, APNIC, KRNIC, etc..)..
     
  24. Rickster

    Rickster Guest

    Excerpt from: http://www.samspade.org/d/firewalls.html

    "But, but, but reporting these alerts to network administrators will help them catch crackers!"

    "Uhm, no. I know a whole bunch of network security and abuse staff. The response to any complaint with ZoneAlarm, BlackIce etc logfiles in it is to close the ticket, usually with an annotation like 'GWF' (Goober with Firewall). 99% of those reports are frivolous, about normal network traffic. In the remainder of cases there's nowhere near enough data in the logfiles to provide any idea of why the end user is upset. If you send frivolous complaints that just wastes the time of the staff receiving them and prevents them from handling real security issues. How do you tell if a complaint is frivolous? If the sender doesn't understand basic networking, it's almost certainly frivolous. If the sender is complaining based on 'personal firewall' logs, it's definitely frivolous.

    The abuse desk staff I talk with hate users of 'personal firewalls' more than they hate spammers. That should tell you something about how useful your complaints will be."

    *****************

    Third-party orgs like D-Shield sort the relevant from the BS, so useful if you're really concerned - but understanding the concern seems to be the theme in some circles.
     