Report Attacks

Hey,

I haven't been attacked, but i'm just wondering are they ne other sites other than dshield to report attacks or is deshied the best place for that? Another thing is, wut steps must be taken to be able to report to them. I know u need to show ur logs. If ne one knows wuts the best method to report a hacker, plz post a message... thanx

 

MyNetWatchman springs to mind. I prefer DSHIELD though. I'm sure others will suggest more organisations too.

Test: MyNetWatchman

Paul...why does M.y.N.e.t.W.a.t.c.h.m.a.n come out as MyNethingyman?

 

Well, let me tell you - the term 'mynetthingy' caused me to crack a grin here! Pete

 

Detox - LOL! Pete

 

Re: To Answer Yoda's Question(Report Attacks)

Hi Yoda! If you go to D-Shield's Home Page you will find a bunch of stuff on the left side of the page that will show you how to set-up making reports to them, how to register with them (good idea) etcetera. You can have just about any kind of firewall and still report to them. They are a good outfit. I make reports to them and they have helped me with lots of info needs.

 

Spy- I was right

 

Hey Thanx Guys for all the info.....


For u guys who have used Dshield, how effective were they in stopin these attackers? Umm do u have to submit ur reports on a regular bases, or can u just email them when u have attacks? One more other thing, could it be a coincidence if u get ping for subseven port or ne other trojan port that it is an attack, cuz i have been alerted by my firewall before for subseven, and should i be taking attaction?

 

Oh...!!! MY!!!!!

 

Hi Discogail - I was just about to post a very diplomatic answer to your question as it stood 2 minutes ago - when you went all shy...........

 

It is something like a "thingy"...but you have innies and outies.

Oh MY goodness

 

I never heard that before.......
Never!!!!

 

hey paul,

I've been getting recently and enormous amount of activity lately than i usually do. I've been getting port scan for Subseven 2.1/2.2, and it has happen about 10 times within the last two days. I know wut u said before, that i shouldn't be concern to much, but i'm gettin hella annoyed lol about being alert... some wut i feel like i should be telling Dshield so they will catch these guys. Aren't these guys doing malicious activity, so shouldn't we report them? Some wut i'm disapoint in ur response paul "I wouldn't bother if i were u," as head of this security site i would of thought u would want me to report them lol. Maybe u were thinking about it probably being usesless and to much trouble to go throught with it...

P.S. Paul i'm not tryin to verbally attack u, i'm am very thankful for ur response to my post the last couple of weeks... they have been very helpful.

 

Hi YODA! If you feel concerned about this, by all means report it to D-Shield. If you've registered with them, then you can login and see the results of the reports you have sent and what their danger levels are. If they are dangerous (red) then you can use the Fightback option. D-Shield will then inform the source IP's that they are infected or breaking the rules.

Paul did say:

I'm one of the "others." There's a lot of stuff on the Net that is "intrusive" but entirely benign. Paul has a lot of experience and really does know what he's talking about.

But, like I said, if you are concerned then by all means check it out for your own learning and peace of mind.

 

Here's my take on why you SHOULD report (through Dshield, ARIS or myNetWatchman (me)):

http://www.mynetwatchman.com/vision.htm


I don't advise folks to bother reporting issues directly to ISPs...there are just too many false positives and unless you are really interested in investing the time to learn how to do it right, it's just not worth it for anyone involved:

Here's my Guide to reporting:

http://www.mynetwatchman.com/scanguide.htm

I do pretty much what Dshield does, but my focus is on escalating issues...currently I send about 1 escalation a minute, 24x7. Many ISPs have setup priority queues for my alerts because they know I am relentless about minimizing false positives and thus my email is almost certainly real.

 

MyNetwatchman

if I may....just being curious....do you have a means of judging your success rate....an if so......could you please advise of its status.

thank you

snowman

 

Sorry for the delay..I haven't figured out how to get a list of active posts on this forum...hard to keep track.

myNetWatchman sends about 75,000 escalation emails/month:

http://www.mynetwatchman.com/rpt_EscalationsbyDate.asp

There are two general targets of these messages:

I. Large ISP abuse departments

I'd estimate that about 90% of the messages go here as most security abuse issues are due to worm infections of consumer Internet users (Code Red, Nimda, Spida, etc...).

Some ISPs send auto-replies for all submitted complaints...so you can at least verify that the alerts are *delivered*...but that doesn't necessarily mean they are acted upon. Even if you get an auto-reply in 30 seconds...it can often be 1 - 4 WEEKS before your complaint is reviewed.

Here's the perfect example:
http://www.mynetwatchman.com/mynetwatchman/ListIncidentActivity.asp?IncidentId=4832687

..eight WEEKS...but hey...at least they communicated...that's an improvement above many.

ISPs have a fixed abuse staff size, but highly variable surges in complaints as SPAM and worm infections happen (I expect Spida made a miserable summer for all).

A very small number (< 5%) of ISPs actually send 'resolution' notices..e.g. Customer has been warned...or 'unspecified action taken'. However, you can't really know if the action that you were told was actually taken...I often see 'customer warned' responses...yet the save source IP will generate 3-4 incidents over the next 2 months. I can only concluded that either the ISP isnt' doing what they say, or (more likely) the user is an idiot and re-infecting themselves.

I talk regularly with most major ISPs in the US...most DO seem to care and seem to take notifications seriously...they seem intent on taking action and educating their customers. My only dissapointment is that how *long* this process takes doesn't seem to be too important (and thier management gives them no support to do it faster and more efficient). I'm sorry when I tell an ISP that Customer X is infected with Spida, I find it pretty stupid that the customer may not be notified of that until 4 WEEKS later.


II. Small companies, academic, etc.

When the ISP Abuse dept is removed from the picture, the system is MUCH more effective. I receive dozens of emails/day from administrators who get our alerts and are extremely appreciative for the heads up...if only every Individual Internet user had their own Whois record!

On the down side, Whois contact info for small organizations is ridiculously out-of-date...so it is often hard to determine where to send these messages..I expect 50% more of Whois contact emails in these situations are invalid. Often the area-codes for the phone numbers aren't even valid any more. Company acquisitions are not reflected...it's a mess.


All I know is that some DO get the message and the impact is extremely positive. ISPs love the messages from my system, cause I make it extremely easy for them and make sure I don't send them nonsense incidents. The delays in getting the messages to the end-users is excruciating, but I truely believe that it does help get the word out and reduce the overall infection level.

 

MyNetW


thank you for taking the time to reply....appreciated.


snowman

 

Hi MyNetWatchman! Just curious, but who sets up the Whois records? Why aren't these reviewed and updated? Isn't this like the phone books are to phone companies? Addresses to Post Offices? Would it be possible to have a nonprofit outfit setup to do this kind of work? Wouldn't that contribute to the Internet community? As I said, I'm just curious. (Don't kill this cat.)

 

I'm most concerned with *domain* Whois records. For North America this is maintained by ARIN (hence whois.arin.net).

It is ultimately the person who requests IP address space from ARIN to update their whois info...the problem is that the ARIN system has no mechanisms (to my knowledge) to:

1) Associate an IP address range with a responsible *domain*
(they sometimes list a contact email address...but figuring out which domain they are associated with is often non-trivial).

2) Validate info initially submitted

Some are allowed to submit contact emails of: 'noone@nowhere.net'
and phone numbers of 123-456-7890

3) Proactively get updated information as things change


The real problem is that there are no consequences (e.g. your IPs are dropped from routing tables) if you fail to keep your contact info up to date...as a result many leave stale info there.

IMHO, this creates a serious security problem as it disrupts attempts to notify system owners when the Internet community detects a security problem with their system.

Similar problem exist with the other NICs around the world (RIPE, APNIC, KRNIC, etc..)..

 

Excerpt from: http://www.samspade.org/d/firewalls.html

"But, but, but reporting these alerts to network administrators will help them catch crackers!"

"Uhm, no. I know a whole bunch of network security and abuse staff. The response to any complaint with ZoneAlarm, BlackIce etc logfiles in it is to close the ticket, usually with an annotation like 'GWF' (Goober with Firewall). 99% of those reports are frivolous, about normal network traffic. In the remainder of cases there's nowhere near enough data in the logfiles to provide any idea of why the end user is upset. If you send frivolous complaints that just wastes the time of the staff receiving them and prevents them from handling real security issues. How do you tell if a complaint is frivolous? If the sender doesn't understand basic networking, it's almost certainly frivolous. If the sender is complaining based on 'personal firewall' logs, it's definitely frivolous.

The abuse desk staff I talk with hate users of 'personal firewalls' more than they hate spammers. That should tell you something about how useful your complaints will be."

*****************

Third party org.'s like D-Shield sort the relevant from the BS, so useful if you’re really concerned – but understanding the concern seems to be the theme in some circles.