Network Security Incidents

Re: What to do if they ignore you

Subject: Re: What to do if they ignore you
Date: Sat, 16 Apr 2005 14:51:57 +1000
I handle the abuse mail & investigation for 12 Class C's and I have to say it's bloody hard
to keep up with worm-infected PCs. At any one time I would imagine we'd have at least
3,000 customers with worm infections; I suspend or contact on average 50 users a day.


I would say I receive about 800 complaints via email
a day, probably about 300 of those are IDS reports for probes on 445 from companies like
D-Shield. Generally most companies consider Network Abuse to be fairly unimportant and
staff it accordingly, I mean, it's not like the role makes the company money, but a service
provider wouldn't last long without it.


Personally I'd be happy if more people took legal action against us for it, maybe then management
would be more interested in actually hiring enough people to handle it. However a friendly letter
to the manager along with copies of the reports you've sent to their abuse team would probably do.


There are a few things that would make dealing with these sorts of things easier:
1. Sending IDS logs in UTC would be easier; converting GMT -07:00 to GMT +10:00 requires
a whole lot more thinking than I'd like to put into a single investigation =P~
2. Sending IDS reports in a nicely formatted way like D-Shield does, so you know where the data
you actually want is.
3. Not putting so much crap about legalities at the top of the email; scrolling is hard work, I get
scroll wheel cramps sometimes.
4. Don't be rude and spout nonsense in your emails, like "STOP YOURS COMPUTORS HAX0RING ME";
as fun as sending back canned replies is, you get a bit sick of it.
5. Threatening to blacklist my IPs is really not going to get you any more attention than anyone else.
6. Don't expect a reply unless it's a really major issue.
7. Don't send me complaints for other bloody companies' IP space goddamnit!


That's all =)

Regards,
Rory
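Rory's first two points above (UTC timestamps and a compact, predictable report layout) in working form, as an added example that is not part of this thread: a small Python normalizer that parses constructed IDS log lines carrying local timestamps with numeric offsets, converts them to UTC, and summarizes port-445 probes per source address. The log line layout, the `SAMPLE_LOG` contents and the addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone, timedelta
import re

# Constructed sample IDS log lines: local timestamp plus numeric UTC offset,
# source, destination and destination port. Addresses are documentation ranges.
SAMPLE_LOG = """\
2005-04-15 23:58:12 -0700 src=192.0.2.10 dst=198.51.100.5 dport=445
2005-04-16 00:03:40 -0700 src=192.0.2.10 dst=198.51.100.7 dport=445
2005-04-16 17:05:01 +1000 src=203.0.113.8 dst=198.51.100.5 dport=445
2005-04-16 00:10:00 -0700 src=192.0.2.10 dst=198.51.100.9 dport=139
"""

# Assumed line layout; adjust the pattern to whatever the IDS actually emits.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<off>[+-]\d{4}) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def to_utc(ts: str, off: str) -> datetime:
    """Turn a local timestamp and a '+HHMM'/'-HHMM' offset into an aware UTC datetime."""
    sign = 1 if off[0] == "+" else -1
    delta = sign * timedelta(hours=int(off[1:3]), minutes=int(off[3:5]))
    local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone(delta))
    return local.astimezone(timezone.utc)

def summarize(log_text: str, port: int = 445) -> dict:
    """Group probes by source IP: count, first/last seen in UTC, distinct targets."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None, "targets": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != port:
            continue  # ignore malformed lines and traffic to other ports
        when = to_utc(m["ts"], m["off"])
        e = summary[m["src"]]
        e["count"] += 1
        e["first"] = when if e["first"] is None else min(e["first"], when)
        e["last"] = when if e["last"] is None else max(e["last"], when)
        e["targets"].add(m["dst"])
    return dict(summary)

def format_report(summary: dict) -> str:
    """One line per source with ISO-8601 'Z' timestamps, so the reader converts nothing."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return "\n".join(
        f"{src} probes={e['count']} targets={len(e['targets'])} "
        f"first={e['first'].strftime(fmt)} last={e['last'].strftime(fmt)}"
        for src, e in sorted(summary.items())
    )
```

Running `print(format_report(summarize(SAMPLE_LOG)))` yields one line per probing source, with the -0700 and +1000 events already on the same UTC clock.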


Skip Carter wrote:

Hello,

My company provides outsource security management/monitoring services.

In early March we noticed that several of our clients that are in the
same /16 block were getting persistent port 445 probes from a couple
of systems from a very large corporation's satellite office which is
on the same /16 block.

I have repeatedly called the company's security manager (on the US east
coast) and talked to people at the company's headquarters (on the US
west coast). They take my information (I have shown them firewall logs,
IDS logs, captured packet traces, and honeypot sessions) but nothing is
done about these probes (typically around 1500/day).

We have black-holed connections from the offending network block, but many
of our clients are small and do not have firewalls with the resources to
handle huge lists of blacklisted networks.

It has been over a month now, and nothing has changed.  They seem to be
unable or unwilling to fix their own systems when they have all the
information they could ask for in order to track the problem down.

Does anybody have any suggestions on what to do to make Goliath behave
when you are David?
