On Tue, 17 Oct 2000, Michael Weiser wrote:

> I'm administering some Linux machines permanently connected to the
> internet which I'm trying to protect reasonably. Therefore I
> disable unneeded services, keep software up-to-date, run a packet
> filtering firewall and use an intrusion detection and protection
> tool (snort).

You probably also want to add PortSentry to that list, so that any detected scans automatically result in the source IP being completely blocked by the firewall, and LogWatch, so that you get notified of problems.

> No problem so far but unfortunately a lot of sysadmins don't seem
> to feel responsible until someone sues them.

That can be the case with smaller ISPs or one-person domains, where the domain contact owns the scanning system and is doing the scanning. Unless the domain from which the scans originate is recognizable as being a large (i.e. responsible - we hope) ISP, also send a complaint to their upstream provider.

There are two tools that can allow you to determine this fairly easily: netblock WHOIS lookups, and traceroute.

For netblock WHOIS lookups, visit http://www.arin.net/ and follow the WHOIS links. Type the offending IP address into the query and you'll be told who the registered owner is - you may be redirected to RIPE (EU), APNIC, JPNIC, etc. This will typically report a big ISP or backbone provider owning a large (class-A or class-B) block, and possibly also a smaller ISP or company that owns the class-C or smaller netblock containing the address. Notify both, using <[EMAIL PROTECTED]> and any contact addresses given in the netblock registrations. If the notification bounces, forward it to <[EMAIL PROTECTED]> and politely suggest that they add an "abuse" alias. (And set one up now for whatever domains *you* control.)

Run traceroute to the offending address (or its off-by-one neighbor if your firewall has blocked it) and note the hostnames just before the end of the trace.
If they match what appears to be a major ISP (e.g. some.router.uu.net) then send a copy of the complaint to their abuse address as well (e.g. [EMAIL PROTECTED]). The WHOIS stage may have covered this, but it's a good cross-check.

US and EU ISPs have the contact information readily available and are generally cooperative in shutting the offenders down. It gets annoying when you try to track down some bozo in China or Korea; APNIC for many Chinese domains and especially KRNIC is ... unhelpful ... at least, they assume you want to telephone rather than send email to the domain contacts.

> Therefore I'd like to send out a carefully researched mail filled
> with some paragraphs to make 'em think. But since I'm a complete
> idiot at legal issues I don't want to do it myself and prefer some
> already better done work of someone who knows what she is speaking
> about. :)
>
> So my (frequently asked, I fear) question is: Can someone help me
> out with such a text, some facts or a starting point for a search?
> I'd especially be interested in German and American law since I
> and the machines in question are situated in Germany and most
> attacks come from American networks.

Legal threats in the first contact message are a good way to get your complaint ignored. Instead, your first contact should be written from the assumption that the administrators of the remote network aren't aware the scanning is happening, and would really like to hear about it so they can correct the problem, fix a security hole in *their* network, and punish the offender. It's much better to start off with a cooperative stance than a confrontational stance, and in the long run it's the only way to make things really work - we're all cooperating to make sure the Internet is reliable and secure for everyone, y'know?

And if a little guy ignores you, talk to his backbone provider. You may get his service terminated for TOS violations...
(evil grin)

I have a boilerplate message (attached) that I use in complaints. It says I don't enjoy being scanned and consider it a prelude to an attack. I give some background information in case the guy at the other end isn't as familiar with this activity as I am, and I politely ask that they investigate the problem and educate the offender (remember, it *may* be a college freshman trying out his new toy, in which case polite education is better than a flame).

There are some paragraphs I snip if they aren't appropriate to the particular situation (i.e. if the port scan originates from ports above 1024 I snip the privileged-port paragraph), and some bits (e.g. RPC vs. DNS scans) that I change depending on what's being scanned.

I forward a portion of the log showing the scans along with this message to the domain contacts that I glean using the above methods.

One last thing: for the logs to be useful to anyone else, or useful to you should you decide to prosecute, your firewall's system clock *must* be synchronized to a reliable, accurate time source. Learn about and install xntpd; ntpdate or some other one-time sync tool run daily from crontab is not good enough.

Anybody else have any suggestions?

--
John Hardin KA7OHZ ICQ#15735746
http://www.wolfenet.com/~jhardin/ [EMAIL PROTECTED]
pgpk -a finger://gonzo.wolfenet.com/jhardin
 768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
12 days until Daylight Savings Time ends
...etc. ad nauseam.

I do not appreciate being scanned for RPC servers, and I consider it a prelude to an attack. Please contact the administrator of this system and educate them about proper network etiquette and Terms of Service.

Further, there has been a large amount of server scanning recently. Please notify the administrator of this system that it is possible they have been cracked and are now being used without their knowledge to scan for other vulnerable systems. The fact that this scan originates from a privileged port strongly indicates that the system has been cracked, or is being administered by a rogue.

All times are synchronized, U.S. Pacific time zone. My system logs are available to you upon request.

The following pages may be of interest:

http://www.cert.org/current/current_activity.html
http://www.cert.org/advisories/CA-2000-17.html
http://www.cert.org/advisories/CA-2000-03.html
http://www.cert.org/advisories/CA-99-14-bind.html
http://www.cert.org/advisories/CA-98.05.bind_problems.html
http://www.cert.org/advisories/CA-99-16-sadmind.html
http://www.cert.org/advisories/CA-99-12-amd.html
http://www.cert.org/advisories/CA-99-08-cmsd.html
http://www.cert.org/advisories/CA-99-05-statd-automountd.html
http://www.cert.org/advisories/CA-98.12.mountd.html
http://www.cert.org/advisories/CA-98.11.tooltalk.html
http://www.cert.org/vul_notes/VN-98.03.WinGate.html

All traffic from the scanning system is being blocked. If the scanning system happens to be your email gateway you will not be able to send email to the aproposretail.com domain. In that case, please contact me at <[EMAIL PROTECTED]>, which is my personal email address.

Thank you.
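The workflow the message above describes (pull the scan lines out of the firewall log, group them by source, decide whether the privileged-port paragraph applies, name the service being scanned, and address the note to the netblock owner's abuse alias) as an added example. This is not code from the original post or its attachment. It assumes netfilter-style `SRC= DST= PROTO= SPT= DPT=` log lines (the sample lines are constructed), that the registered owner's domain has already been found with a netblock WHOIS lookup and is passed in as `owner_domain`, and it uses a shortened stand-in for the author's boilerplate; the port-to-service table and the `abuse_contacts` helper are assumptions made for the example. The privileged-port test is the general rule the post states in one instance: source ports below 1024.

```python
"""Added example: turn firewall log lines into a scan-complaint body.

Not code from the original post. Assumptions (constructed for the example):
  * log lines use the netfilter/iptables "SRC= DST= PROTO= SPT= DPT=" style;
  * the owner's domain was already found via netblock WHOIS (owner_domain);
  * the boilerplate paragraphs are a shortened stand-in for the attachment.
"""
import re
from collections import defaultdict

# Constructed sample log: one host sweeps three of our addresses for the
# portmapper (111) from a privileged source port; another probes DNS (53)
# from high ports.
SAMPLE_LOG = """\
Oct 17 03:14:22 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=111 DPT=111 SYN
Oct 17 03:14:22 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=111 DPT=111 SYN
Oct 17 03:14:23 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=111 DPT=111 SYN
Oct 17 05:40:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=40512 DPT=53
Oct 17 05:40:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.11 PROTO=UDP SPT=40513 DPT=53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) .*?SRC=(?P<src>[\d.]+) .*?DST=(?P<dst>[\d.]+) "
    r".*?PROTO=(?P<proto>\w+) .*?SPT=(?P<spt>\d+) .*?DPT=(?P<dpt>\d+)"
)

# Assumed mapping from destination port to the wording used in the complaint
# (the post changes this bit by hand, e.g. "RPC" vs. "DNS" scans).
SERVICE_NAMES = {111: "RPC servers", 53: "DNS servers", 21: "FTP servers"}
PRIVILEGED_PORT_LIMIT = 1024  # source ports below this need root on a Unix box


def parse_log(text):
    """Group matching log lines by source IP, keeping the fields we need."""
    scans = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated kernel/daemon noise in the same log
        d = m.groupdict()
        scans[d["src"]].append({
            "ts": d["ts"], "line": line, "dst": d["dst"], "proto": d["proto"],
            "spt": int(d["spt"]), "dpt": int(d["dpt"]),
        })
    return scans


def abuse_contacts(owner_domain):
    """Addresses to try for the netblock owner: abuse@ first, postmaster@ as
    the fallback the post suggests when the abuse alias bounces."""
    return ["abuse@" + owner_domain, "postmaster@" + owner_domain]


def build_complaint(src, entries, owner_domain, tz="U.S. Pacific"):
    """Compose the message, keeping only the paragraphs that apply."""
    dports = sorted({e["dpt"] for e in entries})
    service = SERVICE_NAMES.get(dports[0], "port %d" % dports[0])
    # Snip the privileged-port paragraph unless *every* probe came from <1024.
    privileged = all(e["spt"] < PRIVILEGED_PORT_LIMIT for e in entries)
    paras = [
        "I do not appreciate being scanned for %s, and I consider it a "
        "prelude to an attack." % service,
        "Please contact the administrator of this system and educate them "
        "about proper network etiquette and Terms of Service.",
    ]
    if privileged:
        paras.append(
            "The fact that this scan originates from a privileged port strongly "
            "indicates that the system has been cracked, or is being administered "
            "by a rogue.")
    paras.append("All times are synchronized, %s time zone. Log excerpt follows." % tz)
    paras.append("\n".join(e["line"] for e in entries))  # the forwarded log portion
    targets = len({e["dst"] for e in entries})
    return {
        "to": abuse_contacts(owner_domain),
        "subject": "Port scan from %s against %d of my hosts" % (src, targets),
        "body": "\n\n".join(paras),
        "privileged": privileged,
    }


if __name__ == "__main__":
    for src, entries in parse_log(SAMPLE_LOG).items():
        msg = build_complaint(src, entries, "example.net")  # domain from WHOIS
        print("To:", ", ".join(msg["to"]))
        print("Subject:", msg["subject"])
        print(msg["body"], end="\n\n")
```

The lead-in parse keeps the original log lines verbatim so the recipient sees exactly what the firewall recorded; only the time-zone sentence in the body makes those timestamps meaningful, which is why the post insists on an NTP-synchronized clock.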