Dynamic IP log retention = 0?

I've been nudging an operator at Covad about a handful of hosts from his DHCP pool that have been attacking - relentlessly port scanning - our assets. I've been informed by this individual that there's "no way" to determine which customer had that address at the times I list in my logs - even though these logs are sent within 48 hours of the incidents.
   The operator advised that I block the specific IPs that are attacking us at my perimeter. When I mentioned the fact that blocking individual addresses will only be as effective as the length of lease for that DHCP pool I get the email equivalent of a shrug.
   "Well, maybe you want to ban our entire /15 at your perimeter..."
   I'm reluctant to ban over 65,000 hosts as my staff have colleagues
all over the continental US with whom they communicate regularly.
   I realize these are tough times and that large ISP's may trim abuse team budgets before other things, but to have NO MECHANISM to audit who has what address at any given time kinda blows my mind.
   Does one have to get to the level of a subpoena before abuse teams pull out the tools they need to make such a determination? Or am I naive enough to think port scans are as important to them as they are to me on the receiving end?

I think your next step is your lawyer. Put all your missives, your
email, your phone conversations, your logs, your auditing results, your
detection troubleshooting and sleuthing trails etc. in a folder, create
a one page summary including any damages you feel might have been caused
(e.g. time, effort, and money spent on this so far) and a timeline, and
make an appointment with your lawyer.

--Patrick Darden

I wouldn't necessarily believe the response from Covad and try to escalate to someone with a bit more clue there...but what's the point in getting lawyers involved? Whatever access isn't supposed to be open should be filtered. Beyond that, you should expect regular scans from random hosts on the net. That's the way it's been for the past 20 or more years, and it's unlikely to stop just because you don't like it. What effect will your lawyers have next week when the 'abusive scans' are coming from Romania, China, Russia, etc.?

If port scans really bother you, then you should setup a system to detect them, and regularly rebuild ACLs/null route lists/etc. to stop them in near real time. AFAIK, Cisco sells such a product, as do other network vendors I'm sure.

but what's the point in getting lawyers involved?

It might convince some pointy-haired person at covad to review the policies and procedures on the abuse desk, maybe.

Whatever access isn't supposed to be open should be filtered.

If you can demonstrate reasonable costs resulting from the behaviour of others, perhaps that's not relevant. Note that in the grand NANOG tradition I say these things without the faintest glimmer of knowledge of the law.

Joe

Brett Charbeneau wrote:

    I've been nudging an operator at Covad about a handful of hosts from his DHCP pool that have been attacking - relentlessly port scanning - our assets.

Port scanning is rather common, and shouldn't be considered "attacking" --
unless it's taking a significant amount of bandwidth.

The latter is a Denial of Service (DoS) attack, and should be reported as
such. I understand that a library might have limited bandwidth.

Often port scanning is followed by an actual attack, ssh attempts, etc.
That's what should be reported.

... I've been informed by this individual that there's "no way" to determine which customer had that address at the times I list in my logs - even though these logs are sent within 48 hours of the incidents.

Now that's just odd, and probably the "operator" at Covad simply doesn't
have access to the logs.

DHCP should be logged. In my experience, the usual practice is to keep
the logs for 3 days, or until the log files roll over.

    Does one have to get to the level of a subpoena before abuse teams pull out the tools they need to make such a determination? Or am I naive enough to think port scans are as important to them as they are to me on the receiving end?

While I applaud your taking security seriously, and your active monitoring
of your resources, other folks might be handling huge numbers of Conficker,
Mebroot, and Torpig infections these days. So, they might be rather busy.

Are your library systems all clean?

You don't seem to have your own ARIN allocation for wrl.org, so it's kinda
hard to tell from here....

AS | IP | AS Name
4565 | 66.200.204.71 | MEGAPATH2-US - MegaPath Networks Inc.
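The lookup the abuse desk claims it cannot do ("which customer had that address at the times I list in my logs") is a join between the reporter's timestamp and the ISP's DHCP server log. The following is an added worked example, not code from anyone in this thread or from any ISP: it parses a few constructed lines in ISC dhcpd's syslog format (the hostnames, MACs, addresses and client names are made up), rebuilds the lease timeline for each address, and answers "who held this IP at this moment?" while also reporting the case the thread is about, a report whose time predates whatever the server still retains. The year and the pool's default-lease-time are assumptions, since syslog stamps carry no year and the log alone does not state the lease length.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in ISC dhcpd's syslog format (not real Covad logs).
SAMPLE_LOG = """\
Mar 10 14:02:11 dhcp1 dhcpd: DHCPACK on 192.0.2.40 to 00:11:22:33:44:55 (cust-a) via eth1
Mar 10 14:02:11 dhcp1 dhcpd: DHCPACK on 192.0.2.41 to 66:77:88:99:aa:bb (cust-c) via eth1
Mar 10 18:30:05 dhcp1 dhcpd: DHCPRELEASE of 192.0.2.40 from 00:11:22:33:44:55 (cust-a) via eth1 (found)
Mar 10 18:31:00 dhcp1 dhcpd: DHCPACK on 192.0.2.40 to aa:bb:cc:dd:ee:ff (cust-b) via eth1
Mar 11 02:15:44 dhcp1 dhcpd: DHCPACK on 192.0.2.40 to aa:bb:cc:dd:ee:ff (cust-b) via eth1
"""

YEAR = 2009                       # syslog stamps carry no year; assumed here
LEASE_TIME = timedelta(hours=12)  # assumed default-lease-time of the pool

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: "
ACK_RE = re.compile(TS + r"DHCPACK on (\S+) to (\S+)")
REL_RE = re.compile(TS + r"DHCPRELEASE of (\S+) from (\S+)")


def parse_ts(stamp):
    """Turn a syslog-style stamp ("Mar 10 14:02:11") into a datetime."""
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def build_timeline(log_text):
    """Return {ip: [(start, end, mac), ...]}.  A lease interval ends at the
    earliest of: an explicit DHCPRELEASE, a DHCPACK of the same IP to another
    MAC, or LEASE_TIME after the last ACK (renewals by the same MAC extend it)."""
    intervals = {}
    open_leases = {}  # ip -> [start, mac, last_ack]

    def close(ip, end):
        start, mac, last_ack = open_leases.pop(ip)
        intervals.setdefault(ip, []).append((start, min(end, last_ack + LEASE_TIME), mac))

    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            ts, ip, mac = parse_ts(m.group(1)), m.group(2), m.group(3)
            cur = open_leases.get(ip)
            if cur and cur[1] == mac and ts <= cur[2] + LEASE_TIME:
                cur[2] = ts          # renewal: same client keeps the lease
                continue
            if cur:
                close(ip, ts)        # address handed to a different client
            open_leases[ip] = [ts, mac, ts]
            continue
        m = REL_RE.match(line)
        if m:
            ts, ip, mac = parse_ts(m.group(1)), m.group(2), m.group(3)
            cur = open_leases.get(ip)
            if cur and cur[1] == mac:
                close(ip, ts)
    for ip in list(open_leases):
        close(ip, datetime.max)      # still open: expires LEASE_TIME after last ACK
    return intervals


def retained_window(log_text):
    """Earliest and latest stamps present: anything earlier has rolled away."""
    stamps = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line) or REL_RE.match(line)
        if m:
            stamps.append(parse_ts(m.group(1)))
    return min(stamps), max(stamps)


def who_had(log_text, ip, at):
    """Answer an abuse report: which MAC held `ip` at datetime `at`?
    Returns the MAC, "no lease recorded" if the logs cover that time but show
    the address unassigned, or "outside retained logs" if the time predates
    what the server still has (the situation this thread is about)."""
    earliest, _ = retained_window(log_text)
    if at < earliest:
        return "outside retained logs"
    for start, end, mac in build_timeline(log_text).get(ip, []):
        if start <= at < end:
            return mac
    return "no lease recorded"


if __name__ == "__main__":
    for stamp in ("Mar 10 15:00:00", "Mar 10 18:30:30", "Mar 10 23:00:00", "Mar  9 12:00:00"):
        print(stamp, "->", who_had(SAMPLE_LOG, "192.0.2.40", parse_ts(stamp)))
```

Two things a practitioner checks before trusting such an answer: the reporter's clock and the DHCP server's clock must agree (a few minutes of skew around a lease hand-off points at the wrong customer), and the gap between a DHCPRELEASE and the next DHCPACK is genuinely "nobody", so a report for that minute has no answer however long the logs are kept.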

While I applaud your taking security seriously, and your active monitoring
of your resources, other folks might be handling huge numbers of Conficker,
Mebroot, and Torpig infections these days. So, they might be rather busy.

  Excellent point. And with dwindling staff levels outgoing worm traffic
may be super low priority for them.
  I know every operation is different - I just wanted to check with the
group before cranking up my level of indignation. =8^)

Are your library systems all clean?

  I believe them to be. I have a Snort-based network intrusion detection
system (using sguil) running with eight taps - and we subscribe to the Snort VRT
rules. That's on top of host-based intrusion (OSSEC) on all of our servers and
critical workstations. And centrally-managed anti-virus (Kaspersky) on all
desktops.

You don't seem to have your own ARIN allocation for wrl.org, so it's kinda
hard to tell from here....

AS | IP | AS Name
4565 | 66.200.204.71 | MEGAPATH2-US - MegaPath Networks Inc.

  Yes - while we handle our own DNS our ISP prefers to mask our ARIN
entry for (their) ease of management. I try to be the anti-salmon with this and
go WITH the flow...

I had long discussions on this with a lawyer ~15 years ago. A "tort"
can arise from failure to do something you have a duty to do. Do ISPs
have a duty to filter against port scans? I've never seen consensus on
that here -- quite the contrary, in many cases.

Now -- the courts can rule that you do have a duty to filter, even if
the industry does not do it. Do we really want to be there, where ISPs
are liable for the actions of their users?

Of course, the attacker -- assuming that a scan is really an attack,
which is itself a controversial question -- is liable. Is the OP
really planning on filing suit? Let me play devil's advocate: how does
Covad know that there were really port scans? Perhaps the logs are
fakes, designed to uncover the name of someone doing file-sharing or
criticizing someone on a blog. Maybe the offended site is a front
for the government of Freedonia, which is trying to track down and
harass (or worse) expatriate dissidents. Note that courts have held
that under the DMCA, at least, the RIAA et al. can't learn alleged
infringers' names via mandatory process (i.e., a subpoena) until they
have actually filed suit for infringement. And of course, if Covad has
a privacy policy, they might be liable to a customer for improper
disclosure of identifying information.

Don't neglect another possibility: the net result of a disclosure is
likely to reveal that the scanning machine is really a bot, in which
case the information is useless to the victim.

So -- be careful what you wish for; you might get it.

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

Covad telling you they don't keep logs is different from them not
really having the logs... but, if they really don't keep logs, they
are posing a risk that FBI or DHS might not be happy with. The feds
will probably be more persuasive than you, so maybe hinting them about
this situation may change something to better.

Rubens

There is no US legal requirement for keeping logs. The FBI et al. may
want you to, and there is a bill before Congress to mandate retention
(and that has been discussed on NANOG -- look for the Subject:
'Legislation and its effects in our world', or you can find the text
itself at http://thomas.loc.gov/cgi-bin/query/z?c111:H.R.1076:) but
there is no legal obligation to keep DHS happy.

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

A quick scan of the reverse mapping for your address space in DNS reveals
that you have basically your entire network on public addresses. No wonder
you're worried about portscans when the printer down the hall and the
receptionists machine are sitting on public addresses. I think you are
trying to secure your network from the wrong end here.

Marcus

It's indeed nice to see people deploying networks the way they were supposed to be built, for once.

Nice troll, though. It has been at least a few weeks since the last "security = NAT" thread exploded in my inbox.

Joe

I apologize to the list for the static - I'm not sure how a question
about log retention morphed into a misinformed critique of my organization's
security posture.

Jon Lewis wrote:

If port scans really bother you, then you should setup a system to detect
them, and regularly rebuild ACLs/null route lists/etc. to stop them in
near real time. AFAIK, Cisco sells such a product, as do other network
vendors I'm sure.

It is pretty easy to do this with pf running on OpenBSD (et al). You can
even set a timeout so that additions to a banned list get removed after
x {hours,days,weeks}

# Table of offenders; "persist" keeps it around even when empty.
# pf requires the angle brackets around a table name.
table <evil> persist { 0.0.0.0 }

# Drop and log anything from a listed source before any pass rule runs.
block in log quick from <evil> to any label "evil"

# A source opening more than 5 new connections in 15 seconds to this unused
# port range is added to <evil>; "flush global" also kills its existing states.
pass in quick proto {tcp,udp} from any to any port 1024:65000 \
  synproxy state \
  (max-src-conn-rate 5/15, overload <evil> flush global)

Pick a port range and/or ip address range combo that you don't have
anything running on for the rule, then as scans take place the offending
IP will be added to the evil table and blocked. OK, there are some
additional details for expiring the evil IPs, and of course your own
network details. But this has worked quite well for me, and I love
checking the evil table from time to time to see who's been naughty.

My best guess is other firewalls can do something similar.

...
alec

--
Alec Berry
Senior Partner and Director of Technology
RestonTech, Ltd.
http://www.restontech.com/
PGP/GPG key 0xE8E9030F  http://alec.restontech.com/#PGP
Phone: (703) 234-2914
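The pf rules above let the kernel do the counting and the expiry. For a firewall that lacks an overload table, or for vetting the idea against your own logs before you enforce it, the same logic can be replayed over a log feed. The following is an added example and is not code from this thread, from pf, or from any vendor product: it reads a few constructed firewall log lines in a hypothetical key=value format (addresses are documentation ranges, not real scanners), bans a source once it has touched a threshold of distinct destination ports within a sliding window, lets bans lapse after a TTL so a dynamic address can come back, and keeps an allowlist of networks that are never auto-banned, which is the answer to the worry about losing colleagues across the country. It goes a little beyond the pf snippet by counting distinct ports rather than raw connection rate; both the log format and the thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log lines in a hypothetical key=value format (not pf's
# pflog format); each line is one inbound connection attempt seen at the edge.
SAMPLE_LOG = """\
2009-03-12T09:02:25 src=198.51.100.7 dst=192.0.2.10 dport=22 proto=tcp
2009-03-12T09:02:25 src=198.51.100.7 dst=192.0.2.10 dport=23 proto=tcp
2009-03-12T09:02:26 src=198.51.100.7 dst=192.0.2.10 dport=25 proto=tcp
2009-03-12T09:02:26 src=198.51.100.7 dst=192.0.2.10 dport=80 proto=tcp
2009-03-12T09:02:27 src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp
2009-03-12T09:02:27 src=198.51.100.7 dst=192.0.2.10 dport=3389 proto=tcp
2009-03-12T09:02:30 src=203.0.113.5 dst=192.0.2.10 dport=443 proto=tcp
2009-03-12T09:02:31 src=203.0.113.5 dst=192.0.2.10 dport=443 proto=tcp
2009-03-12T09:03:00 src=203.0.113.5 dst=192.0.2.10 dport=80 proto=tcp
2009-03-12T11:30:00 src=198.51.100.7 dst=192.0.2.10 dport=22 proto=tcp
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=\S+ dport=(\d+) proto=\S+$")


class BanTable:
    """Time-limited block list, the role pf's <evil> table plays above."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.expiry = {}  # ip -> datetime at which the ban lapses

    def add(self, ip, now):
        self.expiry[ip] = now + self.ttl

    def is_banned(self, ip, now):
        exp = self.expiry.get(ip)
        return exp is not None and exp > now

    def expire(self, now):
        """Drop lapsed entries; returns the IPs that were released."""
        lapsed = [ip for ip, exp in self.expiry.items() if exp <= now]
        for ip in lapsed:
            del self.expiry[ip]
        return lapsed


class ScanDetector:
    """Flags a source that touches >= threshold distinct ports within window."""

    def __init__(self, threshold, window):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)  # src -> deque of (ts, dport), oldest first

    def observe(self, ts, src, dport):
        q = self.hits[src]
        q.append((ts, dport))
        while q and q[0][0] < ts - self.window:  # slide the window forward
            q.popleft()
        if len({p for _, p in q}) >= self.threshold:
            q.clear()  # counting restarts once the source has been banned
            return True
        return False


def process_log(text, threshold=5, window_s=15, ttl_s=7200, allow=()):
    """Replay log lines in order.  Returns (BanTable, [(ts, action, src), ...])
    where action is "ban" (just added) or "drop" (hit an existing ban).
    `allow` lists CIDR strings that are never auto-banned."""
    bans = BanTable(timedelta(seconds=ttl_s))
    det = ScanDetector(threshold, timedelta(seconds=window_s))
    allow_nets = [ipaddress.ip_network(a) for a in allow]
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ts, src, dport = datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))
        bans.expire(ts)  # a lapsed ban frees the address for its next lease holder
        if any(ipaddress.ip_address(src) in n for n in allow_nets):
            continue
        if bans.is_banned(src, ts):
            events.append((ts, "drop", src))
            continue
        if det.observe(ts, src, dport):
            bans.add(src, ts)
            events.append((ts, "ban", src))
    return bans, events


if __name__ == "__main__":
    table, log = process_log(SAMPLE_LOG)
    for ts, action, src in log:
        print(ts.isoformat(), action, src)
    print("still banned:", sorted(table.expiry))
```

The TTL is the part worth thinking about in the original poster's situation: it should be shorter than the ISP's lease time, otherwise the block outlives the scanner and lands on whichever innocent customer inherits the address next.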

RFC 3514? :-)

Jeremy L. Gaddis wrote:

RFC 3514? :-)

Ah, but if it was just that easy...

The choice of "evil" for a table name was not random, of course! I do
appreciate that the pf syntax makes for such entertaining configuration
snippets. I have yet to pen a functional haiku, however.

...
alec


William Allen Simpson wrote:

Port scanning is rather common, and shouldn't be considered "attacking" --
unless it's taking a significant amount of bandwidth.

Attempting to gain unauthorised access to a computing system is a crime in
most countries. Port scanning is a tool used to gain unauthorised access.
(Yes, port scanning can be used for other things, but it's difficult to
argue for those when scanning someone else's machines.)

A telecommunications carrier releasing a customer's details without their
permission, to a non-investigatory third party, without a court order.
Hmmm. It's certainly illegal here in Australia. And last I checked wasn't
the US firm Hewlett Packard in trouble for hiring people to do just that?

So your basic problem is that you have a law enforcement problem, and
the law enforcers don't give this priority. Which leads to one of those
vicious circle thingies, where the ISPs don't give a stuff about their
customers running scans, since they aren't seeing any hassle from Mr Plod,
those customers aren't seeing any consequences, and so the amount of scanning
increases, to the extent where people believe it is normal and acceptable.

Why not contact the FBI. Not because it will help. But because if even 1%
of the libraries in the country do that then the FBI will take the path of
least resistance, which is to hassle ISPs with enough warrants until the
ISPs find it economic to clean up their act, at least with regard to their
own customers.

How did a simple thread about network scanning get so derailed....we have
people talking about the legal implications of port scanning, hiring
lawyers to go after ISPs, talking to the fbi, the benefits/downfalls of
NAT as a security policy, etc. Wow just wow.

I'll try to answer you in a more common sense approach as some have tried
to do. First of all no network operator has to hand over their logs or
user information over to you just because you want to know. You can ask
their abuse department to intervene but that is all up to that department.
They may have told you they don't have them just because they didn't want
you pestering them anymore or they may really not have them, who knows.
Don't try to judge them but try to fix this very minute problem in a way
you can control.

The ways you can control this are simple.

1) Block all of covad (not very smart)
2) Block all of covad except for essential ports (25,80,443 or whatever
other common ports they may need)
3) Setup a perimeter protection that blocks hosts that are scanning you
and removes them after a determined amount of time

This trying to shun people in public because they aren't following your
guide to network administration probably isn't going to work very well for
you. If 65000 covad addresses were ddosing you then I would agree that you
have a legitimate gripe but focus on what you can control and not what you
believe others should be doing.

it's nanog, you expect something different? :-)

Ross wrote:

I'll try to answer you in a more common sense approach as some have tried
to do. First of all no network operator has to hand over their logs or
user information over to you just because you want to know.

There seems to be a big misconception that he asked them to "hand over" the info. As I read the OP, he asked Comcast to do something about it and Comcast said "we can't do anything about it because we don't have logs". Here's a quote from the OP:

I've been nudging an operator at Covad about a handful of hosts from his DHCP pool that have been attacking - relentlessly port scanning - our assets. I've been informed by this individual that there's "no way" to determine which customer had that address at the times I list in my logs - even though these logs are sent within 48 hours of the incidents.

IMHO, that's a bunch of BS from whoever he's talking with at Comcast. In the normal course of business they would have logs of which customer had that IP just 48 hours earlier. They *can* do something about their customer. And they *should* do something about their customer who is causing problems on another network, the same as if that customer was spewing spam, or actually attacking (DDoS etc.) another network.

So the question circles back around to how does the OP get Comcast to step up, internally identify and take care of their problem customer? What path should he take to get connected with someone who has more clue about this type of problem so that they can address it in a timely fashion?

Has it come to needing to get a lawyer to write a strongly worded letter just to get this type of thing done today?

jc

JC Dill wrote (on Thu, Mar 12, 2009 at 09:02:25AM -0700):

Ross wrote:

There seems to be a big misconception that he asked them to "hand over"
the info. As I read the OP, he asked Comcast to do something about it
and Comcast said "we can't do anything about it because we don't have
logs". Here's a quote from the OP:

>I've been nudging an operator at Covad about a handful of hosts from
>his DHCP pool that have been attacking - relentlessly port scanning -
>our assets. I've been informed by this individual that there's "no
>way" to determine which customer had that address at the times I list
>in my logs - even though these logs are sent within 48 hours of the
>incidents.

IMHO, that's a bunch of BS from whoever he's talking with at Comcast.
In the normal course of business they would have logs of which customer
had that IP just 48 hours earlier. They *can* do something about their
customer. And they *should* do something about their customer who is
causing problems on another network, the same as if that customer was
spewing spam, or actually attacking (DDoS etc.) another network.

So the question circles back around to how does the OP get Comcast to
step up, internally identify and take care of their problem customer?
What path should he take to get connected with someone who has more clue
about this type of problem so that they can address it in a timely fashion?

Has it come to needing to get a lawyer to write a strongly worded letter
just to get this type of thing done today?

jc

[Disclaimer - I am a lawyer, and I write strongly worded letters to pay my
bills.]

Not to disagree with any of your points, but the OP (which you quoted!)
was talking about Covad, while you're bashing Comcast.