rr style scanning of non-customers

Hey gang,

Some ISPs, such as RR, appear to be implementing what I personally would consider quite aggressive approaches to guarding their network by implementing “proactive” scanning of non-customers, similar to what’s described at

http://security.rr.com/probing.htm

In this case, sending email to @rr.com appears to trigger this scanning business (mind you, this is not about the scanning their subs biz; I don’t care to get into that in this thread).

But, the question is… How many people here are doing this sort of thing? And where does this stop, short of nmapping the entire box?

Some time ago, when Code Red first came around, discussions raged as to how to deal with it and other infestations of customer owned/operated equipment. And this kind of is a different slant on the same issue. Except that it goes quite a bit further than your own prefixes.

I’m not looking to start a flamewar, I’m interested in a discussion or consensus discovery of how far “proactive” tasks can/should/shouldn’t go.

Regards,

Christian


Proactive = scanning for open systems before they come to you.
Reactive = scanning the IPs that connect to you to see if they're open.

They spell this out very clearly on the page referenced above and say that
they're doing proactive scanning of their own network and reactive
scanning of the rest of the internet. Do you have any reason to believe
they're not doing as they say?

Is it time for the monthly nanog spam debate again already? :slight_smile:

Unfortunately, what they're looking for is only a small sub-set of the
commonly used ports by various proxy software typically installed wide
open on broadband connected systems. If they're serious about reactive
scanning, they ought to either update the ports tested or just ally with
one of the various dnsbls that does this sort of testing (less/more
effective testing would be the result).

The last time this topic came up, it was suggested by others that either
trojan or virus software was installing/creating open proxies. I wrote
that off as people being overly paranoid. I'm sorry to say that I now
know this to be true and have seen many installations of at least one
strain of such proxy software.
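The reactive model spelled out above (check the addresses that connect to you, rather than sweeping the Internet) and the suggestion to lean on a DNSBL that already does open-proxy testing can be combined in a few dozen lines. The following is an added example, not code from the thread or from any list operator: it builds the reversed-octet query name for a connecting IPv4 address, asks a DNS-based list, and interprets the 127.0.0.x answer. The zone name `dnsbl.example`, the return-code meanings, the SMTP log format and the resolver answers are all constructed for the example; a real deployment reads the chosen list's own documentation for its codes and policy.

```python
"""Reactive DNSBL check of connecting client addresses (added example)."""
import ipaddress
import re
import socket
from typing import Callable, Dict, Optional

# Placeholder zone; a real deployment picks a list whose policy it has read.
DNSBL_ZONE = "dnsbl.example"

# Hypothetical return-code meanings. DNS-based lists answer inside
# 127.0.0.0/8 and each list documents what its codes mean.
RETURN_CODES = {
    "127.0.0.2": "open proxy",
    "127.0.0.3": "open relay",
}

# Addresses never sent to a public list: they cannot be meaningfully listed
# and the query would leak internal topology.
SKIP_NETS = [ipaddress.IPv4Network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the reversed-octet name, e.g. 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)          # ValueError on garbage input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Resolve an A record with the system resolver; None means no answer."""
    try:
        return socket.gethostbyname(name)
    except (socket.gaierror, socket.herror):
        return None


def lookup(ip: str, zone: str = DNSBL_ZONE,
           resolve: Resolver = system_resolver) -> Optional[str]:
    """Return the reason string if ip is listed, else None.

    An answer outside 127.0.0.0/8 is treated as a broken or parked zone
    (a wildcard on an expired list domain would otherwise block everyone).
    """
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in SKIP_NETS):
        return None
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return RETURN_CODES.get(answer, "listed (unknown code %s)" % answer)


# Constructed SMTP log lines; the format is an assumption for the example.
LOG = """\
Jun 14 21:59:29 mx1 smtpd[1234]: connect from unknown[192.0.2.10]
Jun 14 21:59:30 mx1 smtpd[1235]: connect from host.example[198.51.100.7]
Jun 14 21:59:31 mx1 smtpd[1236]: connect from unknown[10.0.0.5]
"""
CONNECT_RE = re.compile(r"connect from \S+\[(\d+\.\d+\.\d+\.\d+)\]")


def classify_log(log: str,
                 resolve: Resolver = system_resolver) -> Dict[str, Optional[str]]:
    """Map each connecting IP found in the log to its DNSBL verdict."""
    verdicts: Dict[str, Optional[str]] = {}
    for m in CONNECT_RE.finditer(log):
        ip = m.group(1)
        verdicts[ip] = lookup(ip, resolve=resolve)
    return verdicts


# Constructed offline resolver standing in for real DNS answers.
FAKE_ANSWERS = {dnsbl_query_name("192.0.2.10"): "127.0.0.2"}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for ip, verdict in classify_log(LOG, resolve=fake_resolver).items():
        print(ip, "->", verdict or "not listed")
```

Swapping `fake_resolver` for `system_resolver` turns this into a live check; the list still decides what "open" means, which is exactly the trade-off the post describes (less or more effective testing, depending on the list).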

According to a study by America Online, 89% of the computers with
broadband connections are not safely configured. 91% of the computers had
what AOL categorized as spyware installed. In reality, the connection
method isn't the determining factor.

http://www.staysafeonline.info/press/060403.pdf

Although firewalls and anti-virus help, they don't prevent a determined
user from infecting his own system. Honeypots and passive detection
systems aren't picking up the whole story. The user is an important
part of evaluating the security equation.

so where is the authoritative web site

   <http://make-your-stinkin-windoze-system-safe.clue>

to which we can point all our friends (and use to lock down
our kids' machines/sites)?

randy

Date: Sat, 14 Jun 2003 21:59:29 -0700
From: Randy Bush

> so where is the authoritative web site
>
>    <http://make-your-stinkin-windoze-system-safe.clue>

Plenty of *ix idiots running vulnerable systems and "servers",
too. Follow a Cobalt mailing list and live in fear.

> to which we can point all our friends (and use to lock down
> our kids' machines/sites)?

You can lead a horse to water...

Eddy

> so where is the authoritative web site
>    <http://make-your-stinkin-windoze-system-safe.clue>
>
> Plenty of *ix idiots running vulnerable systems and "servers",
> too. Follow a Cobalt mailing list and live in fear.

for which there are system-specific sites telling you how to
lock it down, e.g., as david lesher just pointed out,

    <http://www.bastille-linux.org>

that fools don't use the resources is another matter. "a fool
and their data are soon parted." -- monty williams

but where is the equivalent for windoze, the very common and very
vulnerable opsys?

randy

http://www.nsa.gov/snac/win2k/download.htm

http://www.arstechnica.com/tweak/win2k/security/begin-1.html

might be places to start

john brown

Date: Sat, 14 Jun 2003 22:22:50 -0700
From: Randy Bush

> Plenty of *ix idiots running vulnerable systems and "servers",
> too. Follow a Cobalt mailing list and live in fear.

> for which there are system-specific sites telling you how to
> lock it down, e.g., as david lesher just pointed out,
>
>     <http://www.bastille-linux.org>
>
> that fools don't use the resources is another matter. "a fool

Perhaps. That doesn't make the problem any less severe, though.
One even could argue that's worse -- people running vulnerable
systems despite the availability of lockdown information.

> and their data are soon parted." -- monty williams

> but where is the equivalent for windoze, the very common and very
> vulnerable opsys?

Google search for something like

  securing windows lockdown

is a reasonable start.

Eddy

hope randy doesn't mind the xlate from private post to list post

http://www.nsa.gov/snac/winxp/guides/wxp-1.pdf

http://www.giac.org/practical/GSEC/Trevor_Cuthbert_GSEC.pdf

http://www.microsoft.com/windowsxp/pro/using/itpro/default.asp#section6

john brown

> http://www.nsa.gov/snac/winxp/guides/wxp-1.pdf
> http://www.giac.org/practical/GSEC/Trevor_Cuthbert_GSEC.pdf
> http://www.microsoft.com/windowsxp/pro/using/itpro/default.asp#section6

cool. thanks. in a side conversation, a friend from redmond says

http://www.microsoft.com/security/
Has links to all the important info, such as hardening guides.

randy

How could you have missed Dewie the Internet Security Turtle?

http://www.ftc.gov/bcp/conline/edcams/infosecurity/index.html

Microsoft has a consumer oriented page with some operating-system-specific
items (although open file shares aren't given as much attention as I would)

http://www.microsoft.com/security/articles/steps_default.asp

Most major ISPs have an online security web site for their customers.
There are lots of technical how-to's available with a Google search.

However, in a country where VCR's still flash 12:00, users are not
going to read the manual or a web site or anything else. Despite
liking to pick on Microsoft, as soon as you get the operating system
secure, users load all sorts of other applications. And don't forget
other things connected to your home network, such as using good passwords on
your router/firewall, networked home entertainment center or snmp-enabled
refrigerator.

warning: there are no IOS configuration commands in this thread. hit D now.

sean@donelan.com (Sean Donelan) writes:

> However, in a country where VCR's still flash 12:00, users are not
> going to read the manual or a web site or anything else. Despite
> liking to pick on Microsoft, as soon as you get the operating system
> secure, users load all sorts of other applications. ...

"reading e-mail" should not be the same thing as "loading applications",
and for that matter "loading applications" should not be the same thing
as "install background malware". i still have to pick on microsoft
because their model (from outlook on up) is insecure *by design* and if
they had not used their monopoly power to blunt the market effects of
java and os/2 and wordperfect and mac/os and who knows what else, then
we would at least have genetic diversity, and we might even have some
kind of qualitative improvement somewhere due to successful mutations.

> And don't forget other things connected to your home network, such as using
> good passwords on your router/firewall, networked home entertainment
> center or snmp-enabled refrigerator.

i agree that the most dangerous part of the car is the nut behind the
steering wheel, and that no technological force will ever change that
fact. but that's not an excuse to design a car without brakes and then
use monopoly power to put other carmakers out of business.