[31870] in North American Network Operators' Group
RE: whois
daemon@ATHENA.MIT.EDU (Karyn Ulriksen)
Tue Oct 24 12:28:46 2000
Message-ID: <0127E258EE29D3118A0F00609765B44847CD8C@dhcp-gateway.sitestream.net>
From: Karyn Ulriksen <kulriksen@publichost.com>
To: "'bmanning@vacation.karoshi.com'" <bmanning@vacation.karoshi.com>
Cc: nanog@nanog.org
Date: Tue, 24 Oct 2000 09:23:48 -0700
MIME-Version: 1.0
Content-Type: text/plain;
charset="windows-1252"
Errors-To: owner-nanog-outgoing@merit.edu
You're kidding, right?
-K
> -----Original Message-----
> From: bmanning@vacation.karoshi.com
> [mailto:bmanning@vacation.karoshi.com]
> Sent: Tuesday, October 24, 2000 7:23 AM
> To: tme@21rst-century.com
> Cc: nanog@nanog.org
> Subject: Re: whois
>
>
>
> Yow! A chance to play devil's advocate... Cool :)
>
> If you told me a dialup user on my network did anything, I'd doubt
> your veracity. How do you know I have dialup services in my network?
> The accuracy of your clock and the recorded IP address
> are suspect since I have zero visibility into your network structure
> or administrative practice... and you don't have that visibility into
> mine. Your clock is hacked and you are forging IP addresses in an attempt
> to distract me from providing services. Tell me why this is not a simple
> case of harassment? Full and public disclosure of the attack profile would
> help build your credibility. And yes, if I have no business relationship
> to you and I've never had a relationship with you and you are making
> assertions about my infrastructure and clients, I will prolly want
> some incentive to cover the costs of investigating your outrageous
> claims.
>
>
> > Are you really saying that if I tell you that a dial-up user on your
> > network hacked into my system at some precise time, from a precise IP
> > address (so that you could probably tell easily which user did it), and
> > did so in a fashion which suggested an automated "script kiddie" effort,
> > I should only expect a response from you if I PAY for it ?!?
> >
> > This seems pretty close to the "protection" money that I hear people with
> > POP's in Moscow have to pay :)
> >
> > (BTW, I said nothing about timeliness
> > or 24x7 availability - a note a week or two later would have sufficed.)
> >
> >
> > >
> > > > > The key to an anti-hacker ISP association would be
> > > > > a very special ip address / contact person lookup database.
> > > > > ie: who/how to contact for the 'SWAT' response for a particular IP
> > > > > address.
> > > > >
> > > > > --Mike--
> > > >
> > > > Hello;
> > > >
> > > > When we have had attacks such as root exploits, we have notified the
> > > > source (at least, the ISP hosting the immediate source) as to the date,
> > > > time, IP address, etc. (In one case, the attack appeared to come from a
> > > > dial-up address in Germany, so I thought we had them.) We have NEVER
> > > > received a response. From conversations at meetings, etc., I understand
> > > > that this is typical - almost universal - and that it would be naive to
> > > > expect other ISPs to actually do anything about being a source for
> > > > attacks.
> > > >
> > > > Maybe a start would be to a BCP for some level of minimal response if
> > > > you source an attack, and a "web site of shame" listing those domains
> > > > that source attacks and do nothing about it when notified.
> > > >
> >
> >
> > --
> >
> >
> > Regards
> > Marshall Eubanks
> >
> >
> > Multicast Technologies, Inc.
> > 10301 Democracy Lane, Suite 201
> > Fairfax, Virginia 22030
> > Phone : 703-293-9624 Fax : 703-293-9609
> > e-mail : tme@on-the-i.com http://www.on-the-i.com
> >
>
>