[Dshield] Why???

Ian Carter ianc at internode.net
Wed Oct 2 01:37:50 GMT 2002


> From what I understand, most ISPs have a staff working full-time tracking
> down hackers and infected machines.

Ahhh...no, most ISPs have overworked sysadmins who will go out of their way
to look into hacking issues or infected machines only if it affects overall
system (ISP) stability.

> The thing to keep in mind is that ISPs are large organizations and large
> organizations act in weeks not days.  (On complex issues, large
> organizations act in years.)

Ahh..no, the majority of ISPs are still small companies who don't have the
staff or resources to resolve complex issues in days, so it takes weeks.
Larger ISPs (& cableco's) solve issues in their own time based on what they
deem as a priority.

If you are very concerned with scans, hack attempts and exploits - then the
only solution is to move to an ISP who shares your concerns. Never assume
the ISP will resolve issues like this, just because they are an ISP - they
are just as likely to put the responsibility on you as a system user. If the
ISP sounds like it does not care about your concerns, it probably doesn't -
and you won't know this until it is an issue.

-Ian


----- Original Message -----
From: "KeithTarrant" <KeithTarrant at spamcop.net>
To: <list at dshield.org>
Sent: Tuesday, October 01, 2002 7:14 PM
Subject: Re: [Dshield] Why???


> Pep -
>
> From what I understand, most ISPs have a staff working full-time tracking
> down hackers and infected machines.  It is just there are so many viri,
> and the scriptkiddies have so much fun, and the average Internet user is
> so innocent of the precautions to take, and the profit margins so slim
> (because of the constant need to upgrade hardware), that the volume of
> abuse complaints is vast.
>
> These abuse departments are the main reason why abuse from an IP address
> continues for an average 2 weeks on good ISPs and an average 2 months on
> the worst ISPs.  (2 months = the scriptkiddie got bored, or his/her IP
> address changed)
>
> Typically people don't get responses to abuse complaints even if the
> complaint is acted upon (unless their complaint is to a very "small" IT
> organization).  Large ISPs wait for multiple complaints, so they aren't
> bothering people with false alarms, which would be very embarrassing.  Of
> course many times they wait a lot longer.
>
> By the time they act, the abuse departments are acting on logs extracted
> from the original complaint letters -- the original email and the email
> addresses of the original complainants are gone.
>
> The thing to keep in mind is that ISPs are large organizations and large
> organizations act in weeks not days.  (On complex issues, large
> organizations act in years.)
>
> So don't be discouraged that abuse complaints aren't answered.  Focus on
> whether the abuse continues or stops.
>
> It would be interesting to have a DShield Award for the ISP with the
> longest outstanding Fightback incident of a type where it is obvious
> abuse (say sub 7 scanning).
>
> - Keith
> ----- Original Message -----
> From: "Per-Erik Persson" <pep at hemmapc.com>
> To: <list at dshield.org>
> Sent: Tuesday, October 01, 2002 7:51 PM
> Subject: [Dshield] Why???
>
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > I'm quite new to using this feature, but my site (quite private) already
> > got 10 issues in my "fightback"-summary. Only one of those has answered
> > (and that's by an autoreply (in which I'm told that they really don't have
> > time for my, or dshield's, observation)) to me. It's not ok if the abuser
> > does not reply. He or she may not be aware of what their computer creates
> > on the net.
> >
> > He or she maybe does not have an smtp-server running while they almost
> > surely do not get any notification from dshield, which would be bad for
> > them as they don't get any notification that they made some dumb things on
> > the Internet or that they have a corrupted computer making bad things. As I
> > could read the functions with dshield, a message goes both to the
> > ip-address that, hopefully, created the scene and to their ISP. Shouldn't
> > any one of those two feel any sort of responsibility to eliminate or
> > decrease such an act?
> >
> > Hope that the ISPs do not create new rules for what goes in and out from
> > their firewall. A censured activity would not be right to all of those
> > ISP-users who know how to use their computer. But shouldn't the ISP be
> > responsible to tell their customers that they maybe got some trouble that
> > they are probably not aware about?  I would appreciate that as a customer
> > and I'd surely appreciate an answer from the ISP that they try to do
> > something about it!
> > Or doesn't the ISP feel any responsibility beside making money???
> > - --
> > (excuse somewhere bad spelling, got into sleep when my English teacher went
> > talking ;-) )




