[Dshield] standards question

Doug White doug at clickdoug.com
Sat Aug 23 16:18:34 GMT 2003

Another thing to consider is that you can pretty well assume that the abuse
desks of the major ISPs are literally swamped due to the thousands upon
thousands of compromised systems that currently exist.

Your report most likely will be just added to a queue, that may never be read,
given the current circumstances.

As an example, I am on SBC, and my snort logs have recorded over 16K IP numbers
in the past 24 hours, just within this ISP space.  How much staff would be
required to contact each customer to get machines cleaned up?  Or how much staff
would be needed to key in the settings to pull the plug on those customers?

Is it the better option to wait a few days until the customer's machines crash,
and then force them to update, clean up, etc.?

I don't really know what the correct approach should be, what with all the
publicity among security channels, plus extensive coverage in newspapers,
national TV, etc. and yet there are still thousands upon thousands of people
that have allowed themselves to be vulnerable.  Those of us that have diligently
re-configured firewalls, updated operating systems, updated virus definitions on
a regular basis still must suffer the consequences, I guess.

In my case, I have successfully defended against the compromise, however my
precious bandwidth is negatively impacted from the probes.

Stop spam on your domain, use our gateway!
For hosting solutions http://www.clickdoug.com
ISP rated: http://www.forta.com/cf/isp/isp.cfm?isp_id=772
Suggested corporate Anti-virus policy: http://www.dshield.org/antivirus.pdf
If you are not satisfied with my service, my job isn't done!

----- Original Message ----- 
From: "Jonathan Rickman" <jonathan at xcorps.net>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Saturday, August 23, 2003 10:29 AM
Subject: Re: [Dshield] standards question

| On Saturday 23 August 2003 10:49, DAN MORRILL wrote:
| > So my question is, should I notify? Or will I get in trouble for
| > notifying, will they get upset, will I be held responsible in any way. Or
| > am I doing a community service by notifying?
| You are certainly under no obligation to notify anyone of anything, but it
| is the right thing to do. I do my best to notify those who have suffered
| compromises when time permits, but I feel no guilt for failing to notify
| them when I just do not have the time. Will they get upset? Sometimes they
| might not understand what you are trying to tell them. Some will get
| defensive. Others may level accusations against you. Most are grateful.
| There is simply no way of predicting what the response will be. I'll say it
| again though, you have no obligation to notify and you should not feel
| guilty if you decide it's not worth your time, but it is most definitely
| the right thing to do.
| -- 
| Jonathan Rickman
| X Corps Security
| http://www.xcorps.net