[unisog] Cleaning up those networks

power less absolutelynopower at gmail.com
Wed Feb 21 16:02:05 GMT 2007

Thanks for setting that up, J. Honeypots are where it's at for sure.

BTW speaking of notifying universities, I notice a lot of universities that
had in particular problems with
tcp port 2967 (and one of you are now showing the 2967 1433 combo that
bugged some subnets here).
Unfortunately I never got any details on that bug nor what it was exploiting

Is there any point in j average detector of stuff to report these things?
(When I say "report" I'm willing to
go as far as send a message to the contact in whois for that IP. I'm
assuming that those universities that don't  list a contact email in whois
care not to hear about these things ever :-)

So my question is, in general ( I don't know that I personally want to
maintain a list of who wants to be notified of things and who doesn't ) do
universities want/need to be notified of various detection
data that arbitrary people could compile? I ask because I wonder if they
aren't thinking "geez we certainly don't need to get 5,000  arbitrarily
formatted emails about a couple IP numbers that had some dumb worm". Maybe
they hear about each thing way more than they need to? Or Maybe they don't
need to hear about ultra-scanning worms but do need to hear about sneakier
hosts? Or maybe they don't want 10,000 emails about udp traffic that
represents trying to connect to a peer to peer program behind a stateful,
peer to peer hostile firewall? Maybe they don't need to hear about anything
ever because they know more about what comes out of their network than the
recipients do?

One thing that I've found out is there's a very distinct nuke the messenger
probability in notifying people of potential security issues. How much
hostility someone can muster in this endeavor seems to have a lot to do with
their perception of the rank of the sender. If you don't have the rank, you
can get fried, at least verbally.

Secondly a major issue is distinguishing between reporting for early warning

versus reporting for blackholing. When people optimize their "abuse" system
to blackhole IP's "because they're attacking people", that specialization
has the sideeffect that it causes them to not be interested in  early

For example what if I detected that some IP ping scanned my subnet and they
sent a tcp syn to port 22 on one host. If I reported this, in my experience,
I'd get a reaction that "pings aren't attacks and
one syn packet is not a scan!." They would not only not want the
information, but be annoyed they got it. This is because their system is
optimized for blackholing attackers. (They don't want grayish info in their
blackhole system.) But what if that report did get to the actual admin of
the network? It might be useful. They might think "no way that server
should've been ping scanning someone else's subnet, I never tried to
connect to that machine with ssh".  So in that case it would be a valuable
warning to the admin that
something was going on. I think that's a big problem currently that most
systems are not even conceptually able to handle "mini info" like that. (
Also the blackhole solution doesn't deal with subnets that have "gateways"
in front of them such that all traffic out of there comes from one IP
number. If the gateway represents for example a plethora of NAT clients, the
gateway tends to not get blackholed because it's not the "attacker", the
attacker is some long gone dhcp client, and then it's rather giving the
effect that that subnet has a license to bug the world. This is the
unfortunate security downside of NAT.

(BTW I am not labeling J's brute force info as "mini info" however. That
would definitely be in the maxi-info bin but again might not fit well into
the blackhole-IP's box.)

On 2/20/07, J. Oquendo <sil at infiltrated.net> wrote:
> Greetings all. For those who I've dealt with before many thanks on the
> help you'd given. For the past three months I've been compiling
> information from hosts that have been brute force ssh attacking servers
> that are running a program I have written called "Shapener".
> (http://www.infiltrated.net/scripts/sharpener) I have sorted out the
> information and traced back those IP address that fall under
> Academialand and have compiled the following list of Universities which
> have possible compromised machines.
> Rather than post those address (to avoid having misguided individuals
> who may be on this list), I am posting the Universities in hopes
> admins/engineers of these institutions will contact me back for the
> information on the host that is attacking, along with the date and
> timestamps of the attacks. My hopes are to minimize intrusions, malware,
> spyware, etc., and solely inform other engineers of issues coming out of
> their networks. I sincerely hope those contacted will assist. The entire
> list of attacking IP addresses is in the 47k range with 38 host
> reporting on a 5 minute basis to a repository I've set up. Here are the
> Universities.
> Some folks may have been contacted already so apologies in advance. I
> will give the Universities 15 business days to respond for those that
> don't they will continue to be listed as threats and their networks will
> be blocked from 38 individual networks 8 of which are /17's. For those
> who respond, I will promptly remove the addresses.
> California State University at Fresno
> Carnegie Mellon University
> Carroll College
> Emory University
> Florida Atlantic University
> Florida Information Resource Network
> Georgia Institute of Technology
> Gonzaga University
> Howard University
> Illinois Institute of Technology
> Indiana University - Purdue University Fort
> Louisiana State University
> Marquette University
> Massachusetts Institute of Technology
> NTT America, Inc.
> New York University
> Ohio State University
> Purdue University
> SUNY College at Fredonia
> San Diego County Office of Education
> San Francisco State University
> Stanford University
> State University of New York at
> Texas A&M University
> The Drexel University Campus
> Universite Laval
> University of California, Los Angeles
> University of Georgia
> University of Illinois
> University of Lethbridge
> University of Massachusetts
> University of Medicine and Dentistry of
> University of Michigan
> University of Missouri-Columbia
> University of Mobile
> University of Oklahoma
> University of Pennsylvania
> University of Puerto Rico
> University of Rhode Island
> University of Texas at Austin
> University of Texas at San Antonio
> University of Virginia
> University of Washington
> University of Wyoming
> Vanderbilt University
> Walla Walla College
> Washington University
> Westnet
> York University
> Respectfully,
> Jesus Oquendo / sil
> ==========================
> J. Oquendo
> GPG Key http://www.infiltrated.net/sil.key
> The happiness of society is the end of government.
> John Adams
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.sans.org/pipermail/unisog/attachments/20070221/fbf09266/attachment.htm 

More information about the unisog mailing list