Thanks for setting that up, J. Honeypots are where it's at for sure.<br><br>BTW, speaking of notifying universities, I notice a lot of universities that had in particular problems with tcp port 2967 (and one of you is now showing the 2967/1433 combo that bugged some subnets here). Unfortunately I never got any details on that bug nor what it was exploiting exactly.<br><br>Is there any point in a Joe Average detector of stuff reporting these things? (When I say "report" I'm willing to go as far as sending a message to the contact in whois for that IP. I'm assuming that those universities that don't list a contact email in whois care not to hear about these things ever :-) )<br><br>So my question is, in general (I don't know that I personally want to maintain a list of who wants to be notified of things and who doesn't), do universities want/need to be notified of various detection data that arbitrary people could compile? I ask because I wonder if they aren't thinking "geez, we certainly don't need to get 5,000 arbitrarily formatted emails about a couple of IP numbers that had some dumb worm". Maybe they hear about each thing way more than they need to? Or maybe they don't need to hear about ultra-scanning worms but do need to hear about sneakier hosts? Or maybe they don't want 10,000 emails about udp traffic that represents trying to connect to a peer-to-peer program behind a stateful, peer-to-peer-hostile firewall? Maybe they don't need to hear about anything ever because they know more about what comes out of their network than the recipients do?
<br><br>One thing that I've found out is there's a very distinct nuke-the-messenger probability in notifying people of potential security issues. How much hostility someone can muster in this endeavor seems to have a lot to do with their perception of the rank of the sender. If you don't have the rank, you can get fried, at least verbally.
<br><br>Secondly, a major issue is distinguishing between reporting for early warning versus reporting for blackholing. When people optimize their "abuse" system to blackhole IPs "because they're attacking people", that specialization has the side effect that it causes them to not be interested in early warning.
<br><br>For example, what if I detected that some IP ping scanned my subnet and sent a tcp syn to port 22 on one host? If I reported this, in my experience, I'd get a reaction that "pings aren't attacks and one syn packet is not a scan!" They would not only not want the information, but be annoyed they got it. This is because their system is optimized for blackholing attackers. (They don't want grayish info in their blackhole system.) But what if that report did get to the actual admin of the network? It might be useful. They might think "no way that server should've been ping scanning someone else's subnet, I never tried to connect to that machine with ssh". So in that case it would be a valuable warning to the admin that something was going on. I think that's a big problem currently: most systems are not even conceptually able to handle "mini info" like that. (Also the blackhole solution doesn't deal with subnets that have "gateways" in front of them such that all traffic out of there comes from one IP number. If the gateway represents, for example, a plethora of NAT clients, the gateway tends to not get blackholed because it's not the "attacker"; the attacker is some long-gone dhcp client, and then it's rather giving the effect that that subnet has a license to bug the world. This is the unfortunate security downside of NAT.)
<br><br>(BTW I am not labeling J's brute force info as "mini info" however. That would definitely be in the maxi-info bin but again might not fit well into the blackhole-IPs box.)<br><br><br><div><span class="gmail_quote">
On 2/20/07, <b class="gmail_sendername">J. Oquendo</b> <<a href="mailto:email@example.com">firstname.lastname@example.org</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Greetings all. For those who I've dealt with before, many thanks on the help you'd given. For the past three months I've been compiling information from hosts that have been brute force ssh attacking servers that are running a program I have written called "Sharpener" (<a href="http://www.infiltrated.net/scripts/sharpener">http://www.infiltrated.net/scripts/sharpener</a>). I have sorted out the information and traced back those IP addresses that fall under Academialand and have compiled the following list of Universities which have possibly compromised machines.<br><br>Rather than post those addresses (to avoid having misguided individuals who may be on this list), I am posting the Universities in hopes admins/engineers of these institutions will contact me back for the information on the host that is attacking, along with the date and timestamps of the attacks. My hopes are to minimize intrusions, malware, spyware, etc., and solely inform other engineers of issues coming out of their networks. I sincerely hope those contacted will assist. The entire list of attacking IP addresses is in the 47k range with 38 hosts reporting on a 5 minute basis to a repository I've set up. Here are the Universities.<br><br>Some folks may have been contacted already, so apologies in advance. I will give the Universities 15 business days to respond; for those that don't, they will continue to be listed as threats and their networks will be blocked from 38 individual networks, 8 of which are /17's. For those who respond, I will promptly remove the addresses.<br><br>California State University at Fresno<br>Carnegie Mellon University<br>Carroll College
<br>Emory University<br>Florida Atlantic University<br>Florida Information Resource Network<br>Georgia Institute of Technology<br>Gonzaga University<br>Howard University<br>Illinois Institute of Technology<br>Indiana University - Purdue University Fort
<br>Louisiana State University<br>Marquette University<br>Massachusetts Institute of Technology<br>NTT America, Inc.<br>New York University<br>Ohio State University<br>Purdue University<br>SUNY College at Fredonia<br>San Diego County Office of Education
<br>San Francisco State University<br>Stanford University<br>State University of New York at<br>Texas A&M University<br>The Drexel University Campus<br>Universite Laval<br>University of California, Los Angeles<br>University of Georgia
<br>University of Illinois<br>University of Lethbridge<br>University of Massachusetts<br>University of Medicine and Dentistry of<br>University of Michigan<br>University of Missouri-Columbia<br>University of Mobile<br>University of Oklahoma
<br>University of Pennsylvania<br>University of Puerto Rico<br>University of Rhode Island<br>University of Texas at Austin<br>University of Texas at San Antonio<br>University of Virginia<br>University of Washington<br>University of Wyoming
<br>Vanderbilt University<br>Walla Walla College<br>Washington University<br>Westnet<br>York University<br><br><br>Respectfully,<br>Jesus Oquendo / sil<br><br>====================================================<br>J. Oquendo
<br>GPG Key <a href="http://www.infiltrated.net/sil.key">http://www.infiltrated.net/sil.key</a><br>The happiness of society is the end of government.<br>John Adams<br><br>_______________________________________________<br>
unisog mailing list<br><a href="mailto:email@example.com">firstname.lastname@example.org</a><br><a href="https://lists.sans.org/mailman/listinfo/unisog">https://lists.sans.org/mailman/listinfo/unisog</a><br><br></blockquote>
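The reply above argues that a notifier should separate "mini info" (a ping sweep plus a lone SYN, worth a look by the network's own admin) from blackhole-grade "maxi info" (J.'s brute-force ssh data), drop P2P noise, and send one digest per whois contact instead of thousands of one-off emails. The following is an added example sketching that tiering and aggregation; it is not code from the thread, from Sharpener, or from the unisog project. The sensor events, the thresholds, and the whois-style contact table are constructed for illustration, and the tiers (`blackhole`, `early-warning`, `suppress`) and the helper names are assumptions of this example.

```python
"""Tiered notification digest builder (added example, not from the thread).

Groups detector events by source IP, assigns each source a tier, and
produces one digest per abuse contact. Events, thresholds and the
contact table are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sensor events: (source_ip, event_type, count, detail),
# as a honeypot or perimeter sensor might have logged them over one day.
EVENTS = [
    ("203.0.113.7", "icmp_echo", 24, "ping sweep of 192.0.2.0/24"),
    ("203.0.113.7", "tcp_syn", 1, "one SYN to 192.0.2.10:22"),
    ("198.51.100.9", "ssh_auth_fail", 412, "failed logins against 192.0.2.10"),
    ("198.51.100.9", "ssh_auth_fail", 390, "failed logins against 192.0.2.11"),
    ("192.0.2.200", "udp_probe", 3, "UDP to 6881, P2P client behind a stateful firewall"),
]

# Constructed whois-style lookup: network -> abuse contact. A source whose
# network has no entry is treated as not wanting reports, as the reply suggests.
CONTACTS = {
    ip_network("203.0.113.0/24"): "abuse@example-university.edu",
    ip_network("198.51.100.0/24"): "security@example-college.edu",
}

BRUTE_FORCE_THRESHOLD = 100  # assumed: failed SSH logins per day per source


@dataclass
class Finding:
    source: str
    tier: str  # "blackhole", "early-warning" or "suppress"
    reason: str


def lookup_contact(ip):
    """Return the abuse contact for ip, or None if none is listed."""
    addr = ip_address(ip)
    for net, contact in CONTACTS.items():
        if addr in net:
            return contact
    return None


def classify(source, events):
    """Tier one source's events.

    Brute-force volume -> blackhole-grade ("maxi info").
    Sweep plus a single SYN -> early-warning ("mini info") for the admin.
    Low-volume UDP that looks like a P2P client -> suppress (noise).
    """
    ssh_fail = sum(count for etype, count, _ in events if etype == "ssh_auth_fail")
    if ssh_fail >= BRUTE_FORCE_THRESHOLD:
        return Finding(source, "blackhole", f"{ssh_fail} SSH auth failures")
    types = {etype for etype, _, _ in events}
    if "icmp_echo" in types and "tcp_syn" in types:
        return Finding(source, "early-warning",
                       "ping sweep followed by a single SYN; worth a look by the network's own admin")
    if types == {"udp_probe"} and sum(count for _, count, _ in events) < 10:
        return Finding(source, "suppress", "low-volume UDP, likely P2P noise")
    return Finding(source, "early-warning", "unclassified low-volume activity")


def build_digests(events=EVENTS):
    """Group events by source, tier them, and collect one digest per contact.

    Returns (digests, unroutable): digests maps contact -> findings, and
    unroutable lists findings whose source has no contact on file.
    """
    by_source = defaultdict(list)
    for src, etype, count, detail in events:
        by_source[src].append((etype, count, detail))

    digests = defaultdict(list)
    unroutable = []
    for src, evs in sorted(by_source.items()):
        finding = classify(src, evs)
        if finding.tier == "suppress":
            continue
        contact = lookup_contact(src)
        if contact is None:
            unroutable.append(finding)
        else:
            digests[contact].append(finding)
    return dict(digests), unroutable


def render(digests):
    """Render the digests as one message block per contact."""
    lines = []
    for contact, findings in sorted(digests.items()):
        lines.append(f"To: {contact}")
        for f in findings:
            lines.append(f"  [{f.tier}] {f.source}: {f.reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    digests, unroutable = build_digests()
    print(render(digests))
    for f in unroutable:
        print(f"no contact on file for {f.source} ({f.tier})")
```

Keeping the tier on each finding lets a recipient whose abuse desk only consumes blackhole-grade reports filter on `tier == "blackhole"` while the network's own admin can still receive the early-warning items; the per-contact grouping is what keeps a university from getting one email per sighting.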