-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 05 June 2004 12:58, Tobias Weisserth wrote:

(You will, I hope, excuse me for following up to both messages here; but this *is* getting a bit off-topic, and stopping additional subthreads is probably advisable.)
On Sat, 2004-06-05 at 12:57, Ralph Seichter wrote:
Gideon Hallett wrote:
I've come to the conclusion that t-online (and especially t-dialin) users are a wretched hive of scum and villainy; and that the company itself simply doesn't care.
Nonsense. The T-Com dialin infrastructure is the base of a huge number of non-permanent internet connections, both for private and for business use (modems, DSL, etc.). T-Online and other German ISPs buy connectivity from T-Com. Among these users are, if you permit the pun, the good, the bad and the ugly -- just like everywhere else in the world.
That's certainly true. But also true is that T-Online does not react to reports about the bad behaviour of some of their customers.
This is the crux. Every network has compromised boxes and malicious users from time to time. But as the owner of an infrastructure, you have the duty to ensure that your users comply with the AUP; and you have the duty to respond to external complaints. If you're not prepared to do that, then you shouldn't be in the position of authority. (And any company that is too big to discipline its users is a) monolithic and b) a danger to the wider 'net.)
If I could convince my bosses that blocking t-online ranges at the border was a good idea, I'd have a much easier job as a sysadmin.
That can't be the solution. Whoever needs to take such measures has already failed at setting up and securing a proper network.
Speaking here as the sysadmin for a hosting company, I have to say that everything *I* have direct control over has a 100% security record. However, as a company, customers give us money to host their servers; and customers come in a range of aptitudes. A depressingly large number of people have no concept of patching; some don't realise that Win2k's FTP server allows anonymous access by default; others complain that their hard drive appears to be shrinking (usually due to all the warez on it!). It's possible to scan our netblocks every night; but a 24-hour gap is long enough for a box to be rooted in ugly ways. It's also possible to use an IDS to look for evil traffic (and IME it's one of the best ways of detecting cracked boxes); but it's still reactive; and clued crackers *don't* start attacks with massive portscans. There is no simple, proactive, way of preventing unauthorised intrusion (short of disconnecting the box entirely!); and I work for a company - we can hardly start refusing customers on the grounds of technical ineptitude (or we'd be cutting 90% of our potential customer base out). As such, network security in a hosting company has to be mainly reactive; every TCP or UDP socket I want to block at the border has to be justified; the security risk of leaving it open against the commercial risk of closing it.
If you could convince your bosses to do so, I'd very much doubt their intelligence. Why not block China or the USA as well?
It's considerably harder to block a country, due to the distribution of addresses among the RIRs. http://www.completewhois.com/statistics/data/ips-bycountry/rirstats/DE-cidr.... for example - I count 1488 separate CIDR blocks there; some of which you could aggregate, but it's still a big job. Providers, on the other hand, tend to have nice simple CIDR blocks (since it makes their routing tables nice and small).
Why not live on an IT island? Millions of people suffer from viruses spoofing sender addresses, and in every country there are infected computers. There is no "realm of evil" that can be isolated.
So sometimes it would make the job so much easier by just blocking packets from certain operating system types :-o
Yes. And it's tempting, sometimes. However, that sort of behaviour is the Redmond Way *g*
I for one would particularly like to find whoever was 217.234.167.14 (pD9EAA70E.dip.t-dialin.net) at 23:53 on 14/5/04 and point out to them that what they were doing was illegal and punishable by time in prison.
Oh boy... I advise you have a beer and get some sleep.
Let's see; the time I spent chasing the customer, advising them that their box had been cracked, backing up what data we could, wiping the box, reinstalling Windows, putting it back in the datacentre - I count some 3 hours spent doing something that was not in itself any form of productive work; and stopped me doing productive work (upgrading to Postfix 2.1 on our mail servers and tuning SMTP reject). That's not including the 30 or so abuse reports I had to deal with. It's inefficient, it's annoying and it costs us money; and since I already work about 50 hours per week, I value my free time quite highly!
Maybe in your country. You have to find out whether the person actually broke German law.
I'd be very, *very* surprised if breaking in, rooting a box, installing FTP servers, scanning other (German!) networks for weak POP passwords and SQL scanning weren't punishable by some time in prison.
But I have to agree that it's pointless to contact T-Online. They never reacted to my complaints either.
Of course, one of the funny things about the incident above was that 2 of the abuse reports came *from* T-Online users - I pointed them straight back to their own provider and said 'Good luck' (- as well as telling them that our customer's box had been disconnected from our network). I had better abuse response from the tiny Indonesian provider I chased about their user than *any* of the T-online reports. (Admittedly, the Indonesian police and prisons are probably a bit scarier to script kiddies.)
I find T-Online addresses to be the common mixture like most other providers too. What's really disturbing are those senseless university networks where almost every IP from a given range seems to be affected by some worm or other and is hammering away against my firewall... That's where operating system related packet dropping would come in handy...
Agreed. I've been tempted to investigate Snort's flexresp rules on a number of occasions; but anything I do that blocks legit traffic loses the company money; and is thus Not On.

best wishes,
Gideon.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAxB5m9kmEmNaPyk0RAiKPAJ0ZzdfzYkq6qjQdDJla8tXWj3uXrgCdH4eK
hQMzW6+vLRfGgDvHdCkuVxg=
=fHRX
-----END PGP SIGNATURE-----
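The message above notes that a per-country list of 1488 CIDR blocks could be partially aggregated before it is turned into a border filter. The following is an added example, not code from the thread or from any of its participants, showing how such aggregation is done with Python's standard `ipaddress` module: adjacent blocks are merged into a single larger prefix and blocks already covered by a larger one are dropped, which keeps a blocklist small and easier to audit. The sample prefixes are constructed from documentation ranges and are not the real DE allocations; the `aggregate` and `contains` function names are this example's own.

```python
import ipaddress

# Constructed sample allocation list (documentation ranges, not real RIR data).
# It deliberately contains adjacent and overlapping prefixes so that
# aggregation has something to do.
SAMPLE_CIDRS = [
    "192.0.2.0/25",
    "192.0.2.128/25",     # adjacent to the /25 above -> merge into 192.0.2.0/24
    "198.51.100.0/24",
    "198.51.100.0/26",    # already covered by the /24 above -> redundant
    "203.0.113.0/24",
    "203.0.112.0/24",     # adjacent to 203.0.113.0/24 -> merge into 203.0.112.0/23
]


def aggregate(cidrs):
    """Return the minimal list of prefixes (as strings) covering exactly the
    addresses in `cidrs`. strict=True rejects entries whose host bits are set,
    which is a common sign of a hand-edited, mis-typed list."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    # collapse_addresses merges adjacent networks and removes ones that are
    # contained in others; it yields the result in sorted order.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def contains(cidrs, addr):
    """True if `addr` falls inside any prefix of `cidrs`; this is the check a
    filter or log-review script would run against a source address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    merged = aggregate(SAMPLE_CIDRS)
    print(f"{len(SAMPLE_CIDRS)} prefixes aggregated to {len(merged)}:")
    for prefix in merged:
        print("  ", prefix)
    # A membership check against the aggregated list gives the same answer
    # as against the original one, only with fewer comparisons.
    print("203.0.113.77 blocked:", contains(merged, "203.0.113.77"))
```

Run the file directly to see six prefixes collapse to three; the aggregated list can then be fed to whatever border filter is in use, with the membership check reused when reviewing abuse reports against the list.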