constant attacks - whom to contact?

on 22.06.2006 22:22:43 by Chris Kronberg

Hi,

For nearly two months now I see constant attacks by a
certain host in the US. Sending mail to the responsible
persons and the provider's abuse address didn't change a
thing. The attacks continue. The next hop upwards
leads over the ocean to Europe, so it is not likely
that anything is going to happen here.
Is there any official address where people can turn
to, when a provider doesn't react? After all there is
a good chance that the host in question is compromised.

Sure, I can set a filter on my side to block the traffic
but that does not solve the initial problem.

Cheers,

Chris.

Re: constant attacks - whom to contact?

on 22.06.2006 22:49:38 by Sebastian Gottschalk

Chris Kronberg wrote:

> For nearly two months now I see constant attacks by a
> certain host in the US.

What kinds of attacks?

> Sending mail to the responsible
> persons and the provider's abuse address didn't change a
> thing.

Even if there actually is something to change, why do you expect any
reaction? Welcome the real world!

> Is there any official address where people can turn
> to, when a provider doesn't react?

ICANN

> After all there is
> a good chance that the host in question is compromised.

Uuuh... if I was to complain about any compromised host trying to
compromise me, I'd need to write an extensive script and set up a
dedicated server just for keeping up.

> Sure, I can set a filter on my side to block the traffic
> but that does not solve the initial problem.

Well, what about describing your problem a bit more detailed?

Re: constant attacks - whom to contact?

on 23.06.2006 07:53:53 by Chris Kronberg

On 2006-06-22, Sebastian Gottschalk wrote:
> Chris Kronberg wrote:
>
>> For nearly two months now I see constant attacks by a
>> certain host in the US.
>
> What kinds of attacks?

Web-based.

>> Sending mail to the responsible
>> persons and the provider's abuse address didn't change a
>> thing.
>
> Even if there actually is something to change, why do you expect any
> reaction? Welcome the real world!

That's an irresponsible attitude.
The answer to your question is because I have managed to address
problems like that more than once. I hold responsible people
responsible. Turning away is no solution to security issues.

>> Is there any official address where people can turn
>> to, when a provider doesn't react?
>
> ICANN

Definitely not. That concerns DNS only. Btw., as stated on their website:
"Other issues of concern to Internet users, such as the rules
for financial transactions, Internet content control, unsolicited
commercial email (spam), and data protection are outside the range
of ICANN's mission of technical coordination."

>> After all there is
>> a good chance that the host in question is compromised.
>
> Uuuh... if I was to complain about any compromised host trying to
> compromise me, I'd need to write an extensive script and set up a
> dedicated server just for keeping up.

So even more expenses on your side with an unsure outcome.
With no reaction on the other side this yields nothing.

>> Sure, I can set a filter on my side to block the traffic
>> but that does not solve the initial problem.
>
> Well, what about describing your problem a bit more detailed?

There is an isp, located in the US, not reacting to reports
about compromised hosts. I'm looking for additional (legal)
means (i.e. contacts) to clear this case. That's all.

I'm not looking for advices how to secure my server. I know
how to do that. Neither is filtering an issue.

Cheers,

Chris.

Re: constant attacks - whom to contact?

on 23.06.2006 10:59:27 by Sebastian Gottschalk

Chris Kronberg wrote:

>> What kinds of attacks?
>
> Web-based.

More specifically? Which services are they trying to exploit, and in which way?
There are a lot of stupid people out there who think about the most
normal things to be attacks.

>> Even if there actually is something to change, why do you expect any
>> reaction? Welcome the real world!
>
> That's an irresponsible attitude.

Of the responsible abuse department. Of course it is. Now change the law
so that you can actually enforce something. Until then, accept the fact that
they usually don't care.

> I hold responsible people responsible.

In the median case this fails.

> Turning away is no solution to security issues.

Eh... what does abuse support have to do with security? It's a
management issue.

>>> Is there any official address where people can turn
>>> to, when a provider doesn't react?
>> ICANN
>
> Definitely not. That concerns dns only.

Wrong. ICANN concerns internet activity as well. They have exclusive
rights to enforce disconnection for everyone who a) doesn't follow 9
relevant RFCs about internet protocols b) disturbs the infrastructure.

> With no reaction on the other side this yields nothing.

Right. You really don't know BR-CERT, do you?

> There is an isp, located in the US, not reacting to reports
> about compromised hosts. I'm looking for additional (legal)
> means (i.e. contacts) to clear this case. That's all.

There is none. They are responsible, but you won't get anyone forcing
them holding up their responsibility in real life. Welcome to the
internet of 2006.

BTW, could it be that you're totally wrong here? I guess
news.admin.net-abuse.misc could help you more.

Re: constant attacks - whom to contact?

on 23.06.2006 15:45:28 by Pseudo_Anon

On 2006-06-23, Sebastian Gottschalk wrote:
>
> BTW, could it be that you're totally wrong here? I guess
> news.admin.net-abuse.misc could help you more.

Or could it be that you can't take anyone calling you out on anything without
your dummy being launched from your pram ?

P_A.

Re: constant attacks - whom to contact?

on 23.06.2006 17:57:13 by Chris Kronberg

On 2006-06-23, Sebastian Gottschalk wrote:
> Chris Kronberg wrote:
>
*irrelevant and pointless ranting deleted*

>> There is an isp, located in the US, not reacting to reports
>> about compromised hosts. I'm looking for additional (legal)
>> means (i.e. contacts) to clear this case. That's all.
>
> There is none. They are responsible, but you won't get anyone forcing
> them holding up their responsibility in real life. Welcome to the
> internet of 2006.

I don't agree. There is always a way. There has been with others
there will be with this one.
It's interesting that you give so much effort in the attempt to
prevent me from looking for it.

> BTW, could it be that you're totally wrong here? I guess
> news.admin.net-abuse.misc could help you more.

Could it be that you know nothing about incident handling?
It's a part of security. A very much neglected part I must
admit.

Chris.

Re: constant attacks - whom to contact?

on 23.06.2006 20:52:14 by Sebastian Gottschalk

Chris Kronberg wrote:

> I don't agree. There is always a way. There has been with others
> there will be with this one.

Now get a grip on reality. It seems like no one cares and hardly anyone
enforces it.

> It's interesting that you give so much effort in the attempt to
> prevent me from looking for it.

Prevent? I'm just suggesting to understand that abuse doesn't work like
you want.

>> BTW, could it be that you're totally wrong here? I guess
>> news.admin.net-abuse.misc could help you more.
>
> Could it be that you know nothing about incidents handling?

No, can't be.

> It's a part of security.

Huh? It's part of abuse handling.

Re: constant attacks - whom to contact?

on 23.06.2006 21:50:34 by ibuprofin

On 23 Jun 2006, in the Usenet newsgroup comp.security.misc, in article
<4g1dvhF1lfb63U1@individual.net>, Chris Kronberg wrote:

>Sebastian Gottschalk wrote:

>> Chris Kronberg wrote:
>>
>>> For nearly two months now I see constant attacks by a
>>> certain host in the US.
>>
>> What kinds of attacks?
>
> Web-based.

Oh, that's a real accurate description of the problem. Is someone
constantly clicking on your URL but blocking cookies? Look - either
describe the supposed attack, or just filter the entire domain.

>>> Sending mail to the responsible
>>> persons and the provider's abuse address didn't change a
>>> thing.

Seeing as how you don't want to provide any definitive information, one
has to wonder what information you provided in your abuse report. Did
you get a response from the ignore-bot most large ISPs use? Did you
look to see if there are similar reports in the Usenet newsgroup
news.admin.net-abuse.sightings? Ten seconds typing in the ISP domain
name into the search engine at groups.google.com and searching the
news.admin.net-abuse.* hierarchy might provide clues.

>>> Is there any official address where people can turn
>>> to, when a provider doesn't react?

Only if there is criminal activity - as defined by (in this case) US
law. Your opinion may not match what's in the laws.

> There is an isp, located in the US, not reacting to reports
> about compromised hosts. I'm looking for additional (legal)
> means (i.e. contacts) to clear this case. That's all.

BFHD. Providers like comcast, road-runner, verizon, and the group of
providers under SBC don't care. They look at themselves as "Common
Carriers" (look up the legal definition yourself) and claim they are not
responsible for the packets that transit their wires any more than the
post office or an airline is responsible for what may be contained in a
package they are carrying from "A" to "B".

Read the Usenet newsgroups news.admin.net-abuse.sightings,
news.admin.net-abuse.misc, and news.admin.net-abuse.usenet where you
may get some reasonable (and unreasonable) suggestions. Posting log
information there may help, but you'd better be sure you have a real
case, and know that these are real attacks and not just noise.

Old guy

Re: constant attacks - whom to contact?

on 24.06.2006 23:05:47 by bellyup

Chris Kronberg wrote:
> Hi,
>
> For nearly two months now I see constant attacks by a
> certain host in the US. Sending mail to the responsible
> persons and the provider's abuse address didn't change a
> thing. The attacks continue. The next hop upwards
> leads over the ocean to Europe, so it is not likely
> that anything is going to happen here.
> Is there any official address where people can turn
> to, when a provider doesn't react? After all there is
> a good chance that the host in question is compromised.
>
> Sure, I can set a filter on my side to block the traffic
> but that does not solve the initial problem.
>
> Cheers,
>
> Chris.

Could you post logs or a data capture of the attack?
Bear in mind, if you are sending PFW logs or router logs to someone as a
complaint, they will just laugh and hit delete.

If it is a compromised host sending out the scans try and put them on a
compromised host blacklist. That *may* get their attention.
E.

Re: constant attacks - whom to contact?

on 28.06.2006 22:41:38 by Chris Kronberg

On 2006-06-24, E. wrote:
> Chris Kronberg wrote:
>>
>> For nearly two months now I see constant attacks by a
>> certain host in the US. Sending mail to the responsible
>> persons and the provider's abuse address didn't change a
>> thing. The attacks continue. The next hop upwards
>> leads over the ocean to Europe, so it is not likely
>> that anything is going to happen here.
>> Is there any official address where people can turn
>> to, when a provider doesn't react? After all there is
>> a good chance that the host in question is compromised.
>>
>> Sure, I can set a filter on my side to block the traffic
>> but that does not solve the initial problem.
>
> Could you post logs or a data capture of the attack?

If I wanted to disclose the details, I would have already
done so. The provider in question has a hard struggle
to get back a somewhat good reputation after some really
nasty spam problems. As a matter of fact there was only
one complaint in the public in the last 12 months. Unless
that provider proves to be back on the rogue side I will
not badmouth him more than necessary. ;-) Public disclosure
is the last refuge I want to take.

Anyhow, the problem seems to have been solved, finally.
Some providers seem to be veeeeerryyyyy slow.

> Bear in mind, if you are sending PFW logs or router logs to someone as a
> complaint, they will just laugh and hit delete.

Sure. I would not laugh but hit delete anyway in that case.

> If it is a compromised host sending out the scans try and put them on a
> compromised host blacklist. That *may* get their attention.

That is a way to go. Thank you, I'll note that for the
future. :-)

Cheers,

Chris.

Re: constant attacks - whom to contact?

on 28.06.2006 23:08:11 by Chris Kronberg

On 2006-06-23, Moe Trin wrote:
> On 23 Jun 2006, in the Usenet newsgroup comp.security.misc, in article
><4g1dvhF1lfb63U1@individual.net>, Chris Kronberg wrote:
>
>>Sebastian Gottschalk wrote:
>
>>> Chris Kronberg wrote:
>>>
>>>> For nearly two months now I see constant attacks by a
>>>> certain host in the US.
>>>
>>> What kinds of attacks?
>>
>> Web-based.
>
> Oh, that's a real accurate description of the problem. Is someone
> constantly clicking on your URL but blocking cookies? Look - either

Nope. Blocking cookies would never qualify as an attack to me.
I have never seen someone clicking on URLs constantly over
two months. That would raise some questions but unless the
"clicks" come in very short time frames, I don't see an attack
there, more an annoyance.

> describe the supposed attack, or just filter the entire domain.

As I said before, I don't want to filter that domain.

>>>> Sending mail to the responsible
>>>> persons and the provider's abuse address didn't change a
>>>> thing.
>
> Seeing as how you don't want to provide any definitive information, one
> has to wonder what information you provided in your abuse report. Did

The provider got all details.
In the past I learned that disclosing details to anyone else
but the people in charge yields nothing.
People tend to say "oh, that's nothing, you can ignore that".
One of those to-be-ignored incidents turned out to be the setup
and test run of a DDoS network. There was no way to tell that
from the beginning. There were only a surprising number of 404
file not found entries in the logfiles. Who would ever link that
to something like DDoS? Yet that was behind it. That time taught me
many things. So nowadays I'm far more suspicious and far more
careful (I may have scared that person away by disclosing
information too early).
The second reason for non-disclosure is given in my other posting.

> you get a response from the ignore-bot most large ISPs use? Did you

No response at all. But that's not unique. If the activity
stops I close the case.

> look to see if there are similar reports in the Usenet newsgroup
> news.admin.net-abuse.sightings? Ten seconds typing in the ISP domain

Yes, I did that on an early stage of my investigations after the
first complaints didn't show any effect. Result: Just one complaint
in twelve months and a statement of the provider that they are
reorganizing to be able to better handle the (spam) problems (again
that was last year).

> name into the search engine at groups.google.com and searching the
> news.admin.net-abuse.* hierarchy might provide clues.
>
>>>> Is there any official address where people can turn
>>>> to, when a provider doesn't react?
>
> Only if there is criminal activity - as defined by (in this case) US
> law. Your opinion may not match what's in the laws.

I know. But the law in the US doesn't allow attacking other computers,
does it? That a european outsider has no high priority - well, I know
that, too.

>> There is an isp, located in the US, not reacting to reports
>> about compromised hosts. I'm looking for additional (legal)
>> means (i.e. contacts) to clear this case. That's all.
>
> BFHD. Providers like comcast, road-runner, verizon, and the group of
> providers under SBC don't care. They look at themselves as "Common

With road-runner and verizon I agree. With SBC I had some good
experiences. Comcast, well, has a very bad past. Not sure about
what is going on now.

Cheers,

Chris.

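What the replies above keep asking for, and what an abuse desk can actually act on, is a concrete summary: which source address, which requests, over which window, with times in UTC and the raw log lines attached. The post also notes that a run of 404s from one host was the only visible sign of a later DDoS test run. The script below is an added example, not code posted by anyone in this thread. It assumes the Apache/nginx "combined" access-log format, works on a constructed sample log (RFC 5737 documentation addresses, not captured traffic), and the suspicion thresholds in is_suspicious are assumptions to tune for your site.

```python
"""Summarise one source address's web-server activity for an abuse report.

Added example for this thread, not code posted in it. Assumes the
Apache/nginx "combined" access-log format; the sample log is constructed.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# "combined" log format (assumption: your server writes this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample, not real traffic. One host probes paths that do not
# exist and leaves a burst of 404s; another is an ordinary visitor; the last
# line is deliberately malformed. Two entries carry a +0200 offset to show
# why everything is normalised to UTC before it goes into a report.
SAMPLE_LOG = """\
192.0.2.77 - - [20/Jun/2006:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.77 - - [20/Jun/2006:03:14:08 +0000] "GET /admin/ HTTP/1.1" 404 289 "-" "Mozilla/4.0"
192.0.2.77 - - [20/Jun/2006:03:14:09 +0000] "GET /backup.zip HTTP/1.1" 404 289 "-" "Mozilla/4.0"
192.0.2.77 - - [20/Jun/2006:03:14:09 +0000] "GET /old/ HTTP/1.1" 404 289 "-" "Mozilla/4.0"
192.0.2.77 - - [20/Jun/2006:05:02:41 +0200] "GET /test/ HTTP/1.1" 404 289 "-" "Mozilla/4.0"
192.0.2.77 - - [20/Jun/2006:05:02:42 +0200] "GET /admin/ HTTP/1.1" 404 289 "-" "Mozilla/4.0"
198.51.100.5 - - [20/Jun/2006:03:20:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.5 - - [20/Jun/2006:03:20:01 +0000] "GET /style.css HTTP/1.1" 200 512 "http://example.org/" "Mozilla/5.0"
this line is garbage and must be skipped, not crash the parser
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # %z accepts the "+0200" style offset; convert to UTC so entries logged
    # under different offsets sort correctly and the recipient needs no guesswork.
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    rec["status"] = int(rec["status"])
    rec["raw"] = line
    return rec


def summarize(log_text, source_ip):
    """Aggregate every parseable request from source_ip; None if it never appears."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r and r["ip"] == source_ip]
    if not recs:
        return None
    times = sorted(r["ts"] for r in recs)
    status = Counter(r["status"] for r in recs)
    not_found = Counter(r["path"] for r in recs if r["status"] == 404)
    return {
        "ip": source_ip,
        "requests": len(recs),
        "first_seen_utc": times[0].isoformat(),
        "last_seen_utc": times[-1].isoformat(),
        "status_counts": dict(status),
        "not_found_ratio": status[404] / len(recs),
        "distinct_404_paths": len(not_found),
        "top_404_paths": not_found.most_common(5),
        "user_agents": sorted({r["ua"] for r in recs}),
        "evidence": [r["raw"] for r in recs],  # raw lines, so the recipient can verify
    }


def is_suspicious(summary, min_requests=5, min_404_ratio=0.5, min_distinct_404=3):
    """Heuristic (thresholds are assumptions): many requests, mostly 404, many distinct probes."""
    return (summary["requests"] >= min_requests
            and summary["not_found_ratio"] >= min_404_ratio
            and summary["distinct_404_paths"] >= min_distinct_404)


def format_abuse_report(summary):
    """Plain-text report: facts first, raw evidence last, window stated in UTC."""
    lines = [
        f"Source address: {summary['ip']}",
        f"Window (UTC): {summary['first_seen_utc']} to {summary['last_seen_utc']}",
        f"Requests: {summary['requests']}, status codes: {summary['status_counts']}",
        f"Distinct 404 paths: {summary['distinct_404_paths']} "
        f"(404 share {summary['not_found_ratio']:.0%})",
        f"Most probed missing paths: {summary['top_404_paths']}",
        f"User agents: {', '.join(summary['user_agents'])}",
        "",
        "Raw log lines (offsets as logged by the server):",
        *summary["evidence"],
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_abuse_report(summarize(SAMPLE_LOG, "192.0.2.77")))
```

Note the first_seen value in the sample: the two entries logged at 05:02 +0200 are actually the earliest in UTC, which is exactly the kind of detail that makes a report look wrong to the recipient if local offsets are copied verbatim.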
Re: constant attacks - whom to contact?

on 29.06.2006 22:07:21 by ibuprofin

On 28 Jun 2006, in the Usenet newsgroup comp.security.misc, in article
<4gg9drF1mmsftU1@individual.net>, Chris Kronberg wrote:

> In the past I learned that disclosing details to anyone else
> but the people in charge details yield nothing.

There is very little that a single individual can do. On the other hand,
when enough people realize that an entity is a problem, together they can
do something about it. Look up "Usenet Death Penalty" in your spare time.

> So nowadays I'm far more suspicious and far more careful (I may have
> scared that person away by disclosing information to early).

On the 15 of this month, there were 73466 IPv4 networks in the world,
totalling 2318449458 IP addresses - that's 2.32 billion. Do you really
think that your system stands out above that mass?

> Yes, I did that on an early stage of my investigations after the
> first complaints didn't show any effect. Result: Just one complaint
> in twelve months and a statement of the provider that they are
> reorganizing to be able to better handle the (spam) problems (again
> that was last year).

Well, if people have your attitude of "I've been attacked, but I won't
tell whose IP space it came from", you shouldn't expect to find large
numbers of postings. A lot of network admins are taking the stance that
abuse complaints are pretty much ignored, and the solution is simply to
block the offending domain. If they feel generous, they may post the
details to something in the news.admin.net-abuse.* hierarchy, so that
others can be warned. Eventually enough people are blocking a domain
that even the most dense management types finally recognize that they
have a problem - there have been several entire countries where the
authorities _finally_ saw the light.

>> Only if there is criminal activity - as defined by (in this case) US
>> law. Your opinion may not match what's in the laws.
>
> I know. But the law in the US don't allow attacking other computers,
> does it?

There are several sets of laws, some enacted at the 'state' level, some
at the national level. The problem is one of priorities. The crime has
to be serious enough for the authorities to see it worth the time and
expense. It has been reported in the past that the federal authorities
(US Federal Bureau of Investigation - the FBI) won't get actively involved
unless the monetary damage is over US$5000, or it involves national
security.

> That a european outsider has no high priority - well, I know that, too.

Just as a non-european has no high priority in European jurisdictions. Do
you find this surprising?

> With road-runner and verizon I agree. With SBC I had some good
> experiences. Comcast, well, has a very bad past. Not sure about
> what is going on now.

SBC has been a thorn in my side for years - that's why about 11.5 million
addresses (the equivalent of about 175 /16s) are blocked here. My users
haven't complained about the blockage, and I really don't care what SBC
might think. As for comcast, I'm blocking even more netblocks - about
the equivalent of 364 /16s. I no longer have much of a problem with either.

Old guy
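
Sizing a block list in /16 equivalents, as the post above does, is a useful sanity check: 11.5 million addresses divided by 65536 is about 175.5 /16s, matching the figure given. A list that has grown over years also tends to contain nested and adjacent entries that can be collapsed, and before it goes into a firewall it is worth checking which specific addresses it swallows (the "my users haven't complained" question). The following is an added example, not code from anyone in this thread. The netblocks are constructed inside 10.0.0.0/8 purely to keep the arithmetic visible; the iptables chain name is an assumption.

```python
"""Collapse a hand-maintained list of netblocks into a minimal block list,
size it in /16 equivalents, and check what it covers.

Added example for this thread, not code posted in it. SAMPLE_BLOCKS is
constructed (private 10/8 space); substitute the blocks you actually drop.
"""
import ipaddress

# Constructed input with overlapping, nested and adjacent entries.
SAMPLE_BLOCKS = [
    "10.0.0.0/12",
    "10.16.0.0/13",
    "10.16.0.0/16",       # nested inside the /13 above
    "10.24.0.0/14",
    "10.128.0.0/17",
    "10.128.128.0/17",    # adjacent to the previous /17: merges into one /16
]


def collapse(cidrs):
    """Minimal list of networks covering exactly the same addresses.

    strict=True (the default) rejects entries with host bits set, which
    catches typos like 10.16.1.0/13 before they reach the firewall.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def total_addresses(nets):
    return sum(n.num_addresses for n in nets)


def slash16_equivalents(nets):
    """The post sizes block lists in /16s; one /16 is 65536 addresses."""
    return total_addresses(nets) / 65536


def is_blocked(nets, address):
    """Collateral-damage check: would this single address be dropped?"""
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in nets)


def iptables_rules(nets, chain="INPUT"):
    """One DROP rule per collapsed block (chain name is an assumption)."""
    return [f"iptables -A {chain} -s {n.with_prefixlen} -j DROP" for n in nets]


if __name__ == "__main__":
    blocked = collapse(SAMPLE_BLOCKS)
    print(f"{len(SAMPLE_BLOCKS)} entries collapse to {len(blocked)} blocks, "
          f"{total_addresses(blocked)} addresses = {slash16_equivalents(blocked):g} /16s")
    for rule in iptables_rules(blocked):
        print(rule)
```

Running it on the sample turns six entries into four rules covering 29 /16s; the same functions applied to a real list give the figure to quote when someone asks how much of a provider you are actually dropping.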