
Re: [suse-security] T-Online abuse address ignoring complaints


On Saturday 05 June 2004 12:58, Tobias Weisserth wrote:

(You will, I hope, excuse me for following up to both messages here; 
but this *is* getting a bit off-topic, and stopping additional 
subthreads is probably advisable.)

> On Sat, 2004-06-05 at 12:57, Ralph Seichter wrote:
> > Gideon Hallett wrote:
> >  > I've come to the conclusion that t-online (and especially
> >  > t-dialin) users are a wretched hive of scum and villainy; and
> >  > that the company itself simply doesn't care.
> >
> > Nonsense. The T-Com dialin infrastructure is the base of a huge
> > number of non-permanent internet connections, both for
> > private and for business use (modems, DSL, etc.). T-Online and
> > other German ISPs buy connectivity from T-Com. Among these users
> > are, if you permit the pun, the good, the bad and the ugly --
> > just like everywhere else in the world.
> That's certainly true. But also true is that T-Online does not
> react to reports about the bad behaviour of some of their
> customers.

This is the crux. Every network has compromised boxes and malicious 
users from time to time. But as the owner of an infrastructure, you 
have the duty to ensure that your users comply with the AUP; and you 
have the duty to respond to external complaints. If you're not 
prepared to do that, then you shouldn't be in the position of 

(And any company that is too big to discipline its users is a) 
monolithic and b) a danger to the wider 'net.)

> >  > If I could convince my bosses that blocking t-online ranges at
> >  > the border was a good idea, I'd have a much easier job as a
> >  > sysadmin.
> That can't be the solution. Whoever needs to take such measures has
> already failed at setting up and securing a proper network.

Speaking here as the sysadmin for a hosting company, I have to say 
that everything *I* have direct control over has a 100% security 
record. However, as a company, customers give us money to host their 
servers; and customers come in a range of aptitudes. 

A depressingly large number of people have no concept of patching; 
some don't realise that Win2k's FTP server allows anonymous access by 
default; others complain that their hard drive appears to be 
shrinking (usually due to all the warez on it!). It's possible to 
scan our netblocks every night; but a 24-hour gap is long enough for 
a box to be rooted in ugly ways. It's also possible to use an IDS to 
look for evil traffic (and IME it's one of the best ways of detecting 
cracked boxes); but it's still reactive; and clued crackers *don't* 
start attacks with massive portscans.

There is no simple, proactive, way of preventing unauthorised 
intrusion (short of disconnecting the box entirely!); and I work for 
a company - we can hardly start refusing customers on the grounds of 
technical ineptitude (or we'd be cutting 90% of our potential 
customer base out). As such, network security in a hosting company 
has to be mainly reactive; every TCP or UDP socket I want to block at 
the border has to be justified; the security risk of leaving it open 
against the commercial risk of closing it.

> > If you could convince your bosses to do so, I'd very much doubt
> > their intelligence. Why not block China or the USA as well? 

It's considerably harder to block a country, due to the distribution 
of addresses among the RIRs.

for example - I count 1488 separate CIDR blocks there; some of which 
you could aggregate, but it's still a big job.

Providers, on the other hand, tend to have nice simple CIDR blocks 
(since it makes their routing tables nice and small).

> > Why 
> > not live on an IT island? Millions of people suffer from viruses
> > spoofing sender addresses, and in every country there are
> > infected computers. There is no "realm of evil" that can be
> > isolated.
> So sometimes it would make the job so much easier by just blocking
> packets from certain operating system types :-o

Yes. And it's tempting, sometimes. However, that sort of behaviour is 
the Redmond Way *g*

> >  > I for one would particularly like to find whoever was
> >  > (pD9EAA70E.dip.t-dialin.net) at 23:53 on
> >  > 14/5/04 and point out to them that what they were doing was
> >  > illegal and punishable by time in prison.
> > Oh boy... I advise you have a beer and get some sleep.

Let's see; the time I spent chasing the customer, advising them that 
their box had been cracked, backing up what data we could, wiping the 
box, reinstalling Windows, putting it back in the datacentre - I 
count some 3 hours spent doing something that was not in itself any 
form of productive work; and stopped me doing productive work 
(upgrading to Postfix 2.1 on our mail servers and tuning SMTP 

That's not including the 30 or so abuse reports I had to deal with.

It's inefficient, it's annoying and it costs us money; and since I 
already work about 50 hours per week, I value my free time quite 

> Maybe in your country. You have to find out whether the person
> actually broke German law. 

I'd be very, *very* surprised if breaking in, rooting a box, installing 
FTP servers, scanning other (German!) networks for weak POP passwords 
and SQL scanning weren't punishable by some time in prison.

> But I have to agree that it's pointless 
> to contact T-Online. They never reacted to my complaints either.

Of course, one of the funny things about the incident above was that 2 
of the abuse reports came *from* T-Online users - I pointed them 
straight back to their own provider and said 'Good luck' (- as well 
as telling them that our customer's box had been disconnected from 
our network).

I had better abuse response from the tiny Indonesian provider I chased 
about their user than *any* of the T-online reports.

(Admittedly, the Indonesian police and prisons are probably a bit 
scarier to script kiddies.)

> I find T-Online addresses to be the common mixture like most other
> providers too. What's really disturbing are those senseless
> university networks where almost every IP from a given range seems
> to be affected by some worm or other and is hammering away against
> my firewall... That's where operating system related packet
> dropping would come in handy...

Agreed. I've been tempted to investigate Snort's flexresp rules on a 
number of occasions; but anything I do that blocks legit traffic 
loses the company money; and is thus Not On.

 best wishes,
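The point above about country-level blocking (hundreds or thousands of separate CIDR blocks, some of which aggregate, versus a provider's few clean blocks) is easy to see in code. The following is an added example and not part of the original message or of any tool discussed in the thread. It uses Python's standard `ipaddress` module to collapse a list of prefixes into the minimal set that covers exactly the same addresses, counts the coverage before and after, checks whether a given address falls inside the set, and renders the result as border-filter rules. The block list is constructed from documentation ranges and is not real allocation data; the `iptables` rule text is only illustrative output.

```python
import ipaddress

# Constructed sample list of CIDR blocks (documentation/private ranges,
# not a real provider's or country's allocations).
SAMPLE_BLOCKS = [
    "192.0.2.0/25",
    "192.0.2.128/25",     # adjacent to the one above -> merges into a /24
    "198.51.100.0/24",
    "198.51.100.0/26",    # fully contained in the /24 above -> redundant
    "203.0.113.0/24",
    "203.0.114.0/24",     # not on a /23 boundary with 203.0.113.0/24 -> stays separate
    "10.0.0.0/24",
    "10.0.1.0/24",
    "10.0.2.0/23",        # /24 + /24 + /23 -> 10.0.0.0/22
]


def aggregate(cidrs):
    """Return the minimal list of prefixes covering exactly the input.

    collapse_addresses() merges adjacent, aligned prefixes and drops
    prefixes contained in a larger one; it never widens coverage, so
    nothing outside the original list gets blocked. It refuses to mix
    IPv4 and IPv6, so each family is collapsed separately.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    result = []
    for version in (4, 6):
        same_family = [n for n in nets if n.version == version]
        result.extend(str(n) for n in ipaddress.collapse_addresses(same_family))
    return result


def address_count(cidrs):
    """Sum of addresses over the list; overlaps are counted twice on purpose,
    so comparing raw vs. aggregated shows how much redundancy was present."""
    return sum(ipaddress.ip_network(c, strict=False).num_addresses for c in cidrs)


def contains(cidrs, addr):
    """True if addr lies inside any prefix of the list (same IP family only)."""
    ip = ipaddress.ip_address(addr)
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


def drop_rules(cidrs, chain="INPUT"):
    """Render one DROP rule per prefix; fewer prefixes means a shorter chain
    for the border filter to walk on every packet. (Illustrative format.)"""
    return [f"iptables -A {chain} -s {c} -j DROP" for c in cidrs]


if __name__ == "__main__":
    compact = aggregate(SAMPLE_BLOCKS)
    print(f"{len(SAMPLE_BLOCKS)} prefixes -> {len(compact)} after aggregation")
    print(f"addresses counted: raw={address_count(SAMPLE_BLOCKS)}, "
          f"aggregated={address_count(compact)}")
    for rule in drop_rules(compact):
        print(rule)
    print("10.0.3.77 blocked?", contains(compact, "10.0.3.77"))
    print("203.0.115.1 blocked?", contains(compact, "203.0.115.1"))
```

The aggregation here is exact: it only merges prefixes that already form a single aligned block. Widening a prefix by hand to save a few rules (say, turning the two non-adjacent 203.0.113.0/24 and 203.0.114.0/24 into a /22) would also block addresses that were never on the list, which is precisely the "blocks legit traffic, loses the company money" problem raised in the message.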


