Nildram users doing portscanning

jann
      12-08-2003, 10:12 AM
Our ISA server is being repeatedly scanned by a variety of Nildram dynamic
ip addresses - anyone else seeing this?

Nildram Abuse team say all we can do is to ensure our server is protected -
do they not have a responsibility to warn their customers (whether they are
deliberate attempts, or attempts due to trojan infection??)

Thanks


 
Andy Blanchard
      12-08-2003, 07:37 PM
On Mon, 8 Dec 2003 11:12:42 -0000, "jann" <(E-Mail Removed)> wrote:

>Our ISA server is being repeatedly scanned by a variety of Nildram dynamic
>ip addresses - anyone else seeing this?


I *am* a Nildram customer, and I get this all the time, mainly because
worms and script kiddies generally start off looking around the IP of
the infected host. So far today, my firewall has bounced (from
Nildram IP space alone):

5575 ICMP ping attempts

909 DCOM probes (port 135)
375 Netbios probes (port 137 and 139)
469 Microsoft DS probes (port 445)
234 MS-SQL probes (ports 1433 and 1434)

Plus numerous other cruft yet to get above 100 hits on the port.

More worryingly I have had 1403 probes from the obviously spoofed
source IP of 127.0.0.1 which would imply that Nildram do not have a
robust anti-spoofing policy on their routers. I sent this to the
abuse team some time ago and have seen no sign of any action; sure
it's only background noise, maybe a few MB a day, but it's still damn
annoying.

>Nildram Abuse team say all we can do is to ensure our server is protected -
>do they not have a responsibility to warn their customers (whether they are
>deliberate attempts, or attempts due to trojan infection??)


That's utter crap. Well, apart from the part about ensuring that you
are protected anyway, but that goes without saying. Any reputable
ISP's Abuse team has a responsibility to try and inform its customers
when they have a possibly compromised box and to protect other ISPs
from the same. It's not rocket science; all you need to do is drop a
few boxes on your IP space that log anomalous traffic, any customer
IPs that generate enough noise get a warning, and if it continues they
get a suspension of service and period of probation, followed by
cessation of service. To avoid overworking the Abuse Team you start
with the threshold set high and reduce it as and when you get on top
of the problem, and make sure it's all up front in the AUP and T&C.

If an ISP wants to absolve themselves of some responsibility for their
customers' actions, then they should start by putting some more of
their customers' contact details into WHOIS IMHO.

Andy
 
Dan
      12-09-2003, 09:10 AM
On Mon, 08 Dec 2003 20:37:11 +0000, Andy Blanchard
<(E-Mail Removed)> wrote:

>More worryingly I have had 1403 probes from the obviously spoofed
>source IP of 127.0.0.1 which would imply that Nildram do not have a
>robust anti-spoofing policy on their routers. I sent this to the
>abuse team some time ago and have seen no sign of any action; sure
>it's only background noise, maybe a few MB a day, but it's still damn
>annoying.


Are you sure about that? :-)

127.0.0.1 is the loopback address; it is your computer that is
generating the packets.

I'm afraid that a sort of automated warning system which automatically
takes action against our customers for generating too much "noise" is
out of the question.


 
Andy Blanchard
      12-09-2003, 04:40 PM
On Tue, 09 Dec 2003 10:10:59 +0000, Dan <(E-Mail Removed)> wrote:

>On Mon, 08 Dec 2003 20:37:11 +0000, Andy Blanchard
><(E-Mail Removed)> wrote:
>
>>More worryingly I have had 1403 probes from the obviously spoofed
>>source IP of 127.0.0.1 which would imply that Nildram do not have a
>>robust anti-spoofing policy on their routers. I sent this to the
>>abuse team some time ago and have seen no sign of any action; sure
>>it's only background noise, maybe a few MB a day, but it's still damn
>>annoying.

>
>Are you sure about that? :-)
>
>127.0.0.1 is the loopback address, it is your computer that is
>generating the packets.


Not on the external interface of the firewall it's not. Loopback was
my first thought too; I thought my Linux proxy was doing something
funny, to be precise, but having done some packet capture it's
definitely external.

>I'm afraid that a sort of automated warning system which automatically
>takes action against our customers for generating too much "noise" is
>out of the question.


Who said anything about automatic action (which I agree would be
insane)? The implication was that the Abuse Team gets a report,
weekly say, of all the IPs within their jurisdiction that have "hit"
the box more than so many times within that period, maybe even
filtering out ICMP traffic if you want. The Abuse Team can then take
a closer look at those logs and see at a glance that, say, 10.1.1.1 is
repeatedly scanning for open relays or NetBIOS, and issue the
appropriate notification to the customer.

Andy
 
jann
      12-09-2003, 09:54 PM
What surprises me is that normally when you report this kind of activity to
an ISP, 9 times out of 10 they do stop the abuse. Nildram seem to just shrug
their shoulders (although I'm glad to see that representatives do post in
these forums).

Is there some problem that would prevent Nildram from speaking to the owner
of the IP address and asking them to check out their PC?


 
Peter
      12-09-2003, 10:01 PM

"jann" <(E-Mail Removed)> wrote

>What surprises me is that normally when you report this kind of activity to
>an ISP, 9 times out of 10 they do stop the abuse. Nildram seem to just shrug
>their shoulders (althought I'm glad to see that representatives do post in
>these forums).
>
>Is there some problem that would prevent Nildram from speaking to the owner
>of the IP address and asking them to check out their PC?


I've reported widespread Blaster infections among other Clara (my ISP)
customers and they don't appear to be doing anything about it. I am
getting pinged about once per minute, especially in the evening. I
have even given them some IPs and the times when online so they can
find out who it is.

It would be very easy for an ISP to spot the 92-byte packets and send
an automated email to the person concerned to get their PC checked.
Same with Swen - the 100k attachments stick out like anything and
nowadays must be a real drain on the bandwidth...

Is this what should happen?


Peter.
--
Return address is invalid to help stop junk mail.
E-mail replies to (E-Mail Removed) but remove the X and the Y.
Please do NOT copy usenet posts to email - it is NOT necessary.
 
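The per-IP threshold report Andy describes (with ICMP optionally filtered out), the check that a loopback source on an external interface can only be spoofed, and Peter's idea of picking out the 92-byte ping packets, worked through as an added example; this is not code from anyone in the thread. The log line format, the sensor name `fw`, the addresses and the threshold are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample of a sensor's drop log (hypothetical format, not a real product's).
SAMPLE_LOG = """\
Dec 09 10:10:59 fw DROP proto=TCP src=10.1.1.1 dst=192.0.2.10 dport=135 len=48
Dec 09 10:11:02 fw DROP proto=TCP src=10.1.1.1 dst=192.0.2.10 dport=139 len=48
Dec 09 10:11:05 fw DROP proto=TCP src=10.1.1.1 dst=192.0.2.10 dport=445 len=48
Dec 09 10:11:09 fw DROP proto=TCP src=10.1.1.1 dst=192.0.2.10 dport=1433 len=48
Dec 09 10:12:00 fw DROP proto=ICMP src=10.1.1.7 dst=192.0.2.10 dport=0 len=92
Dec 09 10:12:01 fw DROP proto=ICMP src=10.1.1.7 dst=192.0.2.10 dport=0 len=92
Dec 09 10:13:30 fw DROP proto=TCP src=127.0.0.1 dst=192.0.2.10 dport=25 len=48
Dec 09 10:14:11 fw DROP proto=TCP src=10.1.1.9 dst=192.0.2.10 dport=80 len=48
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) .*?dport=(?P<dport>\d+) len=(?P<len>\d+)")

def parse(log_text):
    """Yield (proto, src, dport, length) for each line the regex recognises."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["proto"], m["src"], int(m["dport"]), int(m["len"])

def abuse_report(log_text, threshold=3, ignore_icmp=True):
    """Return (flagged, spoofed).

    flagged: src IP -> Counter of destination ports, only for sources that hit the
             sensor more than `threshold` times (the weekly "noise" report).
    spoofed: events whose source address cannot legitimately arrive from outside
             (loopback, unspecified, multicast), i.e. an anti-spoofing gap upstream.
    """
    hits = defaultdict(Counter)
    spoofed = []
    for proto, src, dport, _length in parse(log_text):
        addr = ip_address(src)
        if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
            spoofed.append((src, proto, dport))
            continue
        if ignore_icmp and proto == "ICMP":
            continue
        hits[src][dport] += 1
    flagged = {src: ports for src, ports in hits.items() if sum(ports.values()) > threshold}
    return flagged, spoofed

def blaster_like_pings(log_text):
    """Count 92-byte ICMP packets per source, the size Peter says stands out."""
    return Counter(src for proto, src, _dport, length in parse(log_text)
                   if proto == "ICMP" and length == 92)
```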