Re: RPAT - Realtime Proxy Abuse Triangulation
From: Stephen Friedl (steve@unixwiz.net)
Date: 12/24/02
- Previous message: alfaentomega: "RE: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second"
- Maybe in reply to: Stephen Friedl: "RPAT - Realtime Proxy Abuse Triangulation"
- Next in thread: Jay D. Dyson: "Re: RPAT - Realtime Proxy Abuse Triangulation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 24 Dec 2002 10:33:19 -0800 From: Stephen Friedl <steve@unixwiz.net> To: bt@seifried.org
> I would be very nervous about running this, remote SNMP queries of someone
> elses system (say a .gov or .mil proxy) may be considered illegal activity
> in some jurisdictions.
People would be out of their minds to run RPAT without /really/
understanding what they were doing, for exactly this reason. You have
to be pretty confident in your approach to pull this off, and a number
of organizations who say they could have benefited from it won't run it.
But in practice this has not been an issue for me. Since the hostile
attacks of interest were *clearly* distinguishable from regular traffic
prior research had shown us that these were always from open proxies.
Open proxies are almost by definition "insecure machines", so they are
not likely to be associated with cluefull security staff for monitoring.
People with their act together generally don't run open proxies.
Second, the RPAT daemon makes at most three tries to fetch the SNMP data,
and if it times out, it never asks that IP again even if more attacks
are seen. Three SNMP packets may well be considered "below the radar"
in terms of characterizing hostile activity.
But this is a very valid point, and if you make a mistake in
characterizing your "hostile" attacks in order to query SNMP, you'll be
banging on doors where somebody unfriendly might answer.
Be careful.
Steve
---
Stephen J Friedl | Software Consultant | Tustin, CA | +1 714 544-6561
www.unixwiz.net | I speak for me only | KA8CMY | steve@unixwiz.net
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Next message: Charles.Fasching@milestonesystems.com: "RE: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second"
- Previous message: alfaentomega: "RE: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second"
- Maybe in reply to: Stephen Friedl: "RPAT - Realtime Proxy Abuse Triangulation"
- Next in thread: Jay D. Dyson: "Re: RPAT - Realtime Proxy Abuse Triangulation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
