Re: RPAT - Realtime Proxy Abuse Triangulation

From: Jay D. Dyson (jdyson@treachery.net)
Date: 12/27/02


Date: Fri, 27 Dec 2002 10:21:18 -0800 (PST)
From: "Jay D. Dyson" <jdyson@treachery.net>
To: Incidents List <incidents@securityfocus.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 24 Dec 2002, Mathias Wegner wrote:

> > I would be very nervous about running this, remote SNMP queries of
> > someone else's system (say a .gov or .mil proxy) may be considered
> > illegal activity in some jurisdictions.
>
> Depending on the SNMP daemon, it would/should be as illegal as opening
> an ssh investigating the system from the command line. Most SNMP offers
> at least some amount of configuration via the read/write community. I
> know that when I see SNMP queries on network hardware that I manage, I
> consider it hostile activity.

        Color me jaded, but if someone has an open proxy and spam is
spewed my way via that avenue, it's a pretty fair bet that the system I'm
scanning is run by an admin who -- whether through ignorance or sloth --
doesn't know or do jack about securing or monitoring his system.
Moreover, open is open; whether a relay, proxy or anonymous FTP server.
It is impossible to be charged with breaking and entering when there's no
breaking involved.

        With that in mind, I would not waste any time or energy worrying
about whether or not my scan would be picked up. Let's face it, a spammer
just spewed through the idiot's proxy. Yet we're supposed to believe that
this otherwise lazy dope now possesses the Eagle Eye of All Intrusion
Detection Systems? Maybe I'm just cynical, but I really doubt it.

        All that said, I should point out that I am not a lawyer. I
prefer to make an honest living.

- -Jay

   ( ( _______
   )) )) .-"There's always time for a good cup of coffee."-. >====<--.
 C|~~|C|~~| (>------ Jay D. Dyson - jdyson@treachery.net ------<) | = |-'
  `--' `--' `How about a 10-day waiting period on YOUR rights?' `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE+DJooTqL/+mXtpucRAjy+AKCZ9eiSmvKyuSzZuNX9hbXTF9IDRACg4/gN
2Gs+0tVYEQqykUc+/AUgFBg=
=/ofa
-----END PGP SIGNATURE-----
