Re: [suse-security] T-Online abuse address ignoring complaints
From: Gideon Hallett (diogenesfreeuk.com)
Date: Mon Jun 07 2004 - 02:50:54 CDT
-----BEGIN PGP SIGNED MESSAGE-----
On Saturday 05 June 2004 12:58, Tobias Weisserth wrote:
(You will, I hope, excuse me for following up to both messages here;
but this *is* getting a bit off-topic, and stopping additional
subthreads is probably advisable.)
> On Sat, 2004-06-05 at 12:57, Ralph Seichter wrote:
> > Gideon Hallett wrote:
> > > I've come to the conclusion that t-online (and especially
> > > t-dialin) users are a wretched hive of scum and villainy; and
> > > that the company itself simply doesn't care.
> > Nonsense. The T-Com dialin infrastructure is the base of a huge
> > number of non-permanent internet connections, both for
> > private and for business use (modems, DSL, etc.). T-Online and
> > other German ISPs buy connectivity from T-Com. Among these users
> > are, if you permit the pun, the good, the bad and the ugly --
> > just like everywhere else in the world.
> That's certainly true. But also true is that T-Online does not
> react to reports about the bad behaviour of some of their
This is the crux. Every network has compromised boxes and malicious
users from time to time. But as the owner of an infrastructure, you
have the duty to ensure that your users comply with the AUP; and you
have the duty to respond to external complaints. If you're not
prepared to do that, then you shouldn't be in the position of
(And any company that is too big to discipline its users is a)
monolithic and b) a danger to the wider 'net.)
> > > If I could convince my bosses that blocking t-online ranges at
> > > the border was a good idea, I'd have a much easier job as a
> > > sysadmin.
> That can't be the solution. Whoever needs to take such measures has
> already failed at setting up and securing a proper network.
Speaking here as the sysadmin for a hosting company, I have to say
that everything *I* have direct control over has a 100% security
record. However, as a company, customers give us money to host their
servers; and customers come in a range of aptitudes.
A depressingly large number of people have no concept of patching;
some don't realise that Win2k's FTP server allows anonymous access by
default; others complain that their hard drive appears to be
shrinking (usually due to all the warez on it!). It's possible to
scan our netblocks every night; but a 24-hour gap is long enough for
a box to be rooted in ugly ways. It's also possible to use an IDS to
look for evil traffic (and IME it's one of the best ways of detecting
cracked boxes); but it's still reactive; and clued crackers *don't*
start attacks with massive portscans.
There is no simple, proactive, way of preventing unauthorised
intrusion (short of disconnecting the box entirely!); and I work for
a company - we can hardly start refusing customers on the grounds of
technical ineptitude (or we'd be cutting 90% of our potential
customer base out). As such, network security in a hosting company
has to be mainly reactive; every TCP or UDP socket I want to block at
the border has to be justified; the security risk of leaving it open
against the commercial risk of closing it.
> > If you could convince your bosses to do so, I'd very much doubt
> > their intelligence. Why not block China or the USA as well?
It's considerably harder to block a country, due to the distribution
of addresses among the RIRs.
for example - I count 1488 separate CIDR blocks there; some of which
you could aggregate, but it's still a big job.
Providers, on the other hand, tend to have nice simple CIDR blocks
(since it makes their routing tables nice and small).
> > Why
> > not live on an IT island? Millions of people suffer from viruses
> > spoofing sender addresses, and in every country there are
> > infected computers. There is no "realm of evil" that can be
> > isolated.
> So sometimes it would make the job so much easier by just blocking
> packets from certain operating system types :-o
Yes. And it's tempting, sometimes. However, that sort of behaviour is
the Redmond Way *g*
> > > I for one would particularly like to find whoever was
> > > 220.127.116.11 (pD9EAA70E.dip.t-dialin.net) at 23:53 on
> > > 14/5/04 and point out to them that what they were doing was
> > > illegal and punishable by time in prison.
> > Oh boy... I advise you have a beer and get some sleep.
Let's see; the time I spent chasing the customer, advising them that
their box had been cracked, backing up what data we could, wiping the
box, reinstalling Windows, putting it back in the datacentre - I
count some 3 hours spent doing something that was not in itself any
form of productive work; and stopped me doing productive work
(upgrading to Postfix 2.1 on our mail servers and tuning SMTP
That's not including the 30 or so abuse reports I had to deal with.
It's inefficient, it's annoying and it costs us money; and since I
already work about 50 hours per week, I value my free time quite
> Maybe in your country. You have to find out whether the person
> actually broke German law.
I'd be very, *very* surprised if breaking in, rooting a box, installing
FTP servers, scanning other (German!) networks for weak POP passwords
and SQL scanning weren't punishable by some time in prison.
> But I have to agree that it's pointless
> to contact T-Online. They never reacted to my complaints either.
Of course, one of the funny things about the incident above was that 2
of the abuse reports came *from* T-Online users - I pointed them
straight back to their own provider and said 'Good luck' (- as well
as telling them that our customer's box had been disconnected from
I had better abuse response from the tiny Indonesian provider I chased
about their user than *any* of the T-online reports.
(Admittedly, the Indonesian police and prisons are probably a bit
scarier to script kiddies.)
> I find T-Online addresses to be the common mixture like most other
> providers too. What's really disturbing are those senseless
> university networks where almost every IP from a given range seems
> to be affected by some worm or other and is hammering away against
> my firewall... That's where operating system related packet
> dropping would come in handy...
Agreed. I've been tempted to investigate Snort's flexresp rules on a
number of occasions; but anything I do that blocks legit traffic
loses the company money; and is thus Not On.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
-----END PGP SIGNATURE-----
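The post above argues that a provider is easy to block at the border because it holds a few contiguous CIDR blocks, whereas a country's address space is spread over hundreds of prefixes, "some of which you could aggregate". The following is an added example, not code from the mailing-list post or its author, showing how a border-filter operator would collapse such a prefix list before loading it as a deny list, and how much the rule count shrinks. The sample prefixes are constructed from RFC 5737 documentation ranges and the RFC 6598 shared address block; they are not real RIR allocations.

```python
"""Aggregate scattered CIDR blocks into the smallest equivalent prefix list,
as a border-filter operator would before loading a deny list.

Added example, not code from the suse-security post.  All prefixes below
are constructed for illustration, not real provider or country allocations.
"""
import ipaddress

# Constructed "country-style" list: many small, partly adjacent, partly
# overlapping blocks, the kind of list that is painful to load as-is.
SCATTERED_BLOCKS = [
    "192.0.2.0/25", "192.0.2.128/25",        # two halves of one /24
    "198.51.100.0/24", "198.51.100.0/26",    # a block plus a sub-block of it
    "203.0.113.0/26", "203.0.113.64/26",     # adjacent /26s -> one /25
    "203.0.113.192/26",                      # not adjacent to that /25
]

# Constructed "provider-style" allocation: one contiguous block.
PROVIDER_BLOCKS = ["100.64.0.0/10"]


def aggregate(cidrs):
    """Return the minimal list of networks covering exactly the same addresses.

    ipaddress.collapse_addresses merges adjacent sibling networks into their
    supernet and drops any network already contained in a larger one.
    strict=True rejects prefixes with host bits set, which usually means a
    typo in a hand-maintained block list.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def filter_cost(cidrs):
    """Number of distinct border rules needed after aggregation."""
    return len(aggregate(cidrs))


def is_blocked(ip, cidrs):
    """True if ip falls inside any prefix of the aggregated deny list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in aggregate(cidrs))


if __name__ == "__main__":
    print("scattered:", len(SCATTERED_BLOCKS), "->", filter_cost(SCATTERED_BLOCKS))
    print("  ", aggregate(SCATTERED_BLOCKS))
    print("provider :", len(PROVIDER_BLOCKS), "->", filter_cost(PROVIDER_BLOCKS))
    print("203.0.113.70 blocked?", is_blocked("203.0.113.70", SCATTERED_BLOCKS))
```

Aggregation only reduces rule count; it never changes which addresses are covered, so the same check can be run against the original list to confirm a deny list was not widened or narrowed by a hand edit.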