[Micronet] Central reporting for origin IPs of network attacks?

[Micronet] Central reporting for origin IPs of network attacks?

Bill Clark
I just received an alert from my host firewall regarding a portscan attack
originating from 222.79.245.86 (an IP in China) which was successfully
blocked.  Attacks of this sort are pretty much a daily occurrence, and
while they are (so far as I know) never successful thanks to my host
firewall, it still bothers me that I know the IP address of either a
compromised server or outright attack platform, and can do nothing about
it.

On rare occasions I'll go to the trouble of notifying the responsible ISP,
but it's simply too much effort to do this on a case-by-case basis, since
they all have different methods of reporting, and often expect too much
follow-up on my part.  I want a place where I can report the IP address
and forget about it, and let somebody else aggregate the reports and
notify the responsible parties (or at least track the information.)

I've gone so far as to suggest this idea to just about any appropriate
government agency I can think of (you'd think this would be just the thing
for the cyber-homeland security type folks) but never get so much as an
automated form letter in response.

I'm wondering if any of the network security folks on campus would be
interested in tracking this information (behind a CalNet-authenticated
reporting system) and possibly making it available to any network
administrators who might like to use the information to keep their own
firewall rules updated, or actually go to the trouble of notifying ISPs
about potentially compromised servers.  Or (as is too often the case) if
there ALREADY IS such a reporting system, and I just don't know about it.

-Bill Clark
Systems Unit
Graduate Division


 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.
Re: [Micronet] Central reporting for origin IPs of network attacks?

Michael Sinatra-2
On 08/05/10 09:54, Bill Clark wrote:
> Or (as is too often the case) if
> there ALREADY IS such a reporting system, and I just don't know about it.

Bingo!

https://kb.berkeley.edu/jivekb/entry.jspa?externalID=2385

Re: [Micronet] Central reporting for origin IPs of network attacks?

Rune Stromsness
In reply to this post by Bill Clark
On 05-Aug-10 09:54, Bill Clark wrote:
[...]
> I'm wondering if any of the network security folks on campus would be
> interested in tracking this information (behind a CalNet-authenticated
> reporting system) and possibly making it available to any network
> administrators who might like to use the information to keep their own
> firewall rules updated, or actually go to the trouble of notifying ISPs
> about potentially compromised servers.  Or (as is too often the case) if
> there ALREADY IS such a reporting system, and I just don't know about it.
[...]

Something to track them on our campus and help people block them is
already available.  It is described on the campus IT security homepage at:
https://security.berkeley.edu/

(Look for "Aggressive IP Distribution" in the middle of the page, or
follow the deeper link to
https://kb.berkeley.edu/jivekb/entry.jspa?externalID=2385
)

Rune


Re: [Micronet] Central reporting for origin IPs of network attacks?

Bill Clark
In reply to this post by Michael Sinatra-2
That's close, but not quite what I'm asking for -- I want a place where I
can report aggressive IPs, since I may have knowledge of an attack that
wouldn't otherwise be noticed.  Clearly there'd need to be some
verification of the data so that the AID list wasn't populated with bogus
entries, but if dozens of people on campus all reported attacks from the
same IP, that would be a good indication that the attack was genuine.

...or is our campus IDS so good that it will always notice any incoming
portscan, regardless of what target machines are being scanned?

-Bill Clark

> On 08/05/10 09:54, Bill Clark wrote:
>> Or (as is too often the case) if
>> there ALREADY IS such a reporting system, and I just don't know about
>> it.
>
> Bingo!
>
> https://kb.berkeley.edu/jivekb/entry.jspa?externalID=2385
>
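
The corroboration scheme sketched in the post above (a source is only trusted once several independent reporters name it, and obviously bogus submissions are rejected before they reach the list) can be prototyped in a few dozen lines. The following is an added example, not part of the thread and not the campus AID system: the report line format, reporter host names, the three-reporter threshold, the 24-hour window and the iptables output format are all assumptions, and every address in the sample data except the one quoted in the original post is constructed.

```python
"""Aggregate per-host attack reports into a corroborated block list.

Added example for the reporting idea discussed in the thread; it is not the
campus AID service. Line format, thresholds and output format are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample reports: "<ISO timestamp> <reporter> <source-ip> <event>".
# Only 222.79.245.86 comes from the thread; the rest are made up.
SAMPLE_REPORTS = """\
2010-08-05T09:54:00 gradiv-host1 222.79.245.86 portscan
2010-08-05T09:58:10 eecs-fw3     222.79.245.86 portscan
2010-08-05T10:02:45 lib-web2     222.79.245.86 ssh-bruteforce
2010-08-05T10:05:00 gradiv-host1 222.79.245.86 portscan
2010-08-05T10:07:30 chem-srv9    203.0.113.42  portscan
2010-08-05T10:09:00 chem-srv9    10.0.0.7      portscan
2010-08-03T08:00:00 eecs-fw3     198.51.100.17 portscan
2010-08-05T10:11:00 physics-ws4  not-an-ip     portscan
"""

# Source addresses that cannot be an off-campus attacker; a report naming one
# is almost certainly a misconfigured reporter, so it is discarded.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]


def parse_report(line):
    """Parse one report line; return a dict, or None if it must be discarded."""
    fields = line.split()
    if len(fields) != 4:
        return None
    ts, reporter, src, event = fields
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        addr = ipaddress.ip_address(src)
    except ValueError:          # bad timestamp or not an IP address at all
        return None
    if addr.version != 4 or any(addr in net for net in NON_ROUTABLE):
        return None
    return {"when": when, "reporter": reporter, "src": str(addr), "event": event}


def load_reports(text):
    """Parse a block of report lines, silently dropping the invalid ones."""
    return [r for r in (parse_report(l) for l in text.splitlines()) if r]


def corroborated_sources(reports, min_reporters=3,
                         window=timedelta(hours=24), now=None):
    """Return {source_ip: sorted reporter names} for every source named by at
    least `min_reporters` distinct reporters inside the trailing `window`.
    Repeated reports from one host count once, so a single noisy reporter
    cannot push an address onto the list by itself."""
    if not reports:
        return {}
    if now is None:
        now = max(r["when"] for r in reports)
    cutoff = now - window
    reporters = defaultdict(set)
    for r in reports:
        if r["when"] >= cutoff:
            reporters[r["src"]].add(r["reporter"])
    return {ip: sorted(names) for ip, names in reporters.items()
            if len(names) >= min_reporters}


def drop_rules(corroborated):
    """Render one iptables DROP rule per corroborated source (assumed format)."""
    return [f"iptables -I INPUT -s {ip} -j DROP"
            f"  # corroborated by {len(corroborated[ip])} reporters"
            for ip in sorted(corroborated)]


if __name__ == "__main__":
    hits = corroborated_sources(load_reports(SAMPLE_REPORTS))
    for rule in drop_rules(hits):
        print(rule)
```

On the sample data only 222.79.245.86 clears the bar: three different hosts reported it within the window, while 203.0.113.42 was seen by one host, 10.0.0.7 is rejected as non-routable, the malformed line is dropped, and the two-day-old report ages out. Lowering `min_reporters` or widening `window` trades false negatives for false positives, which is exactly the verification question the post raises.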



Re: [Micronet] Central reporting for origin IPs of network attacks?

Michael Sinatra-2
On 08/05/10 10:21, Bill Clark wrote:
> That's close, but not quite what I'm asking for

Actually, it is.  You should talk to SNS.

> ...or is our campus IDS so good that it will always notice any incoming
> portscan, regardless of what target machines are being scanned?

Yes.  An IDS doesn't need to be particularly good to do that.  It just
needs to be in the right place.

michael


