Re: RPAT - Realtime Proxy Abuse Triangulation

From: Stephen Friedl <steve(at)unixwiz.net>
Date: Tue Dec 24 2002 - 13:33:19 EST

> I would be very nervous about running this, remote SNMP queries of someone

People would be out of their minds to run RPAT without /really/ understanding what they were doing, for exactly this reason. You have to be pretty confident in your approach to pull this off, and a number of organizations who say they could have benefited from it won't run it.

But in practice this has not been an issue for me. Since the hostile attacks of interest were *clearly* distinguishable from regular traffic prior research had shown us that these were always from open proxies.

Open proxies are almost by definition "insecure machines", so they are not likely to be associated with cluefull security staff for monitoring. People with their act together generally don't run open proxies.

Second, the RPAT daemon makes at most three tries to fetch the SNMP data, and if it times out, it never asks that IP again even if more attacks are seen. Three SNMP packets may well be considered "below the radar" in terms of characterizing hostile activity.

But this is a very valid point, and if you make a mistake in characterizing your "hostile" attacks in order to query SNMP, you'll be banging on doors where somebody unfriendly might answer.

Be careful.

Steve

---
Stephen J Friedl | Software Consultant | Tustin, CA | +1 714 544-6561 www.unixwiz.net | I speak for me only | KA8CMY | steve@unixwiz.net

---

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Fri Dec 27 12:16:34 2002