ietf-mxcomp

Re: draft-schlitt-spf-classic-01.txt

2005-06-10 14:13:03

It is interesting what you skipped.

I didn't say you needed to show logs, but your coyness with the logs is,
well, interesting. But you do need to describe what happened, and what
steps you took. And you did describe it. However, the description isn't
sufficient to justify any of the conclusions you assert.  None of your 4
assertions hold water.

Whether you _talked_ to a few or not makes no difference. A few might have
been compromised. They all _might_ have been compromised. So what. That a
few are compromised doesn't mean _all_ were compromised.  Each has to be
handled separately.  It is quite reasonable for them to call you.  Yet you
assert it was unreasonable, and proof of their incompetence.  And I
_doubt_ very much that you were pleasant or reasonable with any of them:
You think they are spammers complaining about getting ICMP unreachables.

If you thought they were compromised, there would be no point in asking
them for logs. You would simply ask them to check to see if they are
sending you SYNs. But you didn't do that. No, you asked them to see their
logs: "what? I can't possibly be sending you unreachables. Send me your
logs."  Helpful? Hardly. But you wouldn't want to be helpful to a spammer
complaining about getting unreachables, now, would you? No.

And if several _were_ compromised and attacking the same machine (it would
take more than a few to generate the traffic you describe), it suggests
that they were exploited by a botnet.  When multiple sites are exploited,
and all attack the same host, that's a good sign of a botnet operation. So
your assertion that no botnet was involved is just completely, willfully,
obstinately unsupportable.  Botnets change tactics once in a while. That's
one reason you have to treat each case separately. It may send SYNs today, and
forged packets tomorrow.

And there is _still_ no evidence that any of the people that contacted you
had any network misconfiguration.  To the contrary, your assertion that
blocking ICMP Unreachables means network misconfiguration is untrue.

Your railing against them is simply unreasonable and irrational.

But, of course, there is no way that you can be convinced you are wrong.  
Just like Chris Neill and many other ultra-radical extremists: You never
admit wrongness, no matter how overwhelming the evidence. Even when Chris
Neill was FIRED for his abuse and investigated by the FBI as a result,
Neill __still__ didn't think he was wrong.  Evidence of wrongness doesn't
get much more overwhelming than that.

So, there is little point in further discussion: You aren't willing to
rationally address any issues. That's fine: Think what you want. But I
have to jump in once in a while to debunk such claims.

                --Dean


On Thu, 9 Jun 2005, Alan DeKok wrote:


Dean Anderson <dean(_at_)av8(_dot_)com> wrote:
4) It is possible that their system is compromised.

  When I talked with these people, the SYN's & ICMP's all stopped
after they claimed to have fixed their systems.

  This would lead any reasonable person to conclude that their system
was compromised (as I said), that the source and destination of SYN's
& ICMP's was exactly what they appeared to be (as I said), and that no
botnet was involved (as I said).

[now we have some options, depending on what Alan finds]

  In those options, you leave out the one option I've been telling you
repeatedly is what happened: their machine really was compromised, and
all of the traffic was exactly as it appeared, with no botnets or
forgeries.

To demonstrate his own due diligence, he would need to report what
he found.

  I have no responsibility to show my logs to you, or to anyone else
on the planet.

Whether or not you actually have that data is irrelevant. You
didn't use it to make your case to them,

  I didn't need to.  They could independently verify for themselves
that their machine was compromised, was sending spam, and that their
machine was sending loads of TCP SYN's to my machine.  They aren't
spammers because they aren't *intending* to send spam, it's a
side-effect of their network misconfiguration.

  I'm surprised that the one realistic interpretation of the events is
the only one you cannot admit might have happened.

  I won't respond to the rest of your comments about competence and
credibility.  The evidence speaks for itself.

  Alan DeKok.




-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   



