256
Logo

Gray Watson Personal Thoughts 2001.03.21
Greennet Irresponsible Behavior

<flame>

This is a quick rant against Greennet ISP. On March 12, a user on their network probed my entire network on UDP port 22. Since I only advertise one of my addresses, it was pretty obvious that this was a network probe made by some script kiddie. I had gotten another 5 or 6 that week from various sites all over the net. So I send off one of my standard notes to admin@greennet.net.

Last week (March 12, 2001) at 22:53 EST someone at
termq033.greennet.net (208.192.5.37) probed all of the ssh ports on my
network X.X.X.X/29.  I only publish via forward and reverse 1 of my
IPs so this definitely was a network probe.

I have included excerpts from my packet filtering log.  If you have
any question, please don't hesitate to ask.

From: termq033.greennet.net (208.192.5.37)
Mar 12 2001 22:53:04.993794 EST -> X.X.X.X,22 udp len 20 30
Mar 12 2001 22:53:05.003307 EST -> X.X.X.X,22 udp len 20 30
...

In general, ISPs have policies against such probes which are analogous to walking up to all of the front doors in your neighborhood and trying the door knob to see if it opens. Usually, I get back a response such as this from NTT Communications in Japan:

From: "NTT Communications (OCN)" ...

That site is one of our customers [X.X.X.X].  We've advised the
administrator of the site to deal with this problem as soon as
possible.  Thank you for your patience.

Sincerely yours,
NTT Communications(OCN)

or this from T-Online in Germany:

From: T-online abuse ...

The user will be detected and we'll give him a warning.

With kind regards
XXX
T-Online International AG

Instead, I got this strange response from Greennet:

From: "Nelson Valverde" 

Yes, it would appear that someone using 208.192.5.37 (one of our
dynamically assigned dialup IP addresses) probed. It was probably a
IRC attempt.

What would you like us to do?

-Nelson

What would I like them to do? I want them to at least warn the individual in question and if they have already been warned, revoke their internet account. I was a little surprised that their acceptable use policies wouldn't be common knowledge. Also, I have no idea why he says IRC. There is a udp component to IRC but not on port 22. And this is not some application misbehaving since this IP hit all of my network numbers in under a second. So I sent back this note:

Huh?  You don't have policies against such behavior?  The account
should be terminated or at the very least warned and the next time
terminated.  Do you track which account was logged into the IP at that
time?

I figured that this Nelson dude was probably a first level support engineer who didn't understand how important security is on the Net and how imperative it is that we protect our own turf and police our own users. To my surprise I get this response back from Greennet.

Nope and Nope.  We are not the Internet Cops.
You can talk to them directly if you prefer.

-Nelson

This letter indicates that:

  1. they don't have acceptable uses policies or network probing was acceptable to them
  2. they don't track which account was logged into which IP

Since there are no "Internet Cops", I assume that Nelson is plain just being rude. So I decided to give them a call to talk to Nelson's boss about this and to explain the importance of self policing the Net. ISPs, if they aren't already, will certainly in the future be held responsible for the actions of their users if they have done nothing about prior inappropriate behavior. However, when I pulled up their contact page, it turns out that I probably have been conversing with one Nelson Valverde - President & CEO. So no need to waste a phone call.

Turns out after surfing some more that they do have acceptable use policies labeled "Prohibited Activities". These include storage of illegal material and spam mail and:

Violations of system or network security are prohibited and may result in criminal and civil liability.

I can't tell if this only applies to Greennet systems or if this includes outside systems as well.

</flame>

Free Spam Protection   Android ORM   Simple Java Zip   JMX using HTTP   Great Eggnog Recipe