[geeks] 3com.com IDS idiot: the DNS straw that broke the camel's back

Greg A. Woods woods at weird.com
Mon Feb 25 13:49:17 CST 2002 

OK, so there are a lot of idiots running intrusion detection systems on
their firewalls now, and many of them don't seem to have a clue about
real threat analysis and risk assesment, so they get all jumpy when
their IDS spots any apparent problem, but they don't know how to
interpret it so they fear for the worst and bury their head in the sand.
Unfortunately some of them work at big companies and some of them even
seem to hold the keys to their company's connectivity.

One of my customers, a small cable modem ISP with about 5000 users, has
recently been firewalled by just such an idiot in IT Security at 3com.com.

A week or so ago we (I get cc's of <abuse> e-mail) got a complaint from
them (looks like an automated report direct from their IDS) saying our
squid servers were "scanning" their network.  They were complaining
about a total of 140 connection attempts over the span of a day (we have
25 /24 nets, with about 3000 of those users on cable modems).  Some
were, as you might imagine, to IP#s on their network where there are no
web servers, and in total it looked a bit like a partial san of some of
their network (and it may very well have been -- we don't care if our
users scan other people's networks).

The next day they turned on more monitoring of packets with a source
address of our squid servers and then complained about all SYN packets
to port-80 anywhere in their entire 161.17/16 for the next 24-hour period.

I replied to the pair of complaints and explained to them that their IDS
was mistaken about the "malicious" intent of our squid servers.  I told
them that even if there were instances of CodeRed or Nimbda or such on
our customer machines there was nothing I could do about it (and I can't
do anything more than tell the user and hope he wants to fix it).  I
also told them that if they were so afraid of people making HTTP
connections to non-existant machines on their network then they'd better
quit their job and go get a real life somewhere more relaxing, like at a
Zen monastery or such.

They responded and got all belligerent, defending their reports and
claiming we were attacking them and that if it didn't stop they'd be
"forced" to firewall our network.  I replied again and basically told
them they were idiots to be so paranoid and that if they should wish to
complain again then they'd damn well better send evidence of actual
attack attempts, fully documented with packet contents.

On the weekend their IDS again reported complaints of about 350 probes
made by our caching nameserver against against the "domain" port of two
of their authoritative nameservers.  Can you believe that!?!?!?  They've
apparently firewalled us now because our nameserver was "attacking"
theirs with DNS queries!  As many as 30 queries per HOUR!  WOW!!!

I'm guessing they turn their IDS monitoring up high for the weekend, and
in particular for our subnet and are now jumping higher and faster every
time they see any kind of packet at all from us!  I wouldn't even be
surprised if this is the effort of one part-time weekend-warrior working
for them and trying to show off in hopes of getting a full-time job or
something.

So now they've firewalled the network containing our caching nameservers
and squid servers, and as you might guess our customers are complaining
that they can't get to www.3com.com.  I've threatened to give out their
IT Security desk phone number to our customers -- too bad it's not 1-800. 

Grrr.  I wish we hosted a site their users needed daily access to so
that I could retaliate in kind (well actually I wouldn't have to --
they'd be cutting their own nose off in that case since the virtual
domains are all on the same firewalled subnet!).

If any of you on this list work at 3com I feel very sorry for you --
your IT department has at least a few complete idiots working in it, and
they seem to have far far too much power and control for the good of
your company.

Thanks for letting me vent!  ;-)

If they don't un-firewall my client I'm going to have to NAT the DNS
queries over onto some other network that doesn't have the same name on
it, and bypass all their networks on the squid servers.  I'll probably
have to NAT the dial-up users around too....  Grrr....

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods at acm.org>;  <g.a.woods at ieee.org>;  <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>

More information about the geeks mailing list