Date: Mon, 19 Oct 98 11:47:08 EDT
From: "CERT(R) Coordination Center" <cert@cert.org>
To: Robert Watson <robert+freebsd@cyrus.watson.org>
Cc: Darren Reed <avalon@coombs.anu.edu.au>, grimace <grimace@ns.nternet.net>, security@FreeBSD.ORG, "CERT(R) Coordination Center" <cert@cert.org>, Brett Glass <brett@lariat.org>
Subject: INFO#98.35960 Re: Spoofed connections on port 13223??
Message-ID: <199810191604.MAA18105@unix1.cert.org>
In-Reply-To: <Pine.BSF.3.96.981013172613.20108A-100000@fledge.watson.org> from Robert Watson on Tue, 13 Oct 1998 17:31:16 -0400 (EDT)
References: <Pine.BSF.3.96.981013172613.20108A-100000@fledge.watson.org>

Hello Robert,

>On Tue, 13 Oct 1998, Brett Glass wrote:
>> CERT? Don't bother. They'll respond several months after it's too late
>> and say, "Oh, dear."

Because of the high volume of incidents we receive (now averaging about
100 per week) and the number of people we have dedicated to incident
response, it is not possible for us to provide personal guidance to
every site reporting incidents to us as we did in the early years of
CERT.

The benefit in reporting incidents to us is for us to understand the
current activity. This has direct impact on the issuing of advisories
and other documents. We are working to produce more documents because
our release of a document benefits a significantly larger number of
people and sites than spending the equivalent amount of time helping a
single site.

We do assist sites directly when large incidents occur especially if
they threaten the Internet infrastructure, if new types of attacks are
involved, if people's lives are at risk, etc.

We also encourage and assist in the formation of new incident response
teams. Being a constituent of a response team with a focused
constituency allows you to have a response team that can meet your
specific needs.

>This does not seem to meet with the experiences I have had with CERT.
>Last year someone attempted to attack one of my machines by corrupting DNS
>cache entries on a caching name server at another location -- when I
>reported this to CERT, they called me that evening and offered to manage
>communications between me and the other site being spoofed, etc. While
>they did not offer much in the way of technical advice, this was not a
>problem as I am fairly experienced in this area. My only real problem
>with the CERT process is their incredibly long form that must be submitted
>by email. It is inappropriate for use (or was last time I looked) in
>situations where more than one machine might be involved, or in situations
>where there is an ongoing attack but no successful breakin. A more
>flexible (and simple) form would go a long way. I am certain that there
>are far fewer reports to CERT because of the complexity of the reporting
>process.

We are in the process of developing several new reporting mechanisms,
including a shorter incident reporting form. However, it is not
necessary to use the reporting form to report an incident to us.
Sending an email message to us with the relevant information.

Regards,
jeff

---
Jeffrey J. Carpenter
Technical Coordinator
_____________________________________________________________________________
CERT* Coordination Center      | Internet E-mail: cert@cert.org
Software Engineering Institute | Telephone: +1 412 268-7090 24-hour hotline
Carnegie Mellon University     |   Answered by CERT, 8:30-17:00 EDT (GMT-4)
Pittsburgh, PA 15213-3890      |   On call for emergencies, 24 hours/day.
-----------------------------------------------------------------------------
*Registered U.S. Patent and Trademark Office.

The Software Engineering Institute is sponsored by the U.S. Department
of Defense.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message