Domain: mynetwatchman.com
Stories and comments across the archive that link to mynetwatchman.com.
Comments · 17
-
Re:The Storm Center is excellent
I have a set of tabs that I load every morning precisely for this; some of them are:
- ISS GTOC
- myNetWatchman (another perspective on port activity)
- NIPC Critical Infrastructure (updates are spotty but sometimes interesting)
- US-CERT Current Activity (often a tad behind)
ISC is definitely the main one to get but these are useful. I didn't list virus sites but those may be useful as well depending on your environment.
-
dshield
It's also a good idea to look your IP up on dshield. They aggregate firewall logs from many sources. If your IP is causing someone trouble, it is likely to show up there. Another similar service is mynetwatchman.
-jim
-
Use MyNetWatchman
Q: What is myNetWatchman?
A: myNetWatchman collects, analyzes and reports malicious access attempts to ISPs, who can then take action against the offending machines.
Q: How does it work?
A: A small client-side application runs in the background on your system, reading your firewall logs and creating near-real-time reports that are relayed to the myNetWatchman servers for analysis.
Q: How does myNetWatchman know the difference between a threat and a false alarm, and how does it respond?
A: When the analysis routine determines that a legitimate threat exists (based on reports from several agents), an automatic "Escalation Report" is sent to the abuse department of the offender's ISP. Any responses received from the ISP are also tracked. -
Killing other port traffic too
It seems that whatever Comcast are doing is working.
(On Windows,) I run WallWatcher to monitor my Linksys router log, with MyNetWatchman reporting the intrusions (all incoming traffic is firewalled here). Over the last few months, the Linksys has rejected over 1,000 incoming attempts each day, mostly the typical popular target ports 135/137/139/445/1026/1680/5000 (etc. etc.), and mostly from dynamic cable IPs. Now, in just the last day or two, I am seeing maybe 1/3 to 1/2 less incoming zombie-like traffic on these ports.
Hopefully other large residential broadband providers will become as belatedly proactive.
-
Re:So, I suppose the next question is...
Although not quite what you wanted dshield has a page where you can see if your machine has been reported as scanning others.
They also have a banner you can add to your site that shows a warning if the viewer's IP is in the list. But I fear that people will ignore that and mistake it for the "Warning, your machine is broadcasting an IP..." ad that used to run.
also check out mynetwatchman -
Re:Earthlink Abuse Department Rejoices
I always send my beer money to the real heroes of this fight, the ones who do it from the goodness of their hearts.
A few of my favorite examples are:
- MyNetWatchman, firewall incident reporting service. Helps to defray spam by finding and reporting compromised hosts internet-wide.
- SpamCon Legal Fund, to help them further the cause.
- TMDA, the GPL spam filter that actually delivers on the zero spam, zero false positive promise.
- SpamHaus, who does a great job keeping lists of both servers and spammers, and is very dedicated
- Your Local Food Bank. courtesy of abuse.net who says: "If you feel that abuse.net has been useful to you, please make a contribution to your local food bank, which needs money a lot more than we ever will. Thanks."
- Distributed Intrusion Detection System, another firewall aggregator, maybe the biggest, free to all
-
Check out
-
UDP 137
Innocent Windows looking for a friend, or...
There were some others I found before, but I'm not finding them now, probably need to refine my search, but I don't have the time atm.
Here's some more reading material...
I spent some time reading up on how buffer overflows were used for exploits on this port, UDP packets, and so on. I'm not convinced this is innocent activity, particularly since I do have a firewall configured and don't see any outgoing traffic.
Learning about attacks is an ongoing thing for me and until I have all the facts, or enough of them, I'm leaving it to my firewall to keep intruders out. I have seen bursts, usually on weekends when I assume more infected computers have been turned on and the worms are active. At various times I've had as many as 100 hits within 2-3 minutes.
Since I have no current reason for anyone on the internet to access my system, I believe a complete lockdown is a good position to start with. If I put it on a high-speed connection, with fixed IP and fire up services, then I'll allow ports as necessary.
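The weekend bursts the commenter describes (on the order of 100 hits inside 2-3 minutes on UDP 137) are the kind of pattern a sliding-window count over the firewall log picks out, as opposed to the steady background trickle. The following is an added example, not code from the page or from any product it mentions: the hit timestamps are constructed, the threshold and window are assumptions matching the commenter's numbers, and the two-pointer sweep reports each maximal burst with its peak in-window count.

```python
from datetime import datetime, timedelta


def find_bursts(timestamps, threshold=100, window=timedelta(minutes=3)):
    """Return (start, end, peak) for each maximal run of events in which some
    window-long span holds at least `threshold` events.

    Two-pointer sweep: `left` trails `right` so that ts[left..right] always
    fits inside `window`; the count of that span is the in-window hit rate.
    Consecutive over-threshold positions are merged into one burst."""
    ts = sorted(timestamps)
    bursts = []
    left = 0
    current = None  # [start_index, end_index, peak_count] of the burst being built
    for right, t in enumerate(ts):
        while t - ts[left] > window:
            left += 1
        n = right - left + 1
        if n >= threshold:
            if current is None:
                current = [left, right, n]
            else:
                current[1] = right
                current[2] = max(current[2], n)
        elif current is not None:
            bursts.append((ts[current[0]], ts[current[1]], current[2]))
            current = None
    if current is not None:
        bursts.append((ts[current[0]], ts[current[1]], current[2]))
    return bursts


def sample_hits():
    """Constructed timestamps (assumption, not real log data): 120 UDP/137
    hits one second apart on a Saturday evening, then four strays over the
    next hour that should not count as a burst."""
    t0 = datetime(2003, 8, 16, 22, 0, 0)
    burst = [t0 + timedelta(seconds=i) for i in range(120)]
    strays = [t0 + timedelta(minutes=m) for m in (20, 31, 47, 58)]
    return burst + strays


def demo():
    """One burst of 120 hits, spanning 119 seconds; the strays are ignored."""
    return find_bursts(sample_hits(), threshold=100, window=timedelta(minutes=3))


if __name__ == "__main__":
    for start, end, peak in demo():
        print(f"burst {start:%H:%M:%S}-{end:%H:%M:%S}, peak {peak} hits in window")
```

The threshold is deliberately a count within a window rather than a rate per hour, because a worm sweep from one freshly booted machine is short and dense while the background noise is spread out; a per-hour average would smear the two together.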
-
Re:Dalnet DDOS Attacks
OH its possible. But you will see more laziness on it than you could even imagine. Most even have enough wiggle room in their contracts to enforce it. A decent router can log crap. It can look at the IP header. In fact it MUST look at it to route it.
It is beyond me why the ISP's would even want one crap packet come out of their network. Its costing them money. Their upstream connection costs money...
For some interesting numbers go take a look at MyNetWatchman These dudes even TELL the ISP's that there is something wrong. But most just get ignored.
Truth is most people could care less that their computer is doing something wrong. They just want a bit of email and to surf a bit. Hell most just want it to stay up long enough, and be a bit faster. Considering the 300 programs they are running out of the box.
The only way I have ever been able to explain to a person what its about is the apartment analogy. A thief goes into an apartment building and rattles every doorknob. He finds one that opens. He then uses that apartment as a base to sneak around to rattle other doorknobs. Most people get very upset when I tell them someone is basically trying to break into their house. The next words out of their mouths are usually 'who can I report this to?' All I can tell them is no one. -
Re:"Stealth Spam"
>Is this really possible? If so how?
Why, Windows Messaging, of course.
But let's get to the heart of the matter. As much as you can hate this guy for what he's doing, the reason he's making money (and the same reason telemarketers stay in business) is because there are idiots out there responding to spam with their wallets. If everyone would adhere to the minimum essential commitment to never buy anything as a result of unsolicited commercial advertisements, commercial spam would not exist. -
Re:I have a simpler solution
One way to help "keep machines from swinging their fists" is to quickly notify their ISP when they do start attacking. http://www.mynetwatchman.com/vision.htm explains a system of currently 1478 people who submit their firewall logs using an automated agent to a server which aggregates the data, backtraces the activity to its source, filters false alarms, and automatically sends escalation e-mails to the responsible party, often the network abuse contact for the ISP which owns the netblock of the IP address.
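The agent-and-collector pipeline that the "Use MyNetWatchman" FAQ above and this comment both describe (agents summarise firewall denies, a central server correlates them across agents, and an escalation goes to the abuse contact for the source's netblock only once several independent agents agree) is shown below as an added example. It is not myNetWatchman's own code: the deny-log format, the agent names, the netblocks and the abuse mailboxes are all constructed for the example, and the contact table stands in for the WHOIS lookup a real service would do. The "several agents inside a time window" rule is the false-alarm filter the text refers to; one agent seeing one probe never escalates on its own, and a source gets at most one open incident.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed deny-log format (assumption; real router and firewall logs differ):
#   "YYYY-MM-DD HH:MM:SS DENY <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DENY (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_deny_lines(text):
    """Agent side: yield (timestamp, proto, src_ip, dst_port) per deny line.
    Lines that do not match are skipped, never guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
               m["proto"], m["src"], int(m["dport"]))


def build_report(agent_id, text):
    """Agent side: collapse raw lines into one record per (src, proto, dport)
    with a count and first/last seen, so the upload is a summary, not the log."""
    summary = {}
    for ts, proto, src, dport in parse_deny_lines(text):
        e = summary.setdefault((src, proto, dport), {"count": 0, "first": ts, "last": ts})
        e["count"] += 1
        e["first"] = min(e["first"], ts)
        e["last"] = max(e["last"], ts)
    return [{"agent": agent_id, "src": src, "proto": proto, "dport": dport, **e}
            for (src, proto, dport), e in summary.items()]


class Collector:
    """Server side: correlate reports from many agents and decide what to escalate."""
    MIN_AGENTS = 3              # distinct reporters needed before a source is believed
    WINDOW = timedelta(hours=24)  # reports older than this no longer count

    def __init__(self, abuse_contacts):
        # netblock -> abuse mailbox; a stand-in for WHOIS (assumption)
        self.contacts = [(ipaddress.ip_network(n), mbox) for n, mbox in abuse_contacts.items()]
        self.sightings = defaultdict(dict)  # src -> {agent_id: last seen}
        self.open_incidents = {}            # src -> incident record

    def ingest(self, report):
        for r in report:
            seen = self.sightings[r["src"]]
            seen[r["agent"]] = max(seen.get(r["agent"], r["last"]), r["last"])

    def abuse_contact(self, src):
        """Longest-prefix match of the source against the contact table."""
        ip = ipaddress.ip_address(src)
        matches = [(net.prefixlen, mbox) for net, mbox in self.contacts if ip in net]
        return max(matches)[1] if matches else None

    def escalate(self, now):
        """Open an incident for every source reported by >= MIN_AGENTS distinct
        agents within WINDOW that has no incident open yet and a known contact."""
        out = []
        for src, agents in self.sightings.items():
            recent = sorted(a for a, t in agents.items() if now - t <= self.WINDOW)
            if len(recent) < self.MIN_AGENTS or src in self.open_incidents:
                continue
            contact = self.abuse_contact(src)
            if contact is None:
                continue  # no responsible party known: hold rather than mail a guess
            self.open_incidents[src] = {"to": contact, "reporters": recent, "opened": now}
            out.append((src, contact, len(recent)))
        return out


# Constructed sample logs from three agents (TEST-NET addresses; not real data).
AGENT_LOGS = {
    "agent-a": "2004-03-01 02:10:05 DENY TCP 198.51.100.7:3921 -> 192.0.2.10:445\n"
               "2004-03-01 02:10:06 DENY TCP 198.51.100.7:3922 -> 192.0.2.10:139\n"
               "2004-03-01 02:15:44 DENY UDP 203.0.113.9:137 -> 192.0.2.10:137\n",
    "agent-b": "2004-03-01 03:02:11 DENY TCP 198.51.100.7:1044 -> 192.0.2.20:445\n"
               "this line is garbage and must be ignored\n",
    "agent-c": "2004-03-01 05:40:00 DENY TCP 198.51.100.7:2210 -> 192.0.2.30:445\n",
}
CONTACTS = {"198.51.100.0/24": "abuse@example.net", "203.0.113.0/24": "abuse@example.org"}


def demo(now=datetime(2004, 3, 1, 6, 0, 0)):
    """198.51.100.7 is seen by all three agents and escalates once; 203.0.113.9
    is seen by one agent only and stays below the bar."""
    c = Collector(CONTACTS)
    for agent, text in AGENT_LOGS.items():
        c.ingest(build_report(agent, text))
    first = c.escalate(now)
    second = c.escalate(now)  # nothing new: the incident is already open
    return first, second


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. The agent ships counts keyed by source and port, not the raw lines, which limits what leaves the reporting host (the concern raised in the "Are There Risks in Sharing Firewall Logs?" thread below). And escalation keys on the number of distinct reporters, not on the volume from any one of them, so a single misconfigured or hostile agent cannot get an innocent address reported to its ISP.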
-
Large scale correlation
I wonder if the author would credit things like myNetWatchman or Security Focus's Aris as large scale correlation efforts? I know it would probably be tough to get much more specific, as you could generate a huge amount of traffic trying to correlate every weird packet that hit many boxes.
-
Re:Slightly OT but... WRONG
This is not the discussion you are looking for.
Are There Risks in Sharing Firewall Logs? Posted by Cliff on Tuesday November 13, @02:33PM
from the looking-before-leaping dept.
FireballDWF asks: "What are the risks in sharing my personal firewall logs with others? I ask as helping to detect and stop attacks at their source by becoming an agent for MyNetWatchman sounds easy and appealing, but I am concerned about the possible risks." The MyNetWatchman service is designed to take a pro-active approach to network security. A network agent sits on a user's firewall and forwards log entries to a central server that analyzes the data and warns the user if suspicious activity occurs. Sounds like a good plan, but what dangers (if any) will the users of this service be exposing themselves to by providing such access to their machines, even if they are just log files? (11 comments)
-
Not the most clueful company on the planet...
- Visions says, among other things: With TCP and UDP alone there are over 125,000 possible ports that attackers could target.. Uhm, yeah. Port numbers are 16 bit. So there's 65536 possible ports, times 2 if you count TCP and UDP. I'm not so sure why this is relevant to anything though.
- Their link to closed incidents gives a: Microsoft OLE DB Provider for ODBC Drivers (0x80040E31) [Microsoft][ODBC SQL Server Driver Not very comforting.
- Their domain name is really really dumb. :)
- They claim 1200 active agents, and 87K reported incidents the last 24 hours. This is a really high level, and thus means the agent has to report back home every little detail that happens.
-
Re:There is some security in obscurity.
Did you happen to read the above, or did you just post hoping to score some quick karma?
... and forwards log entries to a central server ...
As you can see from the MyNetWatchman page, this information is explicitly shown as being sent across the internet.
Regardless of that, MyNetWatchman makes this information public - with some attempt at obscuring sensitive info.
See the FAQ. -