Tracking stealth portscan/pepsi attacks

Dear collagues,

The traffic on this list has increased rapidly since we started to discuss
various security details. Regrettably, almost no persons from various
CERTs are subscribed to this list, while they deal with day-to-day
requests for intrusion and attack coordination.

Therefore, a security-related RIPE WG might really be needed. Its aims
would be to:

* enhance incident coordination among ISPs;
* ensure exchange of ideas and experiences in network and systems security;
* issue security-related recommendations and BCP documents;
* establish tighter relatioship between the ISPs and the CERTs.

The group should be open to any interested party.

The group should also elect a representative who would participate in
activities of the CERT and IRT community (meetings, workshops, mailing
lists etc.) and/or provide continuous input from various CERTs and IRTs.

Few days ago, I received an interesting message from Karel Vietsch,
Secretary General of TERENA, related to the subject we're talking about.
I'm forwarding it, hoping it would be interesting for wider community
(NOTE: the meeting, mentioned in Mr Vietsch's message is closed - only
CERT community memebers can participate, but if we find time to create
the Security-WG, a representative of the WG can apply to attend it):

-------------------------- Begin included message --------------------------
Date: Fri, 03 Sep 1999 22:43:51 +0200
From: Karel Vietsch <vietsch at terena.nl>
Subject: European collaboration between CERTs
To: Berislav Todorovic <BERI at etf.bg.ac.yu>
Cc: B.Gilmore at ed.ac.uk, dyer at terena.nl, demchenko at terena.nl

Dear Mr. Todorovic,

A colleague drew my attention to your message below.

Indeed, almost three years ago Daniel Karrenberg posted a proposal for a
SIRCE service to be provided by the RIPE NCC but he could not realise this
plan due to lack of financial commitments. Perhaps you are not aware that
Daniel's initiative was actually a proposed response to a call for tender
for the SIRCE pilot service, organised by TERENA. As mentioned above, the
RIPE NCC was not able to put forward a proposal, but some other
organisations did, the best proposal was selected and the SIRCE pilot
service started in May 1997. It is currently being provided by UKERNA. See
the SIRCE Web site <www.sirce.net> for further details on the current pilot
service.

The pilot will come to an end later this month, and a meeting has been
organised to discuss plans for future collaboration between CERTs in
Europe, following on from the SIRCE pilot. This meeting will take place in
Amsterdam on Friday 24 September 1999, immediately following the next RIPE
meeting. See the invitation below. If you are interested in attending this
meeting, please let me know.

Best regards,

Karel Vietsch
TERENA Secretary General

+++++++++++++++++++++++++++

Dear colleagues,

It is my pleasure to invite you to a meeting to discuss the future
collaboration of CERTs in Europe. The meeting will be held

         on Friday 24 September 1999, 11:00 - 15:00 hours,

              at the TERENA Secretariat in Amsterdam.


Background

Collaboration and co-ordination between CERTs in Europe has been under
discussion at least since 1992. The report of the TERENA Task Force "CERTs
in Europe" (1995) led to a pilot ("SIRCE") for a European CERT
co-ordination service. This pilot, which started in May 1997 and is
currently being provided by UKERNA, will come to an end later this month.
In general the responses to the pilot service have been positive, and many
have expressed their appreciation for the work done and the experiences
gained during the past 2.5 years. Nevertheless, it has become clear that it
will not be possible to establish a permanent operational European CERT
co-ordination service at the end of the pilot phase. This is mainly because
the needs of the various networks in Europe and their CERTs are so
different that it is not possible to collect a sufficient critical mass to
provide the (substantial) funds that would be needed to fund such a
professional permanent service.


Still there is a clear need for and willingness of CERTs in Europe to
collaborate on issues of common interest. Such collaboration can take the
form of exchange of information, limited work provided by one or more CERTs
for the entire European CERT community and joint activities of CERTs who
are interested in jointly solving a particular common problem. Rather than
a model of a centrally provided service, one would then adopt a model of
collaborative activities in one or more working groups, task forces and/or
small projects. This thought has been put forward by a number of CERTs in
the final discussions on SIRCE, and several examples of possible joint
activities have been given.
Now that the SIRCE pilot is being completed this month, the time seems ripe
to discuss these suggestions in more detail and to agree on future activities.

Purpose of the meeting

The purpose of the meeting on 24 September 1999 is to identify issues that
can be addressed, (information) services that can be provided, activities
that can be undertaken and problems that can be jointly solved, through
collaborative actions of CERTs in Europe. It is the intention to identify
for each of these: which CERTs (and possibly other parties) are interested
in the issue, how they feel the issue should be addressed and what they can
commit (in manpower or other resources) to joint work on the issue.
Agreements should then be reached as to when and how to start such work,
and how to organize it. We would hope that the meeting will lead to one or
more joint working groups, task forces and/or projects that can be started
very soon.

Who should attend the meeting?

The envisaged participants in the meeting will be the (leading) staff
members of CERTs  in Europe. Many of the current active CERTs in Europe are
attached to Research and Education Networks (NRENs), but representatives of
other CERTs who are interested in collaboration with the NREN CERTs are
most welcome to participate in the meeting.

The host

Having been instrumental in European CERT collaboration in recent years
(e.g. through the TERENA Task Forces and by making the arrangements for the
SIRCE pilot), TERENA feels it as its responsibility to facilitate the best
possible future collaboration between CERTs in Europe now that the SIRCE
pilot is nearing its completion. Hence TERENA , in consultation with the
contributors to the SIRCE pilot, has taken the initiative to organize and
host the meeting on 24 September to discuss future plans. The meeting will
be chaired by Brian Gilmore, member of TERENA's Executive Committee.

Meeting preparation

An agenda and other documents for the meeting will be sent out during the
next two weeks. Obviously it will help people to prepare for the meeting if
those who have specific suggestions for collaborative activities of CERTs
in the coming years, could briefly describe their ideas and circulate them
to the other meeting participants. Please send your suggestions by e-mail
to me at <vietsch at terena.nl>.

Logistics

The address of the TERENA Secretariat is: Singel 468, 1017 AW Amsterdam,
The Netherlands. Phone: +31 20 5304488. Please see
http://www.terena.nl/info/secretariat/location.html  for a description of
how to reach our office.

The meeting on 24 September is scheduled to follow immediately on a RIPE
meeting which will take place in Amsterdam during the preceding days, for
the convenience of those who would be interested to attend both meetings.
For others it is important to note that with the meeting starting at 11:00
and finishing before 15:00 hours it will be possible for most people in
Europe to make this a one-day trip, travelling to Amsterdam early in the
morning and back in the late afternoon.

In case you will nevertheless need to spend one or more nights in
Amsterdam, TERENA's Secretary Ms. Carol de Groot <secretariat at terena.nl>
can help you find  suitable accommodation. Since hotels in Amsterdam are
extremely full, you are urged to make your hotel arrangements (either
directly with the hotel or via Carol de Groot) ** as soon as possible **.


Finally, in order to help us prepare for the meeting, please let me know as
soon as possible whether you will be able to attend the meeting. My e-mail
address is: <vietsch at terena.nl>. We will then include you in further
mailings and send you the documents for the meeting.


I am looking forward to seeing you in Amsterdam on Friday 24 September and
I hope that we will have a very fruitful meeting!


Best regards,

Karel Vietsch
TERENA Secretary General


PS. : In case not you yourself but one of your colleagues will be the
appropriate person to participate in the meeting: please pass on this
invitation!

++++++++++++++++++++++++++++++++++++++++++++++
Karel Vietsch
TERENA Secretary General
Singel 468, 1017 AW Amsterdam, The Netherlands
phone: +31 20 5304488             fax: +31 20 5304499   
e-mail: <vietsch at terena.nl>     WWW: http://www.terena.nl

.-------.
| --+-- |  Berislav Todorovic, B.Sc.E.E.     | E-mail: BERI at etf.bg.ac.yu
|  /|\     Hostmaster of the YU TLD          | 
|-(-+-)-|  School of Electrical Engineering  | Phone:  (+381-11) 3221-419
|  \|/     Bulevar Revolucije 73             |                   3218-350
| --+-- |  11000 Belgrade SERBIA, YUGOSLAVIA | Fax:    (+381-11) 3248-681
`-------' --------------------------------------------------------------------