Brandon Ross wrote:
We report these incidents to the FBI when there is at least a slim chance that the perpetrator might be caught. We get a lot of very short lived attacks (30 minutes or less) that just don't seem to be worth our time to report to the FBI, since there's usually no data that would give them a bit of a clue about who might have done it.
My recommendation is to take all the incidents that you are currently classifying as unlikely to be resolved, and prepare a report on each one with as much data as you can gather about them, and supply that report to the FBI anyway. This will help them understand just what is going on, and may even help them acquire additional budgets and funding to expand their resources to be more effective at investigating more of these incidents. This will allow them to keep better statistics on just what problems are being seen in the Internet, whether they be kids with scripts or terrorists. The line between these groups will be getting fuzzier, so we cannot disregard it at all.

It might also be interesting if we can as a group collect and merge the data on these incidents. I know there are some agencies that already do this, and if someone has some detail on that, maybe that will be a good start. I know that I would be interested in comparing not only the list of addresses that smurf incidents are coming from, but also comparing the load balance of these addresses (e.g. do addresses that show up twice as much in one incident also do so in another?). If we can identify the addresses that regularly show up, perhaps that may motivate the FBI to insist on a "wiretap" at the location of the smurf amplifiers frequently seen. Then from there they may be able to begin backtracking attacks and find the real source(s).

-- *-----------------------------* Phil Howard KA9WGN             * --
-- | Inturnet, Inc.              | Director of Internet Services | --
-- | Business Internet Solutions | eng at intur.net              | --
-- *-----------------------------* phil at intur.net             * --
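The cross-incident comparison Phil proposes (which amplifier addresses recur, and whether an address that carries a large share of one attack carries a similar share of another) is easy to compute once each incident is recorded as a list of source addresses with reply-packet counts. The script below is an added example written for this thread, not code from any of the posters or from any agency; the incident data is constructed (addresses are from the documentation ranges, counts are made up) and stands in for what an operator would extract from flow records or packet captures during each attack.

```python
"""Cross-incident comparison of smurf amplifier sources (added example).

Input: {incident_id: [(amplifier_address, reply_packet_count), ...]}.
Output: recurring addresses, their share of each incident's traffic, and a
ranked summary suitable for attaching to a report to law enforcement.
"""
from collections import defaultdict

# Constructed sample data: three short-lived incidents. Addresses are taken
# from the RFC 5737 documentation ranges and the counts are invented.
INCIDENTS = {
    "1998-01-05-a": [("192.0.2.10", 4000), ("198.51.100.7", 2000), ("203.0.113.3", 2000)],
    "1998-01-06-b": [("192.0.2.10", 1200), ("198.51.100.7", 600), ("203.0.113.9", 200)],
    "1998-01-09-c": [("198.51.100.7", 500), ("203.0.113.3", 1500)],
}


def share_by_incident(incidents):
    """Return {incident: {address: fraction of that incident's reply traffic}}.

    Normalising to a fraction lets a 30-minute incident be compared with a
    much larger one: the question is "what part of this attack came through
    this amplifier", not the absolute packet count.
    """
    shares = {}
    for inc, rows in incidents.items():
        per_addr = defaultdict(int)
        for addr, count in rows:          # merge duplicate rows for one address
            per_addr[addr] += count
        total = sum(per_addr.values())
        shares[inc] = {a: c / total for a, c in per_addr.items()} if total else {}
    return shares


def recurring_amplifiers(incidents, min_incidents=2):
    """Addresses seen in at least min_incidents incidents -> sorted incident ids."""
    seen = defaultdict(set)
    for inc, rows in incidents.items():
        for addr, _ in rows:
            seen[addr].add(inc)
    return {a: sorted(incs) for a, incs in seen.items() if len(incs) >= min_incidents}


def share_spread(incidents, min_incidents=2):
    """For each recurring address: (lowest share, highest share) across incidents.

    A narrow spread means the amplifier carries a consistent fraction of each
    attack, which is the "load balance" comparison described in the post.
    """
    shares = share_by_incident(incidents)
    spread = {}
    for addr, incs in recurring_amplifiers(incidents, min_incidents).items():
        vals = [shares[inc][addr] for inc in incs]
        spread[addr] = (min(vals), max(vals))
    return spread


def report(incidents, min_incidents=2):
    """Rows ranked by number of incidents, then by peak share, then by address."""
    rec = recurring_amplifiers(incidents, min_incidents)
    spread = share_spread(incidents, min_incidents)
    rows = [
        {"address": a, "incidents": rec[a],
         "min_share": spread[a][0], "max_share": spread[a][1]}
        for a in rec
    ]
    rows.sort(key=lambda r: (-len(r["incidents"]), -r["max_share"], r["address"]))
    return rows


if __name__ == "__main__":
    for row in report(INCIDENTS):
        print(f'{row["address"]:>15}  seen in {len(row["incidents"])} incidents  '
              f'share {row["min_share"]:.2f}..{row["max_share"]:.2f}  '
              f'({", ".join(row["incidents"])})')
```

Feeding the same structure with real per-incident data from several operators is the merging step the post asks about; because shares are fractions, incidents of very different sizes contribute on equal footing, and an address that tops the ranking with a narrow spread is the kind of consistently used amplifier worth flagging in the report.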