From: Allan Chong <allan@bellsouth.net>

> Yes, I realize no one is launching directly from dialup, but often, the
> user is someone originally dialed up and telneted to some box (or through
> multiple boxes). Tracking the attack back to the compromised machine
> quickly is worth it in my opinion. Pervasive accounting would at least
> allow one to systematically track back step by step to the origination.

No, pervasive accounting would only allow you to strengthen your position once you arrived at a conclusion. It does not in any way offer help in arriving at that conclusion.

> Even then it might be a university cluster (MIT used to give out the root
> passwords to workstations since everything was kerberized), but the
> cognoscenti at the university can often take care of the problem given
> the motivation. Right now the problem seems to be that the attack is
> totally anonymous and the methodology for tracking back to the source is
> involved.

Not likely to be a university cluster in my experience... some local pranks may be launched from university clusters. Dorm rooms and personal boxes, OTOH, seem to be a favorite for the past couple of years; expect that one to get worse.

But yes, the problem is finding out who the perp is, not proving who the actual offender was once you've narrowed yourself down to half a dozen possibilities and enlisted the cooperation of their local sysadmin.

In any event, once again I exhort everyone to not waste their time filtering the dialups. Filter your customers, filter your own networks; if you incidentally get most of your dialup servers covered by that umbrella, fine. If not, don't lose too much sleep over it -- if you don't believe me, just config up a linux box with the code of your choice, and try to SYNflood someone over a dialup.

> Hmmmm. If I were a hacker, I would be doing my best to make sure that my
> route to the victim was taking a path through as many foreign-speaking
> networks as possible.

You'd have to speak Swahili and Cantonese :) Not worth the trouble. The far ends of the earth where not even the network admins speak English are on the ends of wet strings; it isn't worth the aggravation to telnet through them, and launching a source-routed synflood through them would be self-defeating.

---Rob