On Mon, 1 May 2000, John Kristoff wrote:
"Henry R. Linneweh" wrote:
My fundamental question here is: where is the directory where all these new DDoS toyz and other forms of destruction are located?
Potentially millions of hosts.
How are they getting to these programs? A solution is system-wide scans for code segments in programs that spawn attacks, and removing them and the users who have them without a valid reason.
Search records for ssh, stelnet, telnet connections to boxes other than the primary account.
The idea of scanning every single node on your network is also, well -- absurd. Perhaps someday in the far future when we all have rocket-cars or, more unbelievably, we have ipv6 - then we'll be able to do it. It's not like most corps don't try, but let's look at our options here: Tivoli (ick), CA/Unicenter (more ick), even my beloved NetCool/OMNIbus isn't set up to handle such a task (wait, give me a few days). We're talking about programs that can transmit with different protocols, be compiled differently to hide their identity, among other things. Not only the program itself must be considered, but remember these are most likely compromised hosts you're talking about: a simple change of the ps with the cracker's own and poof, that pesky client isn't going to appear anymore, this change being the lamest and weakest of their options - though the most common.

I keep hearing the argument on here about it being a 'host' problem. Let's put this in perspective: it's an 'admin' problem. The boxes compromised in most cases are systems that aren't updated and patched as needed, or are monitored by admins who either can't perform the most simple maintenance, or just don't care. This isn't 'news' to anyone here. However it seems like the only answer is... blackhole any network that attacks you! Make the networks pay for not admin'ing themselves properly; blackhole every university too, for good measure. wait.. wait.. that won't work.. Perhaps I should re-think this...

Rodney Caston
SBC Internet Services
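The swapped-out ps that Rodney mentions (a replacement binary that simply omits the attacker's client) can be caught from the defender's side by comparing the PIDs the kernel exposes in /proc with the PIDs ps reports. This is an added example, not code from the thread or from SBC; it assumes a Linux host with a procps-style `ps -e -o pid=`, and the offline check below uses a constructed ps output sample rather than a live capture.

```python
import os
import subprocess
from typing import Dict, Iterable, List, Set

# Constructed sample of `ps -e -o pid=` output (not captured from a real host).
SAMPLE_PS_OUTPUT = "    1\n  742\n 1303\n"


def parse_ps_pids(ps_output: str) -> Set[int]:
    """Parse the bare PID column printed by `ps -e -o pid=`."""
    pids: Set[int] = set()
    for line in ps_output.splitlines():
        token = line.strip()
        if token.isdigit():
            pids.add(int(token))
    return pids


def proc_pids(proc_root: str = "/proc") -> Set[int]:
    """PIDs the kernel exposes as numeric directories under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def hidden_pids(kernel_view: Iterable[int], ps_view: Iterable[int]) -> List[int]:
    """PIDs present in the kernel's view but missing from ps output.

    A trojaned userland ps can drop lines; it cannot remove the /proc entry.
    """
    return sorted(set(kernel_view) - set(ps_view))


def describe(pid: int, proc_root: str = "/proc") -> str:
    """Best-effort command line for a PID; empty cmdline means a kernel thread."""
    try:
        with open(f"{proc_root}/{pid}/cmdline", "rb") as fh:
            raw = fh.read()
    except OSError:
        return "(exited before it could be read)"
    return raw.replace(b"\0", b" ").decode(errors="replace").strip() or "(kernel thread)"


def check_live_host() -> Dict[int, str]:
    """Run the comparison on this host and report anything ps failed to list.

    ps is sampled first, then /proc, so a process that exits in between is not
    flagged; a process started in between can be, so re-run to confirm a hit.
    """
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {pid: describe(pid) for pid in hidden_pids(proc_pids(), parse_ps_pids(out))}
```

A kernel-level rootkit that filters /proc itself defeats this check, which is exactly why the thread calls the plain ps swap the weakest of the attacker's options.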