Keep in mind that even if that ANI was obtainable, it still doesn't solve the problem at hand. Denial of Service attacks have just as many political/infrastructure problems as they do technical ones. A majority of the DoS attacks that MCI assists in tracing originate from "jump" points: compromised shell accounts that offer high bandwidth capacity. These shell accounts ("T3 Eggdrop Shells") are high-commodity items on hacker trading grounds like IRC (eg; #shells). DoS attacks usually involve several hub points: traversing several ISPs (reducing response times), jump-off points (needing coordination), and then there is the final hop, usually a dialup account, either stolen or created using a stolen credit card, making ISP subscriber information useless.

Even if the magical ANI information can be obtained (eg; ANI and CLID can actually be part of the accounting stream for some NASes), this data isn't typically provided to the victim, or the victim's ISP, without a court order, requiring law enforcement assistance. Despite the fact that a majority of customers we deal with do not want Law Enforcement assistance ("I just want the attack to stop"), the ones who do want it have to deal with jurisdictional office politics and heavy case loads. A majority of Denial of Service attacks do not meet the minimum jurisdiction-specific dollar loss, nor the felony-class baseline, to be considered a worthwhile case to pursue. Additionally, since a majority of these attacks are sourced from minors (read; High Dweeb Factor), prosecution of these individuals is also not usually an option (unless, of course, you are in Texas).

Civil remedies, however, should not be ruled out, as their effects are sometimes more strongly felt than criminal prosecution; loss of computer equipment and heavy fines that involve garnished wages for the next 5-10 years typically equate to "Gee, if I do this again, I won't be able to buy Doom". Rather than criminal prosecution, which results in probation and a now "professional" history that allows the hacker to pursue a career in security consulting ("He MUST know what he's talking about, he's a convicted computer hacker"). :sigh:

The social/political issues need to be addressed just as strongly as the technology issues. Speed bumps don't prevent speeding, radar traps do. Not wanting to get into an analogy war here, but you get the point.

I would recommend that ISPs obtain NOC and Security contacts for all that they peer with, and I would recommend that customers of ISPs obtain NOC and Security Team telephone and pager numbers for their ISPs. If your ISP doesn't have such information, nag them until they get it, or move to another ISP. Pre-plan for these attacks; on-the-fly coordination just doesn't cut it when you're dealing with high-impact, fast-cycle-time attacks.

Security teams at ISPs should also obtain contact information for their local and federal law enforcement offices. Such contacts should be tested regularly (eg; monthly) to ensure they are accurate. You can also ask Law Enforcement to provide you with a briefing on the types of computer investigations they are working on and seeing, which may help you plan your method of attack or compensation, or help you justify your continued existence to your upper management.

Other sources of information/contact would be NCSA's ISPSEC team (http://www.ncsa.com), the IPOS team, CERT (http://www.cert.org), and FIRST (http://www.first.org).

Also, MCI has released a Denial of Service "tracking" program called DoSTracker that helps to automate detection and tracing of these types of attacks through large backbone networks. DoSTracker is freely available to the public and can be found at: ftp://ftp.mci.net/outgoing/dostrack742812.tar

================================================================
Dale Drew
MCI Telecommunications
Sr. Manager, internetMCI Security Engineering
Voice: 703/715-7058
Internet: ddrew@mci.net
Fax: 703/715-7066
MCIMAIL: Dale_Drew/644-3335

At 10:40 AM 10/7/97 -0300, James_deleskie wrote:
I would not be surprised if the caller's phone number were logged; most modern modem banks talk ANI and DNIS, which if I'm remembering correctly is basically caller ID. I'm thinking of putting this on our POP, as there doesn't seem to be an extra charge to get the data from the telco.
I would have to disagree; in Canada anyway, the telco charges extra for these features, and while the modem racks will support it, few if any ISPs are gonna spend the $$$ for it. Until of course they are attacked and lose business, and then the VPs see the cost of NOT having it.
-Jim
Charles
~~~~~~~~~ ~~~~~~~~~~~
Charles Sprickman
Internet Channel
INCH System Administration Team
(212)243-5200
spork@inch.com
access@inch.com
On Mon, 6 Oct 1997, Phil Howard wrote:
Date: Mon, 6 Oct 1997 21:30:11 -0500 (CDT)
From: Phil Howard <phil@charon.milepost.com>
To: steve@nwnet.net
Cc: nanog@merit.edu
Subject: Re: Denial of service attacks apparently from UUNET Netblocks
Steve Mansfield writes...
[snip snip snip]
S'okay. Have the feds subpoena UUNET for the connect logs for these max'es. UUNET keeps the logs and is capable, given the exact time of the attack(s), of going through the logs, identifying exactly who it was, and if it's one of their customers, giving the personal info to the feds. If it's a reseller's customer, they can get the user info and forward it to the reseller and inform the feds who they need to talk to for the info. Whoever it was is as good as nailed.
Unless it was a stolen account. With more and more "naive" users coming online, the chance of this kind of thing happening is greater and greater. You can shut off the account. Feds can visit the home of whoever owns the account. They can even be blocked from ever getting any account at any ISP for life. But if this possibility is fact, you won't have the perp and they can attack again.
Now if the telco has records of all the phone calls you can find out where the calls actually came from. Maybe that's the perp. Maybe not.
What is ultimately needed is some better real-time detection of this kind of thing, sufficiently deployed so that it is present on all routers where the exposure exists. You may not catch the perp, but you might reduce the damage it causes.
How to encourage this to be done is left as an exercise for the reader.
--
Phil Howard    +-------------------------------------------------------------+
KA9WGN         | House committee changes freedom bill to privacy invasion !! |
phil at        | more info: http://www.news.com/News/Item/0,4,14180,00.html  |
milepost.com   +-------------------------------------------------------------+
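Two points raised in the thread above (Dale Drew's note that ANI/CLID can ride in the NAS accounting stream, and Steve Mansfield's point that the ISP can identify the account from its connect logs given the exact time of the attack) describe a correlation that is easy to get wrong in practice: dial-up addresses are recycled within minutes, and victims report attack times in their own time zone. The following Python is an added example for this thread, not code from MCI, UUNET or any poster; the flat-file record layout (a simplified rendering of RADIUS accounting attributes), the sample records, the subscriber phone numbers and the function names are all constructed for illustration, and real NAS logs differ by vendor.

```python
"""Correlate one DoS observation (source IP + timestamp) with dial-up
accounting records to recover the account behind it and, where the NAS
logged it, the calling number (ANI).

Added example; not code from the thread, MCI, UUNET or any poster.  The
record layout is an assumption: a simplified flat-file rendering of the
RADIUS accounting attributes Acct-Status-Type, User-Name, Framed-IP-Address,
NAS-Port and Calling-Station-Id.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample accounting stream, timestamps in UTC.  Note that
# 10.1.2.3 is handed to a second caller a minute after the first hangs up,
# and that bob's session has no Stop record yet (caller still online).
ACCT_LOG = """\
1997-10-07T13:02:11Z Start User-Name=joe Framed-IP-Address=10.1.2.3 NAS-Port=17 Calling-Station-Id=7035550101
1997-10-07T13:05:00Z Start User-Name=bob Framed-IP-Address=10.1.2.4 NAS-Port=18 Calling-Station-Id=2125550199
1997-10-07T13:40:57Z Stop User-Name=joe Framed-IP-Address=10.1.2.3 NAS-Port=17 Calling-Station-Id=7035550101
1997-10-07T13:41:30Z Start User-Name=ann Framed-IP-Address=10.1.2.3 NAS-Port=17
1997-10-07T14:10:00Z Stop User-Name=ann Framed-IP-Address=10.1.2.3 NAS-Port=17
"""

# Constructed subscriber records: the phone number each account holder gave
# at sign-up.  An ANI that does not match is the "stolen account" signal.
SUBSCRIBER_PHONES = {"joe": "7035550101", "bob": "5125550123", "ann": "2125550188"}


@dataclass
class Session:
    user: str
    ip: str
    port: str
    start: datetime
    stop: Optional[datetime]   # None while the caller is still online
    ani: Optional[str]         # None when the NAS did not log Calling-Station-Id


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_acct_log(text: str) -> List[Session]:
    """Pair Start/Stop records into sessions keyed on (user, port, ip)."""
    open_sessions: Dict[tuple, Session] = {}
    sessions: List[Session] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status, *attrs = line.split()
        a = dict(kv.split("=", 1) for kv in attrs)
        key = (a["User-Name"], a["NAS-Port"], a["Framed-IP-Address"])
        if status == "Start":
            open_sessions[key] = Session(a["User-Name"], a["Framed-IP-Address"],
                                         a["NAS-Port"], _parse_ts(ts), None,
                                         a.get("Calling-Station-Id"))
        elif status == "Stop" and key in open_sessions:
            s = open_sessions.pop(key)
            s.stop = _parse_ts(ts)
            sessions.append(s)
    # Anything without a Stop is still up (or the log was cut short); keep it.
    sessions.extend(open_sessions.values())
    return sessions


def parse_attack_time(reported: str) -> datetime:
    """Normalise a victim's report such as '10/7/97 10:40 AM -0300' to UTC.
    Comparing a local time against UTC accounting records is the classic way
    to pull the wrong subscriber out of a recycled address pool."""
    return datetime.strptime(reported, "%m/%d/%y %I:%M %p %z").astimezone(timezone.utc)


def find_sessions(sessions: List[Session], ip: str, when: datetime) -> List[Session]:
    """Sessions that held `ip` at the instant `when` (Stop time inclusive)."""
    return [s for s in sessions
            if s.ip == ip and s.start <= when and (s.stop is None or when <= s.stop)]


def attribute(ip: str, when: datetime, sessions: List[Session],
              subscriber_phones: Dict[str, str]) -> dict:
    """Hand-over record for one observation: account, port, ANI, and whether
    the ANI agrees with the number the subscriber gave at sign-up."""
    hits = find_sessions(sessions, ip, when)
    if len(hits) != 1:
        return {"status": "ambiguous" if hits else "no-session",
                "candidates": [s.user for s in hits]}
    s = hits[0]
    on_file = subscriber_phones.get(s.user)
    return {"status": "found", "user": s.user, "nas_port": s.port, "ani": s.ani,
            "ani_matches_subscriber": (s.ani == on_file) if s.ani and on_file else None}


if __name__ == "__main__":
    sessions = parse_acct_log(ACCT_LOG)
    when = parse_attack_time("10/7/97 10:40 AM -0300")
    for victim_ip in ("10.1.2.3", "10.1.2.4"):
        print(victim_ip, attribute(victim_ip, when, sessions, SUBSCRIBER_PHONES))
```

Run as-is, the 10:40 AM -0300 report resolves to joe (whose ANI matches his sign-up number), while the same address five minutes later belongs to ann, for whom the NAS logged no Calling-Station-Id at all, so only the subscriber record is available. bob's session is still open and his ANI does not match the number on file, which is the pattern Phil Howard's "stolen account" case would show: the account holder is identifiable but is probably not the caller.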