Robert E. Seastrom wrote:
From: Allan Chong <allan@bellsouth.net>
Tracking down hacked machines would be quicker. Sometimes you might be able to track back to the source where you could pull the ANI or caller ID information out of the RADIUS accounting logs and have someone knocking on their door. You only have to do this for 1 in 10 attacks before rumors spread around the hacker community and it stops.
This discussion of securing dialup servers is pointless. I guarantee you that the 2000 packet/second SYN attacks we've been seeing are coming from a compromised host on a high speed connection and not from someone's 28.8k dialup connection. The hackers just take over a machine, use it to launch their attacks, and disappear into the jungle if we manage to find the particular machine they're using tonight.
Yes, I realize no one is launching directly from dialup, but often, the user is someone originally dialed up and telneted to some box (or through multiple boxes). Tracking the attack back to the compromised machine quickly is worth it in my opinion. Pervasive accounting would at least allow one to systematically track back step by step to the origination. Even then it might be a university cluster (MIT used to give out the root passwords to workstations since everything was kerberized), but the cognoscenti at the university can often take care of the problem given the motivation. Right now the problem seems to be that the attack is totally anonymous and the methodology for tracking back to the source is involved. Hmmmm. If I were a hacker, I would be doing my best to make sure that my route to the victim was taking a path through as many foreign-speaking networks as possible. You'd have to speak Swahili and Cantonese :)

allan
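The trace-back step the thread describes (an operator gets "source IP X at time T" from the next hop and pulls the ANI/caller ID out of RADIUS accounting) is a log-correlation job. The script below is an added example, not code from either poster or from any RADIUS server; it assumes a FreeRADIUS-style "detail" accounting file (a date header line followed by indented `Attribute = value` lines, records separated by blank lines) and uses constructed sample records. It pairs Start and Stop records by Acct-Session-Id into intervals, then answers "which session held this IP at this instant", which matters because dialup pools reuse addresses: the same IP belongs to different callers at different times.

```python
"""Correlate a source IP and timestamp against RADIUS accounting records.

Added example (not from the original thread). Assumes a FreeRADIUS-style
"detail" file layout; attribute names are the standard RADIUS accounting
attributes. All records below are constructed sample data.
"""
import re
from datetime import datetime, timedelta

HEADER_FMT = "%a %b %d %H:%M:%S %Y"
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

# Constructed sample accounting file: IP 198.51.100.23 is used by two
# different callers on the same evening, with a gap in between.
SAMPLE_DETAIL = """\
Tue Jan 14 21:30:00 1997
\tAcct-Status-Type = Start
\tUser-Name = "user3"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 5
\tAcct-Session-Id = "00000120"
\tFramed-IP-Address = 198.51.100.24
\tCalling-Station-Id = "5550155"

Tue Jan 14 22:01:03 1997
\tAcct-Status-Type = Start
\tUser-Name = "user1"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 17
\tAcct-Session-Id = "00000123"
\tFramed-IP-Address = 198.51.100.23
\tCalling-Station-Id = "5550101"

Tue Jan 14 22:40:55 1997
\tAcct-Status-Type = Stop
\tUser-Name = "user1"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 17
\tAcct-Session-Id = "00000123"
\tFramed-IP-Address = 198.51.100.23
\tCalling-Station-Id = "5550101"
\tAcct-Session-Time = 2392

Tue Jan 14 22:45:10 1997
\tAcct-Status-Type = Start
\tUser-Name = "user2"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 17
\tAcct-Session-Id = "00000131"
\tFramed-IP-Address = 198.51.100.23
\tCalling-Station-Id = "5550199"

Tue Jan 14 23:00:00 1997
\tAcct-Status-Type = Stop
\tUser-Name = "user3"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port = 5
\tAcct-Session-Id = "00000120"
\tFramed-IP-Address = 198.51.100.24
\tCalling-Station-Id = "5550155"
\tAcct-Session-Time = 5400
"""

IDENT = (("user", "User-Name"), ("ip", "Framed-IP-Address"),
         ("caller", "Calling-Station-Id"), ("nas", "NAS-IP-Address"),
         ("port", "NAS-Port"))


def parse_detail(text):
    """Return a list of (timestamp, attrs) tuples, one per accounting record."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        ts = datetime.strptime(lines[0].strip(), HEADER_FMT)
        attrs = {}
        for line in lines[1:]:
            m = ATTR_RE.match(line)
            if m:
                attrs[m.group(1)] = m.group(2)
        records.append((ts, attrs))
    return records


def build_sessions(records):
    """Pair Start/Stop records by Acct-Session-Id into [start, stop] intervals."""
    sessions = {}
    for ts, a in records:
        sid = a.get("Acct-Session-Id")
        if sid is None:
            continue
        s = sessions.setdefault(sid, {"start": None, "stop": None})
        status = a.get("Acct-Status-Type")
        if status == "Start":
            s["start"] = ts
            for key, attr in IDENT:
                s[key] = a.get(attr)
        elif status == "Stop":
            s["stop"] = ts
            for key, attr in IDENT:          # Stop repeats the identifiers,
                s.setdefault(key, a.get(attr))  # so a lost Start is recoverable
            if s["start"] is None and "Acct-Session-Time" in a:
                s["start"] = ts - timedelta(seconds=int(a["Acct-Session-Time"]))
    return sessions


def find_session(sessions, ip, at):
    """Return the session that held `ip` at time `at`, or None if none covers it.
    A session with no Stop record is treated as still active."""
    for sid, s in sessions.items():
        if s.get("ip") != ip or s["start"] is None:
            continue
        if s["start"] <= at and (s["stop"] is None or at <= s["stop"]):
            return dict(s, session_id=sid)
    return None


def who_had(ip, when, text=SAMPLE_DETAIL):
    """Convenience wrapper: `when` is 'YYYY-MM-DD HH:MM:SS' in the NAS clock."""
    at = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
    return find_session(build_sessions(parse_detail(text)), ip, at)


if __name__ == "__main__":
    print(who_had("198.51.100.23", "1997-01-14 22:20:00"))  # user1 / 5550101
    print(who_had("198.51.100.23", "1997-01-14 22:43:00"))  # None: IP unassigned
```

The timestamp in the query must be in the NAS's clock, not the victim's; an operator doing this for real would check the NAS against NTP before trusting a match, since a few minutes of skew can land the lookup in the gap between two callers or on the wrong one.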