Re: What TO DO and what NOT TO DO [Re: DOS Attacks - Almost Caught One!]
Quark Physics wrote:
> Btw - I am thinking it will end in some kind of _anti-hacker_ ISP association which vows to prosecute any attempt to hack, even if it is harmless itself. Just again, it's the only way. Do you remember why in ancient culture any attempt to forbid the rules was prosecuted - not because it was very important, but to stop other ones from going this way.
> Technically, it's not a big deal to find the hacker - but it's a big work.

The hard part is not the technology, it's the customer(s). They want their box back operational ASAP, yet complain when you tell them they must use SSH (putty.exe rocks!) and such. I have gotten less than no help when I find the person's box they hacked to get to the box I found.

The key to an anti-hacker ISP association would be a very special IP address / contact person lookup database, i.e. who/how to contact for the 'SWAT' response for a particular IP address.

--Mike--
Hello;

When we have had attacks such as root exploits, we have notified the source (at least, the ISP hosting the immediate source) as to the date, time, IP address, etc. (In one case, the attack appeared to come from a dial-up address in Germany, so I thought we had them.) We have NEVER received a response. From conversations at meetings, etc., I understand that this is typical - almost universal - and that it would be naive to expect other ISPs to actually do anything about being a source for attacks.

Maybe a start would be a BCP for some level of minimal response if you source an attack, and a "web site of shame" listing those domains that source attacks and do nothing about it when notified.

Regards
Marshall Eubanks
Multicast Technologies, Inc.
10301 Democracy Lane, Suite 201
Fairfax, Virginia 22030
Phone : 703-293-9624
Fax : 703-293-9609
e-mail : tme@on-the-i.com
http://www.on-the-i.com
Er, begging to differ. Only when electrodes are implanted in people's brains and the activation circuits are accessible via paging (or something similar) will you get the types of response you think you want. Either that, or if there is a business relationship w/ your "SWAT" team, e.g. they are paid to be at your beck/call on a 24/7/365 basis.
Are you really saying that if I tell you that a dial-up user on your network hacked into my system at some precise time, from a precise IP address (so that you could probably tell easily which user did it), and did so in a fashion which suggested an automated "script kiddie" effort, I should only expect a response from you if I PAY for it ?!?

This seems pretty close to the "protection" money that I hear people with POPs in Moscow have to pay :)

(BTW, I said nothing about timeliness or 24x7 availability - a note a week or two later would have sufficed.)
On Tue, 24 Oct 2000 09:53:16 EDT, Marshall Eubanks <tme@21rst-century.com> said:
> Are you really saying that if I tell you that a dial-up user on your network hacked into my system at some precise time, from a precise IP address (so that you could probably tell easily which user did it), and did so in a fashion which suggested an automated "script kiddie" effort, I should only expect a response from you if I PAY for it ?!?

Umm... would you be satisfied with a "We've referred it to the appropriate people" response?

At least here, and probably many other universities, we're stuck not being able to say much more than that due to student confidentiality rules...

Yes, we take action. No, we usually can't say what we did.

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
On Tue, 24 Oct 2000 Valdis.Kletnieks@vt.edu wrote:
> Umm... would you be satisfied with a "We've referred it to the appropriate people" response?
>
> At least here, and probably many other universities, we're stuck not being able to say much more than that due to student confidentiality rules...
> Yes, we take action. No, we usually can't say what we did.

A general incident response capability would be useful, but unfortunately this requires more cooperation than most companies are willing to give.

Would it be worthwhile to include security incident handling policies and procedures in peering agreements? I.e. a peering agreement also includes a testable disaster recovery plan, and a security incident response plan. It is fairly obvious by now that a peering agreement is more than simply an agreement on a router configuration.

I'm wondering if anyone would consider something like this a little more robust than the centralized CIRTs and industry associations, as it would be relative to local policy, and the participants have a direct existing relationship with each other. This, as opposed to dependence on a neutral co-ordinating centre which may be dealing with other problems.

--
batz
Reluctant Ninja
Defective Technologies
As a general rule, a response of any sort is preferable to nothing; at least it means somebody bothered to read the complaint, which is quite a stretch from the truth in quite a few places.

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Valdis.Kletnieks@vt.edu
Sent: Tuesday, October 24, 2000 10:12 AM
To: tme@21rst-century.com
Cc: nanog@nanog.org
Subject: Re: whois
Valdis.Kletnieks@vt.edu wrote:
> Umm... would you be satisfied with a "We've referred it to the appropriate people" response?
Sure, even a one-liner would generally be enough. If you receive no response, you assume that you are being ignored. (People with a lot more experience in this than I have have told me that having such reports ignored is indeed the norm.)

It takes work to identify as much as you can about an attack and send it to the source ISP (or whoever). If they consistently receive no response, most people will eventually stop doing this work. I think that most recognize that, many times, such reports won't lead to any specific results - the ISP at the other end also has to prioritize their time. But if they aren't made, how can these people ever be nailed?

Regards
Marshall Eubanks
Multicast Technologies, Inc.
10301 Democracy Lane, Suite 201
Fairfax, Virginia 22030
Phone : 703-293-9624
Fax : 703-293-9609
e-mail : tme@on-the-i.com
http://www.on-the-i.com
Yow! A chance to play devil's advocate... Cool :)

If you told me a dialup user on my network did anything, I'd doubt your veracity. How do you know I have dialup services in my network? The accuracy of your clock and the recorded IP address are suspect since I have zero visibility into your network structure or administrative practice... and you don't have that visibility into mine. Your clock is hacked and you are forging IP addresses in an attempt to distract me from providing services. Tell me why this is not a simple case of harassment?

Full and public disclosure of the attack profile would help build your credibility. And yes, if I have no business relationship to you and I've never had a relationship with you and you are making assertions about my infrastructure and clients, I will prolly want some incentive to cover the costs of investigating your outrageous claims.
Although I really like the electrode idea, the business relationship idea is not out of the question. We have been willing to pay for a response on originating or relay points of problems. CERT is great for many things, but paying for a CERT-level response is very expensive. Paying a few hundred or even a few thousand dollars is not out of the question in some cases, though.

--Mike--
participants (6): batz, bmanning@vacation.karoshi.com, Brett L. Hawn, Marshall Eubanks, Quark Physics, Valdis.Kletnieks@vt.edu