scripts kiddie sites
For my edjumacation, could someone clarify what a scripts kiddie source network as it's being bandied about here is? I can only *assume*, and I try to avoid doing that (not always successfully). Thanx, Karyn.

---------------------------------------------------------------------
Best regards,
Karyn Ulriksen
Director of Network Operations
PublicHost, A SiteStream Company
22 Mauchly, Suite 200
Irvine, California 92618 USA
Phone: (949) 743-2000
email: kulriksen@publichost.com
URL: http://www.publichost.com
On Thu, 6 Jul 2000, Karyn Ulriksen wrote:
For my edjumacation, could someone clarify what a scripts kiddie source network as it's being bandied about here is? I can only *assume*, and I try to avoid doing that (not always successfully).
A network which hosts machines which are used to root exploit other systems. -Dan
Karyn Ulriksen wrote:
For my edjumacation, could someone clarify what a scripts kiddie source network as it's being bandied about here is? I can only *assume*, and I try to avoid doing that (not always successfully).
A script kiddie is the most common form of system cracker. He attacks remote systems using scripts and programs that were written by other people. He usually does not have the brains to write his own attack scripts/programs. I would assume that a "scripts kiddie source network" is a network where the administrators do not bother to investigate reports of system cracking attempts from their network. This effectively gives these crackers a green light to go and attack people, since they know they won't lose their access. This is in contrast to a responsible network, which will investigate reports of cracking, and will take action against the crackers by terminating their access and/or pressing legal charges. -- David
RoadRunner is such a network. Send them an incident report from tcp_wrappers; it's not enough, they want system logs that don't exist. They basically ignore reports of break-in attempts. More like the Korean networks in that respect. And of course there are several .jp domains that can't be bothered to lock down their mail relays after being notified. Most of the break-in attempts on my server come from .kr and from RoadRunner. I may well just blackhole the netblocks for .kr; I don't get legit traffic from them. RoadRunner is another matter. Now, if RR was in something like the RBL where suddenly their customers couldn't get to where they want on the net, RR would have to take action.

----- Original Message -----
From: "David Charlap" <david.charlap@marconi.com>
To: <nanog@merit.edu>
Sent: Thursday, July 06, 2000 7:06 PM
Subject: Re: scripts kiddie sites
Karyn Ulriksen wrote:
For my edjumacation, could someone clarify what a scripts kiddie source network as it's being bandied about here is? I can only *assume*, and I try to avoid doing that (not always successfully).
A script kiddie is the most common form of system cracker. He attacks remote systems using scripts and programs that were written by other people. He usually does not have the brains to write his own attack scripts/programs.
I would assume that a "scripts kiddie source network" is a network where the administrators do not bother to investigate reports of system cracking attempts from their network. This effectively gives these crackers a green light to go and attack people, since they know they won't lose their access.
This is in contrast to a responsible network, which will investigate reports of cracking, and will take action against the crackers by terminating their access and/or pressing legal charges.
-- David
On Thu, 06 Jul 2000 20:22:53 EDT, Dana Hudes <dhudes@hudes.org> said:
Now, if RR was in something like the RBL where suddenly their customers couldn't get to where they want on the net, RR would have to take action.
http://www.orbs.org/hallofshame.html

RR is listed there. They're getting their mail black-holed by any ORBS users because of it, so their customers are already unable to get where they want to go, and they're not taking action.

On a side note, does anybody have any firm statistics on the actual usage rates of ORBS and/or the RBL/DUL/RSS databases? "7 out of 15 ISPs surveyed" or "They're seeing 15M DNS lookups/day" or anything else like that?

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
On Fri, 07 Jul 2000 12:31:26 EDT, Valdis.Kletnieks@vt.edu said:
http://www.orbs.org/hallofshame.html
RR is listed there. They're getting their mail black-holed by any ORBS users because of it, so their customers are already unable to get where they want to go, and they're not taking action.
OK.. Following up my own post, so I don't need to clarify this *AGAIN*: I'm not saying RR is a spam house. I'm not saying that ORBS is good, bad, or indifferent. My point was merely that RR is *already* in a black-hole list, and their customers are *already* unable to get to where they want to go as a result of it (in that a RR customer can't mail to a site that uses ORBS). Therefore, it's probably safe to say that RR won't change their business practices merely because customers can't do what they want - it will require that *enough* customers get *enough* upset that the resulting customer drain to a non-blackholed ISP impacts the bottom line.

OK? Got that? RR has its policies - I'm *NOT* making value judgements on what said policies are. But said policies won't get changed unless their bottom line is threatened. Customer complaints won't do it, unless they swamp the call support center (thus threatening the bottom line) or cause customers to migrate (thus threatening the bottom line).

Hopefully, I don't need to explain that *again*. ;)

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
At 19:06 06/07/00 -0400, David Charlap wrote:
I would assume that a "scripts kiddie source network" is a network where the administrators do not bother to investigate reports of system cracking attempts from their network. This effectively gives these crackers a green light to go and attack people, since they know they won't lose their access.
-- David
There is an inherent problem here. Newer Internet phone systems allow anonymous dialin. We have such a system in Israel (2+ years) and I know one like that exists in the UK. The monopoly phone company sets up a special number like "135", users dialin - no authentication, no user/pswd, just PPP to one specific site. The user fires up their browser and connects to the phone company Web portal which has a large table of ISPs and rates. The user clicks on the one they want and all the packets now flow via that ISP. No authentication. Pure anonymous PPP. [Technical side has been over-simplified.] The phone company bills the user on their phone bill and splits the revenues then with the ISP. The ISP no longer needs modems, or any authentication system, just a large leased line to the phone company virtual POPs and a bank account to receive the monthly checks. Script kiddies love this. The only way to stop the kiddie is a court order to track down the phone number from the virtual POP and who called. Not as easy as adding a filter to a net or closing a user's account. So an RBL for script kiddie nets is not as easy as it may sound to some. -Hank
Is there any way to identify these types of providers and not carry them on the backbone?

Hank Nussbacher wrote:
At 19:06 06/07/00 -0400, David Charlap wrote:
I would assume that a "scripts kiddie source network" is a network where the administrators do not bother to investigate reports of system cracking attempts from their network. This effectively gives these crackers a green light to go and attack people, since they know they won't lose their access.
-- David
There is an inherent problem here. Newer Internet phone systems allow anonymous dialin. We have such a system in Israel (2+ years) and I know one like that exists in the UK. The monopoly phone company sets up a special number like "135", users dialin - no authentication, no user/pswd, just PPP to one specific site. The user fires up their browser and connects to the phone company Web portal which has a large table of ISPs and rates. The user clicks on the one they want and all the packets now flow via that ISP. No authentication. Pure anonymous PPP. [Technical side has been over-simplified.] The phone company bills the user on their phone bill and splits the revenues then with the ISP. The ISP no longer needs modems, or any authentication system, just a large leased line to the phone company virtual POPs and a bank account to receive the monthly checks.
Script kiddies love this. The only way to stop the kiddie is a court order to track down the phone number from the virtual POP and who called. Not as easy as adding a filter to a net or closing a user's account. So an RBL for script kiddie nets is not as easy as it may sound to some.
-Hank
--
Thank you;
|--------------------------------|
| Thinking is a learned process. |
| ICANN member @large            |
| Gigabit over IP, ieee 802.17   |
|--------------------------------|
Henry R. Linneweh
On Fri, Jul 07, 2000 at 07:14:17AM -0700, Henry R. Linneweh wrote:
Is there any way to identify these types of providers and not carrying them on the backbone?
"Sorry we can't do anything to stop them without a court order as our system isn't able to identify individual users" would be a good clue.

--
John Payne
http://www.sackheads.org/jpayne/
john@sackheads.org
http://www.sackheads.org/uce/
Fax: +44 870 0547954
340% tax? http://www.boycott-the-pumps.com/
On Fri, Jul 07, 2000 at 07:35:52AM +0200, Hank Nussbacher wrote:
There is an inherent problem here. Newer Internet phone systems allow anonymous dialin. We have such a system in Israel (2+ years) and I know one like that exists in the UK. The monopoly phone company sets up a special number like "135", users dialin - no authentication, no user/pswd, just PPP to one specific site. The user fires up their browser and connects to the phone company Web portal which has a large table of ISPs and rates. The user clicks on the one they want and all the packets now flow via that ISP. No authentication. Pure anonymous PPP. [Technical side has been over-simplified.] The phone company bills the user on their phone bill and splits the revenues then with the ISP. The ISP no longer needs modems, or any authentication system, just a large leased line to the phone company virtual POPs and a bank account to receive the monthly checks.
There is a problem here, but it's not *MY* problem. If that becomes a source of too many attacks on my systems, I'll block it. If that means disenfranchising Israel, well:

1) You made your bed, now you can lie in it.
2) You've survived disenfranchisement by far more powerful people than me. :-)
participants (9)
- Dan Hollis
- Dana Hudes
- David Charlap
- Hank Nussbacher
- Henry R. Linneweh
- John Payne
- Karyn Ulriksen
- Shawn McMahon
- Valdis.Kletnieks@vt.edu