RE: My First Denial of Service Attack..... (fwd)
Date: Sun, 6 Oct 1996 11:40:25 -0400
From: Dave Van Allen <dave@fast.net>
To: "'inet-access@earth.com'" <inet-access@earth.com>
Subject: RE: My First Denial of Service Attack.....

[...] and we had the name of the user, their ISP, and other info in less than 15 minutes.

Just out of curiosity, what is the penalty for this sort of activity?

Note that people didn't seem to take software piracy very seriously until the Software Publishers Association was able to extract some fairly heavy fines from some large corporations. Up until that time, there was, in effect, no penalty for software piracy.

(This sounds like a good NANOG topic for some adventuresome soul...)

-tjs
I think that there are appropriate (and possibly over-harsh depending on what combination of laws are applied) laws on the books to cover SYN-storm-type DoS attacks. I pity the first few who get caught...

Avi
On Mon, 7 Oct 1996, Avi Freedman wrote:
I think that there are appropriate (and possibly over-harsh depending
Shouldn't it be dependent on what type of money was lost during an attack? Somewhat comparable to injury compensation? -B
Here's a non-relevant anecdote you reminded me of:

I once worked one summer for a construction company that was extending a mass-transit train line northeast of Washington, D.C. The tracks of an existing rail line parallel to our new line were laid upon about 6' of small rocks. Along those rocks for several yards/meters, a very thick metal-foil shielded cable jutted out from its rocky protection. I asked another crew member, "What's that?"

"Oh, that's Sprint's fiber up the northeast corridor," he replied.

"It shouldn't be lying out there, should it? What if I or someone else took a shovel to it?"

The foreman commented, "We'd be sued for $100,000 for every 10 minutes the line was cut."

Being good at math, I was awestruck, "That's 6 million dollars per hour!"

"Yeah, you'd likely be fired before the rest of us would be laid off," added our foreman.

It gave me new-found respect for loose cables and later for Wiltel's gas pipe right-of-ways.

IMHO, I'd say it's up to an ISP to calculate how much an attack costs them if they catch a hacker and then take them to trial. You don't hear of ISPs taking people to trial, though, just cutting off their access. If hackers know that they'll be sued if they're caught, it might deter them (from being caught at least ;^).

-- Eric Ziegast
Here's a non-relevant anecdote you reminded me of:
Your anecdote reminded me of a story someone told me recently about AT&T. I am not going to type it all out here, but I will summarize.

Company A hires Company B to do some trenching along the highway to install new fiber for Company A. Company B's backhoe operator accidentally cuts a major AT&T backbone causing serious outages. AT&T not only sues the backhoe driver, but Company B and Company A, forcing them both to declare chapter 11.

My point is here, if we start taking hackers to court, what happens in this scenario:

Hacker is from badguy.com telnets to compromised.jumpoff.com then SYN floods att.com?

[Disclaimer: the hosts above were for demonstrative purposes only, the hosts are fictional, bearing no direct correlation to any living or dead]

Who gets sued? Both providers, neither, or just the hacker?

It brings up some interesting questions.

Ben
It sort of depends on whether the providers contracted the hacker to do the work on adjacent property (their computers) and strayed onto AT&T property (AT&T's computers) and did damage as in the backhoe case. If so, you'd have a similar case.

An analogous case would be something like provider.A hires consulting-firm.B and their programmer attacks AT&T's network. Companies need to have written "thou shalt not hack" policies and take reasonable precautions to insure that their employees or contractors are not hacking.

Back to your example. IMO: The providers would be at a liability risk if they did not provide reasonable measures to insure that they did not contribute to the damages done to another party. This is like other liabilities where if someone is injured you are at risk unless you did everything reasonable to prevent putting other people in harm's way.

Given this interpretation, compromised.jumpoff.com would be at risk if they could be shown negligent in the administration of their site. If they left the door wide open to hackers, IMO they'd be at risk. If they were warned due to prior incidents and continued to leave the door wide open, they'd be very seriously at risk.

#include <not-a-lawyer.std-disclaimer>

Curtis
Back to your example. IMO: The providers would be at a liability risk if they did not provide reasonable measures to insure that they did not contribute to the damages done to another party. This is like other liabilities where if someone is injured you are at risk unless you did everything reasonable to prevent putting other people in harm's way.

The only problem I foresee with this is the means for security measures. We are talking about corporate America and not the military. The only way I can see taking appropriate steps is to come up with a book such as the DoD Orange Book (Trusted Systems Security) for commercial hosts. It would be quite a task to come up with such a book that would take into account all the loopholes and liabilities, and even then, who would enforce the regulations?

Given this interpretation, compromised.jumpoff.com would be at risk if they could be shown negligent in the administration of their site.

I agree, but what if compromised.jumpoff.com was simply lacking the manpower or the skills to completely secure their systems to the best of current security knowledge? If they believed that they had a secure site, and no one could prove that they were negligent (besides not hiring the best security consultant available) then who is at fault?

If they left the door wide open to hackers, IMO they'd be at risk.

How does one do this?

%cat /etc/motd
**************
BrokenOS 2.1 Beta
Hello hackers! Welcome to compromised.jumpoff.com, please use us for hacking purposes only!
**************

:)))

If they were warned due to prior incidents and continued to leave the door wide open, they'd be very seriously at risk.

And they would also be very stupid :)

The community needs to come up with a set of security standards for different types of hosts, whether it be a NAP, a NOC or an IAP or ISP. It needs to be comprehensive and contain software and support for early detection and audit, as well as wrapping and hacker deterrent mechanisms.

Ben
Is "Denial Of Service" what "DOS" has stood for all along? Cool. It all makes sense now after all these years...

On Mon, 7 Oct 1996, Avi Freedman wrote:
I think that there are appropriate (and possibly over-harsh depending on what combination of laws are applied) laws on the books to cover SYN-storm-type DoS attacks.
participants (6)
- Avi Freedman
- Curtis Villamizar
- Ed Morin
- Eric Ziegast
- salo@msc.edu
- Tersian