North American Network Operators Group


A modest proposal

  • From: Allan Chong
  • Date: Tue Sep 17 18:35:06 1996

Currently, anyone can program their computer to repeatedly dial a 
given business phone line and fill up a company's inbound phone lines,
making a denial of service attack.  Why isn't the phone system about
to die because of it?

The phone company keeps a record of every incoming and outgoing call
on every line, and performs all sorts of analysis on time of day and
carrier, and who gets paid for it.  I think that 50% of the cost of
providing phone service is the accounting and billing.  However, anytime
one has a problem with obscene callers, war dialers, etc, you call
the police and bingo, the men in blue are knocking on the door of the
perpetrator.  The caller could dial from a payphone, etc, but what 
you've essentially done is make it more dangerous/expensive to conduct
this activity than what it is worth.   People that do this sort of
activity are usually cowards, because they're not bold enough to
park a truck bomb outside the object of their hatred.  Up the ante,
and they're out of the game.

I've been following some of the activity on various IP accounting
schemes and the size of those nifty matrices, but frankly, ISPs need
to spend the money to make this a reality and keep accounting data
for at least several days or a week.  

Now I'm a systems guy rather than a router guy,
so I'm not going to even propose that this take place in the router
or somebody will be lecturing me about silicon switched route
processors or something similar.  I used to do it with IP accounting
on a Cisco and Perl scripts to yank the information off.  This is
still a reasonable approach for small sites.  It seems to me that a 
good workstation setup for accounting on the segments attached to the 
interexchange points could do all of this adequately.  You'd need a 
good freeware software package and preferably a web interface that 
could be accessed by the right people at the right time.  The web
interface would take 10 times as long to write as the collection
software.  Once a few of the large carriers make this a prerequisite for
peering, it would be widespread.

Tracking down hacked machines would be quicker.  Sometimes you might
be able to track back to the source where you could pull the ANI
or caller ID information out of the RADIUS accounting logs and have
someone knocking on their door.  You only have to do this for 1 in 10
attacks before rumors spread around the hacker community and it stops.


allan
[email protected]
And no, I'm not volunteering for anything yet :)
- - - - - - - - - - - - - - - - -
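
The collection approach described in the message above (router IP accounting pulled off by scripts and kept for about a week), as an added example that is not code from the original post. It uses Python in place of the Perl the author mentions, and it assumes each snapshot covers a disjoint interval (counters cleared after every read); the sample text, addresses and the names `AccountingStore`, `parse_snapshot` and `build_store` are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed samples laid out like Cisco "show ip accounting" output.
# Addresses are documentation ranges; counts are invented for the example.
HEADER = "   Source           Destination              Packets               Bytes\n"
SNAP_OLD = HEADER + " 198.51.100.7     192.0.2.10                      100               40000\n"
SNAP_A = HEADER + (
    " 198.51.100.7     192.0.2.10                    48210             1928400\n"
    " 203.0.113.25     192.0.2.10                       12                6144\n"
    " 198.51.100.7     192.0.2.53                        3                 180\n"
    "Accounting data age is 5\n")
SNAP_B = HEADER + (
    " 198.51.100.7     192.0.2.10                    51790             2071600\n"
    " 203.0.113.25     192.0.2.10                        8                4096\n")

ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+)\s+(\d+)\s*$")

def parse_snapshot(text):
    """Yield (src, dst, packets, bytes); header and footer lines do not match."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m[1], m[2], int(m[3]), int(m[4])

class AccountingStore:
    """Keeps timestamped rows for a retention window (a week by default)."""
    def __init__(self, retention=timedelta(days=7)):
        self.retention = retention
        self.rows = []  # (when, src, dst, packets, bytes)

    def ingest(self, when, text):
        self.rows.extend((when, *row) for row in parse_snapshot(text))
        cutoff = when - self.retention
        self.rows = [r for r in self.rows if r[0] >= cutoff]  # expire old data

    def sources_for(self, dst, start, end):
        """Rank the sources that sent traffic to dst between start and end."""
        totals = defaultdict(lambda: [0, 0])
        for when, src, d, pkts, nbytes in self.rows:
            if d == dst and start <= when <= end:
                totals[src][0] += pkts
                totals[src][1] += nbytes
        return sorted(((s, p, b) for s, (p, b) in totals.items()),
                      key=lambda t: t[1], reverse=True)

def build_store():
    """Load the constructed snapshots; the week-old one falls out of retention."""
    store = AccountingStore()
    store.ingest(datetime(1996, 9, 10, 12, 0), SNAP_OLD)
    store.ingest(datetime(1996, 9, 17, 18, 0), SNAP_A)
    store.ingest(datetime(1996, 9, 17, 18, 5), SNAP_B)
    return store
```

Calling `sources_for` with the address under attack and the time window of the incident returns the contributing sources ranked by packet count, which is the starting point for tracing back toward the originating network.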