North American Network Operators Group

Re: A modest proposal
Robert E. Seastrom wrote:
>
> From: Allan Chong <[email protected]>
>
> Tracking down hacked machines would be quicker. Sometimes you might
> be able to track back to the source where you could pull the ANI
> or callerid information out of the radius accounting logs and have
> someone knocking on their door. You only have to do this for 1 in 10
> attacks before rumors spread around the hacker community and it stops.
>
> This discussion of securing dialup servers is pointless. I guarantee
> you that the 2000 packet/second SYN attacks we've been seeing are
> coming from a compromised host on a high speed connection and not from
> someone's 28.8k dialup connection. The hackers just take over a
> machine, use it to launch their attacks, and disappear into the jungle
> if we manage to find the particular machine they're using tonight.
>

Yes, I realize no one is launching directly from dialup, but often, the user is someone who originally dialed up and telneted to some box (or through multiple boxes). Tracking the attack back to the compromised machine quickly is worth it in my opinion. Pervasive accounting would at least allow one to systematically track back step by step to the origination.

Even then it might be a university cluster (MIT used to give out the root passwords to workstations since everything was kerberized), but the cognoscenti at the university can often take care of the problem given the motivation. Right now the problem seems to be that the attack is totally anonymous and the methodology for tracking back to the source is involved.

Hmmmm. If I were a hacker, I would be doing my best to make sure that my route to the victim was taking a path through as many foreign speaking networks as possible. You'd have to speak Swahili and Cantonese :)

allan