North American Network Operators Group



  • From: Rodney L Caston
  • Date: Mon May 01 11:58:31 2000

On Mon, 1 May 2000, John Kristoff wrote:

> "Henry R. Linneweh" wrote:
> > My fundamental question here is where is the directory where
> > all these new DDoS toyz and other forms of destruction
> > located at?
> Potentially millions of hosts.
> > How are they getting to these programs?
> > A solution is system wide scans for code segments in
> > programs that spawn attacks and remove them and the
> > users who have them without a valid reason.
> > 
> > Search records for ssh, stelnet, telnet connections to
> > boxes other than the primary account.

The idea of scanning every single node on your network is also, well --
absurd. Perhaps someday in the far future when we all have rocket-cars or,
more unbelievably, we have ipv6 - then we'll be able to do it. It's not
like most corps don't try, but let's look at our options here: Tivoli (ick),
CA/Unicenter (more ick), even my beloved NetCool/OMNIbus isn't set up to
handle such a task (wait, give me a few days). We're talking about
programs that can transmit with different protocols, be compiled
differently to hide their identity, among other things. Not only the
program itself must be considered, but remember these are most likely
compromised hosts you're talking about: a simple change of the ps with the
cracker's own and poof, that pesky client isn't going to appear
anymore, this change being the lamest and weakest of their options -
though the most common. I keep hearing the argument on here about it
being a 'host' problem; let's put this in perspective, it's an 'admin'
problem. The boxes compromised in most cases are systems that aren't
updated and patched as needed, or are monitored by admins who either can't
perform the most simple maintenance, or just don't care. This isn't 'news'
to anyone here. However it seems like the only answer is... blackhole any
network that attacks you! Make the networks pay for not admin'ing
themselves properly; blackhole every university too, for good measure.
Wait.. wait.. that won't work.. Perhaps I should re-think this...

Rodney Caston
SBC Internet Services
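The post's point about a replaced ps hiding the agent is the reason host scans cannot rely on the compromised host's own userland tools. The script below is an added example, not code from the post or from NANOG: it cross-checks the kernel's /proc listing against what ps reports, so a ps binary that filters its own output shows up as a discrepancy. It assumes Linux /proc semantics and `ps -e -o pid=` (procps/POSIX syntax); the sample /proc names and ps output at the bottom are constructed for illustration.

```python
"""Cross-check process visibility: /proc versus ps.

A trojaned ps can filter its own output, but the kernel's /proc still
exposes every PID as a directory. Comparing the two is a cheap, host-local
sanity check (the same idea chkrootkit-style tools use). Assumes Linux.
"""
import os
import re
import subprocess

# /proc directory names that are all digits are process directories.
PID_RE = re.compile(r"\d+")


def pids_from_proc(entries):
    """Return the set of PIDs from a list of /proc directory names
    (the result of os.listdir('/proc')); non-numeric entries such as
    'self', 'cpuinfo' or 'net' are skipped."""
    return {int(name) for name in entries if PID_RE.fullmatch(name)}


def pids_from_ps(ps_text):
    """Parse the output of `ps -e -o pid=` (one bare PID per line).

    Anything that is not a plain integer is ignored rather than trusted,
    since this text comes from a binary we are deliberately not trusting.
    """
    pids = set()
    for line in ps_text.splitlines():
        token = line.strip()
        if PID_RE.fullmatch(token):
            pids.add(int(token))
    return pids


def hidden_pids(proc_pids, ps_pids, self_pids=()):
    """PIDs present in /proc but absent from ps output, sorted.

    `self_pids` lets the caller drop PIDs that legitimately differ
    between the two snapshots (our own process, the transient ps child).
    """
    return sorted(proc_pids - ps_pids - set(self_pids))


def live_check():
    """Run the comparison on the local host (Linux only).

    Processes that exit between the listdir() and the ps run show up as
    false positives, so confirm any hit with a second pass before acting.
    """
    proc_pids = pids_from_proc(os.listdir("/proc"))
    result = subprocess.run(
        ["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True
    )
    ps_pids = pids_from_ps(result.stdout)
    return hidden_pids(proc_pids, ps_pids, self_pids=[os.getpid()])


# Constructed sample: /proc lists PID 4242, which the (hypothetically
# trojaned) ps output omits.
SAMPLE_PROC = ["1", "2", "self", "cpuinfo", "4242", "873", "net"]
SAMPLE_PS = "    1\n    2\n  873\n"

if __name__ == "__main__":
    sample = hidden_pids(pids_from_proc(SAMPLE_PROC), pids_from_ps(SAMPLE_PS))
    print("sample hidden PIDs:", sample)  # [4242]
    try:
        print("live hidden PIDs:", live_check())
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("live check unavailable on this host:", exc)
```

Two caveats for anyone running this for real: the two snapshots are taken at slightly different moments, so a short-lived process can appear in one and not the other, and the check only catches userland tampering; a kernel-level rootkit that filters /proc itself defeats it, which is why the post's real answer (patch and monitor the box before it is compromised) still stands.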