North American Network Operators Group

Re: CCO/cisco.com issues.

  • From: Suresh Ramasubramanian
  • Date: Tue Oct 07 09:07:42 2003

Stephen J. Wilcox [10/7/2003 6:06 PM] :
> You are making assumptions.. Cisco haven't said if the source was spoofed or not, as a recent NANOG thread indicated a lot of attacks do not use spoofed addresses any more simply because the controllers have access to enough legitimate Windows boxes to not care about discovery of source.

I did say "for starters". I put it to you that there is still a non-trivial amount of attacking going on that does use spoofed traffic.

Yes, there are lots of IRC-controlled zombies, and yes, there are pissed off teenage skript kiddies who shut down the Port of Houston's servers trying to bomb someone they had a pissing match with on IRC (don't have more details than what I read on Dave Farber's IP list today).

> I am increasingly sharing the opinion that many of these high profile attacks are carried out by a small group.. spammers or whoever they are, the only way to tackle them is directly by hunting them down and prosecuting them. Assuming that there is a cash motivation somewhere (e.g. spam) this also means that there is a very high probability the attackers reside in a country where prosecution would be possible, e.g. US/Europe

Easier said than done. First, prove that the guy did it (or hired a kiddie in China or Eastern Europe or wherever to do it). Next, prove to the Feds that damage > [what, USD 25K?] was caused. And that is for starters.

srs

--
Suresh Ramasubramanian <[email protected]> gpg# EDEDEFB9
Security and Antispam Operations Manager, Outblaze Limited