[28475] in North American Network Operators' Group


Re: ABOVE.NET SECURITY TRUTHS?

daemon@ATHENA.MIT.EDU (John Kristoff)
Mon May 1 11:29:44 2000

Message-ID: <390DA260.63557B46@depaul.edu>
Date: Mon, 01 May 2000 10:27:28 -0500
From: John Kristoff <jtk@depaul.edu>
Reply-To: jtk@aharp.is-net.depaul.edu
MIME-Version: 1.0
To: nanog@merit.edu
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


"Henry R. Linneweh" wrote:
> My fundamental question here is where is the directory where
> all these new DDoS toyz and other forms of destruction
> located at?

Potentially millions of hosts.

> How are they getting to these programs?
> A solution is system wide scans for code segments in
> programs that spawn attacks and remove them and the
> users who have them without a valid reason.
> 
> Search records for ssh, stelnet, telnet connections to
> boxes other than the primary account.

Since the tools can exist on any individual host on the network, every
single owner/user/admin of an IP address would need to scan their
machine.  While I agree it's a host problem, it's extremely difficult to
fix with host solutions alone.  Even if you did, you still won't be able
to stop the creation and dissemination of tools amongst the bad guys.

> Tighten up on hosted domains TOS and force Domain registrars
> to cancel domains involved in criminal activity.

I agree, some form of shunning could help cause people to batten down
the hatches.  This assumes you know where the problem is originating
from.

John
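The quoted suggestion to search login records for ssh/telnet connections to boxes other than the user's usual ones can be approximated with a small per-user baseline check. The example below is added here and is not code from either poster or from NANOG; the syslog lines, user names, addresses and the BASELINE table are all constructed, and the sshd and login message formats are assumed to match the classic "Accepted ... for USER from IP" and "LOGIN ON tty BY USER FROM host" shapes.

```python
"""Flag successful ssh/telnet logins whose source host is outside the
account's known-good set. Added example; all data below is constructed."""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Assumed syslog shapes for sshd and the classic login(1) program.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)
TELNET_RE = re.compile(
    r"login\[\d+\]: LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<src>\S+)"
)

# Constructed sample log: four normal logins, two from unusual hosts,
# and one failed attempt that must not count as a connection.
SAMPLE_LOG = """\
May  1 09:12:01 host1 sshd[1201]: Accepted password for alice from 10.0.0.5 port 40122 ssh2
May  1 09:13:44 host1 sshd[1202]: Accepted publickey for bob from 10.0.0.9 port 40130 ssh2
May  1 09:20:17 host1 sshd[1203]: Accepted password for alice from 192.0.2.77 port 51000 ssh2
May  1 09:21:03 host1 login[1310]: LOGIN ON pts/3 BY carol FROM 10.0.0.12
May  1 09:25:55 host1 login[1311]: LOGIN ON pts/4 BY bob FROM 198.51.100.3
May  1 09:30:00 host1 sshd[1204]: Failed password for alice from 192.0.2.77 port 51001 ssh2
"""

# Hypothetical per-account baseline: the hosts each user normally logs in from.
BASELINE: Dict[str, Set[str]] = {
    "alice": {"10.0.0.5"},
    "bob": {"10.0.0.9"},
    "carol": {"10.0.0.12"},
}


def parse_logins(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (service, user, source) for each successful ssh or telnet login."""
    found: List[Tuple[str, str, str]] = []
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            found.append(("ssh", m.group("user"), m.group("src")))
            continue
        m = TELNET_RE.search(line)
        if m:
            found.append(("telnet", m.group("user"), m.group("src")))
    return found


def find_anomalies(lines: Iterable[str],
                   baseline: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Logins whose source is not in the user's baseline, or whose user has none."""
    anomalies = []
    for service, user, src in parse_logins(lines):
        known = baseline.get(user)
        if known is None or src not in known:
            anomalies.append((service, user, src))
    return anomalies


if __name__ == "__main__":
    for svc, user, src in find_anomalies(SAMPLE_LOG.splitlines(), BASELINE):
        print(f"{svc}: {user} from {src} is outside the baseline")
```

The baseline is the weak point in practice: it has to be built from a period you trust, and a host already carrying the tools may have been compromised before that period, which is the same "you have to know where the problem originates" caveat the reply makes.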

