[31856] in North American Network Operators' Group


Re: What TO DO and what NOT TO DO [Re: DOS Attacks - Almost CaughtOne!]

daemon@ATHENA.MIT.EDU (Marshall Eubanks)
Tue Oct 24 08:52:16 2000

Message-ID: <39F58732.EDCAADE3@21rst-century.com>
Date: Tue, 24 Oct 2000 08:57:22 -0400
From: Marshall Eubanks <tme@21rst-century.com>
Reply-To: tme@21rst-century.com
MIME-Version: 1.0
To: Quark Physics <meuon@highertech.net>
Cc: Alexei Roudnev <alex@relcom.net>, nanog@nanog.org
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


Quark Physics wrote:
> 
> > Btw - I am thinking it will end in some kind of _anti-hacker_ ISP association which vows to prosecute any attempt to hack, even
> > if it is harmless itself. Just again, it's the only way. Do you remember why in ancient cultures any attempt to break the rules
> > was prosecuted - not because it was very important, but to stop others from going this way.
> >
> > Technically, it's no big deal to find the hacker - but it's a lot of work.
> 
> The hard part is not the technology, it's the customer(s).
> They want their box back operational ASAP, yet complain
> when you tell them they must use SSH (putty.exe rocks!)
> and such. I have gotten less than no help when I find
> the person's box they hacked to get to the box I found.
> 
> The key to an anti-hacker ISP association would be
> a very special ip address / contact person lookup database.
> ie: who/how to contact for the 'SWAT' response for a particular IP
> address.
> 
> --Mike--

Hello;

When we have had attacks such as root exploits, we have notified the
source (at least, the ISP hosting the immediate source) as to the date,
time, IP address, etc. (In one case, the attack appeared to come from a
dial-up address in Germany, so I thought we had them.) We have NEVER
received a response. From conversations at meetings, etc., I understand
that this is typical - almost universal - and that it would be naive to
expect other ISPs to actually do anything about being a source for attacks.

Maybe a start would be a BCP for some level of minimal response if you
source an attack, and a "web site of shame" listing those domains that
source attacks and do nothing about it when notified.


                                   Regards
                                   Marshall Eubanks


   Multicast Technologies, Inc.
   10301 Democracy Lane, Suite 201
   Fairfax, Virginia 22030
   Phone : 703-293-9624          Fax     : 703-293-9609     
   e-mail : tme@on-the-i.com     http://www.on-the-i.com

