[4512] in North American Network Operators' Group
Re: A modest proposal
daemon@ATHENA.MIT.EDU (Robert E. Seastrom)
Tue Sep 17 18:56:35 1996
Date: Tue, 17 Sep 1996 18:51:48 -0400 (EDT)
From: "Robert E. Seastrom" <rs@bifrost.seastrom.com>
To: allan@bellsouth.net
CC: nanog@merit.edu
In-reply-to: <323F25A2.5D7D@bellsouth.net> (message from Allan Chong on Tue,
17 Sep 1996 18:26:42 -0400)

> From: Allan Chong <allan@bellsouth.net>
>
> Tracking down hacked machines would be quicker. Sometimes you might
> be able to track back to the source where you could pull the ANI
> or callerid information out of the radius accounting logs and have
> someone knocking on their door. You only have to do this for 1 in 10
> attacks before rumors spread around the hacker community and it stops.

This discussion of securing dialup servers is pointless. I guarantee
you that the 2000 packet/second SYN attacks we've been seeing are
coming from a compromised host on a high speed connection and not from
someone's 28.8k dialup connection. The hackers just take over a
machine, use it to launch their attacks, and disappear into the jungle
if we manage to find the particular machine they're using tonight.
Harden your servers, filter on all non-transit ports on your routers,
but let's let the how-to-do-filtering-on-terminal-servers discussion
die, OK?
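
The RADIUS accounting lookup that the quoted message describes, as an added example that is not part of either poster's message: a dial-up address is reassigned between callers, so the record that matters is whichever session held the address at the time the traffic was seen. The sample records, user names, addresses and phone numbers are constructed; the attribute names are the standard RADIUS accounting ones, and a single NAS is assumed.

```python
import re
from datetime import datetime
TS_FMT = "%a %b %d %H:%M:%S %Y"
# Constructed sample (not real logs): one address handed to two callers.
SAMPLE = """\
Tue Sep 17 18:02:11 1996
    Acct-Status-Type = Start
    Acct-Session-Id = "A1"
    User-Name = "alice"
    Framed-IP-Address = 198.51.100.23
    Calling-Station-Id = "5555550100"

Tue Sep 17 18:40:00 1996
    Acct-Status-Type = Stop
    Acct-Session-Id = "A1"

Tue Sep 17 18:45:30 1996
    Acct-Status-Type = Start
    Acct-Session-Id = "A2"
    User-Name = "bob"
    Framed-IP-Address = 198.51.100.23
    Calling-Station-Id = "5555550111"
"""

def parse_detail(text):
    """Yield one dict per record: a timestamp line, then 'Attr = value' lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        head, *attrs = [ln.strip() for ln in block.splitlines()]
        rec = {"time": datetime.strptime(head, TS_FMT)}
        for ln in attrs:
            key, _, val = ln.partition(" = ")
            rec[key] = val.strip('"')
        yield rec

def build_sessions(records):
    """Pair Start/Stop by Acct-Session-Id (assumes one NAS, so ids are unique)."""
    sessions = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        sid = rec["Acct-Session-Id"]
        if rec["Acct-Status-Type"] == "Start":
            sessions[sid] = dict(rec, start=rec["time"], stop=None)
        elif sid in sessions:  # Stop closes a session we saw start
            sessions[sid]["stop"] = rec["time"]
    return list(sessions.values())

def who_held(sessions, ip, when):
    """Sessions that owned `ip` at `when`; a missing Stop means still connected."""
    return [s for s in sessions if s["Framed-IP-Address"] == ip
            and s["start"] <= when and (s["stop"] is None or when <= s["stop"])]
```

The lookup is only as good as the clock agreement between the accounting server and whatever recorded the traffic, so compare timestamps with that skew in mind.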