Security Incidents mailing list archives

Re: find_ddos results


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Tue, 21 Nov 2000 10:18:38 -0800

On Sat, 18 Nov 2000, J C Lawrence wrote:

> etc).  Tracking such attempts down was obscenely difficult as you
> instantly ran into a maze of compromised boxes, none of which kept
> even reasonable system logs (as if you could trust them).
>
> Heck, attacks bounced thru open SOCKS proxies are already difficult
> enough to track down.

I'm not so concerned about actually tracking down the attackers in every
case.  Many times, it's appropriate to just redo your box and move on,
especially if you got hit with just the Same Old Thing.  (After you're
satisfied that it's all known stuff of course.)

The majority of my surprise had to do with the fact that the campus
security guy didn't want to play a role in getting a DDoS agent off his
net.  I've been told that UNM has a reputation for lax security, and no
follow-up.  This thread would seem to confirm that.  Such a reputation can
only be self-fulfilling I think, unless a lot of effort is put into
making it otherwise.

Were it I in that situation (not enough manpower) then I think I'd teach
an infosec course, and draft the students.

                                        Ryan
