nanog mailing list archives

Re: A modest proposal


From: Allan Chong <allan () bellsouth net>
Date: Tue, 17 Sep 1996 19:19:13 -0400

Robert E. Seastrom wrote:

   From: Allan Chong <allan () bellsouth net>

   Tracking down hacked machines would be quicker.  Sometimes you might
   be able to track back to the source where you could pull the ANI
   or caller ID information out of the RADIUS accounting logs and have
   someone knocking on their door.  You only have to do this for 1 in 10
   attacks before rumors spread around the hacker community and it stops.

This discussion of securing dialup servers is pointless.  I guarantee
you that the 2000 packet/second SYN attacks we've been seeing are
coming from a compromised host on a high speed connection and not from
someone's 28.8k dialup connection.  The hackers just take over a
machine, use it to launch their attacks, and disappear into the jungle
if we manage to find the particular machine they're using tonight.


Yes, I realize no one is launching directly from dialup, but often
the user is someone who originally dialed up and telnetted to some box
(or through multiple boxes).
Tracking the attack back to the compromised machine quickly is worth it
in my opinion.  Pervasive accounting would at least allow one to
systematically track back step by step to the origination.  Even then
it might be a university cluster (MIT used to give out the root
passwords to workstations since everything was kerberized), but
the cognoscenti at the university can often take care of the problem
given the motivation.  Right now the problem seems to be that the
attack is totally anonymous and the methodology for tracking back to
the source is involved.

Hmmmm.  If I were a hacker, I would be doing my best to make sure that
my route to the victim was taking a path through as many foreign
speaking networks as possible.  You'd have to speak Swahili and 
Cantonese :)


allan
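
Added example, not part of the original message: one way to do the accounting lookup described above, mapping a dialup-pool IP address and a time to the session and caller ID that held it, including the case where the same address is reassigned to a different caller. It assumes accounting records stored as "attribute = value" text with a Timestamp field; the sample records, user names and phone numbers are constructed.

```python
import re

# Constructed records, "attribute = value" detail style (Stop trimmed to fields used).
SAMPLE = """
User-Name = "alice"
Acct-Status-Type = Start
Acct-Session-Id = "A1"
Framed-IP-Address = 198.51.100.7
Calling-Station-Id = "5550100"
Timestamp = 842990000

Acct-Status-Type = Stop
Acct-Session-Id = "A1"
Timestamp = 842993600

User-Name = "bob"
Acct-Status-Type = Start
Acct-Session-Id = "B7"
Framed-IP-Address = 198.51.100.7
Calling-Station-Id = "5550123"
Timestamp = 842994000
"""

def parse_records(text):
    """Split on blank lines; each record becomes a dict of attribute -> value."""
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = re.findall(r'^\s*([\w-]+)\s*=\s*"?([^"\n]*)"?\s*$', block, re.M)
        if pairs:
            yield dict(pairs)

def sessions(text):
    """Pair Start/Stop by Acct-Session-Id; a missing Stop means still online."""
    out = {}
    for r in parse_records(text):
        s = out.setdefault(r["Acct-Session-Id"], {"stop": None})
        ts = int(r["Timestamp"])
        if r["Acct-Status-Type"] == "Start":
            s.update(user=r["User-Name"], ip=r["Framed-IP-Address"],
                     caller=r.get("Calling-Station-Id"), start=ts)
        elif r["Acct-Status-Type"] == "Stop":
            s["stop"] = ts
    return [s for s in out.values() if "start" in s]

def who_held(text, ip, when):
    """Return the sessions that owned `ip` at epoch time `when`."""
    return [s for s in sessions(text) if s["ip"] == ip
            and s["start"] <= when and (s["stop"] is None or when <= s["stop"])]
```

The lookup only works if the attack timestamp and the accounting server's clock agree, so the time source matters as much as the log itself.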