From owner-freebsd-isp Sun Jun 2 17:46:22 1996
Return-Path: owner-isp
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA22848 for isp-outgoing; Sun, 2 Jun 1996 17:46:22 -0700 (PDT)
Received: from okjunc.junction.net (root@okjunc.junction.net [199.166.227.1]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id RAA22843 for ; Sun, 2 Jun 1996 17:46:20 -0700 (PDT)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by okjunc.junction.net (8.6.11/8.6.11) with SMTP id RAA06811; Sun, 2 Jun 1996 17:01:39 -0700
Date: Sun, 2 Jun 1996 17:44:54 -0700 (PDT)
From: Michael Dillon
To: inet-access@earth.com
cc: IAP@vma.cc.nd.edu, linuxisp@lightning.com, freebsd-isp@freebsd.org, os2-isp@dental.stat.com
Subject: Is your security up to snuff? Here's what other people think...
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

---------- Forwarded message ----------
Date: Sat, 1 Jun 1996 12:45:01 -0400
From: C Matthew Curtin
To: Firewalls@GreatCircle.COM
Subject: Re: Countermeasures ?

>>>>> "Bernd" == eckes writes:

Bernd> Automated responses are
Bernd> simply too easy to be used for deny of service. And X-Bombs are
Bernd> very unsocial on the already overloaded Internet.

Agreed.

At a previous place of employment, our highly visible web server underwent a denial of service attack. We traced it back to a dialup account from a small ISP in another state. It was kind of interesting, because they were pretty uncooperative until we started getting threatening, which is exactly what we were trying to avoid:

* we had our SA call the ISP's technical contact, but she didn't get to talk to him directly: a message was taken by the receptionist.

* after about 15 minutes of nonresponse, our webmaster called and explained AGAIN that this is so-and-so from a big company's R&D org, and one of your users is attacking one of our machines. Not terribly useful, because it was left in another message to the contact, who was in the privy :)

* the webmaster called 10 minutes later and finally talked directly with the contact, who explained that he wouldn't be able to get around to dealing with it anytime soon, because he was real busy. It was on the speaker, so the four of us in the room just kinda looked at each other and grinned while the webmaster roasted his butt.

* the attack stopped about two minutes after he got off the horn, so the webmaster called back to thank the guy for dealing with it so quickly.

Turns out that the attack was coming from a rogue account, and that they suspect it was an ex-employee who was an admin there. They've had their stuff broken into several times, but didn't even do as much as advise their customers to change their passwords. Very strange. We gave him some advice (after prefacing it by saying 'we really can't tell you what to do, but...') and I can only hope that he took it.

The story is more than mildly amusing: it helps to underscore a very serious problem with mismanaged (or undermanaged ... or perhaps we should say [mis|under]-administered :) sites, such as ISPs who really ought not be ISPs. I suppose this is another Bad Thing(tm) that has come about because of the explosive growth and popularity of the 'net. It was nice to be able to (until about '93 or early '94) quickly talk to someone clued whenever there was a problem like that and have it immediately dealt with.

But I've digressed beyond the scope of firewalls...

C Matthew Curtin
Chief Hacker
Fahlgren, Inc.
655 Metro Pl S, Ste 700, Box 7159
Dublin OH 43017-7159
http://users1.ee.net/cmcurtin/
cmcurtin@fahlgren.com
PGP Mail Preferred