Date: Sun, 2 Jun 1996 17:44:54 -0700 (PDT)
From: Michael Dillon <michael@memra.com>
To: inet-access@earth.com
Cc: IAP@vma.cc.nd.edu, linuxisp@lightning.com, freebsd-isp@freebsd.org, os2-isp@dental.stat.com
Subject: Is your security up to snuff? Here's what other people think...
Message-ID: <Pine.BSI.3.93.960602174311.2932F-100000@sidhe.memra.com>
---------- Forwarded message ----------
Date: Sat, 1 Jun 1996 12:45:01 -0400
From: C Matthew Curtin <cmcurtin@fahlgren.com>
To: Firewalls@GreatCircle.COM
Subject: Re: Countermeasures ?
>>>>> "Bernd" == eckes <ecki@lina.inka.de> writes:
Bernd> Automated responses are
Bernd> simply too easy to be used for deny of service. And X-Bombs are
Bernd> very unsocial on the already overloaded Internet.
Agreed. At a previous place of employment, our highly visible web
server underwent a denial of service attack. We traced it back to a
dialup account from a small ISP in another state.
It was kind of interesting, because they were pretty uncooperative
until we started getting threatening, which is exactly what we were
trying to avoid:
* we had our SA call the ISP's technical contact, but she didn't
get to talk to him directly: a message was taken by the
receptionist.
* after about 15 minutes of nonresponse, our webmaster called and
explained AGAIN that this is so-and-so from a big company's R&D org,
and one of your users is attacking one of our machines. Not terribly
useful, because it was left in another message to the contact,
who was in the privy :)
* the webmaster called 10 minutes later and finally talked
directly with the contact, who explained that he wouldn't be able to
get around to dealing with it anytime soon, because he was real
busy. It was on the speaker, so the four of us in the room just kinda
looked at each other and grinned while the webmaster roasted his butt.
* the attack stopped about two minutes after he got off the horn,
so the webmaster called back to thank the guy for dealing with it so
quickly. Turns out that the attack was coming from a rogue account,
and that they suspect it was an ex-employee who was an admin
there. They've had their stuff broken into several times, but didn't
even do as much as advise their customers to change their
passwords. Very strange. We gave him some advice (after prefacing it
by saying 'we really can't tell you what to do, but...') and I can
only hope that he took it.
The story is more than mildly amusing: it helps to underscore a very
serious problem with mismanaged (or undermanaged ... or perhaps we
should say [mis|under]-administered :) sites, such as ISPs who really
ought not be ISPs. I suppose this is another Bad Thing(tm) that has
come about because of the explosive growth and popularity of the
'net. It was nice to be able to (until about '93 or early '94)
quickly talk to someone clued whenever there was a problem like
that and have it immediately dealt with.
But I've digressed beyond the scope of firewalls...
C Matthew Curtin Chief Hacker
Fahlgren, Inc. 655 Metro Pl S, Ste 700, Box 7159 Dublin OH 43017-7159
http://users1.ee.net/cmcurtin/ cmcurtin@fahlgren.com PGP Mail Preferred
