Copyright (c), 1996, Management Analytics - All Rights Reserved

Next Part

After last month's article on zero-tolerance for attacks, our site was attacked because we take this position. This month's article is the story of the attacks and the story behind the story.

To begin at the beginning, we normally encounter about one unauthorized attempted telnet into our site per day. We block it before it gets to the login prompt and send email to the administrator (postmaster) at the site from which the attempted telnet took place. Here's the mail we send:

Some people have commented that this message is accusatory and that it indicates that an attack has taken place when one has not. When I talked to other security administrators from big companies, they told me that people see what they want to see. Some people will call any message abusive. Of the people who called this abusive, at least one of them was also performing port scans of our site (commonly used as a prelude to break-ins) and another was using forged email to convey the message.

After we tracked down one person who attempted some telnets, we got the following response in email:

Subject: Who the Hell are You?

Status: RO

I don't care if you coined "computer virus".  I can telnet into whatever
I want.  Don't be writing me back here again.  I WILL get into your
system.  Feel free to write me back for any other complaints you have to
give to me.  Bee-ach!!!!!

The systems administrator at that site took this seriously and the individual apologized, but within a day of that incident, we started to see an increase in telnets into our site - ten the next day, twenty the next, then between midnight and 6AM on the next day, we got over 800 attempted telnets from sites from all over the world.

Next Part