Copyright (c), 1996, Management Analytics - All Rights Reserved
Example Audit Trails
I encountered a wide range of responses from systems administrators,
and I thought I would share the range with you:
- How can we help? - This was the dominant response by far,
and these administrators were the ones who ended up tracking down
attackers in their sites and helping to track down the high volume
- Why don't you attack back? - Because it's against the law
and because two wrongs don't make a right. There is a certain level of
frustration involved in not being able to fight back and not being able
to take legal recourse, but if you can't take frustration, you should
probably not be a systems administrator or an information security
- Why do you bother me with this? Don't send me any more mail
about this. (primarily from The Netherlands) - I gave two choices.
Either I could terminate all access from that site, or continue to send
the messages. The unanimous response was to continue to get the emails.
- Why don't you give in to their demands and shut down your
response to attacks? - If someone breaks a window and you don't try
to chase them and fix the window, you'll end up with a lot of broken
windows and more crime. If we chase them down, we get less crime.
At least that's the theory.
- Why not ignore individual attempts and only respond to more
persistent attempts? - Because then, attacks such as those in this
incident would go completely undetected as a set of independent events.
It's only by tracking each attempt that coordinated attacks such as
these are detected and stopped.
- You're not going after real attackers here, only casual
perusers. - I don't know what you call casual, but I consider 2,000
attempted entries involving misuse at several hundred sites, IP
forgeries, break-ins at several sites, and misleading advertisements
to be a pretty serious attack.
- Why should I waste my time helping you? - If you act that
way, don't count on anyone coming to help you when you're under a