Comments

Copyright (c), 1996, Management Analytics - All Rights Reserved

Example Audit Trails

Conclusion

I encountered a wide range of responses from systems administrators, and I thought I would share the range with you:

How can we help? - This was the dominant response by far, and these administrators were the ones that ended up tracking down attackers in their sites and helping to track down the high volume intruders.
Why don't you attack back? - Because it's against the law and because two wrongs don't make a right. There is a certain level of frustration involved in not being able to fight back and not being able to take legal recourse, but if you can't take frustration, you should probably not be a systems administrator or an information security professional.
Why do you bother me with this? Don't send me any more mail about this. (primarily from The Netherlands) - I gave two choices. Either I could terminate all access from that site, or continue to send the messages. The unanimous response was to continue to get the emails.
Why don't you give in to their demands and shut down your response to attacks? - If someone breaks a window and you don't try to chase them and fix the window, you'll end up with a lot of broken windows and more crime. If we chase them down, we get less crime. At least that's the theory.
Why not ignore individual attempts and only respond to more persistent attempts? - Because then, attacks such as those in this incident would go completely undetected as a set of independent events. It's only by tracking each attempt that coordinated attacks such as these are detected and stopped.
You're not going after real attackers here, only casual perusers. - I don't know what you call casual, but I consider 2,000 attempted entries involving misuse at several hundred sites, IP forgeries, breakins at several sites, and misleading advertisements to be a pretty serious attack.
Why should I waste my time helping you? - If you act that way, don't count on anyone coming to help you when you're under a similar attack.

Press here for more examples of intentional attacks and an example of an administrator who intentionally telnetted into our site just so he could complain.

Conclusion