What Can We Do About It?


Copyright (c), 1996, Management Analytics - All Rights Reserved

Following the CERT and Government and University Sites: Our site was following the CERT guidelines for protecting Internet sites. Other US sites, including at least one major university and a large government department, follow the same procedures. Some people claim that we created the incident by responding to attempted break-ins, but our perspective is that the people who break in create the incidents, and when they get upset at our defenses, that means we're doing our job.

Law Enforcement and Legal Implications: In case you didn't already know it, at least in the US, you're on your own. Unless you can show a financial loss (not including employee costs) of at least $40,000 at any one site (no adding up the costs of different sites), US law enforcement is not interested. In my case, you could blow up all of our Internet-connected equipment and the loss wouldn't total half of the amount necessary to get the FBI involved.

Administrative Action: If you are lucky enough to encounter an administrator at the other end who cares, your best bet is that they will act to mitigate the problem. We encountered many administrators who were quite helpful, and many of them found that break-ins at their own sites had been used to perpetrate the attack against us.

Back off: A commonly suggested alternative is simply to back off from the idea of community response: defend yourself as well as you can and neither ask for nor give any assistance. This, in my opinion, is a recipe for disaster, but it is the most common response to attacks, and if that's the policy in your organization, look forward to a lifetime of employment as an information security specialist dealing with Internet attacks.

Turn Force on Itself: The best solution we've been able to come up with so far was to turn attack into advertisement. When there are a large number of Web-based attempted entries to our site (which we can detect by the protocol used in the connection: a browser pointed at a non-Web port still sends an HTTP request), we switch over to a pre-login message that browsers interpret as a redirect into our Web pages. As the attackers notice this, they remove their pointers, and as the number of attempts goes down, we return to emailing administrators. Then they increase their attacks and we switch back to get more free advertising. The net effect is that the attack is turned into advertising. We now have a program that automates much of this process, so that high-volume attempts on any port are automatically turned into advertising via our secure Web server.
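The mechanism described above, as an added example that is not the article's own program: a responder that classifies a connection's first line by protocol, counts browser probes in a sliding window, and once the volume crosses a threshold answers browsers with an HTTP redirect to the site's own Web pages instead of the normal login banner, dropping back to notify mode when the rate falls. The port, host name, thresholds, redirect format (an HTTP 302) and sample requests are all assumptions made for this illustration.

```python
"""Added example (not the article's code): turn high-volume browser probes on a
non-Web port into a redirect to the site's own Web pages.

Assumptions: browsers reveal themselves by sending an HTTP request line; the
site's pages live at ADVERT_URL; the thresholds below are illustrative.
"""
import re
from collections import deque

# A Web browser pointed at, say, the telnet port still opens with an HTTP
# request line such as "GET / HTTP/1.0".  That is the protocol signature we
# key on (assumed request-line grammar, methods limited for illustration).
HTTP_REQUEST = re.compile(r"^(GET|HEAD|POST)\s+\S+\s+HTTP/1\.[01]\s*$")

ADVERT_URL = "https://www.example.test/"        # assumed: the site's Web server
NORMAL_BANNER = b"Authorized users only.\r\nlogin: "  # constructed pre-login text


def is_browser_probe(first_line: bytes) -> bool:
    """True when the first bytes of a connection look like an HTTP request."""
    try:
        text = first_line.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return False          # e.g. telnet option negotiation, binary junk
    return HTTP_REQUEST.match(text) is not None


class AttackMonitor:
    """Counts browser probes in a sliding time window and toggles between
    'notify' (email the administrator, show the normal banner) and
    'advertise' (redirect browsers into our Web pages).  Separate high and
    low thresholds give hysteresis so the mode does not flap when the
    attempt rate hovers around a single cut-off."""

    def __init__(self, window: float, high: int, low: int):
        self.window = window      # seconds of history to keep
        self.high = high          # probes per window that turn advertising on
        self.low = low            # probes per window that turn it back off
        self.times: deque = deque()
        self.advertising = False
        self.notified = []        # sources we would email an admin about

    def _prune(self, now: float) -> None:
        while self.times and now - self.times[0] >= self.window:
            self.times.popleft()

    def rate(self, now: float) -> int:
        self._prune(now)
        return len(self.times)

    def record(self, now: float, source: str = "unknown") -> str:
        """Log one browser probe and return the mode to answer it in."""
        self.times.append(now)
        n = self.rate(now)
        if not self.advertising and n >= self.high:
            self.advertising = True
        elif self.advertising and n <= self.low:
            self.advertising = False
        if not self.advertising:
            self.notified.append((now, source))   # stand-in for emailing
        return "advertise" if self.advertising else "notify"


def redirect_response(url: str) -> bytes:
    """HTTP/1.0 redirect a browser will follow (assumed response format)."""
    u = url.encode("ascii")
    return (b"HTTP/1.0 302 Found\r\n"
            b"Location: " + u + b"\r\n"
            b"Content-Type: text/html\r\n\r\n"
            b"<html><body><a href=\"" + u + b"\">" + u + b"</a></body></html>\r\n")


def respond(first_line: bytes, monitor: AttackMonitor, now: float,
            source: str = "unknown") -> bytes:
    """Choose the reply for a new connection given its first line."""
    if not is_browser_probe(first_line):
        return NORMAL_BANNER      # real telnet/ssh/other clients see the banner
    if monitor.record(now, source) == "advertise":
        return redirect_response(ADVERT_URL)
    return NORMAL_BANNER


if __name__ == "__main__":
    # Constructed burst: six browser probes one second apart, then quiet.
    mon = AttackMonitor(window=60, high=5, low=2)
    for t in range(6):
        print(t, respond(b"GET / HTTP/1.0\r\n", mon, float(t), "198.51.100.7")[:20])
    print(100, respond(b"GET / HTTP/1.0\r\n", mon, 100.0, "198.51.100.7")[:20])
```

The first line alone is enough to tell a browser from an interactive client, so the responder never has to parse the rest of the request. Hysteresis (switching on at `high`, off at `low`) matters in practice: with one threshold an attacker probing at exactly that rate would make the service alternate replies on every connection.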