From: iw@all.net
Subject: IW Mailing List iw/960311
---------------------------------------------
From: fc (Fred Cohen)
Subject: Incident underway at all.net
Date: Mon, 11 Mar 1996 19:01:30 -0500 (EST)

I thought the list members might be interested in an incident of IW
started in the last few days against all.net in response to our policy
of responding to attempted telnets as attempts to gain illicit access
to our systems and (presumably) a recent article advocating a zero
tollerance approach to responding to such incidents.

I call it IW because it is using IT as the weapon, the objective, and
the target, and it is designed to cause us to lower our detection
threshold, presumably so that we will not catch as many people trying to
break in.

I will start with some background.

Last week, we detected an attempted telnet into our site (in the usual
way) and out automated response system sent the following response to
the postmaster at the site from which the attempt came. 

	A user at your site has just attempted to telnet into our site
	without proper authorization.  We consider this inappropriate
	behavior and would like an explanation of this action as soon as
	possible. 

	This message is generated automatically at the time of the
	attempted entry and is sent to our administrators and the
	postmaster at the machine making the attempt.  We have included
	any information provided by your ident daemon (if in use) on the
	subject line of this message.  We also do a reverse finger for
	future reference. 

	Fred Cohen - fc@all.net - tel:US+216-686-0090

We got the following response:

	To: fc@all.net
	Subject: Who the Hell are You?

	I don't care if you coined "computer virus".  I can telnet into
	whatever I want.  Don't be writing me back here again.  I WILL
	get into your system.  Feel free to write me back for any other
	complaints you have to give to me.  Bee-ach!!!!!

At this point, we contacted the systems admin by telephone and he
identified that the situation would be resolved.  We got an appology,
but then a day or so later, someone posted a message to a mailing list
(we don't have a copy yet) encouraging people to telnet in in order to
cause responses - presumably in order to cause us to not respond to
attempted entries.

As you can see from the following audit trails, the number of attempted
entries is on the increase.  The norm here is 1-2 tries per day and
about 2 per week have a reasonable explanation.  Most of the rest
generate a "user won't try it again" response from the administrator.

====================================================
Racer Starting Engines on all.net by fc.
     Mon Mar 11 18:12:37 EST 1996
Copyright (c), 1985-6 Management Analytics
          All Rights Reserved
====================================================
...

The following lines indicate attempted entries that were refused access:

Mar  4 03:38:07 all in.telnetd[16226]: refused connect from ebola@terra.igcom.net
Mar  4 14:32:57 all in.telnetd[22958]: refused connect from cveley@gunnison.com
Mar  5 22:12:36 all in.telnetd[7960]: refused connect from wfarge@gunnison.com
Mar  5 22:13:22 all in.telnetd[8010]: refused connect from wfarge@gunnison.com
Mar  8 20:17:50 all in.telnetd[1057]: refused connect from maxx@osh1.datasync.com
Mar  9 04:48:26 all in.telnetd[25289]: refused connect from dhp.com
Mar  9 18:52:41 all in.telnetd[5561]: refused connect from raven.psc.edu
Mar 10 19:12:08 all in.telnetd[7456]: refused connect from VP24A97S@ubvmsa.cc.buffalo.edu
Mar 11 08:57:36 all in.telnetd[13321]: refused connect from gryphon.psych.ox.ac.uk
Mar 11 13:25:50 all in.telnetd[27915]: refused connect from dunster-lab4.student.harvard.edu
Mar 11 14:21:49 all in.telnetd[781]: refused connect from pm075-00.dialip.mich.net
Mar 11 15:16:27 all in.telnetd[3244]: refused connect from dunster-lab1.student.harvard.edu
Mar 11 15:30:48 all in.telnetd[4020]: refused connect from gh@HELP011.UTCC.UTK.EDU
Mar 11 16:14:52 all in.telnetd[6075]: refused connect from slc118.xmission.com
Mar 11 17:36:53 all in.telnetd[10125]: refused connect from shell.aros.net
Mar 11 17:55:34 all in.telnetd[10899]: refused connect from bifrost.seastrom.com
Mar 11 18:18:11 all in.telnetd[11893]: refused connect from symptom-7.digex.net
Mar 11 18:18:20 all in.telnetd[11913]: refused connect from symptom-7.digex.net
...

Weekend postings usually take a day or two to have effect.  Now clearly,
this is not a major problem yet.  After all, even 5000 automated emails
per day to systems administrators creates no problem for our computer.
(Responding to questions from those 5,000 admins out there probably
takes a bit more effort, but even that is pretty efficient, and if it
became an issue, we would automate that too.)  What it does is help to
point out some of the IW issues that others will face (and have faced)
on a more managable scale.

As you are probably well aware, the laws in the United States prohibit
the FBI (or essentially any law enforcement worth calling) from becoming
involved untli the incident has reached a certain level of severity. 
For that reason, there is little we can do about these attacks until
they reach the $5,000 worth of effort threshold.  At that point, we will
no doubt ask the FBI to have the people who started this arrested and
have all participants arrested as part of a criminal conspiracy (I'm
sure they'll enjoy that).  Not that the FBI will care anyway, but what
other options do we have anyway?

At any rate, we have fired back with a little bit of PM of our own.  We
added the following attachment to our automated response:

	P.S.  At this time, there is what appears to be a criminal
	conspiracy underway to excersize our detection system.  This is
	a result of a posting to a mailing list by someone who was
	apparently upset at having their activities detected.  A recent
	threat to break into this site posted, and we have contacted
	federal authorities.  As this incident quantitatively increases,
	the level of our work to check out each part of the incident may
	reach $5,000.  At that point, the FBI will be called in and
	participants in this activity may find that they are under
	federal investigation.  Please advise your users to cease and
	desist and advise them to advise others to do so as well. 

	March 1996 - FC

We have also contacted the CERT and made them aware of the increasing
scale and intensity of the incident and asked a few of the more
reasonable respondents to post an appropriate warning back to the list.

Naturally, we welcome any sage wisdom from IW list members.
---------------------------------------------