From: iw@all.net
Subject: IW Mailing List iw/960312
---------------------------------------------
[Moderator's Note: How do we classify this threat? Disgruntled outsider
participating in a protest? Is this IW and if so, what attacks are not?
Is all of info-sec defensive IW and vica versa?]
---------------------------------------------
Date: Tue, 12 Mar 1996 01:24:04 -30000
From: Nick Simicich 
Subject: Incident underway at all.net

It is interesting to me that you actually think you know who is at the 
other end of the attempted telnets.  Consider the possibility of a single 
site doing address spoofing and sequence number guessing to simulate 
'attacks' from a large number of sites.  From the bit of log you've 
posted, you don't have the traces you need to rule that out.

Somehow, I still consider it reasonable to telnet in and see if a guest 
account is provided.  I'd be suprised if one were. Sometimes, however, 
there is a registration account provided, and instructions for use of 
same is given in the banner.

In my opinion, you are overreacting.  Let them telnet in and see if they 
try to log in as root.  If they do, then they are attacking.  If they try 
'guest', that is no different than ftping in and trying 'anonymous'.  Or 
just filter the port completely, which is probably the more sensible 
approach if you don't want people to telnet to you.

If you sent me one of those notes on scifi.maid.com, I'd probably just 
delete it.
---------------------------------------------
From: Jonny Llama 
Subject: Re: IW Mailing List iw/960311
Date: Mon, 11 Mar 1996 20:58:26 -0500 (EST)

> I thought the list members might be interested in an incident of IW
...

I had a similar incident happen to me while I was working in a Jewelry 
shop here in Atlanta.  An old guy  walked by our shop and looked in 
the window, later that same day the old man walked buy again and briefly 
looked at some of the Seiko's displayed in our window.  I had Guido and 
Tony break his knees.  The suspect was neutralized.  

I see this obviously vicious attack in the same light as the nefarious 
conduct displayed by said old man. I'm now in counseling as a result of 
this attack and I encourage you to join.

Telnet? o v e r - r e a c t i o n

> I call it IW because it is using IT as the weapon, the objective, and
> the target, and it is designed to cause us to lower our detection
> threshold, presumably so that we will not catch as many people trying to
> break in.

All email from iw@all.net will be considered an attack and large dosages 
of ritalin will be fired back at you in return.

[Moderator's note: Since we don't want to violate anybody's policy, we
have dropped this subscriber from the list.]
---------------------------------------------
Date: Mon, 11 Mar 1996 19:56:00 -0600
From: Walt Auch 
Subject: Re: IW Mailing List iw/960311

Why are denied telnets such a concern to you?  Attacks that fail are just
that - failures.  I'd be more concerned about the system logs - looking for
attempts that DIDN'T fail.  Yes, there is a valid need to TRACK continued
attempts to access... but from reading the message that you send to the "bad
guys", I'm not sure that my reaction would be too much different - and I'm
on YOUR side!

You list the attempts.  Did you give any consideration to the Privacy Act
before posting?  Seems to me you could have a problem if things go to court
as you suggest.  I really have no "need to know" the exact sites involved
for you to make your point - and I suspect a finger might tell me a whole
lot about the persons involved.
...
---------------------------------------------
From: tju@akira.corp.sgi.com (T. Jason Ucker)
Date: Mon, 11 Mar 1996 17:01:13 -0800
Subject: Re: Incident underway at all.net

Is a telnet connection an attack?  If a user accidentially connects to your
site (though a typo or a misspelling), are you going to file a suit against
them for criminal conspiracy?

Paranoia can often be a valuable trait in a systems administrator, but I see no
evidence of an "attack" in what you've presented.  If you don't want
"unauthorized people" telneting to your site then limit access with a filter or
by some other means.  Otherwise, its like charging someone with robbery &
trespassing because they knocked on your door.
---------------------------------------------
Date: Mon, 11 Mar 1996 21:13:52 -0500
From: "Matthew G. Devost" 
Subject: Re: IW Mailing List iw/960311

What sort of warning banner is displayed when folks telnet to your site?  
---------------------------------------------
Date: Mon, 11 Mar 1996 21:05:21 -0500 (EST)
From: Sick Puppy 
Subject: Re: IW Mailing List iw/960311

> Naturally, we welcome any sage wisdom from IW list members.

Why bother to cater to juvenile instincts?  Let the kiddies try to play.  
When they find out they really can't do anything in your system, they 
will just give up and go away.
---------------------------------------------
Date: Mon, 11 Mar 1996 21:30:52 -0500 (EST)
From: 31HOWK@wmich.edu
Subject: Re: IW Mailing List iw/960311

Hello all,
	I have been lurking in here for a while and thought that this
needed deserved my humble response.  :-) I do not feel that this type of
IW is necessary nor acceptable for the majority of users.  Why? Because
unless you can prove that all of the rejected telnets were less than
inadvertant, you are not only insulting the person who happened to make
a mistake, but also wasting bandwidth sending these disclaimers back to
the originating system. 

	I do however understand the logic behind the idea but find it
less than optimal (IMHO).  People are creatures of habit.  Tracking
behaviors and then issuing a response, seems a more complete approach. 
The only downside is that it is more time consuming than its
counterpart. 

	I guess I still subscribe to the notion of 'innocent until
proven guilty'.  I mean no disrespect for any parties involved but the
thought of the net littered with little nasty notes for a attempted
login seems a little too much.  Unless the responses were tailored to
INCREASE the number of attempts, the reply actually increases the
problem.  By making known that you _really_ don't want anyone telneting
into your system, for whatever reason, you are drawing attention to
yourself.  The problem is that you will draw the attention of all the
people who are out prove you wrong.  This was shown with the reply from
the user after receiving the response.  The casual user will disregard
the notice and go about his way.  If you are concerned with actually
catching or finding the people responsible for trying to gain access,
your best bet is to do so covertly. 

	Like I said before, this is my humble little opinion and about
90 percent of the time agree with the things discussed here.  So if I am
way of base, I'd like to know why you think so.... 
---------------------------------------------
Date: Tue, 12 Mar 1996 08:22:08 -0400
From: myron.cramer@gtri.gatech.edu (Myron L. Cramer)
Subject: Re: IW Mailing List iw/960311

  Well done!  It sounds like you have things under control.  The only thing
else I can think of to do, would be to divert more than casual intrusion
attempts into a booby-trapped environment with some postscript-file trojan
horses for them to download.  This would presumably dampen the attackers'
energies.
---------------------------------------------
Date: Tue, 12 Mar 1996 14:30:01 +0000
From: Johann O Jokulsson 
Subject: Re: IW Mailing List iw/960311
...

It seems to me that a "Connection Refused" message should be
enough for your purposes. That along with keeping some records 
of repeat attempts (sp?) should be enough. And only taking action 
against those that have an extra-ordinary thick skull......

I have never encountered anyone that tries more than 2 or 3 times
before giving up (yet). 

Anyway, I was wondering how you are going to get the FBI to arrest
people coming from overseas?
---------------------------------------------
Date: Tue, 12 Mar 96 09:40:23 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson P.E. Information Security)
Subject: RE: IW Mailing List iw/960311

>	A user at your site has just attempted to telnet into our site
>	without proper authorization.  We consider this inappropriate

Well, you are within your rights to do this though I think it is a
little extreme for a first attempt.  I use something that would make it
more more gentle such as "perhaps this connection was in error but
repetition will be noted".  This gets the point that you are vigilant
across.  Or you could be more explit: "warning banners that this was a
private system were ignored and an attempt to login was made anyway",
but as it is, the note will probably irritate many sysadmins since it
seems that it could have just been a syntactical error on the part of
the user. 

Don't forget that what is obvious to you is not always so clear to others.
---------------------------------------------