Denial of service attacks apparently from UUNET Netblocks

Dale Drew ddrew at
Tue Oct 7 15:40:13 UTC 1997

Keep in mind that even if that ANI was obtainable, it still
doesn't solve the problem at hand.  Denial Of Service attacks have
just as much political infrastructure problems as they do technical ones.

A majority of the DoS attacks that MCI assists in tracing originate
from "Jump" points; compromised shell accounts that offer high
bandwidth capacity.  These shell accounts ("T3 Eggdrop Shells") are
high commodity items on hacker trading grounds, like IRC (eg; #shells).

DoS attacks usually involve several hub points;  traversing
several ISPs (reducing response times), Jump Off points (needing
coordination), and then there is the final hop; usually a dialup
account - either stolen, or created using a stolen credit card, making
ISP subscriber information useless.

Even if the magical ANI information can be obtained (eg; ANI and CLID
can actually be part of the accounting stream for some NASes), this data
isn't typically provided to the victim, or victim's ISP without a 
court order, requiring law enforcement assistance.

Despite the fact that a majority of customers we deal with do not 
want Law Enforcement assistance ("I just want the attack to stop"),
the ones who do want it have to deal with jurisdictional office 
politics and heavy case loads.

A majority of Denial Of Service Attacks do not fit the minimum 
jurisdictional-specific dollar loss, nor Felony class 
baseline to be considered a worthwhile case to pursue.  Additionally,
since a majority of these attacks are sourced from minors (read;
High Dweeb Factor), prosecution of these individuals is also not
usually an option (unless, of course, you are in Texas).

Civil remedies, however, should not be ruled out; as their effects
are sometimes greater felt than criminal prosecution; loss of
computer equipment and heavy fines that involve garnished wages
for the next 5-10 years typically equate to "Gee, if I do this again,
I won't be able to buy Doom".  Rather than the criminal prosecution,
which results in probation and a now "professional" history that
allows the hacker to pursue a career in security consulting ("He MUST
know what he's talking about, he's a convicted computer hacker"). :sigh:

The social/political issues need to be addressed just as strongly as
the technology issues.  Speed bumps don't prevent speeding, radar 
traps do.  Not wanting to get into an analogy war here, you get the point.

I would recommend that ISPs obtain NOC and Security contacts for
all that they peer with, and I would recommend that customers of ISPs
obtain NOC and Security Team telephone and pager numbers of their
ISPs.  If your ISP doesn't have such information, nag them until they
get it, or move to another ISP.  Pre-Plan for these attacks; on-the-fly
coordination just doesn't cut it when you're dealing with high-impact,
fast cycle time attacks.

Security teams at ISPs should also obtain contact information for
their local and federal law enforcement offices.  Such contacts
should be tested regularly, (eg; monthly) to ensure they are 
accurate.  You can also ask Law Enforcement to provide you with
a briefing on the types of computer investigations they are 
working on and seeing, which may help you plan your method of attack or
compensation, or help you justify your continued existence with your
upper management.

Other sources of information/contact would be NCSA's ISPSEC
team (, IPOS team, CERT (,
and FIRST (

Also, MCI has released a Denial Of Service "tracking" program 
called DoStracker that helps to automate detection and tracing of
these types of attacks through large backbone networks.

DoSTracker is freely available to the public and can be
found at:

Dale Drew                                 MCI Telecommunications
Sr. Manager                                 internetMCI Security
Voice:  703/715-7058                     Internet: ddrew at
Fax:    703/715-7066                 MCIMAIL: Dale_Drew/644-3335

At 10:40 AM 10/7/97 -0300, James_deleskie wrote:
>> I would not be surprised if the caller's phone number were logged, most
>> modern modem banks talk ANIS and DNIS, which if I'm remembering correctly
>> is basically caller ID.  I'm thinking of putting this on our POP, as there
>> doesn't seem to be an extra charge to get the data from the telco.
>I would have to disagree, in Canada anyway, the telco charges extra for
>these features, and while
>the modemracks will support it few if any ISP are gonna spend the $$$ for
>Until of course they are attacked and lose business and then the VP's the
>of NOT having it.
>> Charles
>> ~~~~~~~~~					~~~~~~~~~~~
>> Charles Sprickman 				Internet Channel
>> INCH System Administration Team			(212)243-5200
>> spork at					access at
>> On Mon, 6 Oct 1997, Phil Howard wrote:
>> > Date: Mon, 6 Oct 1997 21:30:11 -0500 (CDT)
>> > From: Phil Howard <phil at>
>> > To: steve at
>> > Cc: nanog at
>> > Subject: Re: Denial of service attacks apparently from UUNET Netblocks
>> > 
>> > Steve Mansfield writes...
>> > 
>> > [snip snip snip]
>> > 
>> > > S'okay.  Have the feds subpoena UUNET for the connect logs for these
>> > > max'es.  UUNET keeps the logs and is capable, given the exact time of the
>> > > attack(s), of going through the logs, identifying exactly who it was, and
>> > > if it's one of their customers, giving the personal info to the feds.
>> > > If it's a reseller's customer, they can get the user info and forward it to
>> > > the reseller and inform the feds who they need to talk to for the
>> > > info.  Whoever it was is as good as nailed.
>> > 
>> > Unless it was a stolen account.  With more and more "naive" users coming
>> > online, the chance of this kind of thing happening is greater and
>> > You can shut off the account.  Feds can visit the home of whoever owns
>> > account.  They can even be blocked from ever getting any account at any
>> > ISP for life.  But if this possibility is fact, you won't have the perp
>> > and they can attack again.
>> > 
>> > Now if the telco has records of all the phone calls you can find out
>> > the calls actually came from.  Maybe that's the perp.  Maybe not.
>> > 
>> > What is ultimately needed is some better real time detection of this kind
>> > of thing sufficiently deployed so that it is present on all routers where
>> > the exposure exists.  You may not catch the perp, but you might reduce
>> > damage it causes.
>> > 
>> > How to encourage this to be done is left as an exercise for the reader.
>> > 
>> > -- 
>> > Phil Howard
>> > KA9WGN       | House committee changes freedom bill to privacy invasion !! |
>> > phil at      | more info:,4,14180,00.html |
>> >
>> > 
