Dalvenjah FoxFire dalvenjah at
Mon Apr 27 06:32:19 UTC 1998

On Sun, Apr 26, 1998 at 04:50:11PM -0400, Daniel R Ehrlich put this into my mailbox:
>First, I am not speaking for Penn State, although I am a member of the
>University's CERT team.  Second, I am not asking that any block be removed.
>Such a request would have to come from others at PSU.
>It may require two weeks when you have to deal with the multiple domains of
>control one finds at this University.  This means that you can not just walk
>up to some machines and pull the plug without having large quantities of
>excrement start flowing rapidly down hill from on high and sweeping
>everything in its path away.

You may already know this, but it doesn't hurt to reiterate.

I've had to deal with this to a certain extent at a local university. What
you need to do is to draft a security policy that explains what action you
can take when a machine connected to the campus network is used in some sort
of hack/DoS attempt. The policy should say something like, "We will attempt
to contact the maintainer of the box. If we cannot contact the maintainer
or the maintainer cannot repair the box within 6 hours, we will disconnect
the box from the network." Modify as required for your site.

Then, go to the highest level of management you can, without pissing
too many folks off (yes, university politics suck). Get them to sign off on
it, and keep going all the way up to the chancellor, or whoever the Big Guy
is. Make sure that you explain that every time someone uses a University box
to hack or DoS, the university is wide-open for lawsuits and such - especially
if folks knew about the problem and didn't take action.

Then, you have the ammunition you need to disconnect problem boxes when they
crop up. If the Whiny Researcher In Question throws a fit, wave the policy
in their face and explain that they should have thought of that before putting
an insecure box on the net.

(You might also discuss with the researcher the fact that anyone hacking
into their box can steal their data; I understand research types are very
protective of their data, and paranoid that someone else might get ahold
of it. This might at least encourage them to secure their boxes better.)