[ale] fingers pingers tracers and more! oh my!

Tue Dec 18 22:11:28 EST 2001

Ah, I'm reminded of that classic saying: "Democrats are just Republicans
that haven't been mugged yet." :) Heard that on one of those Sunday morning
talk shows, but I digress ...

Firstly, your chances these days of finding a responsive host to finger
requests are slim to none. The finger daemon, while highly useful in the
ARPAnet days, is now simply too risky to expose. Even if it's a more recent
daemon that simply gives out a system info message instead of identifying
currently logged-on users per its traditional usage, it's still one more
potential hole for break-ins and/or DoS attacks. As recently as 1992, I was
able to crash the Solaris IP stack by slamming the machine's finger service
with a flood of requests.

Now assuming that the alleged attacking host isn't spoofing the origination
IP address in the TCP/IP datagram it sends to you (usually done in a SYN
flood, which Linux kernels have been preventing for at least three years
now), simply take the attacking IP address and:
- reverse-lookup the canonical, if possible
- perform a lookup on it at whois.arin.net (or regional equiv.)
- contact the appropriate authorities

If the addy is in a dialup block, is a firewall or belongs to a publicly
shared machine, you'll need to rely on the sysadmins in the domain to match
the time of your attack with their system logs (if they even keep such
beasts).

And even if the IP address eventually maps to a one-user box (typically a
DSL-connected one), there's always the chance that the physical owner is
unaware that the box is already "0wn3d" and acting as a willing slave in,
for example, email virus or DDoS attacks.

Welcome to the jungle. And it goes w/o saying that the best offence is a
good defence, so make use of any iptables and/or other firewall mechanisms,
as well as turning off any services you don't need to expose to the cruel
world.

And I've probably just made most of this up, for all I know, except for a
lot of help from an old Phrack article:
	http://www.fc.net/phrack/files/p48/p48-14.html

On Tue, Dec 18, 2001 at 05:04:05PM -0800, Stephen Turner wrote:
> so the internet is a big, evil, dark, and scary place,
> so we need weapons to combat the evils that haunt us
> right? im looking for stuff to identify people say
> they connect to me or something i want to either take
> thier email and trace em down (if even possible) or
> what ever.. um im not sure if finger works over the
> net.. or what ever in fact im not sure what im looking
> for...  but security is the main issue.. and after
> security i need to be able to detect and trace someone
> if they A: attempt anything so they can be reported B:
> trace them down if they breach my security and be able
> to report them and if applicable pay for damages...
> maybe im just nutz crazy or over shooting it so thats
> why im asking for comments on this email... if it even
> makes sense... i think im rambling :-p

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.