Suite101

Responding to Attacks


© Mayur Kamat

Last time, we studied different types of attacks and tried to classify them into levels based on their severity. Today we will try to explore ways to recover from these attacks.

What do you do if you discover an attack in progress? It depends on the situation.

Responding to Level-One Attacks

Level-one attacks can be treated as described previously: filter the incoming address and contact the attacker's service provider. These are minor inconveniences. Only when the denial-of-service attack appears to be related to some other form of attack (perhaps a more sophisticated one), or where it continues for some time, should you bother to do more than exclude the incoming traffic.

Responding to Level-Two Attacks

Level-two attacks can be dealt with internally. There is no reason to advertise that local users can access things they shouldn't. Basically, freeze or eliminate the user's account. If there are complaints, let your lawyers sort it out. If you "counsel" the individual, you will see poor results; within a month, he or she will be at it again. You are not engaged in a game, and there is no guarantee that this internal user is just an innocent, curious individual. One last thing: give no warning about freezing the account. This way, you can preserve any evidence that might otherwise be deleted.

Responding to Level-Three, -Four, and -Five Attacks

If you experience any sort of an attack higher than a level two, you have a problem. Your job, then, is to undertake several actions:

  • Isolate the network segment so that the activity can only occur in a small area
  • Allow the activity to continue
  • Log all activity heavily
  • Make every effort (using a different portion of the network) to identify the source or sources of the attacks

You are dealing with a criminal. Under state and federal statutes, this type of access is a crime. If you are to capture that criminal, you will need evidence. Generating that evidence will take time.

The standards of evidence in an Internet criminal case are not exactly settled. Certainly, the mere act of someone trying to retrieve your /etc/passwd file by sendmail will not support a criminal case. Nor will evidence of a handful of showmount requests. In short, to build an iron-clad case against an intruder, you must have some tangible evidence that the intruder was within your network or, alternatively, some tangible evidence identifying the intruder as the one who downed your server in a denial-of-service attack. To do this, you must endure the brunt of the attack (although you can institute come
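The "log all activity heavily" and "identify the source" steps above only pay off if the logs are later sorted by source and by weight of evidence. The following is an added example, not code from the original article: it runs constructed syslog lines (the daemon message formats are assumed, not taken from any real system) through a small triage that separates the probes the text says will not support a case (a sendmail request for /etc/passwd, a handful of showmount requests) from tangible evidence that a source was inside the network, and keeps the raw lines per source as the evidence record.

```python
import re
from collections import defaultdict

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Illustrative patterns; real daemon log formats vary by version and platform.
RECON_PATTERNS = [re.compile(r"sendmail\[\d+\]:.*/etc/passwd"),
                  re.compile(r"mountd\[\d+\]:.*showmount request")]
ACCESS_PATTERNS = [re.compile(r"sshd\[\d+\]: Accepted \w+ for \S+ from"),
                   re.compile(r"ftpd\[\d+\]: FTP LOGIN FROM")]

# Constructed sample log lines, not taken from any real system.
SAMPLE_LOGS = """\
Mar 12 03:14:01 gw sendmail[412]: rejected request for /etc/passwd from [192.0.2.44]
Mar 12 03:14:09 gw mountd[221]: showmount request from 192.0.2.44
Mar 12 03:14:10 gw mountd[221]: showmount request from 192.0.2.44
Mar 12 03:15:30 gw sshd[900]: Accepted password for guest from 192.0.2.44 port 40122
Mar 12 03:16:02 gw mountd[221]: showmount request from 198.51.100.7
Mar 12 03:17:45 gw ftpd[1021]: FTP LOGIN FROM 192.0.2.44 as anonymous
"""

def classify(line):
    """Return 'access', 'recon' or None for one log line."""
    if any(p.search(line) for p in ACCESS_PATTERNS):
        return "access"
    if any(p.search(line) for p in RECON_PATTERNS):
        return "recon"
    return None

def triage(lines, handful=3):
    """Group events by source address and attach a verdict:
    'evidence of access' if the source logged in, 'persistent reconnaissance'
    if it sent more than `handful` probes, else 'isolated probe'."""
    per_source = defaultdict(lambda: {"recon": 0, "access": 0, "timeline": []})
    for line in lines:
        kind, m = classify(line), IPV4.search(line)
        if kind is None or m is None:
            continue  # untracked event, or no source address to attribute it to
        entry = per_source[m.group(1)]
        entry[kind] += 1
        entry["timeline"].append(line)  # keep the raw line as the evidence record
    for entry in per_source.values():
        if entry["access"]:
            entry["verdict"] = "evidence of access"
        elif entry["recon"] > handful:
            entry["verdict"] = "persistent reconnaissance"
        else:
            entry["verdict"] = "isolated probe"
    return dict(per_source)
```

Calling triage(SAMPLE_LOGS.splitlines()) attributes three probes and two logins to 192.0.2.44, which is the kind of record the paragraph above says a case needs, while 198.51.100.7 stays an isolated probe.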
