HP3000-L Archives

December 1998, Week 1

HP3000-L@RAVEN.UTC.EDU

From: Chris Bartram <[log in to unmask]>
Date: Wed, 2 Dec 1998 18:47:43 -0500
In <[log in to unmask]> [log in to unmask] writes:

> Stan writes:
>
> > > Further, with telnet-like access attempts, there is the possibility to
> > > begin rejecting all incoming packets from any particular address (forged
> > > or not)
> >
> > Causing a service interruption, potentially...a larger scale interruption
> > than simply turning off the modem.
>
> No. There is absolutely no reason that a simple, fully automatic, completely
> transparent-to-the-user mechanism can't be put into MPE, essentially identical
> to the protocol that exists now in MPE that hangs up your modem connection
> after three failed logon attempts, but one that actually provides more
> security than we've had in the past.
>
> If a particular remote IP address accrues 25 (or 50 or 100) failed logon
> attempts in 1 (or 4 or 6 or 24) hours, that remote IP address could then be
> written into a file of non-accepted IP addresses. This file would essentially
> be the antithesis of INETDSEC.NET.SYS. Rather than specify the list of
> acceptable IP addresses, this file would list those foreign IP addresses that
> are to be rejected.

Except that, unlike the phone system, each time a typical user (hacker)
connects to the 'net, he gets a different IP address. None but the stupidest
hackers ever connect from a fixed IP address (at least not one that belongs
to THEM). 99.9% come from AOL, Netcom, U-losenet (aka uunet), or one of the
other ones. The best you would hope for is to accumulate a growing table of
excluded IP addresses from those providers;
 --you'd never stop the same hacker by excluding an IP address
 --there's probably a bigger chance you'd end up arbitrarily cutting off one
   of your own dialup users if they arbitrarily got that IP address assigned
   next time they dialed in
 --You can never hope to keep a sufficient 'exclude' list of all the dialup
   ports on the 'net (a couple online dns-servers keep lists like that for
   e-mail servers already, but they'll never be completely up-to-date; I know
   firsthand - NetMail/3000 now supports dynamic lookup of incoming addresses
   against the DUL (dial-up list) allowing it to automatically reject any
   mail relays being attempted by dialup users that don't have POP accounts on
   the server.)
 --And on the more paranoid side, if there are any non *TOP NOTCH* Internet
   providers between your network and the network your remote user is coming
   from, you have to at least consider the possibility that the IP address you
   see is being 'spoofed' (forged). It's not trivial to do over the 'wide'
   Internet, but it can be (and has been) done. [the "top notch" providers -
   ones that run really professional operations - usually have sufficient
   security systems/measures in place to prevent spoofing via their network;
   but there are a LOT of clueless ISPs out there.]

As mentioned, with the telnet server you can at least proactively choose
which address you'll let connect; though I suspect very few sites do that
(yet). VT connections have no such luxury; and as Stan mentioned, if you're
faced with a network 'attack' and don't have real good security in place
already, your only defense is to basically unplug the 'net; which in many
cases is the same as unplugging your machine -- it puts you out of business.

I like John Korb's idea on the Radio Shack boxes; I'm going to go pick up a few
of those for one of my customers ASAP.

 -Chris (remove nospam) Bartram

P.S. I saw this quote on someone's .sig on one of the anti-spam lists and I'll
    blatantly e-quote it here 'cause it cracked me up:
    "There are only so many clues to go around, and the Internet is growing at
     a geometric rate... You do the math" (attributed to Scott Bradner of
     Harvard I believe)
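The threshold-in-a-window lockout proposed in the quoted text, with the block made time-limited so that a dial-up address reassigned to an innocent user is released again, as an added Python illustration; this is not MPE code and not from anyone in this thread, and the addresses, thresholds and event timeline are constructed.

```python
from collections import defaultdict, deque

class FailedLogonTracker:
    """Per-source failed-logon counter: sliding window, time-limited blocks."""
    def __init__(self, threshold=25, window_s=3600, block_s=3600):
        self.threshold, self.window_s, self.block_s = threshold, window_s, block_s
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            return True
        # Expired or absent block: drop it, so a reassigned dial-up address
        # is not held against its next, innocent user.
        self.blocked_until.pop(ip, None)
        return False

    def record_failure(self, ip, now):
        """Record one failed logon; True if this one trips the threshold."""
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window_s:
            recent.popleft()  # forget failures older than the window
        if len(recent) < self.threshold:
            return False
        self.blocked_until[ip] = now + self.block_s
        recent.clear()
        return True

def replay(events, tracker):
    """events: (timestamp_s, ip, 'ok'|'fail') in time order. Returns, per event,
    'rejected' (address blocked), 'blocked' (limit tripped) or 'allowed'."""
    decisions = []
    for ts, ip, outcome in events:
        if tracker.is_blocked(ip, ts):
            decisions.append("rejected")
        elif outcome == "fail" and tracker.record_failure(ip, ts):
            decisions.append("blocked")
        else:
            decisions.append("allowed")
    return decisions

# Constructed sample: five quick failures from IP_A, a retry while blocked, a
# clean logon after the block lapses; IP_B's two failures are a window apart.
IP_A, IP_B = "192.0.2.10", "198.51.100.7"   # documentation-range addresses
SAMPLE_EVENTS = sorted([(t, IP_A, "fail") for t in (0, 60, 120, 180, 240)] + [
    (600, IP_A, "ok"), (4000, IP_A, "ok"), (0, IP_B, "fail"), (4000, IP_B, "fail")])
def run_sample():
    return replay(SAMPLE_EVENTS, FailedLogonTracker(threshold=5, window_s=3600))
```

A permanent exclusion file would keep IP_A blocked forever; the expiring block is what keeps the next user who draws that dial-up address from being locked out.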
