It could be both - the attacker's motive is his knowledge and I believe it's up to you to solve the problem. One method might be to make an application that emails an admin that is on campus at the time when one of these "attacks" takes place and then have them respond immediately. I know this is a labour resource consuming way of dealing with it, but I can't think of (maybe someone else can!) a more effective way to deal with these attacks. Perhaps it is just one person and catching them out would put a stop to your problems and make everyone happier.

Hamish Stanaway

-= KoRe WoRkS =- Internet Security
Owner/Operator
http://www.koreworks.com/
New Zealand

Is your box REALLY secure?

>From: "Nicholas C. Weaver" <nweaverat_private>
>To: incidentsat_private
>Subject: DoS and Windows Login
>Date: Thu, 17 Oct 2002 14:16:34 -0700 (PDT)
>
>UC Berkeley runs a fairly open network (*GASP*, no firewall).
>
>Lately, many users have been experiencing a minor but annoying DOS
>attack: The Windows system's authentication procedures, after X failed
>password tries, locks out the account for 30 minutes. Someone or some
>group is doing large scale password guessing which is resulting in
>many users being unable to log in in the morning, until this timeout
>passes.
>
>Question: Have those in other universities or other generally open
>computing environments noticed a similar trend? Is this the work of
>an attacker trying to brute-force passwords or a deliberate DOS
>attempt?
>
>--
>Nicholas C. Weaver nweaverat_private
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
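
The reply above suggests an application that emails an on-campus admin while the guessing is in progress. The following is an added example, not code from either poster: it flags any source host whose failed logons hit many distinct accounts inside a short window and builds the alert message. The record format, host names, addresses and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from email.message import EmailMessage

# Constructed sample records (not real logs): time, result, account, source host
SAMPLE = """\
2002-10-17T03:00:01,FAIL,alice,lab-pc-17
2002-10-17T03:00:02,FAIL,bob,lab-pc-17
2002-10-17T03:00:03,FAIL,carol,lab-pc-17
2002-10-17T03:00:04,FAIL,dave,lab-pc-17
2002-10-17T03:00:05,FAIL,alice,lab-pc-17
2002-10-17T08:55:00,FAIL,erin,erin-desktop
2002-10-17T08:55:20,FAIL,erin,erin-desktop
2002-10-17T08:55:40,OK,erin,erin-desktop
"""

def parse(text):
    """Yield (time, result, account, source) tuples from the assumed CSV format."""
    for line in text.strip().splitlines():
        ts, result, account, source = line.split(",")
        yield datetime.fromisoformat(ts), result, account, source

def guessing_sources(events, window=timedelta(minutes=10), min_accounts=4):
    """Return {source: sorted accounts} for sources whose failures hit at
    least min_accounts distinct accounts inside one sliding window."""
    recent = defaultdict(deque)   # source -> (time, account) failures in window
    flagged = defaultdict(set)
    for ts, result, account, source in sorted(events):
        if result != "FAIL":
            continue
        q = recent[source]
        q.append((ts, account))
        while ts - q[0][0] > window:      # drop failures older than the window
            q.popleft()
        accounts = {a for _, a in q}
        if len(accounts) >= min_accounts:
            flagged[source] |= accounts
    return {s: sorted(a) for s, a in flagged.items()}

def build_alert(flagged, admin="admin@example.edu"):
    """Compose (but do not send) the mail for the on-duty admin; addresses are placeholders."""
    msg = EmailMessage()
    msg["To"] = admin
    msg["From"] = "lockout-monitor@example.edu"
    msg["Subject"] = f"Password guessing from {len(flagged)} source(s)"
    msg.set_content("\n".join(f"{s}: {', '.join(a)}" for s, a in sorted(flagged.items())))
    return msg

if __name__ == "__main__":
    print(build_alert(guessing_sources(parse(SAMPLE))))
```

A user mistyping their own password (erin in the sample) touches only one account and is not flagged; the message can be handed to `smtplib` for delivery.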
This archive was generated by hypermail 2b30 : Fri Oct 18 2002 - 15:28:50 PDT