Having my own dedicated server, I am privy to all the fun little logs that the system generates. Now, like any computer connected to the net, mine sees all manner of port knocks from various infected systems, looking for already-present trojans or known vulnerabilities to exploit. That being said, however, I also receive more serious brute force attacks attempting to log in via SSH. These attacks show up in my logs looking something like this:

alex/password from 127.0.0.1: 1 Time(s)
ana/password from 127.0.0.1: 1 Time(s)
andrea/password from 127.0.0.1: 1 Time(s)
andrew/password from 127.0.0.1: 1 Time(s)
angel/password from 127.0.0.1: 1 Time(s)
bank/password from 127.0.0.1: 1 Time(s)
barbara/password from 127.0.0.1: 1 Time(s)
betty/password from 127.0.0.1: 1 Time(s)
billy/password from 127.0.0.1: 2 Time(s)
bob/password from 127.0.0.1: 1 Time(s)
brandon/password from 127.0.0.1: 1 Time(s)
brian/password from 127.0.0.1: 1 Time(s)
buddy/password from 127.0.0.1: 1 Time(s)
carmen/password from 127.0.0.1: 1 Time(s)
charlie/password from 127.0.0.1: 1 Time(s)

(I changed the IP.)
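As an added illustration (not code from the original post), here is a small parser for summary lines in the "user/method from IP: N Time(s)" shape shown above, aggregating attempts per source address and separating the pattern in the post (many different usernames, one or two tries each) from plain password guessing against a single account. The sample lines and IP addresses are constructed for the example, and the thresholds are assumptions to tune locally.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the summary above; the
# addresses are documentation ranges, not real attackers.
SAMPLE_LOG = """\
alex/password from 192.0.2.10: 1 Time(s)
ana/password from 192.0.2.10: 1 Time(s)
andrea/password from 192.0.2.10: 1 Time(s)
billy/password from 192.0.2.10: 2 Time(s)
bob/password from 192.0.2.10: 1 Time(s)
paul/password from 198.51.100.7: 3 Time(s)
root/password from 203.0.113.5: 40 Time(s)
"""

# user/method from <ip>: <n> Time(s)
LINE_RE = re.compile(
    r"^(?P<user>[^/\s]+)/(?P<method>\S+) from (?P<ip>[\d.]+): (?P<n>\d+) Time\(s\)$"
)


def parse_summary(text):
    """Return {ip: {user: attempts}} from the summary lines in text.

    Lines that do not match the summary shape are skipped, so the
    function can be fed a whole report without pre-filtering.
    """
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            per_ip[m["ip"]][m["user"]] += int(m["n"])
    return {ip: dict(users) for ip, users in per_ip.items()}


def classify_sources(per_ip, min_attempts=5, min_users=5):
    """Label each source as (kind, total_attempts, distinct_users).

    'username-sweep': many distinct usernames (the pattern in the post),
    'password-guessing': many attempts against few accounts,
    'noise': below both thresholds (the thresholds are assumptions).
    """
    result = {}
    for ip, users in per_ip.items():
        attempts = sum(users.values())
        if len(users) >= min_users:
            kind = "username-sweep"
        elif attempts >= min_attempts:
            kind = "password-guessing"
        else:
            kind = "noise"
        result[ip] = (kind, attempts, len(users))
    return result
```

The per-IP totals and distinct-user counts are the figures an abuse report to the hosting provider would normally carry alongside the raw lines.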


Several of the recent attacks have come from customers of the same host as me, so I have dutifully followed up with the security staff. Overall, though, I haven't been too impressed with the level of response I have received. My understanding is that once they receive a complaint, they send a nice little email to whoever owns the attacking machine, letting them know what is going on and offering to assist in securing the machine, as it has obviously been compromised by a third party. This does absolutely nothing if the attacker has legitimate access to the machine in question, and it leaves a large window for an attacker with illegitimate access to continue their work while they wait for the machine's owner to respond.


At what point do these attacks become sufficiently severe to warrant involvement of a law enforcement agency? Is a brute force attack as shown (in part) above enough? Do they have to actually gain access to my system? If it's the former, who do I call? The local police, the RCMP, the police local to where my system is hosted, or even the FBI? If it's the latter, doesn't this give attackers free rein to continue to attack other systems until they find one less secure?


Finally, the possibility exists that the attack is merely one head of a worm, which has already compromised the attacking machine and is simply seeking another vulnerable machine. Should this possibility affect my reaction?



Hi, I’m Paul Reinheimer, a developer working on the web.

I co-founded WonderProxy, which provides access to over 200 proxies around the world to enable testing of geoip-sensitive applications. We've since expanded to offer more granular tooling through Where's it Up.

My hobbies are cycling, photography, travel, and engaging Allison Moore in intelligent discourse. I frequently write about PHP and other related technologies.
