27.3. Pursuing and Capturing the Intruder

If you discover a security incident -- particularly one in progress -- you're going to be tempted to go gunning for the bad guys who are invading your system.
Going after the bad guys has a certain emotional appeal, but it's generally not very practical. There are a variety of approaches you can take, but there are also a variety of technical and legal hurdles.
For an appreciation of the problems involved in hunting down an intruder, see Cliff Stoll's book, The Cuckoo's Egg (Doubleday, 1989). In the late 1980s, Cliff was a system manager at Lawrence Berkeley Labs. While tracking down a minor inconsistency in the accounting system LBL used for computer time billing, he discovered evidence that an intruder had broken in over the Internet. He spent many months on an odyssey trying to chase down the attackers. Although Cliff succeeded admirably (and wrote an entertaining and useful book to boot), few of us are going to be able to emulate his feats. Most sites just don't have the time and resources to track their attackers the way Cliff did; most are going to have to be satisfied with simply getting them off their systems.
Tracking down intruders for legal action is always a long and involved process. Having it take months is actually unusually fast! In general, the process of prosecuting an intruder, or group of intruders, takes a year or more. Be prepared for a long and frustrating process. It can be extremely educational -- you may learn more about the legal system and the phone system than you really wanted to know. It also can be a complete let-down; you call three law-enforcement agencies, two of which can't figure out how to do anything about a computer break-in, and the third of which says something noncommittal and takes down contact information. This might mean, as you will probably suspect, that they don't care and are going to ignore you, or it might mean that they are already nine months into an investigation of this intruder with the help of other sites and don't want to give you any information that might somehow get back to the intruder. You might find out when they call back and ask you to testify or to estimate damages. You might find out in the newspaper. It is worth doing your best to report these incidents anyway, but don't expect much from the experience.
There are two main problems in tracking down intruders: one is technical and the other is legal. The first problem is that tracking an attack back to its ultimate source is usually technically difficult. It's usually easy to tell what site an attack appears to come from (simply by looking at the source IP addresses of the attacker's packets; for an interactive session such as a Telnet login, that address is genuine, because the attacker needs to receive the replies, although for single-packet attacks it may be forged). But once you find the apparent source of the attack, you usually find out that the attack isn't really being carried out by a user from that site. Instead, it's very likely that the site has itself been broken into, and it's being used as a base by the person who attacked you.
If that site traces its own break-in, it will usually discover the same thing: the attacker isn't wherever the attacks appear to be coming from. Moreover, where the attacks appear to be coming from is simply another site in the chain that's been broken into. Each link in the chain between the attacker and you involves more sites and more people. There is a practical limit to how far back you can trace someone in a reasonable period of time. Eventually, you're probably going to run into a site in the chain that you can't get in touch with, or that doesn't have the time or expertise to pursue the matter, or that simply doesn't care about the attack or about you. As Figure 27-1 illustrates, there are many links in any network connection.

Figure 27-1. A network connection has many links

Furthermore, at some link in the chain, you are likely to discover that the attacker is coming in over a telephone line, and tracing telephone calls involves whole new realms of technical and legal problems.
You may well find the same attacker coming in from multiple sites. In one incident, responders kept correcting each other, until they realized that nobody was confused; one set of people was referring to SFU (Simon Fraser University, in Canada) and the other to FSU (Florida State University). The similarity of the abbreviations had momentarily concealed the fact that two separate sites, physically distant from each other, were being concurrently used by the same attacker. The attacker had not started from either of them, and when SFU and FSU closed down access, identical attacks started occurring from other sites.
Be wary when using email or voicemail to contact administrators at other sites when tracking down an intruder. How do you know it's really the administrator that's receiving and responding to your messages and not the intruder? An intruder who controls the site may well be reading the administrator's mail. Where it matters, confirm through a channel that doesn't pass through the suspect system, such as a telephone number obtained from a directory rather than from the site itself. Even if you're sure that you're talking to the administrator of a site, maybe the intruder is the administrator.
The second problem is legal. You might contemplate leaving your site "open", even after you're aware of the attack, in hopes of tracking down the attackers while they're using your site. This may seem like a clever idea; after all, if you shut down your system or disconnect it from the Internet, the attackers will know they've been discovered, and it will be much harder for you to track them down.
The problem is this: leaving your site open doesn't just risk further loss or damage at your own site. What the attacker is probably doing at your site is using it as a base to attack other sites. If you're aware of it, and do nothing to prevent it, those other sites might have grounds to sue you and your organization for negligence or for aiding the attacker.
If you're dealing with someone who's attacking your system unsuccessfully, there's less risk. It's polite to inform the site that the attacker is apparently coming from, so the system administrators there can do their own checking. It also lets you straighten out people who aren't really trying to break in, but are just very confused. For example, attempts to log in as "anonymous", even extremely persistent ones, usually come from people who have confused FTP with Telnet and simply need better advice. Most sites are grateful to be told that attacks are coming from them, but don't be surprised if universities seem somewhat bored to hear the news. Although they will usually follow up, large universities see these incidents all the time.
You'll also find that the occasional site is uninterested, hostile, or incapable of figuring out what you're talking about, and it's not worth your time to worry about it unless the attacks from the site are persistent, determined, and technically competent enough to have a chance of succeeding. In this case, you should enlist the assistance of a response team.
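The decisions in the two preceding paragraphs (advise the confused "anonymous" user, ignore the one-off failure, notify the administrator of a source that is persistently probing real accounts) can be made mechanically from your own login-failure logs before you pick up the phone. The script below is an added example written for this edition; it is not code from the book. The syslog-style lines, the address ranges, the list of commonly guessed account names and the five-attempt threshold are all constructed or assumed for illustration and should be adjusted to what your login daemon actually writes and what your site considers normal.

```python
"""Triage failed interactive logins by apparent source address.

Added example for this section. Log format, name lists and the threshold
are assumptions, not figures taken from the text.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample, syslog-style output from a login daemon. Not from any
# real system; addresses are taken from the documentation ranges.
SAMPLE_LOG = """\
Mar  3 02:11:05 gw login[1180]: FAILED LOGIN 1 FROM 192.0.2.10 FOR anonymous, Authentication failure
Mar  3 02:11:09 gw login[1180]: FAILED LOGIN 2 FROM 192.0.2.10 FOR anonymous, Authentication failure
Mar  3 02:11:14 gw login[1180]: FAILED LOGIN 3 FROM 192.0.2.10 FOR anonymous, Authentication failure
Mar  3 03:40:21 gw login[1302]: FAILED LOGIN 1 FROM 198.51.100.7 FOR root, Authentication failure
Mar  3 03:40:25 gw login[1302]: FAILED LOGIN 2 FROM 198.51.100.7 FOR admin, Authentication failure
Mar  3 03:40:30 gw login[1302]: FAILED LOGIN 3 FROM 198.51.100.7 FOR sysadm, Authentication failure
Mar  3 03:40:36 gw login[1302]: FAILED LOGIN 4 FROM 198.51.100.7 FOR operator, Authentication failure
Mar  3 03:40:41 gw login[1302]: FAILED LOGIN 5 FROM 198.51.100.7 FOR guest, Authentication failure
Mar  3 03:40:47 gw login[1302]: FAILED LOGIN 6 FROM 198.51.100.7 FOR oracle, Authentication failure
Mar  3 09:15:02 gw login[1410]: FAILED LOGIN 1 FROM 203.0.113.5 FOR jsmith, Authentication failure
"""

# Names that almost always mean an FTP user who connected to Telnet by
# mistake (the "anonymous" case in the text), not an intruder.
CONFUSED_NAMES = {"anonymous", "ftp"}

# Account names an attacker typically guesses first. Assumed list; tune it.
GUESSED_NAMES = {"root", "admin", "administrator", "sysadm",
                 "operator", "guest", "oracle"}

# Failures from one source before it is worth contacting that site. Assumed.
PROBE_THRESHOLD = 5

LINE_RE = re.compile(r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>[^,\s]+)")


@dataclass
class Verdict:
    source: str
    attempts: int
    usernames: tuple   # distinct names tried, in first-seen order
    category: str      # "confused", "probe" or "noise"
    action: str        # what to do about this source


def parse_failures(log_text):
    """Group the usernames tried, keyed by apparent source address."""
    per_source = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            per_source[m.group("src")].append(m.group("user"))
    return per_source


def classify(source, users):
    """Decide what one apparent source deserves."""
    distinct = tuple(dict.fromkeys(users))  # dedupe, keep first-seen order
    if set(distinct) <= CONFUSED_NAMES:
        return Verdict(source, len(users), distinct, "confused",
                       "send advice (FTP, not Telnet); no report needed")
    if len(users) >= PROBE_THRESHOLD or set(distinct) & GUESSED_NAMES:
        return Verdict(source, len(users), distinct, "probe",
                       "notify admin of apparent source; "
                       "assume that site is itself broken into")
    return Verdict(source, len(users), distinct, "noise", "log only")


def triage(log_text):
    """Map every apparent source in the log to a Verdict."""
    return {src: classify(src, users)
            for src, users in parse_failures(log_text).items()}


def contact_list(verdicts):
    """Apparent sources whose administrators should be told, busiest first."""
    probes = [v for v in verdicts.values() if v.category == "probe"]
    return [v.source for v in sorted(probes, key=lambda v: -v.attempts)]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for v in results.values():
        print(f"{v.source:15} {v.category:9} {v.attempts:3} attempts "
              f"{', '.join(v.usernames)} -> {v.action}")
    print("contact:", contact_list(results))
```

The "probe" verdict deliberately says "apparent source": as the chapter explains, the address you see is most likely a host that was itself broken into, so the message to its administrator should be phrased as "your machine is being used against us", not "you are attacking us". The threshold and name lists are where a site's own experience belongs; a university gateway will want a much higher threshold than a small commercial site.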
Copyright © 2002 O'Reilly & Associates. All rights reserved.