Keep in mind that even if that ANI were obtainable, it still
doesn't solve the problem at hand. Denial of Service attacks have
just as many political and infrastructure problems as they do technical ones.
A majority of the DoS attacks that MCI assists in tracing originate
from "jump" points: compromised shell accounts that offer high
bandwidth capacity. These shell accounts ("T3 Eggdrop Shells") are
high-commodity items on hacker trading grounds like IRC (e.g., #shells).
DoS attacks usually involve several hub points: traversing
several ISPs (reducing response times), jump-off points (needing
coordination), and then there is the final hop, usually a dialup
account, either stolen or created using a stolen credit card, making
ISP subscriber information useless.
Even if the magical ANI information can be obtained (e.g., ANI and CLID
can actually be part of the accounting stream for some NASes), this data
isn't typically provided to the victim, or the victim's ISP, without a
court order, requiring law enforcement assistance.
Despite the fact that a majority of the customers we deal with do not
want law enforcement assistance ("I just want the attack to stop"),
the ones who do want it have to deal with jurisdictional office
politics and heavy caseloads.
A majority of Denial of Service attacks do not meet the minimum
jurisdiction-specific dollar loss, nor the felony-class
baseline, to be considered a worthwhile case to pursue. Additionally,
since a majority of these attacks are sourced from minors (read:
high dweeb factor), prosecution of these individuals is also not
usually an option (unless, of course, you are in Texas).
Civil remedies, however, should not be ruled out, as their effects
are sometimes more strongly felt than criminal prosecution: loss of
computer equipment and heavy fines that involve garnished wages
for the next 5-10 years typically equate to "Gee, if I do this again,
I won't be able to buy Doom." That beats criminal prosecution,
which results in probation and a now "professional" history that
allows the hacker to pursue a career in security consulting ("He MUST
know what he's talking about; he's a convicted computer hacker"). :sigh:
The social/political issues need to be addressed just as strongly as
the technology issues. Speed bumps don't prevent speeding; radar
traps do. Without getting into an analogy war here, you get the point.
I would recommend that ISPs obtain NOC and security contacts for
all that they peer with, and I would recommend that customers of ISPs
obtain NOC and security team telephone and pager numbers for their
ISPs. If your ISP doesn't have such information, nag them until they
get it, or move to another ISP. Pre-plan for these attacks; on-the-fly
coordination just doesn't cut it when you're dealing with high-impact,
fast-cycle-time attacks.
Security teams at ISPs should also obtain contact information for
their local and federal law enforcement offices. Such contacts
should be tested regularly (e.g., monthly) to ensure they are
accurate. You can also ask law enforcement to provide you with
a briefing on the types of computer investigations they are
working on and seeing, which may help you plan your method of attack or
compensation, or help you justify your continued existence to your
upper management.
Other sources of information/contacts would be NCSA's ISPSEC
team (http://www.ncsa.com), the IPOS team, CERT (http://www.cert.org),
and FIRST (http://www.first.org).
Also, MCI has released a Denial of Service "tracking" program
called DoSTracker that helps to automate detection and tracing of
these types of attacks through large backbone networks.
DoSTracker is freely available to the public and can be
found at: ftp://ftp.mci.net/outgoing/dostrack742812.tar
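As an added illustration (not part of the post above, and not MCI's DoSTracker), the Python below shows the correlation step the "accounting stream" remark refers to: given the attacking dialup address and the time of the attack, it walks RADIUS-style NAS accounting records (Start/Stop/Interim-Update), finds the session that held that address during that instant, and returns its Calling-Station-Id (the CLID/ANI) if the NAS ever recorded one. The attribute names are the standard RADIUS accounting names; the one-record-per-line key=value layout and every record in the sample log are constructed for this example and are not any real NAS's output. It deliberately covers the two failure modes a tracer hits: an address reused by a later session (so the timestamp window, not the address, decides) and a session whose NAS delivered no CLID at all.

```python
"""Correlate an attack source IP and time against NAS (RADIUS-style)
accounting records to recover the dialup session's Calling-Station-Id.

All records below are constructed for this example. Attribute names are
the standard RADIUS accounting names (RFC 2866); the one-line-per-record
key=value layout is an assumption, not any particular NAS's format.
"""
from datetime import datetime, timezone

# Constructed accounting stream: two sessions reuse 10.1.2.3 back to back,
# and the session on 10.1.2.9 arrived without a Calling-Station-Id.
SAMPLE_ACCT_LOG = """\
Acct-Status-Type=Start Acct-Session-Id=8000001A User-Name=jdoe Framed-IP-Address=10.1.2.3 Calling-Station-Id=5551234567 NAS-IP-Address=10.0.0.1 NAS-Port=7 Timestamp=1997-08-01T02:10:05Z
Acct-Status-Type=Stop Acct-Session-Id=8000001A User-Name=jdoe Framed-IP-Address=10.1.2.3 Calling-Station-Id=5551234567 NAS-IP-Address=10.0.0.1 NAS-Port=7 Acct-Session-Time=1500 Timestamp=1997-08-01T02:35:05Z
Acct-Status-Type=Start Acct-Session-Id=8000002B User-Name=guest Framed-IP-Address=10.1.2.3 Calling-Station-Id=5559876543 NAS-IP-Address=10.0.0.1 NAS-Port=7 Timestamp=1997-08-01T02:40:00Z
Acct-Status-Type=Start Acct-Session-Id=8000003C User-Name=asmith Framed-IP-Address=10.1.2.9 NAS-IP-Address=10.0.0.1 NAS-Port=8 Timestamp=1997-08-01T02:00:00Z
"""

SESSION_ATTRS = ("User-Name", "Framed-IP-Address", "Calling-Station-Id",
                 "NAS-IP-Address", "NAS-Port")


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 1997-08-01T02:10:05Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_records(text):
    """Split the accounting text into one dict per record, skipping blanks/comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = dict(token.split("=", 1) for token in line.split())
        rec["Timestamp"] = _parse_ts(rec["Timestamp"])
        records.append(rec)
    return records


def build_sessions(records):
    """Fold Start/Stop (and Interim-Update) records into per-session intervals."""
    sessions = {}
    for rec in records:
        sid = rec["Acct-Session-Id"]
        sess = sessions.setdefault(sid, {"Acct-Session-Id": sid, "start": None, "stop": None})
        status = rec["Acct-Status-Type"]
        if status == "Start":
            sess["start"] = rec["Timestamp"]
        elif status == "Stop":
            sess["stop"] = rec["Timestamp"]
        # Interim-Update carries no boundary; it only refreshes the attributes below.
        for key in SESSION_ATTRS:
            if key in rec:
                sess[key] = rec[key]
    return sessions


def find_session(text, ip, when):
    """Return the session that held `ip` at instant `when` (ISO-8601 Z), else None.

    Dialup pools reuse addresses, so the match is on the [start, stop) window,
    not on the address alone. A session with no Stop record is treated as open.
    """
    t = _parse_ts(when)
    for sess in build_sessions(parse_records(text)).values():
        if sess.get("Framed-IP-Address") != ip or sess["start"] is None:
            continue  # wrong address, or a Stop without a Start: cannot bound it
        if sess["start"] <= t and (sess["stop"] is None or t < sess["stop"]):
            return sess
    return None


def clid_for(text, ip, when):
    """CLID/ANI for the session holding `ip` at `when`, or None if no session
    matched or the NAS never recorded a Calling-Station-Id for it."""
    sess = find_session(text, ip, when)
    return None if sess is None else sess.get("Calling-Station-Id")


if __name__ == "__main__":
    for ip, when in (("10.1.2.3", "1997-08-01T02:20:00Z"),
                     ("10.1.2.3", "1997-08-01T02:50:00Z"),
                     ("10.1.2.3", "1997-08-01T02:37:00Z"),
                     ("10.1.2.9", "1997-08-01T02:05:00Z")):
        sess = find_session(SAMPLE_ACCT_LOG, ip, when)
        print(ip, when, "->", sess and sess["Acct-Session-Id"],
              clid_for(SAMPLE_ACCT_LOG, ip, when))
```

Two practical notes follow from the post itself. First, a None result is as informative as a hit: a gap between sessions means the timestamp on the victim's side (often the attacking packets' arrival time, skewed from the NAS clock) needs checking before anyone concludes the address was never assigned. Second, even when the CLID comes back, it is the ISP's own data and, per the post, reaches the victim only through law enforcement with a court order; the script is something the ISP's security team runs for that process, not something a victim can do from the outside.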