Path: utzoo!attcan!uunet!lll-winken!lll-tis!helios.ee.lbl.gov!pasteur!ucbvax!GPVAX.JPL.NASA.GOV!TENCATI
From: TENCATI@GPVAX.JPL.NASA.GOV
Newsgroups: comp.protocols.tcp-ip
Subject: TCP/IP and VMS
Message-ID: <880722095106.000004180F1@gpvax.JPL.NASA.GOV>
Date: 22 Jul 88 16:51:06 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 34

Greetings,

I have a question, and an appeal for developers of VMS TCP/IP products if no
answer is possible.

Is there a product, or a way under VMS to get the source address of a TCP/IP
connection entered into the accounting files?

As many of you probably read in the papers, we were hit by a hacker about a
month ago. This penetration was accomplished over the Internet. Unlike our
SPAN connection, which is DECnet, we have no way of "tracing" a connection once
it is broken, because the TCP/IP product we are running is not part of VMS,
and therefore does not communicate with VMS' accounting package.

Under DECnet, after an interactive user logs out, I have a record showing the
remote node and remote userid associated with the connection. Under TCP/IP,
unless I am diligent and run NETSTAT, I have no way of tracing the connection.
All accounting shows is a login on terminal NTY1 or XXA1, but no information
about the IP address of the source node.

It seems to me that with a little cooperation between DEC and the vendors, a
simple addition to LOGINOUT.EXE and/or the TELNET server would cause this
information to be recorded, provided accounting was enabled.

The benefits of having this information should be self-evident.

Anybody have any constructive ideas on this subject?

Regards,

Ron Tencati
Jet Propulsion Laboratory
Pasadena, Ca.

TENCATI@VLSI.JPL.NASA.GOV
TENCATI@GPVAX.JPL.NASA.GOV