
Post-mortem of a DOS Attack
MartinB writes: "Following a recent spate of DDoS attacks on his grc.com (home of Shields UP!), Steve Gibson investigated, finding a network of compromised IRC bots being used to flood vulnerable targets. Surprisingly, the thing which saved him is Win 9x's non-standard implementation of Sockets, making it impossible to spoof IPs. However, he warns, even consumer versions of WinXP won't have this safety 'feature'. Is there time to prevent this? Is implementing the standard always A Good Thing?" Gibson uses too many exclamation points in his article. But it's still interesting, if only to note the number of exploited personal machines on cable modems.
users have no clue (Score:1)
The emperor has no clothes (Score:1)
He claims: "It is impossible for an application running under any version of Windows 3.x/95/98/ME or NT to "spoof" its source IP or generate malicious TCP packets such as SYN or ACK floods"
This is not true: it is easily done under such systems -- just not with the sockets layer. People have been doing it for a long time using such things as the TDI layer or direct NDIS calls from applications.
Steve Gibson is well known because he communicates well with ignorant users and has a flair for the dramatic. However, he really just doesn't understand security.
TCP/IP implementation in Windows (Score:1)
Personally, I think that it is important that every OS has a full TCP/IP implementation and I think that Gibson is barking up the wrong tree: It's important that ISPs don't route packets into the wild that don't have correct source IPs! That should be a trivial thing to do and would more or less remove IP spoofing.
There's no use in crippling the TCP/IP implementation; more sensible routing is what is needed to get rid of such attacks and to be able to find their originators. The problem of DDoS attacks still exists, of course, but it could be removed by 'intelligent' routers that don't route traffic that behaves in certain patterns, e.g. heaps of SYN packets from one IP to another.
Re:Writing Style (Score:1)
the next generation internet to be a cluster of VPNs, to cut back on the DDOS stuff. Guess what? It's probably gonna happen that way.
The Internet is based on far too much of a consensus model. Consensus models don't scale well. Bye-bye.
Re:Bot Net (Score:1)
If the hosts are spoofing the sources of the packets then you're probably screwed, but these aren't. They are installed on Windows systems that can't spoof (without rewritten TCP stacks) and installed on so many that the likelihood of being able to track down the owner of one and get co-operation in locating the trojan file is high.
The problem is, like he said, the FBI won't get involved unless $5000 worth of damage is done, or business lost, and even then they are already overworked with the cases they have. It's not an untraceable system, but anyone who traces you is unlikely to do much.
Generally not half-bad (Score:1)
Gibson is incorrect, as usual. (Score:1)
----------
frost_byte_si
AT SYMBOL
hotmail.com
Just because Winsock does not support the "IP Header Include" flag does not mean that packets cannot be spoofed from a 9x machine. The Winsock DLLs are just interfaces for the Ring0 VxDs for transport.
If 9x will not construct and send spoofed packets, then look at Exploit Generator:
ftp://ftp.technotronic.com/denial/expgen085.zip
Hopefully no one actually takes him seriously.
Linux is as bad as XP (Score:2)
However the clue level among random Linux users is not great, and Linux has implemented the full protocol all along. If the same people were all using Red Hat, that would be just as bad as everyone using Windows XP.
Sadly as long as there is no real penalty for running a compromised machine, there will be no pressure on ISPs to care. And as long as that is the case, there will be armies of bots ready to go.
If you want to fix the problem, have a fine of $500 per compromised machine the FBI finds that you have online, and a similar fine for every compromised machine an ISP connects whose activity pattern over at least a week indicates it was likely compromised. With that kind of financial bait, the police would be motivated to enforce, ISPs would be motivated to do something about the problems, and consumers would have a reason to care about security.
Nothing less will even slow DDoS. Certainly not putting the same naive people on a more capable OS (like Linux).
Re:Winblows implementation of sockets saved him? (Score:2)
Re:Please, Gibson is nothing more than an "eAlarmi (Score:2)
There are no major consequences yet because nothing truly important has been hooked up to the internet yet. There were no deaths due to car accidents for a long time after the automobile was invented, but that's only because they all went 10 mph back then. [insert cliched information superhighway analogy here]
You are completely missing the point. No intervention would be necessary if the users themselves would wake the hell up and manage their computers properly.
Re:Please, Gibson is nothing more than an "eAlarmi (Score:2)
I agree that bugs in the computer itself are also a bad thing, but through some small effort by the users (less effort than, say, buying a burglar alarm system or a Club) the bug's effects can be reduced or eliminated.
Wow (Score:5)
Everyone always writes about cracking in a condescending, "when-will-they-learn" tone, as if it's all a mildly amusing game (which it is to them, because the authors are rarely the ones being cracked). Gibson, who did get attacked himself, looks at cracking as the serious and dangerous problem that it really is. This article describes a real war, with first strikes, counterattacks, espionage, and so on.
This really opened my eyes to what a huge problem the internet's technological loopholes have and will become. More mainstream articles after this form would surely help raise the awareness about security issues that was sadly lacking in all the unknowing carriers of Zombies.
(And no, I do not consider this "fearmongering". Fearmongering does not offer solutions or point out that none of this would have happened if people would just GET A CLUE.)
Re:Winblows implementation of sockets saved him? (Score:1)
These attacks are very difficult to defend against, because they simulate actual valid traffic. And you can't block the source address, because it's invalid.
If the address is invalid it should have been blocked by the outgoing routers or the router at your edge. i.e. my firewall won't pass any of the private IP blocks and the routers at my ISP drop packets from IPs in those same private blocks.
Now spoofing routable addresses is a different story, but again, if the edge routers simply dropped traffic from IPs they shouldn't see on that particular interface, you'd see a hell of a lot less DDoS than you do now.
Re:poor GRC.com (Score:1)
Maybe you do this, but most of the internet does despite efforts to the contrary -- MFS once threatened to disconnect people who weren't blocking spoofed traffic entering and leaving their network.
I tend to think that far fewer of the edge routers are doing this than you may think. As you said, filtering becomes expensive as the routing tables become larger and companies are not wanting to spend the money on new equipment. That's why I'm suggesting that only the edges perform this type of filtering. You have a limited number of interfaces and the IPs flowing between them are far fewer than the number of acceptable addresses flying through a core router's interfaces.
Also, I'm not talking about the dialup providers. The amount of bandwidth a single (or even 1000) dialup users can provide doesn't even register on the map of these DDoS attacks. But every DSL and cable provider should be filtering their incoming traffic.
Re:poor GRC.com (Score:2)
You gotta read how he complains about the standard socket implementation of Win2k / XP. First people complain about the lack of it, now because it's there, damn, give MS a break.
I don't know about you, but my routers simply drop traffic which doesn't come from an IP that is from the interface it's coming in on. I don't care what the users run because the edge routers won't allow spoofed traffic... well, not unless they spoof another IP within the block(s) on the interface. :-)
Exclamation points? (Score:1)
-Michael
Re:Firewall can't block a ping flood (Score:2)
Of course they can. Any half way decent intrusion detection system will notice the pattern of a DoS attack, and dynamically add a firewall rule to block *all* traffic from the offending IP for a period of time. DDoS attacks are trickier, because you need to block several (often hundreds or even thousands of IP addresses or ranges), but the same principle still applies. The concern here is that a large scale DDoS attack will cause the firewall to be processing so many rules for each packet that it's unable to keep up with the traffic. The undesirable packets won't get past the firewall, but random packets will start to be dropped, including ones containing genuine traffic. So you still get a DoS, albeit a lesser one than you would have had without the firewall.
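An added illustration of the post's point (constructed example, not any IDS product's code): a sliding-window flood detector that adds an expiring block rule per offending source, with active_rules() standing in for the rule table a firewall must consult on every packet. The log format, thresholds and addresses are assumptions.

```python
"""Sliding-window flood detector that adds expiring per-source block rules.

Each source gets a block rule once it exceeds THRESHOLD packets within WINDOW
seconds, and the rule lapses after BLOCK_SECONDS.  active_rules() is the table a
firewall would consult per packet: one flooding host yields one rule, a distributed
flood yields one per bot, which is the rule-count pressure the post describes.
"""
from collections import defaultdict, deque

THRESHOLD = 100        # packets per window before a source is considered flooding
WINDOW = 1.0           # seconds
BLOCK_SECONDS = 600    # how long a block rule stays in force


class FloodGuard:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, block_seconds=BLOCK_SECONDS):
        self.threshold = threshold
        self.window = window
        self.block_seconds = block_seconds
        self.recent = defaultdict(deque)   # src -> timestamps inside the window
        self.blocked = {}                  # src -> time the block rule expires

    def handle(self, ts, src):
        """Classify one packet: 'accept', 'blocked' (rule present) or 'block-added'."""
        expiry = self.blocked.get(src)
        if expiry is not None:
            if ts < expiry:
                return "blocked"
            del self.blocked[src]          # rule lapsed; the source starts clean
        q = self.recent[src]
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()                    # drop timestamps that fell out of the window
        if len(q) > self.threshold:
            self.blocked[src] = ts + self.block_seconds
            q.clear()
            return "block-added"
        return "accept"

    def active_rules(self, ts):
        """Sources whose block rule is still in force at time ts."""
        return sorted(s for s, exp in self.blocked.items() if exp > ts)


def parse_line(line):
    """Parse a constructed 'ts src proto' log line, e.g. '1000.004 203.0.113.7 icmp'."""
    ts, src, proto = line.split()
    return float(ts), src, proto


def replay(lines, guard=None):
    """Run log lines through a guard; returns per-verdict counts and the guard."""
    guard = guard or FloodGuard()
    counts = defaultdict(int)
    for line in lines:
        ts, src, _proto = parse_line(line)
        counts[guard.handle(ts, src)] += 1
    return dict(counts), guard


# Constructed sample: one host ping-flooding (300 pkts in 0.3 s) among two quiet hosts.
SAMPLE_LOG = [f"{1000 + i * 0.001:.3f} 203.0.113.7 icmp" for i in range(300)]
SAMPLE_LOG += [f"{1000 + i * 0.1:.3f} 198.51.100.{20 + i % 2} tcp" for i in range(10)]
SAMPLE_LOG.sort(key=lambda line: float(line.split()[0]))
```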
Re:Have a cookie Mr Gibson. (Score:1)
Re:Winblows implementation of sockets saved him? (Score:2)
There are two issues you're addressing here.
Windows' crappy sockets implementation prevents it from participation in spoofed packet building attacks, like SYN floods and the like. These attacks are very difficult to defend against, because they simulate actual valid traffic. And you can't block the source address, because it's invalid.
Windows' crappy security allows trojans to be installed that can make attacks that don't require spoofing to be effective - massive ping floods and the like. These attacks, as SG shows, can be effectively 'cancelled' to a degree. The attack was still going on, but the number of packets coming in wasn't as big a deal to the fat pipe upstream from the small T1 lines.
Re:Look who's talking... (Score:2)
He probably runs multiple servers - it's hard to test Windows trojans on a Linux box. And DDoS is blind to your OS. You can DDoS a Linux box as easily as a Windows box as easily as a MacOS box. DDoS is a weakness of TCP/IP, not of a particular OS; therefore, it can affect any system on the internet.
Re:minor corrections for you (Score:2)
You're right, I don't know what I was thinking :) Attacks like SYN and such are still creating the bandwidth DOS attack. However, they tend to do it a lot less effectively, since the problem with the spoofed attacks is that they appear to be valid data, whereas I can tell that a 64K fragmented ping packet is not valid, and have the ability to filter based solely on the properties of the traffic. You can't filter on those terms for a spoofed DoS attack.
Missing footnotes (Score:2)
Oops, forgot my footnotes :) And whoever modded my main post as a troll is one of the people who can't read that I mention up there in the beginning. They apparently can't read here either.
1. You wouldn't know it from reading comp.os.linux.help
2. Aunt Maude who just bought her new Celeron 500 and 15 inch monitor bundle from Walmart
To spoof or not to spoof... (Score:5)
It seems there's a confusion in the discussion below, because people are too dumb to read the part of the article where Steve talks about Spoofed attacks. Let me try to explain.
SG talked about two different attacks. The main one is the brute-force, fill-your-bandwidth, ping attack. This attack is based on known ports and data types that fall outside of what can be considered 'normal' traffic, since in no way should well over a gig of ICMP ping data per minute be considered normal. Because of this, the routers on the upstream side could be configured to disallow the passing of that data. This is what brought the servers back on the net each time.
The part he just briefly touches on is the spoofed attacks, like SYN attacks and the like. These attacks require the source to manipulate the TCP stack outside of what would be considered 'normal' use. Like sending SYN packets and not sending the SYN-ACK in reply to an ACK that is required in the 3-way handshake. These attacks simulate normal data - SYN attacking the web server, for example. All connections to a web server start with a SYN. So there is no way to statelessly determine if any given SYN is valid or not. The only way to cancel out these attacks is to disable valid services running in your network.
The problem isn't necessarily that Windows will now be able to spoof - the number of machines on the 'Net that can spoof has increased dramatically since Linux appeared on the scene. However, people that run Linux also tend to know more about the technical aspects of their computers, and understand how to look for the signs of your computer being taken over (1). The typical Windows consumer (2), however, has very little idea what goes on inside the case where all those wires are connected to, and half of the time, couldn't even get the computer set up right if the cables and ports weren't color-coded. These are the people that see a new Email from Aunt Maude that says "Re: Re: Re: Re: Re: Re: Funny! Open now!" and open the little attachment that drops the Sub7 pieces into their registry before dancing around on their computer and making them laugh.
And the problem is stupid laws that keep the FBI from pursuing 13-year-old script kiddies because our laws prevent much of anything from happening to them. Kids that sell drugs and rape other kids go to Juvenile Detention until they're 18, at which point they get out, do it again, and go away for a long time. The legal system needs to start treating the spoiled brats who have nothing better to do than DoS computers the same way. If they were picketing and physically blocking entrance to a Brick-and-Mortar store, the police would drag them away. This is the cyberspace extension of that very same idea.
So cleanup all 900 machines already. (Score:2)
--locust.
Re:users have no clue (Score:1)
Just because someone sent it to you does not mean you have to open it.
Have a cookie Mr Gibson. (Score:3)
Anyone who knows networking will tell you that this is exactly what SYN cookies were made for. The attack didn't use up all the network traffic, but rather used up all the filehandle slots on the server OS.
Just take a look at that graph [grc.com] and the answer is obvious.
When using SYN cookies the server doesn't allocate a file handle for each new connection but puts a 'challenge' in the SYN/ACK packet and waits for the last ACK of the 3-way handshake. This effectively forces the attacker to reveal his IP address if he wants to use up the filehandles, and then you just block him in your router.
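The mechanism the post describes, as an added server-side demo (constructed code, not grc.com's or any OS's TCP stack): the cookie layout, the MAC key, the MSS table and the sample addresses are assumptions, but the property shown is the real one, that no state exists until a verifiable ACK arrives from a reachable source.

```python
"""Server-side SYN cookies: allocate nothing on SYN, verify the cookie on the final ACK.

A server under SYN flood normally allocates a half-open connection (the
"filehandle slot" the post refers to) for every SYN.  With cookies it instead
encodes a keyed MAC of the 4-tuple, a coarse timestamp and the client's MSS
into its own initial sequence number and keeps no state.  Only a host that
really receives the SYN/ACK can echo cookie+1 in the final ACK, so spoofed
SYNs cost nothing and a real, blockable source address must be used to get
a connection at all.
"""
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)      # a real stack rotates this periodically
MSS_TABLE = (536, 1220, 1440, 1460)    # 2-bit index -> MSS the server will use
TICK_SECONDS = 64                      # timestamp granularity inside the cookie
MAX_AGE_TICKS = 2                      # cookies older than ~2 minutes are refused
established = {}                       # connection state exists ONLY after a valid ACK


def _mac(src_ip, src_port, dst_ip, dst_port, client_isn, tick):
    """25-bit keyed MAC binding the cookie to this peer, this SYN and this tick."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x1FFFFFF


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Server ISN layout: [5-bit tick][2-bit MSS index][25-bit MAC]."""
    tick = (int(now) // TICK_SECONDS) & 0x1F
    idx = 0                                    # largest table MSS not above the client's
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    mac = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, tick)
    return (tick << 27) | (idx << 25) | mac


def on_syn(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Answer a SYN with a SYN/ACK whose sequence number is the cookie; allocate nothing."""
    server_isn = make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now)
    return {"seq": server_isn, "ack": (client_isn + 1) & 0xFFFFFFFF}


def on_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Handle the handshake's final ACK; rebuild the connection only if the cookie verifies."""
    client_isn = (seq - 1) & 0xFFFFFFFF      # the ACK's seq is the client ISN + 1
    cookie = (ack - 1) & 0xFFFFFFFF          # its ack field is our ISN (the cookie) + 1
    tick = cookie >> 27
    idx = (cookie >> 25) & 0x3
    now_tick = (int(now) // TICK_SECONDS) & 0x1F
    if (now_tick - tick) & 0x1F > MAX_AGE_TICKS:
        return None                          # stale, or a forged timestamp field
    if cookie & 0x1FFFFFF != _mac(src_ip, src_port, dst_ip, dst_port, client_isn, tick):
        return None                          # MAC mismatch: we never sent this SYN/ACK
    conn = {"mss": MSS_TABLE[idx], "rcv_next": seq, "snd_next": ack}
    established[(src_ip, src_port, dst_ip, dst_port)] = conn
    return conn


def spoofed_syn_flood_cost(n_packets, now):
    """Server state consumed by n SYNs from constructed sources that never answer."""
    before = len(established)
    for i in range(n_packets):
        src = f"203.0.113.{i % 256}"               # constructed, unreachable senders
        on_syn(src, 1024 + i % 60000, "198.51.100.1", 80, i * 7919, 1460, now)
    return len(established) - before   # always 0: no SYN/ACK is ever acknowledged
```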
Re:Standard = Good (Score:1)
Let's play blame the victim. (Score:2)
Enjoyable read (Score:2)
!r
EvilBot1.3 ready to attack...
EvilBot1.3 ready to attack...
EvilBot1.3 ready to attack...
.
.
.
Look who's talking... (Score:2)
From his DOS attack history [grc.com] page: "defragment our server's hard drives" ? Seems that he's not using Linux for his servers...
And then he complains about being DoSed? Sheesh...
--
Re:Duh! (Score:2)
The reason DDoS attacks are as bad as they are is due almost entirely to lazy ISPs who don't do ingress filtering. The days of routers not being fast enough to do simple filtering are long past. I personally think ISPs should be held liable for allowing their customers to send out spoofed packets. Maybe then the situation would improve.
Re:Script kiddie meets "real" hacker, soils self . (Score:4)
IRC admin ordeal with a botnet. (Score:2)
The email I wrote to CERT is located here [granzeau.com]. It details some of the stuff that happened as I got rid of the botnet. I deleted around 500 bots when all was said and done.
--
Gonzo Granzeau
My experience as an IRC admin (Score:4)
Glad someone else is invading these bot nets like I did.
--
Gonzo Granzeau
Duh! (Score:2)
If you can't track them back (easily) then how will you stop them? Getting ISPs to NOT forward packets that aren't sourced from their domain's IP range would be a start, but not perfect IMO, as you could simply make it look like Jimmy Joe Bob next door.
Re:Look who's talking... (Score:2)
COMINT (Score:3)
Wow. Traffic analysis. A standard tool used by NSA, GCHQ, et al. Amazing how much you can learn from communications without actually reading the messages. Think about that when you use encryption. What can your opponent learn just by tracking who you are talking to?
Spoofing issue a red herring (Score:2)
@echo off
ipconfig net0 10.0.1.1
spoofmanypackets.exe
ipconfig net0 back.to.normal
OK, a little crude, but it'll work - or do these script kiddies really not write scripts anymore
Re:poor GRC.com (Score:2)
The non-standardness of the sockets is an issue with porting software from other platforms, but that is a winsock/port issue, not a low level packet construction issue.
--
Re:The emperor has no clothes (Score:3)
You point out that he communicates well with ignorant users. Now, it's possible that this is because he himself is ignorant, but you must recognize the other possibility: he knows what is going on, and communicates to ignorant users only the aspect they will understand.
For example, many posters on Slashdot are picking at his claim that Win9x -can't- send spoofed packets etc.
As far as average users go, this is sufficient information. It's like learning in school that a thrown object will describe a parabola (it won't, since the earth is not flat with uniform gravity, but it's close enough for the level of those students). It's better to raise the average education level, than to provide lots of geekish details that will put people off.
And of course, to you and me, it is clear what he means: Windows can't send those packets without a lot of messing around -- and I would expect that this is the sort of thing that would be difficult to install in a Trojan
(recall that the issue here is machines which can be -remotely compromised- -- not a bunch of kids sitting on their own PC with bandwidth, looking for somewhere to aim it).
Re:win tcp/ip stack? (Score:2)
you should re-read the thread (Score:2)
I said they should note that a SYN - ACK - SYN needs to occur, which is TCP based, not UDP, so all UDP traffic should be blocked, since for a website you'd need that 3-way connection, not a UDP based connection. Re-read my post.
As for your "it is hard through a general purpose router" comment, BS: you could easily drop all UDP packets without worry if you're not providing any UDP based services, and dropping the UDP packets won't affect the router as much as having to route the packets.
minor corrections for you (Score:4)
The only way to cancel out these attacks is to disable valid services running in your network.
Actually you're wrong. I wrote "Daemonic [antioffline.com]" when I was writing "Theories in DoS [antioffline.com]", a paper on higher network level based attacks such as BGP, OSPF based attacks. Now what Daemonic does is send pseudo-random garbage (spoofed) to any port you specify.
Simple lame little DoS attack, right? Now even if you don't have the service running for the port you're sending the data to, it'll still crap out your Windows 2000 box with ease. Now if you send it with a multicast source address, which is weirder (haven't benchmarked), things really get odd.
Either way it'll bang up your network. Now FYI, sending data through to a port that's not running still has to get there, which means the network can still amass latency, which is where you would want to nip it at the butt with your router or firewall.
who are you kidding (Score:5)
So someone writes and says they're a 13 year old script kiddie who knows that the FBI will traceroute, etc, etc, etc., and this is believable? Highly doubtful. As for the attacks, I would say Mr. Gibson should have his uplink provider hire some clueful router administrators who would've fixed the problem in a heartbeat.
Lack of understanding from those involved often creates more harm than help. UDP packets coming in to a website? And the admins couldn't think of firsthand network skills, SYN --> ACK --> SYN, 3-way TCP handshaking? They need to go back and study up using some Cisco Press material.
Anyways for those who haven't seen the page yet or are in charge of networking, and or firewall equipment, check out Stopping DoS [antioffline.com] which is a "do this now" tutorial to stop beating around the bush and cut DoS attacks at both the firewall, and network (router) level. It's not an rfc, not a write up of what a DoS attack is, simply a "fuck it's 3am and I'm getting DoS'ed now how do I stop this shit" paper.
Re:TCP/IP implementation in Windows (Score:2)
Re:The emperor has no clothes (Score:2)
But, it is clear that his programming talents tend to rely upon higher level interfaces nor is he fully cognizant of other tools that are available for other platforms. He seems to concentrate on the Windows platform and does that pretty well. But, he's been talking about nanoprobes for sometime (at least a year) and nothing useful seems to have grown from it.
But, then again, who cares what the programming talent of a script kiddie is when it's clear they simply use tools developed by more accomplished programmers for malicious intent.
It doesn't take much to climb into a large truck, turn the key, put it into gear and plow into oncoming traffic just to see how much damage you can do.
What we need are better, smarter tools to detect attacks and have them develop countermeasures against these attacks (sorta like iptrap but on a grander scale). Perhaps the "smart" tools could interface with ISPs to allow them to adapt and filter out the attacks thus preventing them from reaching customers? How would we do this? No clue.
And, we need ISPs who are accessible, have qualified individuals on staff, and willing to help in a timely fashion.
Finally, we need law enforcement with the means and wherewithal to be able to track down these punks and cut their cables permanently. If the attacks are gov't sanctioned, cut the frick'n cable to the country. Or, block all traffic out of known terroristic states. Eventually, the legitimate users will have had enough and demand a change.
Re:Irresponsible (Score:2)
For example, let us assume an ISP has a customer with a LAN on the far end of a T1 using the class C 192.168.1.0. If the ISPs router were to see packets sourced from 172.16.4.7, then obviously something is not right. It's either spoofed or a mis-configuration -- the customer could be multi-homed, or have two LANs, etc.
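The per-interface check this post (and the "poor GRC.com" replies above) describes, as an added demo that is constructed here and is not any router vendor's code: 192.168.1.0/24 and 172.16.4.7 come from the post, the other prefixes, interface names and packets are assumptions.

```python
"""Per-interface source-address (ingress/egress) filtering at an ISP edge router.

The router knows which prefixes legitimately sit behind each customer interface.  A
packet arriving on that interface from any other source is either spoofed or a
misconfiguration (multi-homed customer, second LAN); both are dropped and logged so
the operator can tell them apart.  On the upstream interface the check is reversed:
nothing claiming to come from our own customers should arrive from the outside.
"""
import ipaddress

# Interface -> prefixes assigned to the customer on it.  None marks the transit link.
# 192.168.1.0/24 is the customer LAN from the post; the rest is constructed.
INTERFACES = {
    "serial0": ["192.168.1.0/24"],
    "serial1": ["198.51.100.0/24", "203.0.113.128/25"],
    "upstream": None,
}


class IngressFilter:
    def __init__(self, interfaces):
        self.customer = {
            name: [ipaddress.ip_network(p) for p in prefixes]
            for name, prefixes in interfaces.items() if prefixes is not None
        }
        self.upstream = {name for name, p in interfaces.items() if p is None}
        self.ours = [net for nets in self.customer.values() for net in nets]
        self.log = []   # (interface, source, reason) for every drop

    def _drop(self, iface, src, reason):
        self.log.append((iface, str(src), reason))
        return "drop"

    def decide(self, iface, src):
        """Return 'forward' or 'drop' for a packet with source src seen on iface."""
        src = ipaddress.ip_address(src)
        if iface in self.customer:
            if any(src in net for net in self.customer[iface]):
                return "forward"          # caveat: spoofing *within* the block still passes
            if any(src in net for net in self.ours):
                return self._drop(iface, src, "source assigned to another interface")
            return self._drop(iface, src, "source not assigned to this interface")
        if iface in self.upstream:
            if any(src in net for net in self.ours):
                return self._drop(iface, src, "our own prefix arriving from upstream")
            return "forward"
        raise ValueError(f"unknown interface {iface}")


def run_sample():
    """Feed a constructed packet sample through the filter; returns verdict counts and log."""
    f = IngressFilter(INTERFACES)
    packets = [
        ("serial0", "192.168.1.20"),     # legitimate customer traffic
        ("serial0", "172.16.4.7"),       # the post's example: spoofed or misconfigured
        ("serial0", "198.51.100.9"),     # another customer's prefix on the wrong link
        ("serial1", "203.0.113.200"),    # legitimate
        ("upstream", "192.168.1.20"),    # outside host pretending to be our customer
        ("upstream", "192.0.2.44"),      # ordinary Internet traffic
    ]
    counts = {"forward": 0, "drop": 0}
    for iface, src in packets:
        counts[f.decide(iface, src)] += 1
    return counts, f.log
```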
Re:Let me get this straight... (Score:2)
Perhaps if he had gone back to the FBI with this information, they would have paid more attention to him, since they could have used his data to go after people DDoSing the big boys.
Let me get this straight... (Score:3)
Rather than turning all this over to the FBI, so that they can start tracking these people down, he makes it known to them that he has it, and publishes it. Now, the people who make these abominations will move their control over to something else.
Granted, the FBI might not do anything with the data. If so, then make a stink about the FBI not doing their job!
Personally, vigilante justice is starting to sound better and better....
I was infected by one of these bots. (Score:5)
After I had finished reading I thought I'd check my machine (It's multi-boot, I don't use Windows that much). To my horror, I found out that my Windows partition was infected by the SubSeven bot.
So I kicked up my IRC client and connected to the IRC server that the bot was on. I entered the admin channel and just sat there. A little while later somebody messaged me. I explained that a hidden bot was connected to the server and asked how to remove it.
I was pointed at: http://www.moosoft.com
I downloaded the "Cleaner" application which did a fine job of finding the bot and removing it.
I had a little chat with (I assume) the person controlling these bots. The person seemed to be quite helpful, which surprised me.
From the IRC stats, there were over 900 infected machines connected.
After removing the bot, I disconnected from the IRC server. I'm now considering what to do next. The IRC server was hosted by a company offering UNIX shells, and IRC server hosting.
Do I just leave it at that, put it down to experience and move on? Or should I inform the hosting company, and possibly risk being DoSed myself? (I suspect that the person I talked to on the IRC server logged my IP, which is static.)
Nanoprobe (Score:2)
http://slashdot.org/article.pl?sid=00/09/29/154
This article is entertaining, but not especially informative. He bitches about Windows 2000/XP including raw sockets capabilities and says he doesn't know why - wouldn't this be so that applications can do packet mangling? (firewalls, NAT, IP Aliasing, etc?)
Re:poor GRC.com (Score:3)
slashdotted.
You mean, first he gets DDoS'd by a bunch of script kiddies using IRC bots, then he gets...
DDoS'd by a bunch of script kiddies using web browsers.
Spoofing, raw packets on Windows aren't that hard (Score:2)
Disc-lamer: I *am* making much of this up. I haven't tried to turn this into working code. Take it with several grains of salt. But the principles are pretty much correct.
Re:Script kiddie meets "real" hacker, soils self . (Score:3)
Re:Script kiddie meets "real" hacker, soils self . (Score:3)
A few years back I had a few kiddiez harassing me on IRC. They were really "37337."
I did a traceroute to them and noticed a router of some sort sitting right in front of them -- it just looked weird. I opened a telnet session and found myself at:
zimmylan>
A Cisco ISDN router, with no password set.
They replied "0h y4H, d0 1t."
I rebooted their router.
They thought I was God.
Script kiddie meets "real" hacker, soils self ... (Score:4)
My favorite line was: Before you question Gibson's skill, or his "inside information" (as one poster suggested "he must have had the Windows source code") consider that this man downloaded and learned the RFC for IRC [irchelp.org]. That might seem alien to someone who relies on the work of others, or reading script FAQ's, but this fellow knows how to make proper use of the tools before him and relies on his own knowledge to craft solutions.
He did not have any help from Microsoft. He knows his tools and he knows his craft. By his own words he's not a magician, he's a scientist.
Be humbled kiddiez, for every dozen of you who "hax0rz" on IRC there's someone like Gibson who actually can hack and run circles around you. Notice that ^boss^ gave this guy respect?
That's very wise.
Didn't he mean... (Score:2)
Phillip.
Re:Linux is as bad as XP (Score:2)
Although it is true that the Linux TCP stack will allow you to construct raw TCP packets, you can't do that without root privs. Windows basically has the same TCP implementation as an unprivileged UNIX login.
That said, I do think it would be helpful if routers checked the return IP address to see if they have arrived over a valid channel as that would essentially eliminate spoofing.
Remember when much of the internet backbone used to run routed?
Nonstandard = good? (Score:2)
> Thing?"
One can always find a situation, however esoteric, where doing it the "wrong" way seems advantageous. Just like there's always a situation where ignorance provides some benefit, but that doesn't mean that one should always choose ignorance as a matter of course.
Standards are the same way. The one-in-a-million situation where a nonstandard approach provides an accidental benefit (this case for example) isn't really a good case for *always* implementing a non-standard approach.
Re:What about NIC addresses ? (Score:2)
Wouldn't work - the NIC address is only used on the local hop, and discarded (well, replaced) with the next pair.
That MAC address is how the cards themselves talk to each other, while inside the ethernet packet is -another- set of addresses, which you would consider to be the "real" addresses - the TCP/IP source and destination.
XP Firewall (Score:2)
Just how long do you think it will be after XP ships before at least one huge hole is found in the default setup? And how much longer before updated bots start taking advantage of it?
I give it two weeks, max.
"That old saw about the early bird just goes to show that the worm should have stayed in bed."
Re:XP not an issue (Score:3)
Indeed. You don't even need to do the hard work of building a full stack if you are just going to SYN flood or similar. You just need a packet driver and some IP smarts.
possibilities (Score:2)
with the techniques he employed, it seems quite possible to create an anti-zombie "team" to go out and defuse ddos nets. I'd probably even pay a team to do just that, if I was losing real dollars to a ddos.
Mirror! (Score:4)
---
Re:My experience as an IRC admin (Score:2)
--
Re:Bot Net (Score:2)
But, eggdrops are very frequently used on IRC for channel services (as mentioned earlier), and even in massive bot nets. However, these exist for redundancy rather than attack. On a netsplit-prone network that has no services (namely EFnet), bots are absolutely essential to maintain any public channel, and the more the better. And of course, eggdrops are preferably hosted on good connections, as they themselves are frequently targets of attacks.
--
Firewall can't block a ping flood (Score:2)
Cable Modem users need to learn about firewalls
Firewalls don't help against valid traffic flood attacks. In a VTF DOS (such as a ping flood, port 80 SYN flood, or Slashdot effect), RFC-conforming packets (not mal-formed packets as in ping of death) disguised as legitimate requests are sent to the target; so many packets are sent that the pipe fills up and the server has trouble fielding requests. Such attacks take advantage of the client-server nature of the commercial Internet as we know it at the turn of the century by using lots and lots of underpowered connections (56K, ISDN, low-end DSL) to take down fat pipes (high-end DSL or cable, T1, even T3).
Floods MUST be blocked upstream.
Punctuation (Score:3)
_O_
hacker or cracker (Score:2)
When would a hacker use a DOS attack in the first place..
More DOS attacks on grc.com (Score:2)
Nicknamed the "slashdot effect", it has already brought down countless web servers in the past.
No (Score:2)
Bot Net (Score:2)
What about NIC addresses ? (Score:2)
So in theory, even spoofed packets could be traced back to my machine by my ISP (assuming the NIC address is slapped onto every packet sent by my machine).
Would it be possible to use some system like this to prevent spoofing (at least from always-on connections) - assuming the ISP's would agree to check ddos packets against NIC addresses ?
Security sells (or does it?) (Score:2)
That could change quite dramatically if a few ISPs actually started to make their users aware of security and provide them with help (both helpdesk and software like ZoneAlarm). It happened to cars, for example. Manufacturers knew you were in big trouble when you crashed a car, but no one thought of telling the public, because it might scare them away from their cars. Look what the situation is nowadays: results from crash-tests (such as Euro NCAP [euroncap.com]) are heavily used in commercials for cars. The more security measures a car features, the better the public likes the car. Security sells!
So why wouldn't this be true for ISPs? Suppose I'm someone who wants to get a cable modem because I want to surf a lot and maybe run some other stuff. Not an advanced user, just John Doe who likes having a permanent and fast connection (and I think that's the larger part of cable modem users all over the world). Now two of my friends have normal providers who keep their mouths shut about whatever might concern security and two others have a decent ISP, that explains about what might happen and how to avoid it. Sure, the first two guys will probably have less "strange messages" to worry about, but I think I'd sleep a lot better if I knew that my connection had at least some sort of protection against the threats my other two friends don't even know exist.
And I think it would be better for ISPs themselves. After all, if their users have some basic knowledge of security and check their configuration every now and then, the ISP will not get involved in these kinds of stories as often. Better for their name and the chance of probable claims from victims.
Again I want to point to a story from car history: the Ford Pinto [mojones.com]. This car had the petrol tank behind the rear wheels. It proved that this was catastrophic when another car crashed into your back: the tank would burst and the petrol would instantly turn to fire because it was in immediate contact with the hot engine of the car that crashed into it. Ford didn't change it, because at that time security didn't sell. When it turned out that Ford had known that this car was dangerous and hadn't done anything to change it (because it was cheaper to pay a few claims than to change the design of the car), they got the public opinion against them.
I think the same goes for ISPs: security does sell, it's just that the general public needs to be made aware of it. I'm sure a lot of @Home users aren't too pleased to hear that they've been abused for criminal activities, while their ISP knew that but didn't act. So let's spread the word: using the Internet can be dangerous, just as driving a car can be dangerous. Don't be defenseless, do something about it!
Re:Punctuation (Score:2)
Re:Writing Style (Score:2)
Why would they care? Guess what - when an OS has 95%+ of the market or whatever the figure is (that sounds high), you have a statistically higher chance of being hit. Besides, I'll bet you that Linux would do just as poorly in the hands of the same people who had their machines zombified - how many people are capable of properly securing their machine? And how many people do you think would have been running an old, out-of-date copy of the OS anyway?
In fact, what he's saying is that by making Win2000 more like UNIX, Microsoft is making the entire Internet less secure. And in this case (making spoofing packets easier), I believe him.
Re:Let's look at both ends here... (Score:2)
How I wish you were kidding. As much as I dislike AT&T (roadrunner/mediaone), at least they filter the ms file sharing ports...
-bluebomber
Gibson? (Score:2)
Re:DDoS the kid (Score:3)
Writing Style (Score:4)
Fortunately -- the attacking machines were all security-compromised Windows-based PCs. In a fluke of laziness (or good judgement?) that has saved the Internet from untold levels of disaster, Microsoft's engineers never fully implemented the complete "Unix Sockets" specification in any of the previous versions of Windows. (Windows 2000 has it.) As a consequence, Windows machines (compared to Unix machines) are blessedly limited in their ability to generate deliberately invalid Internet packets.
It is impossible for an application running under any version of Windows 3.x/95/98/ME or NT to "spoof" its source IP or generate malicious TCP packets such as SYN or ACK floods.
As a result, Internet security experts know that non-spoofing Internet attacks are almost certainly being generated by Windows-based PCs. Forging the IP address of an attacking machine (spoofing) is such a trivial thing to do under any of the various UNIX-like operating systems, and it is so effective in hiding the attacking machines, that no hacker would pass up the opportunity if it were available.
This has horribly changed for the worse with the release of Windows 2000 and the pending release of Windows XP. For no good reason whatsoever, Microsoft has equipped Windows 2000 and XP with the ability FOR ANY APPLICATION to generate incredibly malicious Internet traffic, including spoofed source IPs and SYN-flooding full scale Denial of Service (DoS) attacks!
So we are left with the vision of loads of potentially insecure Windows boxes - open to the world - being used for more DDoS attacks.
None of which will be pleasing to the MS loyalists.
Thank you, Microsoft. This last point is kinda important:
I hope it is becoming clear to everyone reading this, that we can not have a stable Internet economy while 13 year-old children are free to deny arbitrary Internet services with impunity.
And we wonder about the future of the Internet.
Check out the Vinny the Vampire [eplugz.com] comic strip
A! Note! From! Steve! Gibson! (Sorta!) (Score:2)
Re:Let me get this straight... (Score:3)
Re:Look who's talking... (Score:2)
But knowing Steve, he probably hand-coded his web server in assembly and it's only 28k in size.
poor GRC.com (Score:4)
slashdotted.
damned if you do, damned if you don't.
Let's look at both ends here... (Score:4)
Quoting today's popular quote:
"I hope it is becoming clear to everyone reading this, that we can not have a stable Internet economy while 13 year-old children are free to deny arbitrary Internet services with impunity."
While this is true, anyone who goes online should not set their system up like a 13 year old might either.
In other words: Don't leave your door open if you do not wish to be victimized. Unfortunately, the local cable company turns on MS file sharing for "support purposes" on all new installs, so one can see how easy it was for this person to gain control of so many systems.
He blasts BlackICE defender. (Score:5)
To anyone who is still stubborn enough to insist that BlackICE Defender is actually good for something: PLEASE do not write to me. I don't want to hear it. I'm a scientist who will not find your mystic beliefs to be compelling. I respect your right to your own opinions, no matter how blatantly they fly in the face of logic and reality. That is, after all, the nature of faith. Happy computing. I suggest prayer.
I love that last part, "I suggest prayer."
Re:Please, Gibson is nothing more than an "eAlarmi (Score:2)
Come on now. We both know that this is NOT going to happen. Ever helped your mom or your neighbor or some other clueless individual with a Windows PC? Most of the people I talk to can barely figure out what an icon is much less understand at all how to secure their system. It sucks, but that's the reality. Computers are commodity, like VCRs and CD players. At this point, they're no different. That's the sad truth.
-S
Winblows implementation of sockets saved him? (Score:3)
- Wasn't it the crappy security in windows that allowed the DOS attack to occur in the first place?
@Home and computer security (Score:3)
Within the first 14 hours I had witnessed 7 attacks: three people from outside @home had attacked port 20 (ftp), one had attacked port 515 (lpd, known security problem), two were SubSeven trojan backdoor scans, and one was a NetBus backdoor scan. All in all, over 100 packets were logged at that time, though most turned out to be benign (myself forgetting that I had blocked all pop3 access to the server, for example, and then trying to use a very restricted account to receive system email remotely, as well as dhcp broadcast traffic; the rules are being updated to avoid confusion).
The home user should be taught basic computer safety and security, IMO. However, vendors don't want to scare their customers, so real security is next to impossible to attain....
One of the more fascinating articles (Score:3)
good analysis (Score:5)
In a previous life I was the green (read: my first month on the job) sysadmin who had a unix machine trojaned to become a zombie for a DDoS attack. It saturated our measly internet connection and proved how useless our security (policy) guy was.
I didn't have time to look into it at the time, busy fixing that and a dozen other problems. So I was enlightened to know more about what had happened.
There is a lot of accessible security information at SANS [sans.org], though they get annoying at times by trying to sell their conferences and courses, which I understand are worth going to.
Re:users have no clue (Score:2)
Re:poor GRC.com (Score:3)
Then I find out that it's just you guys...
Re:Linux is as bad as XP (Score:3)
However the clue level among random Linux users is not great, and Linux has implemented the full protocol all along. If the same people were all using Red Hat, that would be just as bad as everyone using Windows XP.
You're right. But unfortunately it's going to be WinXP that becomes the OS of choice for the clueless users, not RedHat (or some other distro). And while we can try like mad to educate the users, it's not going to happen. Clueless users will always outnumber clueful users. Look at how many people still can't program a VCR, and they've been in homes since the early '80s!
Sometimes you just have to give up on teaching kids not to cut their hands off and start handing out safety scissors again. MS has been very keen on trying to control and limit the use of WinXP by end users for only MS-approved purposes. This should just be one more safety feature that they implement to protect the users from their own ignorance.
On the other hand, the TCP/IP stack in Win2K is just awesome fast compared to the Win9x flavors...it sure was nice to have if you had to have Windows.
Re:Writing Style (Score:5)
But the thing that I find great about Steve Gibson is that he writes things in a compelling story-like format and in plain English that even the clueless could understand. We techie types already know most of what he had to say in this article to begin with. It's the non-techies who need to read this stuff and learn how to protect themselves, and I think that he does an excellent job at targeting areas of his site to that particular audience.
Re:Look who's talking... (Score:2)
A crash reduces
Your expensive computer
Some points (Score:3)
The folk who are flailing around condemning the 'incomplete sockets implementation' should consider that the IETF never endorsed BSD sockets as a standard. The ability to forge packets is arguably a fault in the BSD sockets spec, and Microsoft was arguably correct in implementing checks on the IP source packets it will generate.
Slashdotters who posted MSFT flames could do with repeating 100 times 'the UNIX way is not always the right way'.
In days of yore we VMS folk used to flame UNIX precisely because this sloppy type of programming was pervasive.
It would be interesting to know what facilities the firewall in Windows XP provides for filtering and monitoring forged packets. It would also be interesting to know how difficult it is to disable the firewall.
As one poster has pointed out, however, the fact that most cable hookups tend to have source address checking probably saves the day. Also, the fact that many home users have NAT boxes to share their cable connection around the house probably provides some protection.
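The source address checking at the cable edge mentioned here, and the per-customer traceback the "What about NIC addresses?" poster asks about, both come down to an ingress filter on the ISP's customer-facing port. The example below is added here and is not code from any poster or from grc.com; the port names, prefixes and packets are constructed, and the DHCP special case reflects the earlier poster's note that DHCP broadcast traffic tripped their own rules.

```python
# Added example: a simulated BCP 38 style ingress filter on ISP customer ports.
# All port names, prefixes and packets below are constructed for illustration.
import ipaddress
from dataclasses import dataclass

# Constructed mapping of customer port -> source prefix that port may use.
CUSTOMER_PREFIXES = {
    "cable-port-17": ipaddress.ip_network("203.0.113.0/28"),
    "cable-port-42": ipaddress.ip_network("198.51.100.64/26"),
}

@dataclass
class Packet:
    ingress_port: str   # physical port the packet arrived on (the ISP knows this)
    src: str            # claimed source address (attacker-controlled if spoofed)
    dst: str
    proto: str

def ingress_verdict(pkt: Packet) -> str:
    """Return 'accept' or 'drop:<reason>' for a packet from a customer port."""
    allowed = CUSTOMER_PREFIXES.get(pkt.ingress_port)
    if allowed is None:
        return "drop:unknown-port"
    src = ipaddress.ip_address(pkt.src)
    # Edge case: a host without an address yet sends DHCP from 0.0.0.0.
    # A filter that only checks the prefix would block address assignment.
    if src == ipaddress.ip_address("0.0.0.0") and pkt.proto == "udp/dhcp":
        return "accept"
    if src in allowed:
        return "accept"
    return "drop:spoofed-source"

def filter_batch(packets):
    """Tally drops per ingress port. This is the traceback the ISP wants:
    a spoofed packet is attributed to the port it came in on, not to its
    forged source address, which is all the attacker can control."""
    per_port = {}
    for pkt in packets:
        if ingress_verdict(pkt).startswith("drop:"):
            per_port[pkt.ingress_port] = per_port.get(pkt.ingress_port, 0) + 1
    return per_port

SAMPLE = [  # constructed traffic sample
    Packet("cable-port-17", "203.0.113.5", "192.0.2.10", "tcp"),        # legitimate
    Packet("cable-port-17", "10.99.0.1", "192.0.2.10", "tcp"),          # forged source
    Packet("cable-port-17", "0.0.0.0", "255.255.255.255", "udp/dhcp"),  # DHCP, allowed
    Packet("cable-port-42", "203.0.113.5", "192.0.2.10", "tcp"),        # valid prefix, wrong port
    Packet("cable-port-99", "198.51.100.70", "192.0.2.10", "tcp"),      # unknown port
]
```

Run `filter_batch(SAMPLE)` to see one drop attributed to each of the three ports, including the neighbour's address reused from the wrong port, which a NIC-address check alone would not catch once the frame has crossed the first router.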
Oh, man... (Score:2)
My servers can't be easily DoSed off the Internet, as I have a (fairly) secure ISP. They know how to administer their routers and have professionals on the job. Does Steve's ISP have professionals on the job? Apparently not.
He has something technically wrong, too. He is always bragging about how he can ignore "ICMP packets completely," but unfortunately, that's kind of impossible. For you to ignore those packets of data, they have to reach your machine. Therefore, you've used the incoming bandwidth anyway. It's still just as effective.
I noticed that he ignored them using the ISP router, which is indeed possible. That way, he's right, he isn't DDoSed. But he's been talking about how he always ignores them at his machine! Blah.
Cat and mouse "guess the IP?" Was he changing his IP address? He might as well have left it to be DDoSed, as nobody's DNS records would have been refreshing fast enough to be able to easily access the site.
He's right though, the Internet wasn't designed to scale like this. It is, in fact, getting to the point where almost anyone could disable any site, large or small.
Re:also note his other misguided comment (Score:2)
1. He was getting a really easy to filter DDoS attack. Quickly remedied once he got a hold of a technician.
2. Would have been remedied much faster had the 'big guys' like Earthlink and Verio responded to him in a more timely manner. That's just a customer service problem.
So really, he's trying to make the point that the little guys of the world will get really screwed if they try to fix problems like this because there are bigger and better customers for the technicians and government officials to deal with.
So until you've lost hundreds of thousands of dollars, at least, you can expect to basically have to handle it on your own when your small business gets DDoS'd.
Re:I was infected by one of these bots. (Score:2)
I'd want to know if anyone was using my network for anything DoS related and I'm sure any shellhosting company would act if they knew their systems were involved, if not mail their upstream provider and get them to deal with it.
All it will probably result in is the server being moved elsewhere, but IMO if they allow the hosting to continue they are being negligent, and possibly making themselves partially liable for any DoS attacks started from that server. Not sure how this would stand up in court.