Post-mortem of a DOS Attack

MartinB writes: "Following a recent spate of DDoS attacks on his grc.com (home of Shields UP!), Steve Gibson investigated, finding a network of compromised IRC bots being used to flood vulnerable targets. Surprisingly, the thing which saved him is Win 9x's non-standard implementation of Sockets, making it impossible to spoof IPs. However, he warns, even consumer versions of WinXP won't have this safety 'feature'. Is there time to prevent this? Is implementing the standard always A Good Thing?" Gibson uses too many exclamation points in his article. But it's still interesting, if only to note the number of exploited personal machines on cable modems.

Wow

That was hands down the coolest article on computer security I've ever read. :)

Everyone always writes about cracking in a condescending, "when-will-they-learn" tone, as if it's all a mildly amusing game (which it is to them, because the authors are rarely the ones being cracked). Gibson, who did get attacked himself, looks at cracking as the serious and dangerous problem that it really is. This article describes a real war, with first strikes, counterattacks, espionage, and so on.

This really opened my eyes to what a huge problem the internet's technological loopholes have and will become. More mainstream articles after this form would surely help raise the awareness about security issues that was sadly lacking in all the unknowing carriers of Zombies.

(And no, I do not consider this "fearmongering". Fearmongering does not offer solutions or point out that none of this would have happened if people would just GET A CLUE.)

To spoof or not to spoof...

It seems there's a confusion in the discussion below, because people are too dumb to read the part of the article where Steve talks about Spoofed attacks. Let me try to explain.

SG talked about two different attacks. The main one is the brute-force, fill-your-bandwidth, ping attack. This attack is based on known ports and data types that fall outside of what can be considered 'normal' traffic, since in no way should well over a gig of ICMP ping data per minute be considered normal. Because of this, the routers on the upstream side could be configured to disallow the passing of that data. This is what brought the servers back on the net each time.

The part he just briefly touches on is the spoofed attacks, like SYN attaacks and the like. These attacks require the source to manipulate the TCP stack outside of what would be considered 'normal' use. Like sending SYN packets and not sending the SYN-ACK in reply to an ACK that is required in the 3-way handshake. These attacks simulate normal data - SYN attacking the web server, for example. All connections to a web server start with a SYN. So there is no way to statelessly determine if any given SYN is valid or not. The only way to calcel out these attacks is to disable valid services running in your network.

The problem isn't necessarily that Windows will now be able to spoof - the number of machine on the 'Net that can spoof has increased dramatically since Linux appeared on the scene. However, people that run linux also tend to know more about the technical aspects of their computers, and understand how to look for the signs of your computer being taken over (1). The typical Windows consumer (2), however, has very little idea what goes on inside the case where all those wires are connected to, and half of the time, couldn't even get the computer set up right if the cables and ports weren't color-coded. These are the people that see a new Email from Aunt Maude that says "Re: Re: Re: Re: Re: Re: Funny! Open now!" and open the little attachment that drops the Sub7 pieces into their registry before dancing around on their computer and making them laugh. And the problem is stupid laws that keep the FBI from pursuing 13-year-old script kiddies because out laws prevent much of anything from happening to them. Kids that sell drugs and rape other kids go to Juvenille Detention until their 18, at which point they get out, do it again, and go away for a long time. The legal system needs to start treating the spoiled brats who have nothing better to do than DoS computers the same way. If they were picketing and physically blocking entrance to a Brick-and-Mortar store, the police would drag them away. This is the cyberspace extension of that very same idea.M

Have a cookie Mr Gibson.

Anyone who knows networking will tell you that this is exactly what SYNcookies were made for. The attack didn't use up all the network traffic, but rather used up all the filehandle-slots on the server OS.

Just take a look at that graph [grc.com] and the anver is obvious.

When using SYNcookies the server doesn't allocate a file-handle for each new connection but puts a 'challenge' in the Syn/Ack package and waits for the last Ack of the 3-way handshake. This effectively forces the attacker to reveal his IP address if he wants to use up the filehandles, and then you just block hin in your router.
--
echo '[q]sa[ln0=aln80~Psnlbx]16isb15CB32EF3AF9C0E5D7272 C3AF4F2snlbxq'|dc

Re:Script kiddie meets "real" hacker, soils self .

I thought the exchange with ^boss^ was funny as hell. You could almost read "Jesus, if this guy can fucking hack my bots, spy on my channel, know how many active bots I have, what targets I've hit in the past week, fuck! fuck fuck fuck! I'd better start staying over my friends' house and I'd probably better format and shred my harddrive! Fuck fuck fuck!"

My experience as an IRC admin

I noticed a bunch of bots connecting to our irc server approx a year and a half ago. After monitoring them for a bit, I found their password, found out they were subseven bots, and got their ports and passwords. I then proceeded to manually remove the bots over the period of the next couple of days. You can remotely remove subseven bots if you have ports and passwords. I removed around 500 bots or so. When they hopped their dynamic IP (when they figured out what I was doing) I followed them, got them Glined there, and followed them to three seperate servers before they gave up and disabled the dynamic ip address. It was a pain in the ass, but it was worth it when the guy finally threw in the towel.

Glad someone else is invading these bot nets like I did.

--
Gonzo Granzeau

COMINT

It monitored the flow of IRC channel nicknames and automated the process of determining who was talking to whom, and who were the "bosses" who commanded the most power and respect

Wow. Traffic analysis. A standard tool used by NSA, GCHQ, et. al. Amazing how much you can learn from communications without actually reading the messages. Think about that when you use encryption. What can your opponent learn just by tracking who you are talking to?

Re:The emperor has no clothese

It's pretty hard to infiltrate a botnet and -find bugs in them-, and stop a DDoS attack without understanding security.

You point out that he communicates well with ignorant users. Now, it's possible that this is because he himself is ignorant, but you must recognize the other possibility: he knows what is going on, and communicates to ignorant users only the aspect they will understand.

For example, many posters on Slashdot are picking at his claim that Win9x -can't- send spoofed packets etc.
As far as average users go, this is sufficient information. It's like learning in school that a thrown object will describe a parabola (it won't, since the earth is not flat with uniform gravity, but it's close enough for the level of those students). It's better to raise the average education level, than to provide lots of geekish details that will put people off.
And of course, to you and me, it is clear what he means: Windows can't send those packets without a lot of messing around -- and I would expect that this is the sort of thing that would be difficult to install in a Trojan

(recall that the issue here is machines which can be -remotely compromised- -- not a bunch of kids sitting on their own PC with bandwidth, looking for somewhere to aim it).

minor corrections for you

The only way to calcel out these attacks is to disable valid services running in your network.

Actually your wrong. I wrote "Daemonic [antioffline.com]" when I was writing "Theories in DoS [antioffline.com]", a paper on higher network level based attacks such as BGP, OSPF based attacks. Now what Daemonic does is sends pseudo random garbage (spoofed) to any port you specify.

Simple lame little DoS attack right? Now even if you don't have the service running for the port your sending the data to, it'll still crap out your Windows2000 box with ease. Now if you send it with a multicast source address which is weirder (haven't benchmarked) things really get odd.

Either way it'll bang up your network. Now FYI sending data through to a port thats not running still has to get there which means the network can still amass latency, which is where you would want to nip it at the butt with your router or firewall.

who are you kidding

So someone writes and says they're a 13 year old script kiddie who knows that the FBI will traceroute, etc, etc, etc., and this is believable? Highly doubtable. As for the attacks, I would say Mr. Gibson should have his uplink provider hire some clueful router administrators who would've fixed the problem in a heart beat.

Lack of understanding from those involved often create more harm than they help. UDP packets coming in to a website? And the admins couldn't think firsthand network skills SYN --> ACK --> SYN, 3 way TCP handshaking? They need to go back and study up using some Cisco Press material.

Anyways for those who haven't seen the page yet or are in charge of networking, and or firewall equipment, check out Stopping DoS [antioffline.com] which is a "do this now" tutorial to stop beating around the bush and cut DoS attacks at both the firewall, and network (router) level. It's not an rfc, not a write up of what a DoS attack is, simply a "fuck it's 3am and I'm getting DoS'ed now how do I stop this shit" paper.

Let me get this straight...

Gibson finds out how the zombies work. He finds the IRC channel they use for control. He gets the command set.

Rather than turning all this over to the FBI, so that they can start tracking these people down, he makes it known to them that he has it, and publishes it. Now, the people who make these abominations will move their control over to something else.

Granted, the FBI might not do anything with the data. If so, then make a stink about the FBI not doing their job!

Personally, vigilante justice is starting to sound better and better....

I was infected by one of these bots.

I must thank Gibson for the article, and Slashdot for bringing it to my attention.

After I had finished reading I thought I'd check my machine (It's multi-boot, I don't use Windows that much). To my horror, I found out that my Windows partition was infected by the SubSeven bot.

So I kicked up my IRC client and connected to the IRC server that the bot was on. I entered the admin channel and just sat there. A little while later somebody messaged me. I explained that a hidden bot was connected to the server and asked how to remove it.

I was pointed at: http://www.moosoft.com

I downloaded the "Cleaner" application which did a fine job of finding the bot and removing it.

I had a little chat with (I assume) the person controlling these bots. The person seemed to be quite helpful, which supprised me.

From the IRC stats, there were over 900 infected machines connected.

After removing the bot, I disconnected from the IRC server. I'm now considering what to do next. The IRC server was hosted by a company offering UNIX shells, and IRC server hosting.

Do I just leave it at that, put it down to experience and move on. Or should I inform the hosting company, and possibly risk being DoSed myself? (I suspect that the person I talked to on the IRC server logged my IP, which is static)

Re:poor GRC.com

• First he gets DDoS's by a bunch of script kiddies, then he gets....

  slashdotted.

You mean, first he gets DDoS'd by a bunch of script kiddies using IRC bots, then he gets...

DDoS'd by a bunch of script kiddies using web browsers.

Re:Script kiddie meets "real" hacker, soils self .

One of the crackers that Bill Cheswick and Steve Bellovin caught trying to break into the AT&T Bell Labs firewall was a kid from the Netherlands. Apparently with Netherlandish law at the time, he wasn't doing anything illegal, so they did something more direct and effective to resolve the problem:

"We called his Mom."

Re:Script kiddie meets "real" hacker, soils self .

It was brilliant. :)

A few years back I had a few kiddiez harrassing me on IRC. They were really "37337."

I did a traceroute to them and noticed a router of some sort sitting right in front of them -- it just looked wierd. I opened a telnet session and found myself at:

zimmylan>

A Cisco ISDN router, with no password set. :) I told them "I can wave my hand and make you go away."

They replied "0h y4H, d0 1t."

I rebooted their router.

They thought I was God. :P

Script kiddie meets "real" hacker, soils self ...

I thought Mr. Gibson's article was well-written. That having been said it is amusing to see kiddiez like "wicked" get their comeuppance by someone from the old school who can actually craft their own code.

My favorite line was:

So I downloaded a copy of the Internet RFC 1459 for Internet Relay Chat (IRC) Protocol and figured out how IRC works.

Before you question Gibson's skill, or his "inside information" (as one poster suggested "he must have had the Windows source code") consider that this man downloaded and learned the RFC for IRC [irchelp.org]. That might seem alien to someone who relies on the work of others, or reading script FAQ's, but this fellow knows how to make proper use of the tools before him and relies on his own knowledge to craft solutions.

He did not have any help from Microsoft. He knows his tools and he knows his craft. By his own words he's not a magician, he's a scientist.

Be humbled kiddiez, for every dozen of you who "hax0rz" on IRC there's someone like Gibson who actually can hack and run circles around you. Notice that ^boss^ gave this guy respect?

That's very wise. :)

Re:XP not an issue

All it takes is one compitent programmer in the cracker community or elsewhere to write a modified TCP stack for Windoze which can spoof the source IP and all the zombies can bring it with them.

Indeed. You don't even need to do the hard work of building a full stack if you are just going to SYN flood or similar. You just need a packet driver and some IP smarts.

Mirror!

Here! [comatosehitmen.com]

/Svennis


---

Punctuation

I'm suprised he didn't write his entire note in assembly language.
_O_

Re:DDoS the kid

Nah. Have the bots DDOS the IRC server. :)

Writing Style

I have found that while Steve Gibson has had a taste for a melodramatic writing style, that the technical detail in his writing is fairly solid and is certainly above average. So with that grain of salt the article is worth looking at:

Fortunately -- the attacking machines were all security-compromised Windows-based PC's. In a fluke of laziness (or good judgement?) that has saved the Internet from untold levels of disaster, Microsoft's engineers never fully implemented the complete "Unix Sockets" specification in any of the previous version of Windows. (Windows 2000 has it.) As a consequence, Windows machines (compared to Unix machines) are blessedly limited in their ability to generate deliberately invalid Internet packets.

It is impossible for an application running under any version of Windows 3.x/95/98/ME or NT to "spoof" its source IP or generate malicious TCP packets such as SYN or ACK floods.

As a result, Internet security experts know that non-spoofing Internet attacks are almost certainly being generated by Windows-based PC's. Forging the IP address of an attacking machine (spoofing) is such a trivial thing to do under any of the various UNIX-like operating systems, and it is so effective in hiding the attacking machines, that no hacker would pass up the opportunity if it were available

This has horribly changed for the worse with the release of Windows 2000 and the pending release of Windows XP. For no good reason whatsoever, Microsoft has equipped Windows 2000 and XP with the ability FOR ANY APPLICATION to generate incredibly malicious Internet traffic, including spoofed source IP's and SYN-flooding full scale Denial of Service (DoS) attacks!

So we are left with the vision of Loads of potentially insecure Windows boxes - open to the world - being used for more DDOS attacks.

None of which will be pleasing to the MS loyalists

thank you microsoft. This last point is kinda important:

I hope it is becoming clear to everyone reading this, that we can not have a stable Internet economy while 13 year-old children are free to deny arbitrary Internet services with impunity.

and we wonder about the future of the internet.

Check out the Vinny the Vampire [eplugz.com] comic strip

Re:Let me get this straight...

He did talk to the FBI, they required proof of >$5000 damage, plus they would prioritize based on damage, and were extremely busy. Hence, not a snowball's chance in hell of prosecuting.

poor GRC.com

First he gets DDoS's by a bunch of script kiddies, then he gets....

slashdotted.

damned if you do, damned if you don't.

Let's look at both ends here...

Quoting today's popular quote:

"I hope it is becoming clear to everyone reading this, that we can not have a stable Internet economy while 13 year-old children are free to deny arbitrary Internet services with impunity."

While this is true, anyone who goes online should not set their system up like a 13 year old might either.

In other words: Don't leave your door open if you do not wish to be victimized. Unfortunately, the local cable company turns on MS file sharing for "support purposes" on all new installs, so one can see how easy it was for this person to gain control of so many systems.

He blasts BlackICE defender.

I think the funniest part of the article for me is that he infects one of his machines with a Zombie, then tries different personal firewalls to see whether they catch it. ZoneAlarm works well, but BlackICE defender doesn't do anything to help. Then he says:

To anyone who is still stubborn enough to insist that BlackICE Defender is actually good for something: PLEASE do not write to me. I don't want to hear it. I'm a scientist who will not find your mystic beliefs to be compelling. I respect your right to your own opinions, no matter how blatantly they fly in the face of logic and reality. That is, after all, the nature of faith. Happy computing. I suggest prayer.

I love that last part, "I suggest prayer."

Winblows implementation of sockets saved him?

"Surprisingly, the thing which saved him is Win 9x's non-standard implementation of Sockets"

- Wasn't it the crappy security in windows that allowed the DOS attack to occur in the first place?

@Home and computer security

I could not help noticing that nearly 1/4 of the attacking machines were on @home. I recently set up a Linux gateway connecting to @home from a personal network with a rather extensive ipchains based firewall ruleset (complete with logging).

Within the first 14 hours I had witnessed 7 attacks-- three people from outside @home had attacked port 20 (ftp), one had attacked port 515 (lpd, known security problem), two were subseven trojan backdoor scans, and one was a netbus backdoor scan. All in all, over 100 packets were logged at that time, though most turned out to be benign (myself forgetting that I had blocked all pop3 access to the server, f. ex. and then trying to use a very restricted account to recieve system email remotely as well as dhcp broadcast traffic-- the rules are being updated to avoid confusion).

The home user should be taught basic computer safety and security, IMO. However, vendors don't want to scare their customers, so real security is next to impossible to attain....

One of the more fascinating articles

I found myself almost reading his account like reading Cryptinomicon. It was very interestnig for me to read how he built bots for IRC and collected four days of data on the ^BOss^ person and all their activities. I bet they probably crapped their pants when he popped in and started talking to them and said what he'd been doing. I loved how ^Boss^ was very quick to point out that he didn't do it and wouldn't do it in the future. Ducking and covering there. All in all a great read. I highly recommend you spending the time to do so. Almost like reading a fiction novel.

good analysis

It is nice to see someone take the time to dissect a DDoS attack.

In a previous life I was the green (read: my first month on the job) sysadmin who had a unix machine trojan'ed to become a zombie for a DDoS attack. It saturated our measy internet connection and proved how useless our security (policy) guy was.

I didn't have time to look into it at the time, busy fixing that and a dozen other problems. So I was enlighted to know more about what had happened.

There is a lot of accessible security information at SANS [sans.org], though they get annoying at times by trying to sell their conferences and course; which I understand are worth going to.

Re:poor GRC.com

I wondered what had happened. I saw this on The Register this morning and was reading through the article at grc.com and the page never finished loading! I thought...hmmm...could he possibly be getting DDoS'd again for posting the story?

Then I find out that it's just you guys...

Re:Linux is as bad as XP

Windows is the target of choice because there are large numbers of clueless people with good connectivity running Windows.

However the clue level among random Linux users is not great, and Linux has implemented the full protocol all along. If the same people were all using Red Hat, that would be just as bad as everyone using Windows XP.

You're right. But unfortunately it's going to be WinXP that becomes the OS of choice for the clueless users, not RedHat (or some other distro). And while we can try like mad to educate the users, it's not going to happen. Clueless users will always outnumber clueful users. Look at how many people still can't program a VCR, and they've been in homes since the early 80's!

Sometimes you just have to give up on teching kids not to cut their hands off and start handing out safety scissors again. MS has been very keen on trying to control and limit the use of WinXP by endusers for only MS-approved purposes. This should just be one more safety feature that they implement to protect the users from their own ignorance.

On the other hand, the TCP/IP stack in Win2K is just awesome fast compared to the Win9x flavors...it sure was nice to have if you had to have Windows.

Re:Writing Style

I have found that while Steve Gibson has had a taste for a melodramatic writing style, that the technical detail in his writing is fairly solid and is certainly above average. So with that grain of salt the article is worth looking at:

But the thing that I find great about Steve Gibson is that he writes things in a compelling storylike format and in plain english that even the clueless could understand. We techie types already know most of what he had to say in this article to begin with. It's the non-techies who need to read this stuff and learn how to protect themselves, and I think that he does an excellent job at targetting areas of his site to that particular audience.

Some points

Before going into flame mode folk might like to consider that Windows-XP also includes a firewall/glorified packet filter and that the change probably reflects a transfer of functionality out of the stack and into a separate module.

The folk who are flailing arround condemining 'incomplete sockets implementation' should consider that the IETF never endorsed BSD sockets as a standard. The ability to forge packets is arguably a fault in the BSD sockets spec and Microsoft was arguably correct in implementing checks on the IP source packets it will generate.

Slashdotters who posted MSFT flames could do to repeat 100 times 'the UNIX way is not always the right way'.

In days of yore we VMS folk used to flame UNIX precisely because this sloppy type of programming was pervasive.

It would be interesting to know what facilities the firewall in Windows-XP provides for filtering and monitoring forged packets. It would also be interesting to know how difficult it is to disable the firewall.

As one poster has pointed out however the fact that most cable hookups tend to have source address checking probably saves the day. Also the fact that many home users have NAT boxes to share their cable connection arround the house probably provides some protection.