Slashdot Log In
Undernet In Serious Trouble: Any Suggestions? (Updated)
Posted by
michael
on Mon Jan 08, 2001 08:30 PM
from the where's-the-KGB-when-you-need-them dept.
from the where's-the-KGB-when-you-need-them dept.
An Undernet admin writes: "For the past 4 days, many of Undernet's servers have been hit with constant DDoS, massive stuff on the order of 100M/sec that doesn't look like it will clear up anytime soon. The major services with which Undernet is associated, including Uworld and the channel service bots X and W, have been removed because the ISP that hosts them cannot afford to have them online, and even with them offline, the ISP has continued to be hit with the DDoS. Several servers will be forced to delink permanently if this continues. And all of it's happening because a script kiddie in Romania has nothing better to do with his time, and with his head start, many other groups have decided to lend a hand and take out other servers while his main pummelling is going on. We're about to run out of new ideas, since we can only code in so much security so fast, and law enforcement isn't terribly effective. What does the Slashdot community say?" There's a notice on their Web site. Update: 01/08 09:49 PM by michael : The news story we linked to was ancient.
This discussion has been archived.
No new comments can be posted.
Undernet IRC Network in Serious Trouble - Any Suggestions?
|
Log In/Create an Account
| Top
| 501 comments
(Spill at 50!) | Index Only
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Re:Find the people who are doing this... (Score:3)
-Restil
Re:godammit. (Score:3)
Re:script-kiddy culture is to blame (Score:3)
Heh, I know the feeling. I have frequented the SlashNET network for a few years now and have developed some fairly nice friendships. Recently, the ops of radon.slashnet.org and perdition.slashnet.org decided that it would be great fun to use their IRC Operator status to harass me.
They kickban me from the main channel at random, make the servers reset my connection, set services to automatically kick me, they've even gagged me twice. The second time they would have left it on, but I was able to ssh to another box and log in from it to make it known that I had been gagged. They then removed the gag and tried to pretend that they hadn't done it.
Needless to say, IRC, which is supposed to be a recreational activity, is now a pain. I do not get on to be abused by a couple of assholes who happen to have enough access to somebody else's bandwidth that they can become 1337 s3rv3r 0pz.
If they're trying to get rid of me, they're doing a pretty good job. I'd already be gone if I was any less interested in the other people on that network.
I wonder how many of these attacks on IRC networks are caused by an Op abusing his powers and burning a few bridges with the wrong people.
Try securing your boxen first (Score:3)
The first thing to do is to stop letting the guy root computers with great connectivity and bandwidth. Secure the damn boxes and he won't be able to do this kind of thing. Get on the case of the companies that are letting him root them, and force them to take responsiblity for the damage he does with their computers. There's really nothing you can do as long as this vandal can get his hands on serious DoS capable hardware.
What about EFNet? (Score:3)
Also, did the DDos ever stop on the LinPeople IRC network? I know it was being hammered by someone that wanted things his way.
The real issue is that there are scripts and applications out there than make it 1-click possible to hack computers. This is to the point of 1-click to hack the whole internet. People need to learn about security and how to tighten their computers down and keep up with security holes so they are not prone to being hacked. There are a ton of linux users out there, but a very small percentage that know how to correctly use it and secure it so their computer is not part of the DDoS's.
Re:trace route (Score:3)
Second problem: These attacks are distributed hence packets come from many different places, more than one source.
Third problem: There are many different types of DOS attack, so you can't just filter on packet types.
The best analogy I can think of for DDOS attacks is this: Imagine someone had a worldwide gang of people that wrote post cards to you, they each sent you 300 post cards a day and there was a hundread people in the gang. You'd get 30,000 postcards a day that you never asked for, this would fill up your mailbox and you wouldn't be able to get your important mail. All you could tell from the post codes was that these cards came from 100 different places around the world. Furthermore the post office now want to charge you for all your extra mail and the only way to stop it is to tell the post office to throw out all your mail including important letter (or else move house).
What some of the major of ISPs are doing is running netflow accounting so they have detailed traffic logs but these tend to be huge. With these logs it is just about possible to indentify the source of the packets *IF* all end-to-end ISPs run this and are willing to co-operate. Just like traceing a telephone call in old movies this takes time and if the machine stops DOSing the target it can make this a lot harder. Once you have found a slave machine in theory you can check the netflow logs for the initial connection from the controlling machine that started the DDOS. This sounds like a pain and it is, it is my understanding that no-one has ever been caught doing a DDOS by this method.
Sniffing packets at ingress points for known DDOS master to slave commands would be a possible solution BUT every possible ingress point would have to impliment this (not realistic - massive understatment) and all the DDOS authors would have to do would be to change the used commands. This would just combat script kiddies using old software really.
Two words: Difficult problem.
(Slightly) OT - I Love Undernet (Score:3)
Really, I do.
The Undernet was a place that I was able to use like the proverbial Roman agora, shaping a lot of my political arguments and testing them against people who otherwise would not have dealt with me.
I was 15 years old and an over-bright geek girl when I discovered #debate on Undernet, which I had joined due to my recent accession to the Debate Team at highschool. I, a new anarchist, met some of the great folks who were making up the famous and oft-mirrored The Anarchist FAQ [blackened.net] . Some of the issues I discussed -- and was forced to research at a level far higher than would have been required at school -- included prisons and imprisonment, the decentralization of utilities, and other supposedly "boring" questions of public policy that I learned, early on, were fascinating to me. Like other geeks I specialized early and Undernet was my venue to this specialization.
I argued with long time anarchist theorists as well as libertarians, Democrats, Republicans, and government employees and politicians with decades of experience in politics and policy. Nobody gave a shit- or knew, without a lot of work- that I was young, Jewish, Yankee, and female. It taught me that mentality was key and that I could do anything.
I then joined up in #politics, which is slanted much further to the right and is often very silly and vapid- but still often contains some of the best and most informed argument on the Net from time to time. People have discussed foreign policy, economics, ecology, cryopreservation, and lots of other issues in there.
I have gotten jobs and close friends through Undernet. I will be a lifelong inhabitant of #politics as long as it exists and isn't overwhelmed by script kiddies or other idiots.
My congratulations to IRC's staff for keeping it up so long and my hopes that Slashdotters can help them, loan them the brains, time and other resources necessary to fend off this idiotic attack.
Counterefficient (Score:3)
Posting a Slashdot story, and making a huge deal out of this is a horrible way to try to resolve this problem.
Had no one ever mentioned anything, this "script kiddy" would have wondered what was going on and stopped the whole thing. But now he's probably seeing that "Underworld" has acknowledged the attack (it's written in a sad, melanchony tone; and it also gives the impression that they are clueless and helpless -- I know this isn't the case, they just seem to have worded it poorly.) And seeing an article on Slashdot about something you're doing is probably a good way to egg him (or her) on.
Just let it die of inattention -- it's remarkbably amazing how well this works.
Re:Try securing your boxen first (Score:4)
Just because I am free spirited, unworryied, or just plain lazy/dumb/maleducated doesnt mean I share responsibility when someone else breaks the law. If you break the law, then YOU have the full responsibility - not me, not some ISP, not some guy with a cable modem or DSL line.
This is a major problem, people shirking some personal responsibility to someone else - its not effective (read: passing the buck) and its plain and simple not right. The person who breaks the law is responsible for the law breaking - not the guy four hops down or up the ladder.
A serious proposal for a more secure irc network. (Score:4)
The first step to resolving this is IP mirroring. Unless you are an irc operator, you see your own IP address on each server and each user on the network. This removes the first bit the user needs for a massive disruption of the network. Ircops need to be able to see the hostmask in order to protect the servers from the misdeeds of users.
The next step in protecting your irc network is to have no publicly listed server connecting to any other publicly listed server. All hubs should be ircop only. This makes it so that the hubs the all-important links to the edge of your network are hidden from public and from the hackers view.
Now in order to make the task more difficult simply give out only one hostname that all users will use in order to connect. Each server would be required to take users if the resources are available for them. Local users to a server would of course have priority. The single hostname may not totally protect your network however it will ensure the hackers have to work a bit harder to get the information on the server they are using to connect. No offense to any serious hackers out there is intended however script kiddies are by and by lazy creatures.
These measures will not protect the average user who accepts CTCP chats or DCC's however those who do not should have total immunity from the script kiddies.
In order to provide channel operators with a modicum of control in their channels have a bot that can see host masks and accepts ban commands via private messages giving the users nick. The bot would only allow the ban if the user issuing the command is a channel operator in the channel they are requesting the ban for.
You could also get smart and use channel services. Channel services while it might rile some of the ircops who see channel ownership as a bad thing. However a private ownership of a channel once created and registered tends to make sure that there is no point in attempting to split servers from the network in order to try to take control of a channel. If you do not like ownership of channels simply, decide on a very short-term idle channel deletion. If a channel is popular enough to have people online 24x7 then they have the right to decide who controls their community.
Many IRC networks and services packages implement these security-improving provisions already. You can look at Stratics IRC Network [stratics.com] which while small has a very effective implementation [stratics.com]. Stratics IRC is a gaming related network [stratics.com] offering these features. [stratics.com]
Re:script-kiddy culture is to blame (Score:4)
Um. Have you considered the irony of posting something like this to slashdot?
--
All men are great
before declaring war
script-kiddy culture is to blame (Score:5)
Efnet, undernet, chatnet, all the big nets. the PFY's known as scriptkiddies (some of them not even youthful pimple faced youths anymore) go to IRC because it's somewhere that magically makes their penis extend two or three whole inches, just because they can find some person or some group of persons, cause them a great deal of displeasure, and say "Look what i did!" to their buddies.
What these twits would realize, if they had grey matter operating above the brainstem, is that by doing this, they're making everyone who has donated equipment and bandwidth to IRC networks question whether or not that was a good idea.
IRC networks are going to go away because of scriptkiddies, unless these kiddies, some of them over 20 these days (get a life, folks), knock it off.
Would YOU run a public irc server if it ment you were going to get DoSed into the stone age twice a week? I sure as hell wouldn't. Maybe that's why chatnet only has 4 servers in the US these days.
All that being said, undernet has always been a haven for oversexed, underage wankers anyway.
Go ahead, moderate this post as a flame. I'm just upset because my home channel, which has existed in one form or another since the previous bush administration, has been moving around from network to network lately trying to find one that doesn't get shut down constantly by angry users, or worse yet, angry ircops who are scriptkiddies themselves.
Re: Ask Slashdot: Undernet In Serious Trouble. . . (Score:5)
First of all let me state that I have as little to do with the actual operation of the Undernet server or the network as a whole as possible. That role if fulfilled by another group who works very hard with a real task and literaily deals with IRC problems in their personal time, so it's hard for me to comment on the politics of their situation. I can however, comment on the politics, and a few technical details (For certain reasons, I'm more than a little vage in what we observed during the attack) of the situation I was involved with at the time. What follows is somewhat of a chronology of the event.
Hr 1 - 3. The attack started pretty slowly. So slowly that it really didn't set of any alarms, though some customers on remote parts of the network did notice high latency, and a bit of packet loss. This was enough to start looking around, but not really enough to suspect an attack.
3:00 - 3:15: Connectivity is lost to nearly any network that requires crossing a border router. The traffic stats from the border routers show that nearly every bit of connectivity is full company wide. It was clear that at this point that this was probably an attack, though it was unknown what was being attacked, or where it was coming from.
3:15 - 4:00: Using historical data the sources of the attack were identified. Using this data, we initiated contact with each provider we have connectivity from to request filters be placed in their network to block the attacks. At the same time the company's tech support call center is overwellmed with calls from customers experiencing various problems. Further, all the major application servers (mail, news, etc) are also nearly unusable since they no longer have connectivity to the remote machines they were talking to. As a topper, one of the noisier (literaily) network monitoring programs our NOCC uses has gone into "make random noises mode." This is due, in large part, to the nearly 600 alarms it thinks exist because of connectivity problems to the rest of the network.
4:45: I remove the FDDI cables from the FDDI card in the IRC server.
4:00 - 4:30: The attack is starting to dissipate. It's theorized that it's because the machine that was being attacked was no longer on the Net. Also about this time, the distributed filtering should start taking place.
6:00: After spending a couple of hours cleaning up the mess that such an attack leaves on all the other machines I receive the standard email from the security people requesting time estimates for my labor on this afternoon's Comedy Hernia Hit.
This chronology is reflective of nearly every other DDoS attack I've experienced in the last 12 months. It's clearly frustrating, and a complete waste of my time (especially since it was my last working day before a very rare vacation), and it should be pretty clear why I don't want IRC servers on a network I have to maintain.
Let me be clear, at no point was the server itself ever effected (other than, I assume it lost connectivity to it's hub during the attack), but nearly other major application was affected in some way, and it definitely caused a lot of paying customers to not get the service they pay for.
Someone suggested that we need to prevent people from "rooting" machines in order to prevent these attacks. The poster is correct, this is what we need to do. Anyone have any ideas how to prevent this? I know all the machines on my network are secure, but I can't control machines I don't maintain. And that's just the problem. This isn't about the host sites securing their network, most of them do and the ones who don't learn quickly that they have to. Adding (more) security features to the application (ircd) also isn't the answer, as the machine itself was never affected. Hunting down the initiator of the attack only prevents that person from attacking anything for a while, like the death penality I see no indication that it's a real deturiant to the crime. Quite honestly, I too am at a loss as to what, if anything, will ultimately solve the problem short of completely abandoning the technological foundations that the Internet was built on.
As for law enforcement, they are generally quite interested in such attacks[2], but they have clear guidlines in what they can and can not get involved in (you have to show a capial loss grater than a specificed amount). In this case I know these guildlines were met, but generally these investigations go nowhere because the trail often leads to cracked machines that have no usefull telemetry of the attack, or the intrusion. I have often thought that companies who fail the maintain basic security on their network should be held liable to damages to other networks in these situations, but even that is quite troublesom.
Of course, there is one method that solves this problem, at least for me. It was to remove the service from our network. As a Sysadmin who has customer's who pay to use other services I have no trouble with this. As someone who tries to be a useful member of the "Internet Community" I have serous issues with this method. In this case, no good deed goes unpunished.
[1] In fact, I personally pulled the FDDI cables out of the machine during the attack once we determined the machine that was the
[2] Though, sometimes you have to work to make contacts with people smart enough to care.
Use those sources... (Score:5)
Thalia
This is why I left efnet in the firstplace. (Score:5)
But, if you don't feel like reading it, I'll sum it up here. and add a bit, now that I think about it.
-------
I used to be a script kiddie, then I hit puberty.
You either understand that last statement or you dont. Kids are kids, and having worked with emotionally hadicapped (not retarded) in a highschool setting, I know what they do with computers. I'm the one who had to fix them. (macs, no less)....
There's 3 reasons I've found that kids like to break things
1. They don't own it, so they cannot comprehend that it has value to someone. This is perfectlly normal for kids between the ages of 2-6, it varies in it's severity, but it usually goes away before kids are injected into the social realm of dealing with other people in school, so it's not a big problem.
2. Kids between the ages of 6-18 more commonly express their destructive skills on something because they do not understand it, and feel that by breaking it they have power over someone who does know how to use it. Ownership isn't a factor in this, I've seen kids break their own things because they cant make it work (you see this very commonly with "broken" toys in younger children.
Again, most kids will stop, or mellow down by the time they've hit puberty.
The third case is most common in mentally or emotionally challenged children:
3. "If I can't have fun with it, no one can." This is more common among older kids and extends beyond material items. This is the only case where I've found that ownership REALLY matters, but not in all cases. most people, however, grow out of this phase as well.
So what is someone who hasn't outgrown this state well past the time they should have? The police and doctors call them Sadists and Sociopaths. In this case however i would feel reluctant to use either of those terms. I think in this case it's more a case of a pre-pubescent pissing match between himself and another channel.
Back in my own script kiddie days on IRC I witness MAJOR network wars included the disabling of about 50% of the @home network in san diego, cutting down telephone poles, cutting off power to NOC's, angry kids beating the SHIT out of the kid who nuked him at school, calling in bomb threats to places, ANYTHING and EVERYTHING they can do to disable an ISP even if only for a second.
just long enough
All that shit I saw, was _ALL_ related in one way or another to "channel takeovers" some of them over things as petty as who's allowed to flirt with the only girl in a channel, platform debates, music debates... rarely over anything more mature than a 6th or 7th grade level.
Which brings up this point: most of the people who do this are still kids (under 18) so unless they nuke a military server or something, all their gonna get in most cases is a warning, maybe a fine.
So, what's to be done? I say it's time that the more mature half of the internet joins together to fight this in a way that younger kids have no controll over. I've had AMAZING success tracking down script kiddies and calling their parents. People who are clueless, or who have something to lose by being related to a kiddie, are VERY helpful.
Here's some ideasI've used and had VERY good success with.
1. Fight back online - Pro: it's fast and can be effective. Con: lowers you to their level.
2. Call their parents/employer/school*** - Pro: Can be VERY effecting in the long term. I've had people fired, grounded, suspended, and reprimanded with one phone call. Con: Can take a while, or you get someone who just doesn't care.
3. Call the ISP from which the attacks orginate.* - Pro: Admin's will always know what you're talking about, and they're usually helpful as DDOS through their systems reflects badly upon them, costing them dollars. Con: most dialup/residential ISP's dont really care or log things, so it's hit or miss.
4. Shut it all down, and walk away for awhile. - Pro: Best idea if you can afford this option. Most kiddies get bored after a few days, or when school starts. Con: depending on who you are, shutting down your system and doing something else may not be possible.
So, there you go... those are my loosely compiled thoughts and ramblings on the subject of Script Kiddies.... ciao
-Doug
Not funny. Not one bit. (Score:5)
Well, don't be. It's not funny. There are people losing money because of this; there are people who are becoming absolutely brainless and deciding "Gosh, it'd be fun, let's go the way of the skript-kiddie and and help the DoS'ing be even worse!"
Then there are dedicated channel ops and owners who are building bots, starting channels, writing mailing-list software to help their members and fellow ops deal with the crap that's going on. I'm a 200-level op on one of the linux channels on Undernet (check my user info for more information) and while there are those here who feel IRC is a waste of time, I believe it's one of the best ways to communicate with people all around the world about a common interest. If you don't like IRC you don't have to use it. I can see how some people think it's a waste; but it's something I enjoy. And so do 20-odd other ops and regulars in this channel.
I met these people because they helped me install Linux over two years ago; there are ops and regulars who are good friends of mine from Australia, New Zealand, Canada, the US, UK, Malaysia, Germany, Greece to name a few. We put faces to the names via webcams; we know who's going out with who, we comfort our friends when they're going through crap, and we came together and cooperated with a mailing list and new bots and new policies once W went on the blink.
Someone tried to compromise our channel yesterday (a takeover, for the unschooled) but order was restored. With W (X for other channels; we happened to have W when he was still around) the oplist, auto-kicks, and bans are very easy to store; without W, the guy managed to get ops by pretending to be one of us. Could have done some damage, but thanks to some IRCops (Thank you seti and saralee!) order was restored, new bots put in place, and new channel policies. I know there are other
Right now there's rumors that W and X will never come back. If they don't Undernet is dead...and where is a channel to go? Some IRC networks have strange ident issues; some are dying out; and some have a structure such that it's hard to even keep hold of a channel because of skript kiddies. Right now Undernet splits a lot--too many users and not-so-perfect routing. It's also hard to connect to a server. There's a lot of lag.
And now I get to a point I think bears hearing: Forking doesn't mean animosity. (Are you reading this, RMS?
To the skript kiddies out there who are continuing to pummel Undernet because you think it's cool: Stop acting lower than dirt and get a life. You can find something better to do than cost people time and money.
"The GIMP Girl"
Re:Easier to stop it in retrospect (Score:5)
quick story
I remember getting TONS of spam from a machine a major university. It appeared to be a machine running in the astronomy dept. I sent a nice friendly e-mail about it, as our users were getting 20 to 30 spams a minute through it and wanted to stop being told where to get Viagra (Bob dole already told us thank you). The official response from the sys admin was a none to polite, "Fuck you and mind your own god damn business".
My response was to cc that with a letter asking a bunch of questions to 2 local newspapers and 1 TV station and the president of the alumni association. The open relay got closed *magically*
What the point to my incessant yammering you ask? Sometimes ISP's (especially smurf sites in Japan *ahem*) need to be bullied into doing some of the most obvious, easy things. Some ISPs claim that filters cause problems, increase router load etc, etc, etc. The problem usually is that no one has brought it to their attention, or rather no one has screamed at them loudly enough.
Re: Ask Slashdot: Undernet In Serious Trouble. . . (Score:5)
DUMP THE ROUTE As soon as possible stop advertising the affected block to your peers, this is the fastest way to prevent the traffic entering your AS and saves bandwidth on your internal lines. It under your control and its faster than informing all your peers and waiting till *they* get filters in place, its not their problem and even if they filter the traffic it still takes their external bandwidth.
This depends on your BGP config and a few things will happen, firstly if you're a large ISP you're going to lose other customers as you're not advertising their IP addresses and depending on peering agreements the minimum could be as large as a /20 or /19 but its better than lossing the whole network and all your customers! If upstream peers from you are not aggregating your routes this will in effect remove the route from the whole net (might take a little while to converge the whole net) and the traffic from the attacking DDOS machines won't get very far (their own subnet). If your routes are aggregated upstream and you've withdrawn the route the traffic stops with the upstream ISP anyway.
This should give you breathing time without the loss of your whole network and (at least you'll have bandwidth to telnet to your routers) identify which machines were getting attacked. Talk to the upstreams and get them to dump the host(s) specific route to null.
I meet far to many network admins that think they know everything there is too know about networking that just state "what can I do but put filters on the border", which is fairly useless for preserving external bandwidth which of course is what your customers are paying for.
BTW, while I'm here, anyone want to give me a job?
Will configure routers for food.
Re:Try securing your boxen first (Score:5)
Hrm. Bad analogy.
More like if you decided to drive an unsafe car on the road. And no, you don't have that right (at least not in North America).
--
All men are great
before declaring war