Forum: The Yahoo Denial of Service 619
It's one of the larger news items of the day, but we've sorta avoided mentioning it here because it is really "just another Denial of Service Attack." But it's the biggest one ever. It took down Ya- 'we serve half a billion pages a day' -hoo. And they were taken down for several hours from a distributed DOS attack. What does this mean? I honestly don't know, but I figure you guys might have some opinions.
It's DoS (Score:2)
kwsNI
Not so good (Score:2)
Answer: NOTHING!! As far as I can tell, you're sitting out on a limb and there's nothing you can do to prevent becomming a victim of a DOS attack.
You CAN however do quite a lot to prevent being a source, or at least an untraceable source - you should take great care that no network traffic leaces your network whith bad (=not your own) source address. If this simple precaution was in more widespread use, tracking this stuff would be much easier.
netscan.org (Score:2)
Can I sue you for negligence? (Score:5)
Like IP spoofing, for example. IP spoofing would more or less come to a halt if ISPs, Universities, and corporations would put some simple filters into place, preventing packets with impossible source addresses from leaving their networks.
This distributed DOS stuff can be stopped only if *all* of the sites in the community engage in sound security practices.
I don't think so (Score:4)
Re:First? (Score:2)
What about prevention? (Score:2)
I recently installed a firewall at our company - previously we were reliant on protection of our private network by Microsoft Poxy Server which is by no means a security product. We now use the Sonicwall Pro product which includes a DMZ segement and halfway decent reporting facilities.
One thing I've noticed is how many DoS attacks are attempted by single hosts aimed at our network, we're not a large organisation and we provide services to a pretty small yet worldwide market.
Now I'm not entirely sure how well the firewall would stand upto a proper attack and would like to know what other options are available to me to help avoid this sort of outage.
Any takers?
Re:uh oh (Score:2)
More information on HNN (link) (Score:2)
Re:Any suspects? (Score:5)
Motives... (Score:3)
D-O-S: Not just for script kiddies any more....
jf
Wow, there is some organised people out there... (Score:2)
But now I'm realising that it would have been a large, very organised 'team' effort. After all, it's going to take more than just a couple of computers to put through 500 million page requests in such a short period of time.
The more worrying thing is this: If it was possible to take down Yahoo, what else are they going to try and take down? Was this just a one off, to see if it can be done? Or was this just the first.
A possible way to try and stop all this is to get the mainstream media to accept the term 'script-kiddie' and make sure they know what the meaning of it is, i.e. so that the next time a major DoS attack occurs, the media recognises that it was just script-kiddies playing around. This way, the script-kiddies will less likely to pull these stunts because they know they won't get called 'hackers', which is they're goal, but this derogatory term which makes them look uncool.
Window Shopping Hordes (Score:4)
What's really scary isn't DoS attacks that are obvious, but ones which are indistinguishable from regular traffic.
Reasonably static and well hosted sites like Yahoo wouldn't be taken out, but the average E-Commerce site, with dynamically generated pages off a single-point-of-failure SQL Server architecture would be completely knocked out by what appeared to be nothing more than extremely heavy traffic.
Such an attack would require massive compromise of hosts(since they'd be able to execute only a few five minute random clicksessions per hour), but would show up on no security scans and would be indistinguishable from an unusually large horde of window shoppers.
How would you defend against this? How would you even know you were under attack?
And, most intriguingly, if you're getting paid by the ad impression, would you care?
A quick message to the people responsible...your behavior will eventually lead to the kind of IP network monitoring that the Russian Government is making all their ISPs pay for. It is one thing to describe the attacks and work to repair the infrastructure; it's something entirely different to execute attacks that will quickly lead to solutions that can only be described as nightmarish.
Think for a moment who <i>wins</i> when you take down Yahoo, and shudder. Because there is a winner, and in the long run, it ain't you. You're helping someone. Guess who.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Some relevant URLs on DDoS (Score:3)
2) trinoo [washington.edu]
3) tfn tribe flood network [washington.edu]
4) tfn2k [securify.com]
5) Cert's denial of service tools [cert.org]
Useful?
It means everyone... (Score:4)
This means that we all have to take security seriously. That password matters. Don't share it. If you have resources, use two part authentication. Take reasonable precautions. Audit your setuid programs. Don't put "." in your path. Don't have world-writable files. If you can't afford commercial 2-part auth solutions, at least use ssh instead of telnet. Etc., etc., etc.
We can't afford to have security be the province of experts and miscreants. Responsible netizenship demands that we take security seriously, at least to enough of an extent that we can be confident our own systems aren't being used by others to attack systems.
Some people believe that cracking systems or launching DoS attacks are a legitimate form of civil disobedience. I actually agree with that. But you are only engaging in legitimate civil disobience if you are doing it on your own equipment and not concealing your identity. Protesters go somewhere openly and risk arrest. Vandals sneak around in the dark wearking ski masks and painting slogans. One is a principled stand and the other is a cowardly crime. Furthermore, when you use someone else's computer in your act of civil disobedience, it would be like the act of, when the police wade into your protest with their truncheons flailing, grabbing the nearest non-participant and using them as a shield. Cowardly.
So, as always shy with my opinions, that's what I think the giant DoS means.
Anyone know if this was mere mischeif or if there was a motive for this incident, BTW?
Yahoo! - Why denial of service (DOS) attacks work (Score:2)
Ok I'm biased since I wrote this article, but it covers the Yahoo! DOS (I took a look at their network/etc) and goes over what you can do to prevent being DOS'ed, and what you can do to "be a good neighbour".
Yahoo! - Why denial of service (DOS) attacks work (http://www.securityportal.com/) [securityportal.com]
Kurt Seifried
Re:I don't think so (Score:2)
I've noticed this too, being a USWest Megabit subscriber. Any links to sites that give a bit more detail than the ITR [internettr...report.com] (hmm, the current index for N. America is pretty (s)low, looks like it took a hit about 7a.m.)
Re:DOS : Please explain (Score:2)
It looks like the script kiddies are basically getting a bunch of insecure machines to just all start pinging the hell out of something from different places around the net. Ya gotta admit, you could flood the hell out of a connection pretty fast just by finding even 20 insecure hosts.
I myself fail to see what the point of attacking Yahoo is. AFAIK, they are not domain name hijacking like a certain e-tailer nor are they trying to enforce a stupid patent like another certain e-tailer, and they did not try to trademark WHOIS, so what is the point of going after them?
Re:Can I sue you for negligence? (Score:2)
Probably not.
This is a slippery slope. I feel one should blame the person who breaks the law not someone who innocently contributed to the possibility of the law being broken. To blame the owner of the cracked system used for a DoS attack is like blaming the owner of a stolen car for it's use in a bank robbery, or to blame the kids who wrote DeCSS for the (potential) piracy of DVDs.
Furthermore, in the case of cracked machines being used for DoS attacks, there is no contractual requirement for the owners of those machines to put secure servers onto the net, so I doubt your lawsuit would be successful. You would probably obtain better results by publicizing the need for server maintainers to be more aware of implications of an insecure machine.
Stacheldraht in action? (Score:2)
The design is quite well thought-out, with multiple layers where DoS servers are responsible for a bunch of slaves which do the actual DoS work. These servers can then be controlled from a central point. Massive bandwidth to DoS at the cracker's hands.
I guess this incident shows that it or a similar package is in use. This is a new way of attacking, so I think it was worth a news item.
Re:Not so good (Score:2)
Re:What about prevention? (Score:2)
Checkout the Linux Firewall HOW-TO at http://linuxdoc.org for more information.
Anything to do with lagged 'net in general? (Score:2)
---
Re:netscan.org (Score:2)
moderators, take note:
usage: sarcasm -[low | medium | overbearing] "comment"
this happens all the time... (Score:2)
Re:What about prevention? (Score:2)
Not MS This time.. (Score:2)
Go ahead, moderate me down. Couldn't care less.
Re:What about prevention? (Score:5)
The attack doesn't attack your firewall, it doesn't attack your boxes, it very simply attacks your bandwidth, it fills it up, completely, leaving no room for other traffic.
It doesn't matter if your firewall drops every single packet it sees, for that matter it doesn't matter if you unplug your box, it isn't going to help at all.
The vast number of machines that have been compromised, especially on university campuses where attention to security is limited on many boxes, and a crack can go unnoticed for months or years, give these flood networks more bandwidth than a medium-large sized ISP. If they are willing to take the risk that someone tracks them down, they can knock out most companies and for that matter, often their upstream.
So, as an administrator, there is little you can do. Some things can help slightly, (see following) but if you get one of the larger networks pointed at you, you call your provider, get them to call their provider, and hope that they can implement some kind of filtering on their router as a temporary solution. You probably won't get far with that however.
Things to do:
1. log log log log log. Strange packets coming in should be logged. If you can do this, theres a chance the guy can be traced back to source if one of the IPs is on a network with a competent admin and the source of the network control packets can be found.
2. Alert whoever you have to. If you're getting hammered, its a crime, tell the police, look on the CERT site for more details about who you can contact if you're in this situation.
3. close up all ports that aren't critical, from any replies. These guys function best when they can hit a wide range of ports and get replies from your box, effectively doubling the load generated by each packet. If you drop 98% of the ports on your box, that leaves most of the packet hits out in the cold, making them have to work harder. Don't be scared to start dropping whole class A/B networks if a large number of hits are coming through from them.
4. For those using unix based firewall solutions, have a couple of scripts handy which you can use to turn off all ICMP (you should already be filtering bad ICMP, this just goes the next step), and all non-essential ports.
5. Have syncookies on your system if available, this will help keep you working during small TCP floods
6. Make sure that you, as admin, have on your firewall the necessary rules to deny spoofed IPs from within your own network. If you don't, you are irresponsible and quite possibly a contributing cause to this whole mess. An internet connected network needs monitoring, no matter how well set up. Take the time to do it.
The final verdict is there is no individual solution to this problem. If everyone implemented #6, we'd be in a lot better shape, still not brilliant but certainly a vast improvement. On the positive side, there are many brilliant minds who have observed this problem and are working on infrastructure solutions (see BOF recently etc).
No matter how good your firewall software, script kids these days have the capability to flood your entire link. Proactive and constant vigilance is the only thing that could possibly minimise the damage.
Re:Motives... (Score:2)
Does the /. effect count .... (Score:2)
- Fred announces "isn't it crazy they're selling frizmos on EBay for $10M" on SlashDot
... the /. hordes go over to check it out .... EBay goes down - Fred gets pissed at EBay for some reason, and announces "isn't it crazy they're selling frizmos on EBay for $10M" on SlashDot
... the /. hordes go over to check it out .... EBay goes down
One is an indirect DOS attack on EBay, the other is just a 'normal' net traffic peak - how do you tell? do you care? (if you're EBay you may actually welcome the interest)Links (Score:5)
Cyberattack Cripples Yahoo [apbnews.com] (APBNews)
Who's Behing Yahoo Attack? [zdnet.com] (ZDNet)
FBI talks with Yahoo! about attack [zdnet.com] (ZDNet)
How a basic attack crippled Yahoo [cnet.com] (CNet) (with stupid protocol animations too!)
And in other news: A different type of DoS attack is being carried out against Yahoo. At least 40 web articles [excite.com] have been written so far, showing evidence of how many reporters must be calling Yahoo right now. Once the second round of DoS attacks are stopped, the techies can finally get some work done beefing up the site.
Re:Packet Monkeys (Score:5)
My attitude towards Greenpeace protests would be quite a bit different if they went down to local nursing home, yanked old people out of their beds (they're easier to handle than say, rading a gymnasium), and chained them to the gates of a nuclear power plant.
When you sneak through other people's accounts, machines, and networks to both hide your identity and launch your attack, then you are effectively chaining up the elderly (metaphorically speaking, of course). For an act of civil disobedience to be an honourable act, one must openly reveal one's identity and run the risk of arrest and imprisionment. I'm not impressed if someone comes up to me and says "I told my girldfriend to chain herself to the gate. I stayed home. I had the sniffles."
Civil disobedience by proxy is the act of a coward. A sniveling little spineless coward.
My account info has my real name and my real primary e-mail address. I stand up for what I say. I don't lay booby-traps or hide behind other people.
Internet III and further (Score:3)
It could be done pretty cheaply during the changeover to IPv6. Just use the first byte to indicate what level of security (or bitwise OR of different security features) the host network guarantees. Then you could just block, for example, any mail coming from someone who didn't guarantee they could track down the original author (whic implies that they have enforced similar rules on their relaying).
--Kevin
Yes, very much so (Score:2)
Re:Can I sue you for negligence? (Score:2)
Now try making a claim that a reasonable man should be expected to know that a networked computer can be used as part of a distributed DoS attack.
The fact that you probably have to explain to the court what you mean by "a distributed DoS attack" will make it difficult.
Re:DOS : Please explain (Score:2)
Because you can.
The point of the 33133+3 h^x0r d00d's existience is to see just how big a stink he can raise. Well, he sure raised a stink all right. The previous posters' comments are dead on. We're about two steps shy of one of two things: Total chaos on the Net, or (more likely) an event that will make the Inquisition seem like a polite conversation over tea and crumpets.
These kiddies need to be taken a clue, personally and fast: you're turning the global sandbox you play in into a litter box, and if you don't clean up your act RIGHT NOW, Big Brother is going to dump you (*and us*) right down the latrine.
How that clue is delivered is none of my business.
Re:Not so good (Score:2)
Maybe this bit can be automated, sending control messages back to the sources of the messages (including routers) and asking them to choke or shutdown the connections? Of course, then you have an authentication problem to make sure somebody else doesn't shut off your legit streams...
Re:Disabling mail forwarding (Score:2)
chkconfig sendmail off
In other OSes you may have to edit the startup scripts directly. Programs needing to send mail will execute sendmail in send only mode.
You can email me directly if you have specific problems.
--
Further info on DoS tools (trinoo et al) (Score:2)
Any Solaris users/admins care to comment on the whether it's sheer bad luck that these tools pick on Solaris rather than Linux ? Or is it just a matter of time before thousands of insecure RedHat boxen join the tribe ?
And wouldn't win95 boxes on dial-up connections be the ideal host to launch distributed DoS attacks from ?
--
Re:Packet Monkeys (Score:2)
--
linuxisgood:~$ man woman
I'm sorry, I can't help it..... (Score:3)
It is sweeps week after all....
DOS attackers should be jailed (Score:2)
I'd expect there might be a great opportunity for some company to create tools/services for tracking DOS attacks... someone like Cisco would obviously be in a good position to track coordinated attacks.
I bet it was GlobalCenter's fault . . . (Score:2)
I find it quite likely that GlobalCenter screwed up, and that Yahoo! is attempting to spin the story so that their stock price doesn't get hammered. Fortunately for the readers of slashdot, we usually remember that it's not necessary to attribute something to malice that can adequately be explained by ignorance.
Leap Year Issue? (Score:2)
Ad impressions (Score:2)
Re:Can I sue you for negligence? (Score:4)
however, once you take into account the realities of the machines that are on the net today, this is nigh impossible. every day, DSL and cable modems are bringing more and more windows, linux, xBSD, etc. boxes onto the net with assigned IP addresses and security holes the size of Texas.
you can't, however, pin this on these individual users. if you're a systems administrator and that's your only working task, it is still difficult to keep up with security issues these days. it's more than a full-time job to keep a network secure from all of the possible attacks. you're never going to get all of the broadband users to secure their systems themselves, it'd be a herculean task.
it's better to start at the software/OS distributors and force them to hande the situation better. much like setting up ipmasq for the first time, the first thing to do is deny everything, then allow only what is necessary. operating systems should install the same way.
jimmy installs redhat, and decides that he needs web, email, ftp and nntp access. he runs through the installation, and at the end only ports 80, 25, 21 and 119 are open. he doesn't know any more than that, and he shouldn't need to know more than that.
there's no bind running errantly on his system, no apache running... honestly, at the end of pretty much any linux installation users have daemons running that they'll never need or use, opening up ports and holes that just aren't necessary.
instead of expecting every single end user out there to attend BOF security conferences and read bugtraq, maybe we should give them more secure setups to start with.
after all, in your scenario BOF don't exist, since everyone would already be included.
Re:It's DoS (Score:4)
-Nick Chernyy
P.S. for all of you paranoid FreeBSD users, there is a patch available and has been merged into the sources long ago.
Re:Not so good (Score:2)
There is no solution to prevent large distributed DoS attacks. What you can do is put certain filters in place to detect these attacks and act accordingly. When the largest problem is the amount of bandwidth, your only recourse is to get your upstream ISP to filter it at their site because they likely have much more bandwidth than you do. However, the problem with this is that they get very annoyed very fast and will tell you to go jump in a lake if their major routers are going down (this is of course unless you are a major customer). Believe me, I have dealt with sprint, uunet, and exodus regarding this and their solution regarding an idiot repeatedly DoS attacking your site is to charge you more money for all their trouble or to tell you to go away.
ISPs, bandwidth users must take responsibility (Score:2)
Likewise, anyone with a system connected to the 'Net must take responsibility for its security. A machine that's wide open to being "rooted" is an "attractive nuisance;" it is innocent by itself but incites trouble by facilitating abuse. The "white hats" on the 'Net should be proactive and stay one step ahead of the "black hats" in this respect. They should be walking down the Internet's virtual streets rattling doorknobs, and if they find one unlocked, they should tell the owner of the house, "See here; your house is unlocked. This is not good." This is far better than having a thief slip in later.
--Brett Glass
Re:How do you know who's responsible? (Score:2)
Re:Can I sue you for negligence? (Score:2)
But realize, there *are* legitimate reasons to do source-routing, and it *is* part of the IPv4 spec.
Should a place be held liable? Well.. i would say, if I was a tier-1 carrier, I might say 'if you want to attach to our network, you must ensure that such-and-such never enters our network'. THAT is how it should be done.
Re:It's DoS (Score:4)
Didn't you hear. It was caused by a bunch of DOS zealots who refuse to upgrade to Windows. They actually used DOS and just pinged the heck out of Yahoo. They claimed to be using this action as a way to show their disatisfaction with MS because they no longer support DOS. I, for one, say more power to 'em! Down with MS! Long live DOS! The undisputed KING of OS's!
----------------
"Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
It's a good thing Yahoo uses FreeBSD. (Score:3)
FreeBSD also has two special kernel options -- ICMP bandwidth limiting and TCP/IP RST restriction -- which can help with some DoS attacks. (No OS can do anything about a swamped pipe, of course, but if it knows how to throw away bogus packets and does not fall into the trap of trying to respond to them all, it'll be in much better shape. And, of course, it should never crash.)
I've seen some trolls in this discussion that suggested that FreeBSD was somehow responsible for Yahoo's woes. In fact, the opposite is true. If I'm going to get hit by TFN or Stacheldraht, I'll want a FreeBSD system -- probably the most recent version on the FreeBSD-stable development branch -- not NT, MacOS, or Linux. In our tests -- and we did a bunch of them when stream.c hit the streets -- it held up the best.
--Brett Glass
Re:Packet Monkeys (Score:2)
I would know too. I've had hosting boxes with 100mbps interfaces on an network with oc3 and multiple t3's to tier1 providers completely annihilated due to users using IRC without permission (EFNet is evil). One one occasion, all it took was a DoS attack from a box at a corporation with a t3 to sprint, the university of colorado and a misconfigured US naval academy network. Estimated traffic? 134mbps. Scaling an attack such as that to 1gbps (as reported) is fairly easy if you use distributed sources.
It is also true that there are many script kiddies with this much bandwidth available due to compromised shells and broken networks. Visit EFNet IRC sometime. There are many idiots without a clue with the ability to carry out attacks such as this. You don't have to know what you're doing to scan the entire internet for known vulnerabilities then sniff traffic and tty's at a number of locations and gain access to many other networks.
Re:How does one stop a DOS? (Score:2)
The problem is that there are many types of attacks that are capable of interrupting service. Many times installed filters require the provider or the customer to compromise their use of the service to allow for better security and protection.
Lotsa Red Hat boxes on DSL connections: be afraid (Score:2)
We in the Linux community have to pay more attention to our own security. We're going to start to see more and more folks with always-up DSL connections and static IP addresses. If the default configuration as shipped by Red Hat, or Corel, or whoever isn't damn near bulletproof, you know that the DoS freaks are going to own a lot of these boxes, simply because you can assume that there are a lot of people who won't apply security upgrades, who think "I don't need to care about security, nothing on this box matters".
On the contrary, any DSL-connected Unix clone is an attack vehicle, if captured.
It's not good enough to have some specialized Linux distributions that focus on security. The market leaders are the ones that really matter, because if you find a flaw in Red Hat you've found an exploit you can immediately use on thousands of machines.
Re:Not so good (Score:2)
You CAN however do quite a lot to prevent being a source, or at least an untraceable source - you should take great care that no network traffic leaces your network whith bad (=not your own) source address. If this simple precaution was in more widespread use, tracking this stuff would be much easier
This is only a start. You must also secure your hole bnetwork against intrusion. It's difficult, especially with the lack of quality of Windows. In my mind OpenBSD [openbsd.org] has gone the farthest with out of the box security. Even then it's possible an exploit may be found.
Using firewalls helps with security, but they still aren't fool proof. Systems behind them can still be compromized, but it's more difficult. My rule I setup systems with is if it must be accessable from the internet, then only those ports that need internet access are routed to it and from it by a seporit firewall system. Any other system must reside behind a NAT or masqurading firewall. This general rule helps alot with securing a site.
Unfortunatly this is only the tip of the iceburg. many other things need to be done. We maby should have an Ask Slashdot on securing systems and networks. Possibly one on each of the major OSes and on networks in general.
Re:ISPs, bandwidth users must take responsibility (Score:2)
Good point. Unfortunately, the response of some organizations to the white hat who tries to focus attention on a security flaw is to try to get the white hat prosecuted as a cracker.
Which Linux version did you test? (Score:2)
Recent Linux versions also have a number of kernel options to help with some DoS attacks, and Linux and *BSD kernel developers have been learning from each other on this issue. Just the same, if a recent Linux kernel didn't hold up well in your tests, we should know. Which version did you test?
Just one problem: (Score:2)
Re:What about prevention? (Score:2)
...phil
Re:Which Linux version did you test? (Score:2)
--Brett Glass
Re:Disabling mail forwarding (Score:4)
As someone else pointed out, you also need to put a script that does ``/usr/lib/sendmail -q'' into /etc/cron.hourly/ if you don't want your mail to get stuck at random.
But another useful trick, if there are certain machines you want to accept mail from and others that you don't, is to run sendmail under tcpd so that it obeys /etc/hosts.allow and /etc/hosts.deny, by adding this to /etc/inetd.conf:
smtp stream tcp nowait root /usr/sbin/tcpd /usr/lib/sendmail -bs
That way you can, for example, let specific machines on your subnet connect to your SMTP port without allowing the whole world to exploit the sendmail-bug-du-jour. (You can also do this with ipfwadm firewall rules, but I find hosts.allow to be easier to deal with.)
I generally prefer running services on my desktop machines (including sendmail and httpd) from inetd instead of having them always running as daemons in the background because that makes it easier to centralize control of their access lists, and because you don't have as many idle processes chewing up swap space. And since I'm the only one who ever connects to the http server on my desktop machine, the process-creation overhead is trivial (this wouldn't be such a good idea for a high volume web or mail server, obviously.)
Re:Which Linux version did you test? (Score:2)
Having compiled the Linux kernel dozens of times, and the FreeBSD kernel only thrice, I have noticed an underlying architectural difference between them. Options in BSD kernel *seems* to be more general, while stuff in the Linux kernel *seems* to be more specific. Now, I'm not an expert of DoS attacks, or even of the ways Linux or BSD handles them. However, DoS is not just a single, or even a handful of attack types. There are hundreds of DoS variants. The trick is not to include a kernel option for each attack type. Rather, it's how the kernel handles a flood of requests. I'm not sure it should even be the kernel's job to determine which requests are valid or bogus. That's up to a userland component.
Re:Ad impressions (Score:2)
The idea is to be indistinguishable from a genuine customer. You can't determine who to block--you've got customers angry because the system is slow, but you have no way to determine which ones are fake and which ones are there to buy something.
This attack is particularly frightening when one considers the relatively low number of clients needed to knock out even a hardware encryption system. "They keep lookin', but they just don't buy...but at least the ad sales are great!"
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
NEWS FLASH: TWO MORE SITES HIT (Score:2)
ABC News [abcnews.com] is reporting that two more web sites were hit in the last 24 hours, in attacks remarkably similar to the one that hit Yahoo. One website was Buy.com [buy.com], which was hit just as their stock was going IPO with 800 megabytes of traffic per second in a coordinated DoS (smurf?) attack. The other website was eBay [ebay.com]. The Yahoo attack used one gigabyte of traffic per second, according to ABCNews. Full story is here [go.com].
Re:Not MS This time.. (Score:2)
Some DoS attacks take advantage of server software. However, I believe the attack here was an attack on bandwidth. In such attacks, the target is generally flooded by more pings/TCP SYN packets/etc than their pipe can handle, even if the computer itself responds immediately and is well within an acceptable load. These attacks generally work by tricking a large number of inoncents, in conjunction with cracked accounts, into sending traffic to the same target.
Link to article on Ebay attack (Score:2)
FreeBSD saved Yahoo's butt. (Score:2)
--Brett Glass
Re:Any suspects? (Score:2)
Re:Which Linux version did you test? (Score:2)
umm... duh.
That's not the point though... if they're on 2.2.x and they see panic XYZ and don't tell us "hey I got a panic XYZ on 2.2.x when I ran stream.c" then in 6 months when they're ready to move to 2.4.x because it's been "stable" for months now odds are they're still going to get panic XYZ!
while this isn't the forum to report that panic, they mentioned it and were asked for info by someone who would do something about it (at least make sure the right people knew about it) and responded with a non-answer answer.
The big corporations can afford to write their own (Score:3)
Advocates of the GPL tend to invoke the bogeyman of large, evil corporations just spoiling to use your code. But if you buy this argument, you'll in fact be hurting the little guy who might challenge the big ones.
It's unethical to participate in an agenda whose purpose is to hurt others -- especially out of spite. Therefore, you should not use the GPL.
--Brett Glass
Re:Links (Score:3)
---------
Question: How do I leverage the power of the internet?
Re:Responsible corporations? (Score:2)
The idea behind BSD is to help the community, for the comman person, the programmer, the corperation, and the user. It works, as helping one in turn helps the rest. If I gave you a lemonade, or a coke, told you it was absolutely yours to use, sell, give, etc. Even had a contract between us, and then after you drank it accused you of stealing, who would you think was nuts?
The GPL believes that no one should own the code, yet their advocates are afraid of someone stealing it, or even NON-GPL code. BSD believes in helping further technical advancement, and thus allows for reuse and splinters. In the end, splinters are a BOON, because (especially with open source) the best one comes out on top, or is applied in very new directions. If not the best standard is derived and pushed by a huge company, killing the smaller, the larger must still compete because no one will follow it if there are absolutely no benefits. And, would these features even come about if it wasn't for the free code? If they would have, obviously at a later date. The problem?
This Happens All the Time (Score:2)
I find it hard to believe that Yahoo wasn't set up to cope with the denial-of-service attacks I've seen described so far. I'm sure that everyone who works on a web site with more than 10-20 million hits/day has dealt with these attacks.
For example, for the venerable SYN flood attack all one needs to due is tune the kernel to cope with it. SYN floods happen to most large sites on a daily basis.
The connect-to-port-80-and-hold attack is hard for a multiprocessing server like apache to deal with since it has to fork() for each connection. For a multithreaded server it's no problem at all-- it just needs a large pool of threads at its disposal. Each open connection takes up a thread until it times out, but thread creation takes up minimal resources. These connections are not always logged with the IP address in the web server, though perhaps they ought to be.A worse problem, and perhaps this is what happened, is if an actual GET takes place. In this case the thread has to do something other than merely exist. Each IP address is dutifully logged, making it possible to track down the participants in the attack. (Of course this leads into the other thread here on whether people who are not malicious, but whose systems were hijacked, should be liable.)
Does anyone know exactly what kind of attack this was? Was it directed at the Yahoo site and the routers just melted, or was it directed at the routers themselves? (E.g. bogus routing messages flooding the routers with false updates or other routing-level attacks.)
I'd hate to see Yahoo's networking bill for this month.
18 Page Ransom Letter (Re:The Attacks Continue!) (Score:2)
"A SOURCE CLOSE to the investigation of the Web site attacks told MSNBC he had read a threatening 18-page letter written by the alleged attacker. Included in the letter: "This is a watershed event of Net security debacle. We have shot across the bow of Yahoo. It's a real wake up call. This attack is just the first of the assaults that we will be launching on the Web
In the letter, the purported attacker complained about companies "capitalizing" on the Internet; the investigator MSNBC spoke to believes online brokerage companies such as eTrade could be his next target.
Check it out at:
http://http://www.msnbc.com/news/367495.asp
-ben
http://www.exocortex.org
Re:More Sites Now... (Score:2)
Re:DOS attackers should be jailed (Score:2)
Brett, don't post flamebait (Score:2)
This was Stallman's intent: to destroy programmers' prospects for success. He has said so, repeatedly.
You're twisting his words, and you know it. I could as well say "Brett Glass's intent is to give all the big corporations a free ride at the expense of the little guy." You might not agree with RMS. I myself don't agree with a lot of what he says. But I don't go spreading lies about him.
RMS created the GPL to make sure source code would always be available, no matter where it was or what it was incorporated into. You don't have to agree with this, but your policy of countering RMS's ravings with your own just hurts your cause.
The decision to use the GPL rests purely with the developer. Some people like the concept of code that cannot be incorporated into a closed source project. I kind of like it myself. Others want to foster code reuse as much as possible, and don't mind it being used in a close source project. When you come along and attempt to dictate what the developer should use, you are doing the same thing RMS does -- trying to force others to have your opinion.
Don't be a hypocrite, Brett.
Not flamebait; just the simple truth. (Score:2)
No, I'm not. In his more candid moments, Stallman states his intentions loud and clear. You may have seen him in "propaganda mode," in which he makes vague, warm fuzzy claims about "freedom."
Here are two quotes from Stallman -- spaced 14 years apart! -- which show that Stallman's intention is, and always has been, to hurt programmers via the GPL.
The first comes from Stallman's "GNU Manifesto," in which he says, explicitly, that his intent is to sabotage commercial developers and limit their career prospects so that they could make no more money than starving graduate students. In 1984, Stallman wrote:
In short, enraged that some of his colleagues were leaving the lab to pursue a commercial venture, he sought to sabotage them as a way of discouraging anyone from doing this in the future.
Stallman's more recent writings, speeches, and interviews confirm that this malicious intent still exists 14 years later. Here's what Stallman said when interviewed by a reporter for Forbes magazine:
(For the full text of the article, see http://www.forbes.com/forbes/98/0810/6203094a.htm. )
Thus, we can see that the GPL is a tool of spite. Its purpose: to attack commercial programmers and software businesses, and to reduce programmers' salaries to those of starving graduate students.
Now, I don't know about you, but I believe that to attack one's colleagues and hinder their progress out of spite and malice is unethical. Thus, I believe it's unethical to use the GPL. I hope that, now that I've told you some parts of the story that you may not have heard, you'll reconsider your stance regarding the GPL.
--Brett Glass
Re:Which Linux version did you test? (Score:2)
Re:Which Linux version did you test? (Score:2)
Thanks for the plethora of information.
"Wouldn't want GPL contamination
Sure, we all know that xBSD has a better */IP kernel
Re:DOS attackers should be jailed (Score:2)
Has it ever occured to anyone that we might want to all take responsibility and work together for a better society in more ways than jailing the 'bad' ones? Lets not produce them (abuse, neglect -- including latch-key, etc.).
I knew the kid who hacked NASA from Sudbury, Ontario a couple years ago
... bah
Juniper! (Score:2)
Take a look here [obtuse.com].
-John
Help them! (Score:2)
-John
Re:The big corporations can afford to write their (Score:2)
First of all, programmers who build on BSD-licensed code are not "taking" it. It's still there, for all the world to see and use. What's more, because the functionality of that code is already availble for free, they can only make money from a derivative work if they add substantial value. And all the money they do make will be the result of the functionality they added. Thus, they haven't "taken" anything from you. They've created value and deserve to be rewarded for that.
Hrm. You have a weird defination of hurt...
No, it's quite a normal definition of hurt. If you offer the code to anyone in the whole world to use as he or she pleases except a developer, you're playing a vicious game of "keep-away" with that developer. You're destroying the market for the functionality by making it available for free. At the same time, you're asking the developer to reimplement it before forging ahead. This is, indeed, hurtful. It holds developers back by requiring them to reimplement the wheel needlessly instead of making forward progress. And it deters standardization by requiring them to create and use a different code base. Not good.
it's my code.
In that case, why use it as a weapon to hurt people?
If the little guy wants to challenge the big guys, how about he offers to pay me to write code for him? I could use the cash.
So could he! Unfortunately, once you've given the code away to everyone else, it's not fair to ask him to pay for it. He can't make money off it, since its market value is now zero. So, you're asking him to pay for something which he cannot get his customers to pay him for! He's starting out "in the hole," and that's not fair.
But he can't run off with my code and hide it.
He can't hide it -- not if you've published it. He can only keep his improvements. (And that's fair; they're his improvements and his only way of making a living.) Nor can he "run off" with it. It's still there for anyone to use.
I don't see how failing to let someone else close-source code I wrote is either unethical or immoral.
Again, see above. They can't "close-source" your code; they can only decide to keep theirs.
Failing to do things for other people with no reward isn't unethical in any system of ethics I can think of. Certainly not mine.
Well, in that case I think you'll agree that programmers should not be forced to publish their work for free. But this is what the GPL tries to do.
However, what the people who take the code (no matter what their size) of BSD programmers, close source it, and give them no credit,
Actually, the BSD license allows the author to ask for credit. Ironically, this is something that Richard Stallman vehemently opposes. He's opposed to authors' rights -- not only for code, but for books and music, too.
while they are acting 'ethically' (because they were give permission to, however remotely), skirt the edges of morals in my book.
Again, the author can ask for this. But the trend is toward not doing so. Under the BSD or MIT X licenses, it's not required; the code has virtually no strings attached. Which is what open source should be about! The GPL is an attempt to turn open source -- which is otherwise a good thing -- into a weapon designed to hurt programmers. The motivation: pure spite and malice. This is not a good thing and is certainly not ethical, and so we should oppose it.
--Brett Glass
Re:Window Shopping Hordes (Score:2)
I'm becoming more and more of a believer that very few people are genuinely evil, most are just supremely selfish. That "all is fair in love and war" is no surprise in that context; both come from the same source.
A little to think about as Valiumtine's Day rolls around. (D.O.H.)
Anyway, I'm pretty much saying flat out that nobody's going to be thinking these geniuses are all K-Rad 3133+ hackers when their behavior is successfully used to turn some of their best supporters--the tech industry--against the right to be anonymous online.
That's not associating with them. That's saying, there's no good reason for what you're doing, because you're just doing what certain governmental forces want you to do anyway.
And incidentally, yes the government could blame it on the nonexistent evil, but why do it themselves when they merely need to wait for a patsy to do it for them?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Re:Can I sue you for negligence? (Score:2)
If your system is cracked, and then used to attack me, can I sue you for negligence?
I doubt it. Legal decisions rest on precedent as much as possible, rather than an objective decision. Although it's not a good analogy, I suspect that a legal case on this basis woould be treated as an extension of burglary. There's already a precedent that when premises are burgled by entering the unsecured premises next door, then breaking through between the cellars, there isn't a case for negligence against the premises holder of the first place entered. IANAL
Brett Glass has a heavy axe to grind. (Score:2)
This is because Glass is a fulminating anti-GPL fanatic; facts unfortunately come second. Let the reader beware.
--
Re:DOS attackers should be jailed (Score:2)
The law already has ways of handling juveniles and first time offenders that may have "fallen astray", and certainly those should be applied if applicable - no difference because it's a cyber-crime. Similarly, though, cyber-crimes need to be treated in *all* ways the same as any other... we're talking disruption of inter-state commerce here, as well as causing millions of dollars of losses.... not exactly kids play.
Sorry to hear you're in denial. (Score:2)
Apparently, you're so much in denial about the notion that there could be a bug in Linux that you've felt compelled to resort to name calling and personal attacks when one is mentioned.
--Brett Glass
You really expected me... (Score:2)
You might find that some of the other folks who have reported crashes under stream.c can help you more, since I'm sure that some of them have systems that are still running as they were.
--Brett Glass
Re:It's a good thing Yahoo uses FreeBSD. (Score:2)
Do you have more information on this? Linux kernels have options to not repsond to ICMP echo broadcasts (or any ICMP echos at all) and also have the rp_filter which drops packets originating on an ip that the interface is not part of, but these other methods you mention are intriguing.
Re:Can I sue you for negligence? (Score:2)
If a swimming pool has not been fenced up, and a child sneaks onto the property and drowns, the owner of the pool can be held partly liable. If you own a gun and neglect to lock it up or its ammunition, you can be held liable when someone steals the gun and kills someone with it.
This is known as the "attractive nuisance" principle. If you are responsible for some resource that presents an attractive nuisance to some miscreants, and you fail to take reasonable measures to secure it, you can wind up taking some of the heat for the damage they cause.
Computer security is so generally lousy that I'm reluctant to say that this principle should apply to system administrators in general. Not knowing the nature of this particular DoS attack, I'm particularly doubtful that it should qualify as an "attractive nuisance" -- for example, as far as I know there is no good way to prevent someone from launching a smurf attack from your network.
But the point is that it is a well-established principle that someone who maintains their property carelessly, in a way that facilitates theft or misuse, can in fact be held liable for negligence.
Re:Disabling mail forwarding (Score:2)
Sendmail has supported this internally since 8.8 or 8.9, by means of
example.com REJECT
192.168.0 REJECT
and run makemap hash access < access, sendmail will automatically reject mail coming from example.com or the 192.68.0 network.
Sendmail's rules are a bit looser than tcpwrapper's rules; for example, doing this will reject mail with an envelope sender from example.com as well as mail coming from a host in the example.com rDNS space. And Jamie's points about centralization of access files are well taken. But you can basically do this in sendmail without using tcpwrappers, if necessary.
Stallman hopes to take in the simple-minded. (Score:2)
Perhaps you haven't met Richard personally. Have you seen the way he leers at every passing female?
Recently, a female acquaintance told me that she and other women had specifically asked that Richard not be invited to a party they planned to attend. They further noted that, if he was present, they would stay in a different room to avoid being stared at, slobbered at, and bluntly propositioned -- as they had been at previous gatherings where Richard was present.
At the Fall 1999 LinuxWorld Expo, I watched as Richard, having just stepped off the dais after a panel discussion, ostentatiously scanned each woman in the group from head to toe as if he was mentally undressing her.
This is not exactly what I'd call behavior worthy of respect.
and morally support the FSF in most all of its activities.
The FSF is neither moral nor ethical. Attacking people out of spite never is.
However, I can understand someone disagreeing with Stallman. But to disagree with someone, you first have to understand what they are seeing. You, obviously, do not.
I've talked with Stallman at length and have reviewed his writings, speeches, and activities. I have also interviewed others about his behavior. I probably don't know more about him than his closest friends, but I daresay I know exactly what his views and aims are.
You say Richard Stallman created the FSF and the GNU GPL out of anger. I think you are probably partly right.
His writings, his speeches, and accounts of his behavior at the time fully support the notion that the FSF and the GPL were created entirely out of anger and spite.
You say it was out of spite towards some ex-colleagues, or the typical programmer. There, you are wrong.
Not so. Read Stallman's GNU Manifesto, where he explicitly states his aim: to ensure that no programmer can ever make more for his work than a starving graduate student.
Richard Stallman was screwed, and screwed good by proprietary software companies.
Not true at all. All of the work which was used by the spinoffs of the MIT AI lab was bought and paid for by grants from government and industry. It was the express intent that the concepts developed at the Lab be incorporated into government and commercial projects. Richard, unable to see the big picture, resented this -- even though this process was the entire reason he could live in an academic playground in the first place!
Of course, when the commercial spinoffs did happen, Richard couldn't go himself; he was a creature of academia and not one who "played well with others." In a fit of rage, So, he vowed vengeance on those who would threaten his small, cozy academic nirvana by leaving.
If you have read the GNU Manifesto, you know this. And the truth is, we all have. Yes, he was angry. But all I can say about that is "How could I be so comatose as to have not been angered by it?"
I think you might want to reread the document from a broader and more informed perspective. Again, this was Richard's perception -- warped, as it was, by horrible rage, anger, and spite.
Today, I am angry when I have to click "I agree" to some outrageous claims just so I can play a game. I'm glad I get angry. It shows me I've woken up. And Richard Stallman is one of the people who did that.
Actually, the GPL itself is a "shrink-wrap" (or "click-wrap") license, with terms every bit as onerous to developers as the ones to which you refer. The GPL, as a cure, is worse than the disease.
Richard Stallman does not wish for free software programmers to be poor.
He desires all programmers to be put "on a treadmill" (to borrow a phrase from a Microsoft executive) so that they cannot prosper. This intent is explicitly stated in The GNU Manifesto and in other documents and speeches.
He does wish for proprietary software manufacturers to make less money.
If software vendors charge too much, others who charge less will come along and compete with them. It's a self-correcting process.
Is he wrong?
It is always unethical and wrong to attack anyone's livelihood out of spite.
Exploitation will make you rich. Slave traders (they still exist) have never been poor.
Commercial software developers are, by and large, neither exploitative nor rich. And to label them as "slave traders" is a deceptive and nasty slur. Most software companies fail, and the ones that do succeed often barely manage to remain profitable. Only a few, such as Microsoft, have done inordinately well. These can be counted on the fingers of one hand -- and you won't use up all the fingers.
Richard Stallman believes proprietary software to be exploitation.
By this logic, owning my own house or car and not letting anyone use it at any time would also be exploitation. "Exploitation" is a loaded and pejorative word. There's nothing wrong with owning property -- intellectual or physical. Unless you're just plain spiteful about the other guy having it.
Looking at how much money Microsoft is worth, I'd agree.
That's paper worth. Red Hat is worth billions on paper too, incidentally, though it has never made a dime and in fact has lost millions of dollars per employee. Want to talk about exploitation? I think enticing them to buy stock in a company that has always lost money and has virtually no assets (Red Hat doesn't even own what it sells) is exploitation.
RMS would like software making to no longer exploit the end user.
He clearly wants to exploit programmers instead. ;-) Seriously, though, "exploitation" is an unjustified pejorative. Asking people to pay to license the intellectual property you produced via your own hard work is perfectly reasonable and fair. If you created something good, you deserve to be rewarded. Stallman wants to deny programmers a just reward for their work.
That will undoubtedly mean less money for those who try to exploit. All the better.
Again, the pejorative. By this logic, the person who asks you to pay for your food at a restaurant or supermarket is also "exploiting" you.
A few months ago, it was reported that Linus Torvalds had already cost Bill Gates several billions in shares value. I, for one, cheered.
It sounds as if you are spiteful.
Many others did as well. Yet when you quote Richard Stallman as having done the same to proprietary Unix companies, he is somehow evil.
It is never ethical to hurt anyone else out of spite or malice.
When people are free, the slave traders go bankrupt. That does not mean the the liberators were the bad guys to begin with.
"Slave traders?" "Liberators?" Sorry, but it's code, not people, that we're talking about here. One of the most misleading (and, at times, silly) parts of Stallman's rhetoric is his anthropomorpism of code. He talks about software as being "free" -- and uses the word "free" in multiple senses, that is, as a "pivot word," in an attempt to lead the reader to fallacious conclusions.
Richard Stallman paid the rent for many years by selling tapes with GNU Emacs on it.
Good for him. Why, then, does he begrudge other programmers a livelihood?
So stop the "He's a commie!" lingo already.
If you look at any of my postings, you'll see that I've never called Stallman a communist. However, his propaganda does borrow heavily from that of communism. And, alas, it is intended to mislead.
--Brett Glass
System and Network Security (Score:2)
There are many, well publicised portals and locations for such information, both system specific and universal. www.securityfocus.org, bugtraq, and many other environments provide up to the minute information on security for a wide range of systems, and any systems administrator should follow these closely, as well as system specific sources.
Those on a lesser scale, DSL and modem, should also pay attention. If you feel unwilling to take the time to secure your system, you should invest in an operating system that is Secure By Default. OpenBSD is the most publicised of these, but there are several hardened variants of linux, and hardeners for popular operating systems like RedHat (check out http://bastille-linux.org/).
For linux guys, I recommend reading the Linux Admin Security Guide (http://metalab.unc.edu/lasg/) and learning about IPChains, or for the bleeding edge people, Netfilter (Which is proving to be very powerful)
Unfortunately I have no pointers for Windows, but perhaps other users can contribute URLs where information like that can be located. A quick search in a search engine may help too.
Re:DOS attackers should be jailed (Score:2)
Re:Packet Monkeys (Score:2)
Partisan action against a violent repressive government is not "civil disobedience," it is guerilla warefare or an "underground."
Perhaps we were not in agreement about terms here. Resistance to Hitler's regime, from providing information to the Allies to slashings tires on government vehicles would not be, to me, acts of civil disobedience. And I absolutely agree with you that such acts are honorable in such a context. But the United States is NOT, no matter how upset you may legitimately be with it, in no way comparable to Europe under Nazi occupation.
Re:Packet Monkeys (Score:2)
I don't remember whom I am quoting here, so if one of you knows, please give appropriate credit: "The only thing necessary for evil to triumph is for good men to do nothing."