Forum: The Yahoo Denial of Service

Posted by CmdrTaco
from the stuff-to-think-about dept.
It's one of the larger news items of the day, but we've sorta avoided mentioning it here because it is really "just another Denial of Service Attack." But it's the biggest one ever. It took down Ya- 'we serve half a billion pages a day' -hoo. And they were taken down for several hours from a distributed DOS attack. What does this mean? I honestly don't know, but I figure you guys might have some opinions.

  • Wow, a DOS attack. Does Microsoft know about that? Isn't it supposed to be DoS?

    kwsNI
  • by Anonymous Coward
    Well, the first thing that comes to mind is: If it can happen to yahoo, what's to stop it from happening to me?

    Answer: NOTHING!! As far as I can tell, you're sitting out on a limb and there's nothing you can do to prevent becoming a victim of a DOS attack.

    You CAN however do quite a lot to prevent being a source, or at least an untraceable source - you should take great care that no network traffic leaves your network with a bad (=not your own) source address. If this simple precaution was in more widespread use, tracking this stuff would be much easier.

  • probably does more harm than good. Need a smurfable subnet? They have a list of the 2048 worst offenders.
  • by Rommel (33210) on Tuesday February 08, 2000 @12:16PM (#1294253)
    If your system is cracked, and then used to attack me, can I sue you for negligence? How else do we get companies to put proper practices in place?

    Like IP spoofing, for example. IP spoofing would more or less come to a halt if ISPs, Universities, and corporations would put some simple filters into place, preventing packets with impossible source addresses from leaving their networks.

    This distributed DOS stuff can be stopped only if *all* of the sites in the community engage in sound security practices.
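The border filter the two posts above call for, written out as an added example (it is not code from any poster here). The site's prefixes (192.0.2.0/24 and 198.51.100.0/25, RFC 5737 documentation ranges), the upstream interface name `eth1` and the rendering into iptables rules are all assumptions; the rule itself is the one the posts describe: a packet may leave only if its source address is one of ours, and a packet may arrive from upstream only if its source is not one of ours.

```python
"""Border anti-spoofing filter, modelled on the advice in this thread.

Assumed site: it originates traffic only from 192.0.2.0/24 and
198.51.100.0/25 (RFC 5737 documentation prefixes standing in for real
allocations). Everything here is constructed example code.
"""
import ipaddress
from typing import List, Tuple

# Prefixes this site legitimately sources packets from (assumed).
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/25")]

# Source addresses that have no business crossing any border in either direction.
NEVER_VALID = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

EXT_IFACE = "eth1"  # assumed name of the upstream-facing interface


def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def egress_verdict(src: str) -> Tuple[str, str]:
    """Outbound packet: permit only if its source is one of our own addresses."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, OWN_PREFIXES):
        return ("PERMIT", "source is ours")
    if _in_any(addr, NEVER_VALID):
        return ("DROP", "source in a never-valid range")
    return ("DROP", "source not ours: spoofed or misrouted")


def ingress_verdict(src: str) -> Tuple[str, str]:
    """Inbound packet: the mirror image. Nothing arriving from upstream may
    claim one of our own addresses or a never-valid one."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, OWN_PREFIXES):
        return ("DROP", "outside packet claims one of our addresses")
    if _in_any(addr, NEVER_VALID):
        return ("DROP", "source in a never-valid range")
    return ("PERMIT", "plausible external source")


def filter_outbound(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Apply the egress rule to (src, dst) pairs; returns (src, dst, verdict, reason)."""
    return [(s, d) + egress_verdict(s) for s, d in packets]


def iptables_egress_rules() -> List[str]:
    """Equivalent iptables FORWARD rules for the upstream interface: accept each
    owned prefix, then drop everything else leaving through that interface."""
    rules = [f"iptables -A FORWARD -o {EXT_IFACE} -s {net} -j ACCEPT" for net in OWN_PREFIXES]
    rules.append(f"iptables -A FORWARD -o {EXT_IFACE} -j DROP")
    return rules


# Constructed outbound traffic sample: (source, destination).
SAMPLE_OUTBOUND = [
    ("192.0.2.10", "203.0.113.5"),      # normal: one of our hosts talking out
    ("198.51.100.200", "203.0.113.5"),  # just outside our /25 (which ends at .127)
    ("10.0.0.5", "203.0.113.5"),        # RFC 1918 source leaking out
    ("44.1.2.3", "203.0.113.5"),        # forged source on a flood packet
]

if __name__ == "__main__":
    for src, dst, verdict, reason in filter_outbound(SAMPLE_OUTBOUND):
        print(f"{src:>16} -> {dst:<14} {verdict:6} {reason}")
    print("\n".join(iptables_egress_rules()))
```

The order of the checks matters: ownership is tested first, so the verdict for an owned address never depends on how the never-valid list is maintained, and the /25 case shows why the filter has to match the real allocation rather than a rounded-up /24.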
  • by PenguinX (18932) on Tuesday February 08, 2000 @12:16PM (#1294256) Homepage
    As I do not see a link out to anywhere I will guess that this refers to a problem that started yesterday and propagated throughout many top level routers. The problem originated at Alter Net and it would appear as though they had a bad routing update - which propagated to glbx.net and affected many sites such as Yahoo!, CNN and a few others. This all depends on who you're connected into - and where the routing packets are forced, but for many USWest !nterprise customers yesterday half or so of the internet was "down".
  • no.
  • Rather than all discuss how the people doing this are "eL33t" or just twats with more time on their hands than can be filled wanking how about a discussion of possible preventative measures?

    I recently installed a firewall at our company - previously we were reliant on protection of our private network by Microsoft Poxy Server which is by no means a security product. We now use the Sonicwall Pro product which includes a DMZ segment and halfway decent reporting facilities.

    One thing I've noticed is how many DoS attacks are attempted by single hosts aimed at our network, we're not a large organisation and we provide services to a pretty small yet worldwide market.

    Now I'm not entirely sure how well the firewall would stand up to a proper attack and would like to know what other options are available to me to help avoid this sort of outage.

    Any takers?

  • What? You mean all the times I've tried to get through to /. and it has taken several minutes to reply *haven't* been as a result of DoS attacks?
  • Those of you without the Hacker News Network slashbox on your front page might want to take a look at this story [hackernews.com], which has a bit more information as well as links to a number of media stories about it (Wired, NYTimes, etc.).
  • by jimm (5532) <jimm AT io DOT com> on Tuesday February 08, 2000 @12:21PM (#1294276) Homepage
    Wired claims in Routers Blamed for Yahoo Outage [wired.com] that it was not a DoS attack; rather, it was a misconfigured router at their ISP. Anonymous source 'n everything.
  • by John Fulmer (5840) on Tuesday February 08, 2000 @12:21PM (#1294278)
    I wonder how long (or if it has already happened) until an employee of an online business decides to improve the value of his stock options by taking out his company's top rival(s) for a couple of hours. There are times (say around December 15th for many merchants) when something like this could be devastating.

    D-O-S: Not just for script kiddies any more....

    jf

  • When I first heard about it (it was on our 'superficial' morning TV news), I realised that it wasn't a 'hack' but just a DoS attack with some script kiddies not having enough time on their hands.

    But now I'm realising that it would have been a large, very organised 'team' effort. After all, it's going to take more than just a couple of computers to put through 500 million page requests in such a short period of time.

    The more worrying thing is this: If it was possible to take down Yahoo, what else are they going to try and take down? Was this just a one off, to see if it can be done? Or was this just the first.

    A possible way to try and stop all this is to get the mainstream media to accept the term 'script-kiddie' and make sure they know what the meaning of it is, i.e. so that the next time a major DoS attack occurs, the media recognises that it was just script-kiddies playing around. This way, the script-kiddies will be less likely to pull these stunts because they know they won't get called 'hackers', which is their goal, but this derogatory term which makes them look uncool.
  • by Effugas (2378) on Tuesday February 08, 2000 @12:23PM (#1294284) Homepage
    Yahoo was taken down by a major Denial of Service attack--this is true.

    What's really scary isn't DoS attacks that are obvious, but ones which are indistinguishable from regular traffic.

    Reasonably static and well hosted sites like Yahoo wouldn't be taken out, but the average E-Commerce site, with dynamically generated pages off a single-point-of-failure SQL Server architecture would be completely knocked out by what appeared to be nothing more than extremely heavy traffic.

    Such an attack would require massive compromise of hosts (since they'd be able to execute only a few five minute random clicksessions per hour), but would show up on no security scans and would be indistinguishable from an unusually large horde of window shoppers.

    How would you defend against this? How would you even know you were under attack?

    And, most intriguingly, if you're getting paid by the ad impression, would you care?

    A quick message to the people responsible...your behavior will eventually lead to the kind of IP network monitoring that the Russian Government is making all their ISPs pay for. It is one thing to describe the attacks and work to repair the infrastructure; it's something entirely different to execute attacks that will quickly lead to solutions that can only be described as nightmarish.

    Think for a moment who <i>wins</i> when you take down Yahoo, and shudder. Because there is a winner, and in the long run, it ain't you. You're helping someone. Guess who.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
  • by Mushy (143625) on Tuesday February 08, 2000 @12:23PM (#1294285)
    1) stacheldraht [sans.org]
    2) trinoo [washington.edu]
    3) tfn tribe flood network [washington.edu]
    4) tfn2k [securify.com]
    5) CERT's denial of service tools [cert.org]
    Useful?
  • by evilpenguin (18720) on Tuesday February 08, 2000 @12:25PM (#1294292)
    ...has to pay more attention to security. While I am sure there are quite a few people willing to cooperate in launching a DoS attack (and, BTW, who cares if it is typed DoS or DOS?), I'm equally sure the primary method is to launch the attack from the cover of a number of compromised systems. A DoS attack can be done with any compromised account, too. It doesn't require a "root" compromise if all you are doing is flooding a router or set of routers from multiple different networks. You only need a root compromise to do "cool" stuff with forged headers and illogical option bits (like SYN-FIN). If you are launching your attack from compromised accounts that you logged into from other compromised accounts, you don't care about forging headers. Your identity is already hidden by other means. What do you care if some suits come knocking on the door of the owner of the compromised host? You aren't there.

    This means that we all have to take security seriously. That password matters. Don't share it. If you have resources, use two part authentication. Take reasonable precautions. Audit your setuid programs. Don't put "." in your path. Don't have world-writable files. If you can't afford commercial 2-part auth solutions, at least use ssh instead of telnet. Etc., etc., etc.

    We can't afford to have security be the province of experts and miscreants. Responsible netizenship demands that we take security seriously, at least to enough of an extent that we can be confident our own systems aren't being used by others to attack systems.

    Some people believe that cracking systems or launching DoS attacks are a legitimate form of civil disobedience. I actually agree with that. But you are only engaging in legitimate civil disobedience if you are doing it on your own equipment and not concealing your identity. Protesters go somewhere openly and risk arrest. Vandals sneak around in the dark wearing ski masks and painting slogans. One is a principled stand and the other is a cowardly crime. Furthermore, when you use someone else's computer in your act of civil disobedience, it would be like the act of, when the police wade into your protest with their truncheons flailing, grabbing the nearest non-participant and using them as a shield. Cowardly.

    So, as always shy with my opinions, that's what I think the giant DoS means.

    Anyone know if this was mere mischief or if there was a motive for this incident, BTW?

  • Ok I'm biased since I wrote this article, but it covers the Yahoo! DOS (I took a look at their network/etc) and goes over what you can do to prevent being DOS'ed, and what you can do to "be a good neighbour".

    Yahoo! - Why denial of service (DOS) attacks work (http://www.securityportal.com/) [securityportal.com]

    Kurt Seifried

  • but for many USWest !nterprise customers yesterday half or so of the internet was "down".


    I've noticed this too, being a USWest Megabit subscriber. Any links to sites that give a bit more detail than the ITR [internettr...report.com] (hmm, the current index for N. America is pretty (s)low, looks like it took a hit about 7 a.m.)
  • CERT put out a thing about this a few months ago in this document [cert.org] - also see some of the links they have to past documents.

    It looks like the script kiddies are basically getting a bunch of insecure machines to just all start pinging the hell out of something from different places around the net. Ya gotta admit, you could flood the hell out of a connection pretty fast just by finding even 20 insecure hosts.

    I myself fail to see what the point of attacking Yahoo is. AFAIK, they are not domain name hijacking like a certain e-tailer nor are they trying to enforce a stupid patent like another certain e-tailer, and they did not try to trademark WHOIS, so what is the point of going after them?

  • If your system is cracked, and then used to attack me, can I sue you for negligence? How else do we get companies to put proper practices in place?

    Probably not.

    This is a slippery slope. I feel one should blame the person who breaks the law not someone who innocently contributed to the possibility of the law being broken. To blame the owner of the cracked system used for a DoS attack is like blaming the owner of a stolen car for its use in a bank robbery, or to blame the kids who wrote DeCSS for the (potential) piracy of DVDs.

    Furthermore, in the case of cracked machines being used for DoS attacks, there is no contractual requirement for the owners of those machines to put secure servers onto the net, so I doubt your lawsuit would be successful. You would probably obtain better results by publicizing the need for server maintainers to be more aware of implications of an insecure machine.

  • There was an analysis of a distributed DoS software on Bugtraq somewhat recently. It's called Stacheldraht and is designed to be installed on many insecure machines on the net (i.e. they get cracked and don't notice it, it's not a voluntary network). There's also another package of which I don't remember the name.

    The design is quite well thought-out, with multiple layers where DoS servers are responsible for a bunch of slaves which do the actual DoS work. These servers can then be controlled from a central point. Massive bandwidth to DoS at the cracker's hands.

    I guess this incident shows that it or a similar package is in use. This is a new way of attacking, so I think it was worth a news item.
  • Prevent? Maybe not, decrease the likelihood? You better f'ing believe it. How far you go and how much you spend varies on what you're protecting but for FreeBSD there's an ICMP_BANDLIM which enables icmp error response bandwidth limiting. Before you give up you may wish to do a bit more research....
  • Well, personally I don't use commercial firewall tools. I use Linux. It makes a great, full-featured firewall if you know how to configure it. It is much more difficult to configure Linux as a firewall than it is to configure commercial "out-of-the-box" solutions, but the added flexibility that Linux gives you can be worth it.

    Check out the Linux Firewall HOW-TO at http://linuxdoc.org for more information.
  • Does this DoS attack have anything to do with the fact that the Net has sucked for the last four-five days [internettr...report.com] here in North America?
  • ...and check out the alarmingly high percentage of 'k12' addresses they list, too. What, don't schools in this country pay top dollar for their net admins just like real companies do?

    moderators, take note:
    usage: sarcasm -[low | medium | overbearing] "comment"

  • ...every time slashdot links to a remote site!

  • True. Except people can't figure out where my firewall is by my e-mail address. :P

  • Hmm... I could imagine the crap that would be posted here bashing MSFT if Yahoo was using NT/IIS. However, since they were using FreeBSD, we won't hear a peep from anyone.

    Go ahead, moderate me down. Couldn't care less.

  • by PhiRatE (39645) on Tuesday February 08, 2000 @12:45PM (#1294360)
    There are no defenses. Trust me, as someone who is deeply concerned about it and has spent a considerable amount of time investigating.

    The attack doesn't attack your firewall, it doesn't attack your boxes, it very simply attacks your bandwidth, it fills it up, completely, leaving no room for other traffic.

    It doesn't matter if your firewall drops every single packet it sees, for that matter it doesn't matter if you unplug your box, it isn't going to help at all.

    The vast number of machines that have been compromised, especially on university campuses where attention to security is limited on many boxes, and a crack can go unnoticed for months or years, give these flood networks more bandwidth than a medium-large sized ISP. If they are willing to take the risk that someone tracks them down, they can knock out most companies and for that matter, often their upstream.

    So, as an administrator, there is little you can do. Some things can help slightly, (see following) but if you get one of the larger networks pointed at you, you call your provider, get them to call their provider, and hope that they can implement some kind of filtering on their router as a temporary solution. You probably won't get far with that however.

    Things to do:

    1. log log log log log. Strange packets coming in should be logged. If you can do this, there's a chance the guy can be traced back to source if one of the IPs is on a network with a competent admin and the source of the network control packets can be found.

    2. Alert whoever you have to. If you're getting hammered, it's a crime, tell the police, look on the CERT site for more details about who you can contact if you're in this situation.

    3. close up all ports that aren't critical, from any replies. These guys function best when they can hit a wide range of ports and get replies from your box, effectively doubling the load generated by each packet. If you drop 98% of the ports on your box, that leaves most of the packet hits out in the cold, making them have to work harder. Don't be scared to start dropping whole class A/B networks if a large number of hits are coming through from them.

    4. For those using unix based firewall solutions, have a couple of scripts handy which you can use to turn off all ICMP (you should already be filtering bad ICMP, this just goes the next step), and all non-essential ports.

    5. Have syncookies on your system if available, this will help keep you working during small TCP floods.

    6. Make sure that you, as admin, have on your firewall the necessary rules to deny spoofed IPs from within your own network. If you don't, you are irresponsible and quite possibly a contributing cause to this whole mess. An internet connected network needs monitoring, no matter how well set up. Take the time to do it.

    The final verdict is there is no individual solution to this problem. If everyone implemented #6, we'd be in a lot better shape, still not brilliant but certainly a vast improvement. On the positive side, there are many brilliant minds who have observed this problem and are working on infrastructure solutions (see BOF recently etc).

    No matter how good your firewall software, script kids these days have the capability to flood your entire link. Proactive and constant vigilance is the only thing that could possibly minimise the damage.
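Item 5 in the list above, SYN cookies, is the one mechanism there that lets a host keep accepting connections while a SYN flood is in progress, so here is a worked model of it. This is an added example, not code from the post or from any kernel: the server and client addresses are constructed (RFC 5737 ranges), the cookie layout (5 bits of time counter, 3 bits of MSS index, 24 bits of keyed hash) is a simplified version of the classic scheme, and HMAC-SHA256 stands in for whatever hash a real stack uses. The point it demonstrates is that the listener remembers nothing about a SYN until the third packet proves the client really sent it.

```python
"""SYN cookies: stateless handling of the first handshake packet.

Added example, not from the thread or any kernel. Addresses are constructed
(RFC 5737 ranges); the cookie layout and the MSS table are assumptions.
"""
import hashlib
import hmac
import ipaddress
import random
import secrets
import struct

_SECRET = secrets.token_bytes(32)   # per-boot secret; generated at import here
_TICK = 64                          # seconds per counter tick
_MAX_AGE_TICKS = 2                  # cookies older than this are refused
MSS_TABLE = (536, 1024, 1220, 1400, 1460)  # MSS values the 3-bit index can encode (assumed)


def _tick(now: float) -> int:
    return int(now) // _TICK


def _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, tick) -> int:
    """24-bit keyed hash over the connection 4-tuple, the client ISN and the tick."""
    msg = struct.pack("!4sH4sHII",
                      ipaddress.IPv4Address(src_ip).packed, src_port,
                      ipaddress.IPv4Address(dst_ip).packed, dst_port,
                      client_isn & 0xFFFFFFFF, tick & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now) -> int:
    """The cookie is used as the server's ISN in the SYN-ACK; no state is stored."""
    tick = _tick(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (((tick & 0x1F) << 27) | (mss_idx << 24)
            | _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, tick))


def check_cookie(cookie, src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Validate the cookie echoed back in the ACK. Returns the negotiated MSS,
    or None if the cookie is forged or too old."""
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    now_tick = _tick(now)
    for age in range(_MAX_AGE_TICKS + 1):
        tick = now_tick - age
        if (tick & 0x1F) != ((cookie >> 27) & 0x1F):
            continue
        expected = (((tick & 0x1F) << 27) | (mss_idx << 24)
                    | _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, tick))
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return MSS_TABLE[mss_idx]
        return None   # right tick, wrong hash: forged
    return None       # no acceptable tick matches: expired


class SynCookieListener:
    """A listening socket that keeps no half-open state at all."""

    def __init__(self, ip: str, port: int):
        self.ip, self.port = ip, port
        self.established = []   # only fully handshaken connections live here

    def on_syn(self, src_ip, src_port, client_isn, mss, now) -> int:
        # Reply SYN-ACK with seq = cookie. Nothing is remembered.
        return make_cookie(src_ip, src_port, self.ip, self.port, client_isn, mss, now)

    def on_ack(self, src_ip, src_port, seq, ack, now) -> bool:
        # Third packet: seq = client_isn + 1, ack = cookie + 1. Rebuild and verify.
        mss = check_cookie((ack - 1) & 0xFFFFFFFF, src_ip, src_port, self.ip, self.port,
                           (seq - 1) & 0xFFFFFFFF, now)
        if mss is None:
            return False
        self.established.append((src_ip, src_port, mss))
        return True


def demo():
    srv = SynCookieListener("192.0.2.80", 80)
    now = 1_000_000.0
    rnd = random.Random(1)
    # 1. 10,000 SYNs from random (spoofed) sources: the listener stores nothing.
    for _ in range(10_000):
        srv.on_syn(str(ipaddress.IPv4Address(rnd.getrandbits(32))),
                   rnd.randrange(1024, 65536), rnd.getrandbits(32), 1460, now)
    state_after_flood = len(srv.established)
    # 2. A real client finishes its handshake half a second later.
    isn = 0xDEADBEEF
    cookie = srv.on_syn("203.0.113.9", 40000, isn, 1460, now)
    legit = srv.on_ack("203.0.113.9", 40000, isn + 1, cookie + 1, now + 0.5)
    # 3. An ACK carrying a guessed cookie is refused.
    forged = srv.on_ack("203.0.113.9", 40001, 1, 12345, now)
    # 4. The genuine cookie replayed after the window closes is refused too.
    stale = srv.on_ack("203.0.113.9", 40000, isn + 1, cookie + 1, now + 4 * _TICK)
    return state_after_flood, legit, forged, stale, srv.established[0][2]


if __name__ == "__main__":
    print(demo())  # (0, True, False, False, 1460)
```

The price of statelessness is visible in the code: only a few MSS values can be encoded, and options negotiated in the SYN that do not fit in the cookie are lost, which is why real stacks enable cookies only once the backlog is under pressure rather than for every connection.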

  • Only this is the "Internet economy" and classic rules don't apply. Both Yahoo! and Global Crossing closed up yesterday and (significantly) today; both ahead of the S&P500, of which both are members. Go figure, but don't sell short before making a DoS attack or you could lose your shirt and go to jail...
  • I suspect there's a wonderful grey area here .... for example contrast the following:
    • Fred announces "isn't it crazy they're selling frizmos on EBay for $10M" on SlashDot ... the /. hordes go over to check it out .... EBay goes down
    • Fred gets pissed at EBay for some reason, and announces "isn't it crazy they're selling frizmos on EBay for $10M" on SlashDot ... the /. hordes go over to check it out .... EBay goes down
    One is an indirect DOS attack on EBay, the other is just a 'normal' net traffic peak - how do you tell? do you care? (if you're EBay you may actually welcome the interest)
  • by interiot (50685) on Tuesday February 08, 2000 @12:48PM (#1294370) Homepage
    Here's some links since none were posted:

    Cyberattack Cripples Yahoo [apbnews.com] (APBNews)
    Who's Behind Yahoo Attack? [zdnet.com] (ZDNet)
    FBI talks with Yahoo! about attack [zdnet.com] (ZDNet)
    How a basic attack crippled Yahoo [cnet.com] (CNet) (with stupid protocol animations too!)

    And in other news: A different type of DoS attack is being carried out against Yahoo. At least 40 web articles [excite.com] have been written so far, showing evidence of how many reporters must be calling Yahoo right now. Once the second round of DoS attacks are stopped, the techies can finally get some work done beefing up the site.

  • by evilpenguin (18720) on Tuesday February 08, 2000 @12:51PM (#1294377)
    I said it in my earlier post, but I'm going to say it again here (so, yes, mark me redundant if you must): Certainly a DoS attack can be a legitimate form of civil disobedience, but if you are going to do it as such, have the courage of your convictions and launch the attack directly from your own machines on your own network, using your real IP address. Then it's civil disobedience.

    My attitude towards Greenpeace protests would be quite a bit different if they went down to the local nursing home, yanked old people out of their beds (they're easier to handle than, say, raiding a gymnasium), and chained them to the gates of a nuclear power plant.

    When you sneak through other people's accounts, machines, and networks to both hide your identity and launch your attack, then you are effectively chaining up the elderly (metaphorically speaking, of course). For an act of civil disobedience to be an honourable act, one must openly reveal one's identity and run the risk of arrest and imprisonment. I'm not impressed if someone comes up to me and says "I told my girlfriend to chain herself to the gate. I stayed home. I had the sniffles."

    Civil disobedience by proxy is the act of a coward. A sniveling little spineless coward.

    My account info has my real name and my real primary e-mail address. I stand up for what I say. I don't lay booby-traps or hide behind other people.
  • by kevin805 (84623) on Tuesday February 08, 2000 @12:53PM (#1294383) Homepage
    I wonder when we are going to start seeing subsets of the internet partition themselves off and only deal with other sites the implement certain policies (for example, contractual agreements regarding penalties from spam coming from your domain, failure to block impossible packets and so on).

    It could be done pretty cheaply during the changeover to IPv6. Just use the first byte to indicate what level of security (or bitwise OR of different security features) the host network guarantees. Then you could just block, for example, any mail coming from someone who didn't guarantee they could track down the original author (which implies that they have enforced similar rules on their relaying).

    --Kevin
  • Yahoo (YHOO) is up 19 1/8 points [infospace.com] on the news. Either investors are confused and think the DoS attack is generating millions of dollars in ad-impression revenue, or the stock market makes absolutely no sense. I have no good reason to suspect it's anything but the latter.
  • With a loaded gun you would have an easy time claiming that a reasonable man should have known that the loaded gun was dangerous.

    Now try making a claim that a reasonable man should be expected to know that a networked computer can be used as part of a distributed DoS attack.

    The fact that you probably have to explain to the court what you mean by "a distributed DoS attack" will make it difficult.

  • Why Yahoo?

    Because you can.

    The point of the 33133+3 h^x0r d00d's existence is to see just how big a stink he can raise. Well, he sure raised a stink all right. The previous posters' comments are dead on. We're about two steps shy of one of two things: Total chaos on the Net, or (more likely) an event that will make the Inquisition seem like a polite conversation over tea and crumpets.

    These kiddies need to be given a clue, personally and fast: you're turning the global sandbox you play in into a litter box, and if you don't clean up your act RIGHT NOW, Big Brother is going to dump you (*and us*) right down the latrine.

    How that clue is delivered is none of my business.

  • Now you can start backtracing the flood through your ISP / provider and he can start doing it with his backbone connection, ad nauseam.

    Maybe this bit can be automated, sending control messages back to the sources of the messages (including routers) and asking them to choke or shutdown the connections? Of course, then you have an authentication problem to make sure somebody else doesn't shut off your legit streams...

  • If all you want to do is to allow outgoing mail, just stop running sendmail in daemon mode. With redhat you can do this with

    chkconfig sendmail off

    In other OSes you may have to edit the startup scripts directly. Programs needing to send mail will execute sendmail in send only mode.

    You can email me directly if you have specific problems.
  • Some excellent & very timely coverage, esp. in December last year, came from SANS [sans.org]; see in particular Solaris Flash alert [sans.org]; it seems that a lot of trinoo, TFNxxxx and stacheldraht has originated from poorly secured Solaris boxes. Also see SANS Global Incident Analysis Center [sans.org] for broader coverage of current security issues.

    Any Solaris users/admins care to comment on whether it's sheer bad luck that these tools pick on Solaris rather than Linux? Or is it just a matter of time before thousands of insecure RedHat boxen join the tribe?

    And wouldn't win95 boxes on dial-up connections be the ideal host to launch distributed DoS attacks from?

  • Pardon me? a lot of shells? Haha... I don't think that 30 or 50 shells could make a dent in yahoo... (I can learn, correct me if I'm wrong... don't flame :-)). More likely this was a distributed smurfing (or something else semi-similar). If it didn't take intelligence, I guarantee it took preparation. I would place money on the fact that a lot of misconfigured routers were exploited to do this.

    --
    linuxisgood:~$ man woman
  • When DOS attacks! This Sunday on FOX! (Right after the Simpsons!)

    It is sweeps week after all....
  • A DOS attack is just as bad as creating a destructive virus, since it can cause serious financial losses for the site/company attacked. It'd be good to see the government (FBI hopefully, since it'd likely be inter-state) go after one of these jerks and hang them up to dry. Too bad if it's a script kiddie - an example needs to be set.

    I'd expect there might be a great opportunity for some company to create tools/services for tracking DOS attacks... someone like Cisco would obviously be in a good position to track coordinated attacks.
  • The Yahoo! servers (there are a ton of them) are located at the GlobalCenter NOC in Sunnyvale. They have thousands of machines there - it's a very impressive setup. However, that NOC is perhaps the WORST place in the world to place a server - it is completely overloaded, and the employees barely have command of the English language. A company I worked for hosted their servers there, and the latency created by the jammed connections virtually hosed the web-based service they designed.

    I find it quite likely that GlobalCenter screwed up, and that Yahoo! is attempting to spin the story so that their stock price doesn't get hammered. Fortunately for the readers of slashdot, we usually remember that it's not necessary to attribute something to malice that can adequately be explained by ignorance.

  • I was wondering the same thing. Feb 29th is close at hand. Wonder if that has anything to do with it?

  • Correct me if I'm wrong, but it's usually the number of times that the image has been requested, not a page on which the image is placed. A DoS script is unlikely to waste time requesting images.
  • by AugstWest (79042) on Tuesday February 08, 2000 @01:39PM (#1294462)
    at first glance, from an administrator's perspective, I can understand this.

    however, once you take into account the realities of the machines that are on the net today, this is nigh impossible. every day, DSL and cable modems are bringing more and more windows, linux, xBSD, etc. boxes onto the net with assigned IP addresses and security holes the size of Texas.

    you can't, however, pin this on these individual users. if you're a systems administrator and that's your only working task, it is still difficult to keep up with security issues these days. it's more than a full-time job to keep a network secure from all of the possible attacks. you're never going to get all of the broadband users to secure their systems themselves, it'd be a herculean task.

    it's better to start at the software/OS distributors and force them to handle the situation better. much like setting up ipmasq for the first time, the first thing to do is deny everything, then allow only what is necessary. operating systems should install the same way.

    jimmy installs redhat, and decides that he needs web, email, ftp and nntp access. he runs through the installation, and at the end only ports 80, 25, 21 and 119 are open. he doesn't know any more than that, and he shouldn't need to know more than that.

    there's no bind running errantly on his system, no apache running... honestly, at the end of pretty much any linux installation users have daemons running that they'll never need or use, opening up ports and holes that just aren't necessary.

    instead of expecting every single end user out there to attend BOF security conferences and read bugtraq, maybe we should give them more secure setups to start with.

    after all, in your scenario BOF don't exist, since everyone would already be included.
  • by nicou (149950) on Tuesday February 08, 2000 @01:52PM (#1294475)
    I'd guess that this is the work of stream.c, an IP stack bug which panics/freezes (resource-wise) and is not FreeBSD specific. One of the original bugtraq posts actually included a Linux kernel panic line from dmesg. Reports were also sent in that NT servers were down as well. Stream works by creating as many open files/sockets as the system will allow, thereby rendering it useless, and from what I've read its effectiveness is proportional to the volume of packets sent, so modifying the standard distributed DoS tool to send stream packets is therefore what downed yahoo. Chances are the only reason yahoo got attacked was because it was there, not because it was the only large network that had that hole in its network stack.
    -Nick Chernyy
    P.S. for all of you paranoid FreeBSD users, there is a patch available and has been merged into the sources long ago.
  • While this and syn rate limiting are a good thing, they will do nothing if your link is completely overwhelmed. ICMP_BANDLIM and SYN rate limiting will only protect your computer resources as well as uplink bandwidth (your attempts to respond to SYN on open ports or TCP Resets on closed ports, or ICMP error messages).

    There is no solution to prevent large distributed DoS attacks. What you can do is put certain filters in place to detect these attacks and act accordingly. When the largest problem is the amount of bandwidth, your only recourse is to get your upstream ISP to filter it at their site because they likely have much more bandwidth than you do. However, the problem with this is that they get very annoyed very fast and will tell you to go jump in a lake if their major routers are going down (this is of course unless you are a major customer). Believe me, I have dealt with sprint, uunet, and exodus regarding this and their solution regarding an idiot repeatedly DoS attacking your site is to charge you more money for all their trouble or to tell you to go away.
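The post above says the practical move is to "put certain filters in place to detect these attacks and act accordingly"; the earlier advice to "log log log" only pays off if something reads the logs. As an added example (not code from any poster), here is a small analyser run over constructed firewall log lines in an iptables-LOG-like key=value layout: it groups inbound SYNs per second and destination port, counts how many distinct sources they came from (the signature that separates a distributed flood from one noisy host, and the evidence you would hand to your upstream), and separately flags inbound packets whose source address is one of our own or otherwise impossible. The site prefix (192.0.2.0/24), the interface name and both thresholds are assumptions.

```python
"""Spotting a distributed SYN flood and spoofed sources in firewall logs.

Added example, not from the thread. Log lines are constructed in an
iptables-LOG-like key=value layout; the site's own prefix, the interface
name and the thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict

OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
NEVER_VALID = [ipaddress.ip_network(p) for p in
               ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SYN_PER_SEC_THRESHOLD = 100   # SYNs to one port within one second
DISTINCT_SRC_THRESHOLD = 50   # distinct sources in that second -> call it distributed


def parse_line(line: str):
    """'Feb  8 12:16:03 gw kernel: IN=eth1 OUT= SRC=a DST=b PROTO=TCP SPT=1 DPT=80 SYN'
    -> (second, fields, flags). Returns None for lines that are not packet logs."""
    head, sep, rest = line.partition("kernel: ")
    if not sep:
        return None
    second = " ".join(head.split()[:3])          # "Feb 8 12:16:03"
    fields, flags = {}, set()
    for tok in rest.split():
        if "=" in tok:
            k, _, v = tok.partition("=")
            fields[k] = v
        else:
            flags.add(tok)                       # trailing TCP flag words
    if "SRC" not in fields or "DST" not in fields:
        return None
    return second, fields, flags


def analyze(lines, ext_iface="eth1"):
    """Returns {'spoofed': [(second, src, proto)], 'syn_flood': [dict, ...]}."""
    per_sec = defaultdict(lambda: defaultdict(lambda: [0, set()]))  # sec -> dpt -> [count, sources]
    spoofed = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        second, f, flags = parsed
        if f.get("IN") != ext_iface:
            continue                             # only traffic arriving from upstream
        src = ipaddress.ip_address(f["SRC"])
        if any(src in n for n in OWN_PREFIXES) or any(src in n for n in NEVER_VALID):
            spoofed.append((second, f["SRC"], f.get("PROTO")))
        if f.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags:
            bucket = per_sec[second][f.get("DPT")]
            bucket[0] += 1
            bucket[1].add(f["SRC"])
    syn_flood = []
    for second, ports in sorted(per_sec.items()):
        for dpt, (count, sources) in ports.items():
            if count >= SYN_PER_SEC_THRESHOLD:
                syn_flood.append({"second": second, "dpt": dpt, "syns": count,
                                  "distinct_sources": len(sources),
                                  "distributed": len(sources) >= DISTINCT_SRC_THRESHOLD})
    return {"spoofed": spoofed, "syn_flood": syn_flood}


def _line(second, src, dst, proto, spt, dpt, flags=""):
    return (f"{second} gw kernel: IN=eth1 OUT= SRC={src} DST={dst} LEN=40 "
            f"PROTO={proto} SPT={spt} DPT={dpt} {flags}").rstrip()


def sample_log():
    """Constructed traffic: a quiet second, then one second holding a distributed
    SYN flood on port 80 plus two packets with impossible source addresses."""
    lines = [
        _line("Feb  8 12:16:03", "203.0.113.5", "192.0.2.80", "TCP", 51000, 80, "SYN"),
        _line("Feb  8 12:16:03", "203.0.113.5", "192.0.2.80", "TCP", 51000, 80, "ACK"),
        _line("Feb  8 12:16:03", "198.51.100.7", "192.0.2.25", "TCP", 40000, 25, "SYN"),
        "Feb  8 12:16:03 gw sshd[412]: Accepted publickey for admin",   # not a packet line
    ]
    base = int(ipaddress.IPv4Address("203.0.113.1"))
    for i in range(300):                         # 300 SYNs from 150 distinct sources
        lines.append(_line("Feb  8 12:16:04", str(ipaddress.IPv4Address(base + i % 150)),
                           "192.0.2.80", "TCP", 1024 + i, 80, "SYN"))
    lines.append(_line("Feb  8 12:16:04", "192.0.2.50", "192.0.2.80", "TCP", 1234, 80, "SYN"))  # claims our address
    lines.append(_line("Feb  8 12:16:04", "10.1.1.1", "192.0.2.53", "UDP", 53, 53))             # RFC 1918 source
    return lines


if __name__ == "__main__":
    report = analyze(sample_log())
    for item in report["syn_flood"]:
        print("SYN flood:", item)
    for second, src, proto in report["spoofed"]:
        print("spoofed source:", second, src, proto)
```

Two sample lines are worth noticing: the second line of the quiet period carries `ACK` and is correctly not counted as a SYN, and the packet claiming 192.0.2.50 is both reported as spoofed and counted toward the flood, which is the right behaviour since it still consumed bandwidth and a backlog slot.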
  • One reason that attacks such as Stacheldraht, Trin00, and TFN are possible is that ISPs are failing to monitor their networks and backbones for outgoing packets with spoofed source addresses and incoming packets with impossible ones. If addresses were validated at the router, it would not be easy to mount a distributed DoS because the packets causing the problem would be easily traceable to their sources, and the attackers could be shut down.

    Likewise, anyone with a system connected to the 'Net must take responsibility for its security. A machine that's wide open to being "rooted" is an "attractive nuisance;" it is innocent by itself but incites trouble by facilitating abuse. The "white hats" on the 'Net should be proactive and stay one step ahead of the "black hats" in this respect. They should be walking down the Internet's virtual streets rattling doorknobs, and if they find one unlocked, they should tell the owner of the house, "See here; your house is unlocked. This is not good." This is far better than having a thief slip in later.

    --Brett Glass

  • read the front page story in USA Today today (dead tree). It is about the iCraveTV lawsuit, and you'll see more people who want a massively regulated Internet.(they also misspelled Valenti (the MPAA dude), at least /. can fix 'em on the fly :-)
  • Yes, as a matter of social politeness, they should run their networks accordingly.
    But realize, there *are* legitimate reasons to do source-routing, and it *is* part of the IPv4 spec.

    Should a place be held liable? Well... I would say, if I was a tier-1 carrier, I might say 'if you want to attach to our network, you must ensure that such-and-such never enters our network'. THAT is how it should be done.
  • by moonboy (2512) on Tuesday February 08, 2000 @02:41PM (#1294529) Homepage
    No, it was in fact a distributed DOS attack.

    Didn't you hear? It was caused by a bunch of DOS zealots who refuse to upgrade to Windows. They actually used DOS and just pinged the heck out of Yahoo. They claimed to be using this action as a way to show their dissatisfaction with MS because they no longer support DOS. I, for one, say more power to 'em! Down with MS! Long live DOS! The undisputed KING of OSes!

    ----------------

    "Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
  • by Brett Glass (98525) on Tuesday February 08, 2000 @02:45PM (#1294534) Homepage
    Recent tests with an exploit called "stream.c" -- which creates the same sort of denial of service situation -- showed that some Linux servers crashed when confronted with so large a flood of packets. But FreeBSD, while it did slow down, did not crash -- even if stream.c was tuned to cause the maximum possible amount of havoc on the network.

    FreeBSD also has two special kernel options -- ICMP bandwidth limiting and TCP/IP RST restriction -- which can help with some DoS attacks. (No OS can do anything about a swamped pipe, of course, but if it knows how to throw away bogus packets and does not fall into the trap of trying to respond to them all, it'll be in much better shape. And, of course, it should never crash.)

    I've seen some trolls in this discussion that suggested that FreeBSD was somehow responsible for Yahoo's woes. In fact, the opposite is true. If I'm going to get hit by TFN or Stacheldraht, I'll want a FreeBSD system -- probably the most recent version on the FreeBSD-stable development branch -- not NT, MacOS, or Linux. In our tests -- and we did a bunch of them when stream.c hit the streets -- it held up the best.

    --Brett Glass

  • Wrong. 30 to 50 shells with 10-100 Mbps NICs connected to T3s (such as at universities, large corporations and co-located hosting boxes) are quite capable of taking services such as Yahoo out. This, as well as misconfigured networks, are easily taken advantage of.

    I would know too. I've had hosting boxes with 100 Mbps interfaces on a network with OC3 and multiple T3s to tier 1 providers completely annihilated due to users using IRC without permission (EFNet is evil). On one occasion, all it took was a DoS attack from a box at a corporation with a T3 to Sprint, the University of Colorado and a misconfigured US Naval Academy network. Estimated traffic? 134 Mbps. Scaling an attack such as that to 1 Gbps (as reported) is fairly easy if you use distributed sources.

    It is also true that there are many script kiddies with this much bandwidth available due to compromised shells and broken networks. Visit EFNet IRC sometime. There are many idiots without a clue with the ability to carry out attacks such as this. You don't have to know what you're doing to scan the entire internet for known vulnerabilities then sniff traffic and tty's at a number of locations and gain access to many other networks.
  • Get the upstream ISP to identify the attack and install filters at their borders. If that tier 1 isp has enough capacity, the DoS attacker will probably get bored knowing they aren't affecting service and eventually go away.

    The problem is that there are many types of attacks that are capable of interrupting service. Many times installed filters require the provider or the customer to compromise their use of the service to allow for better security and protection.
  • We in the Linux community have to pay more attention to our own security. We're going to start to see more and more folks with always-up DSL connections and static IP addresses. If the default configuration as shipped by Red Hat, or Corel, or whoever isn't damn near bulletproof, you know that the DoS freaks are going to own a lot of these boxes, simply because you can assume that there are a lot of people who won't apply security upgrades, who think "I don't need to care about security, nothing on this box matters".

    On the contrary, any DSL-connected Unix clone is an attack vehicle, if captured.

    It's not good enough to have some specialized Linux distributions that focus on security. The market leaders are the ones that really matter, because if you find a flaw in Red Hat you've found an exploit you can immediately use on thousands of machines.

  • You CAN however do quite a lot to prevent being a source, or at least an untraceable source - you should take great care that no network traffic leaves your network with bad (=not your own) source address. If this simple precaution was in more widespread use, tracking this stuff would be much easier.

    This is only a start. You must also secure your whole network against intrusion. It's difficult, especially with the lack of quality of Windows. In my mind OpenBSD [openbsd.org] has gone the farthest with out-of-the-box security. Even then it's possible an exploit may be found.

    Using firewalls helps with security, but they still aren't foolproof. Systems behind them can still be compromised, but it's more difficult. My rule when I set up systems is: if it must be accessible from the internet, then only those ports that need internet access are routed to it and from it by a separate firewall system. Any other system must reside behind a NAT or masquerading firewall. This general rule helps a lot with securing a site.

    Unfortunately this is only the tip of the iceberg. Many other things need to be done. We maybe should have an Ask Slashdot on securing systems and networks. Possibly one on each of the major OSes and on networks in general.
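
Brett Glass's post above and the quoted advice in this one ask for the same border check: nothing leaves with a source address you do not own, and nothing arrives claiming one you do. As an added example, not code from any poster, here is that filter logic in Python with constructed prefixes and packets; it also drops inbound packets aimed at a local broadcast address, the "smurfable subnet" amplifier mentioned earlier in the thread.

```python
"""Border source-address filter of the kind the thread asks ISPs and sites
to run.  Added example, not code from any poster; all prefixes and packets
below are constructed for illustration.

  egress : a packet leaving our network must carry one of OUR addresses
  ingress: a packet arriving from outside must NOT carry one of our
           addresses, must not carry an impossible (bogon) source, and
           must not be aimed at one of our broadcast addresses (the
           "smurfable subnet" amplifier mentioned elsewhere in the thread)
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed: the prefixes this hypothetical site is allocated.
LOCAL_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

# Sources that can never legitimately appear on a packet from the Internet.
IMPOSSIBLE_SOURCES = [
    ip_network("0.0.0.0/8"),        # "this" network
    ip_network("10.0.0.0/8"),       # RFC 1918 private
    ip_network("127.0.0.0/8"),      # loopback
    ip_network("172.16.0.0/12"),    # RFC 1918 private
    ip_network("192.168.0.0/16"),   # RFC 1918 private
    ip_network("224.0.0.0/3"),      # multicast and reserved, never a unicast source
]


def is_ours(addr):
    return any(addr in net for net in LOCAL_PREFIXES)


def is_impossible_source(addr):
    return any(addr in net for net in IMPOSSIBLE_SOURCES)


def is_our_broadcast(addr):
    # Directed broadcast to one of our subnets: the smurf amplifier case.
    return any(addr == net.broadcast_address for net in LOCAL_PREFIXES)


def border_verdict(direction, src, dst):
    """Decide ('pass' | 'drop', reason) for one packet at the border router.

    direction is 'out' (leaving our network) or 'in' (arriving from outside).
    """
    src, dst = ip_address(src), ip_address(dst)
    if direction == "out":
        if not is_ours(src):
            return "drop", "egress: source address is not ours (spoofed)"
        return "pass", ""
    if direction == "in":
        if is_ours(src):
            return "drop", "ingress: outside packet claims one of our addresses"
        if is_impossible_source(src):
            return "drop", "ingress: impossible source address"
        if is_our_broadcast(dst):
            return "drop", "ingress: directed broadcast to our subnet"
        return "pass", ""
    raise ValueError(f"unknown direction {direction!r}")


# Constructed packets: (direction, source, destination).
SAMPLE_PACKETS = [
    ("out", "203.0.113.7", "192.0.2.10"),     # normal outbound traffic
    ("out", "10.1.2.3", "192.0.2.10"),        # private source leaking out
    ("out", "192.0.2.99", "192.0.2.10"),      # forged source, someone else's address
    ("in", "192.0.2.10", "203.0.113.7"),      # normal inbound traffic
    ("in", "203.0.113.5", "203.0.113.7"),     # outsider pretending to be us
    ("in", "127.0.0.1", "203.0.113.7"),       # loopback source seen on the wire
    ("in", "192.0.2.10", "203.0.113.255"),    # probe aimed at our broadcast address
]


def audit(packets):
    """Tally verdicts: Counter keyed by 'pass' or by the drop reason."""
    tally = Counter()
    for direction, src, dst in packets:
        verdict, reason = border_verdict(direction, src, dst)
        tally["pass" if verdict == "pass" else reason] += 1
    return tally


if __name__ == "__main__":
    for key, count in audit(SAMPLE_PACKETS).items():
        print(f"{count}  {key}")
```

The same logic is what a per-interface reverse-path check on a router or host (such as the Linux rp_filter asked about later in the thread) applies automatically.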

  • Good point. Unfortunately, the response of some organizations to the white hat who tries to focus attention on a security flaw is to try to get the white hat prosecuted as a cracker.

  • Recent Linux versions also have a number of kernel options to help with some DoS attacks, and Linux and *BSD kernel developers have been learning from each other on this issue. Just the same, if a recent Linux kernel didn't hold up well in your tests, we should know. Which version did you test?

  • All the ideas above make fetchmail not work. I think to do what I want to do I'm going to have to set fetchmail to only listen on localhost. That will probably do it. Any ideas?
  • Same product here. If you're seeing what I'm seeing (Smurfs), then it's more likely that what you're looking at is somebody trying to use your network in an attack on somebody else. I personally consider those to be part of the noise.


    ...phil
  • The system that panicked outright when attacked by stream.c was a Red Hat box, one of the lab machines. We keep it mainly for testing and so that we can support users; same with NT. We use BSD (FreeBSD and OpenBSD) for all production systems, both because they're better under load and to avoid GPL contamination of our work.

    --Brett Glass

  • by Jamie Zawinski (775) <jwz@jwz.org> on Tuesday February 08, 2000 @03:52PM (#1294597) Homepage
    If all you want to do is to allow outgoing mail, just stop running sendmail in daemon mode. With Red Hat you can do this with

    chkconfig sendmail off

    As someone else pointed out, you also need to put a script that does ``/usr/lib/sendmail -q'' into /etc/cron.hourly/ if you don't want your mail to get stuck at random.

    But another useful trick, if there are certain machines you want to accept mail from and others that you don't, is to run sendmail under tcpd so that it obeys /etc/hosts.allow and /etc/hosts.deny, by adding this to /etc/inetd.conf:

    smtp stream tcp nowait root /usr/sbin/tcpd /usr/lib/sendmail -bs

    That way you can, for example, let specific machines on your subnet connect to your SMTP port without allowing the whole world to exploit the sendmail-bug-du-jour. (You can also do this with ipfwadm firewall rules, but I find hosts.allow to be easier to deal with.)

    I generally prefer running services on my desktop machines (including sendmail and httpd) from inetd instead of having them always running as daemons in the background because that makes it easier to centralize control of their access lists, and because you don't have as many idle processes chewing up swap space. And since I'm the only one who ever connects to the http server on my desktop machine, the process-creation overhead is trivial (this wouldn't be such a good idea for a high volume web or mail server, obviously.)
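
The hosts.allow/hosts.deny decision that tcpd makes for the inetd line above, as an added example that is not from jwz's post and not tcp_wrappers' own code: a Python evaluator for a subset of the hosts_access(5) rule syntax (ALL, exact addresses, trailing-dot prefixes, net/mask pairs and EXCEPT), run against constructed rule files that admit only part of one subnet to SMTP.

```python
"""Evaluate tcp_wrappers style hosts.allow / hosts.deny rules.

Added example, not code from the post or from tcp_wrappers itself.  It
implements a subset of the hosts_access(5) syntax:
    daemon_list : client_list
with ALL, exact IP addresses, trailing-dot prefixes ("203.0.113."),
net/mask pairs ("198.51.100.0/255.255.255.128") and the EXCEPT operator.
Hostname patterns and the optional shell_command field are left out.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed rule files for a desktop that accepts SMTP only from part of
# its own subnet, the arrangement described in the post.  The daemon name
# tcpd uses is the basename of the server it runs, here "sendmail".
HOSTS_ALLOW = """\
# /etc/hosts.allow (constructed)
sendmail: 203.0.113. EXCEPT 203.0.113.66
sendmail: 198.51.100.0/255.255.255.128
"""

HOSTS_DENY = """\
# /etc/hosts.deny (constructed): everything not granted above is refused
ALL: ALL
"""


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens), ...] from a hosts.* file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((re.split(r"[\s,]+", daemons.strip()),
                      re.split(r"[\s,]+", clients.strip())))
    return rules


def match_client(pattern, client_ip):
    """One client pattern against one IP address (given as a string)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # network-number prefix, e.g. "203.0.113."
        return client_ip.startswith(pattern)
    if "/" in pattern:                 # net/mask form
        return ip_address(client_ip) in ip_network(pattern, strict=False)
    return pattern == client_ip        # exact address


def match_list(tokens, client_ip):
    """'list1 EXCEPT list2' matches when list1 matches and list2 does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (match_list(tokens[:i], client_ip)
                and not match_list(tokens[i + 1:], client_ip))
    return any(match_client(t, client_ip) for t in tokens)


def match_daemon(tokens, daemon):
    return any(t == "ALL" or t == daemon for t in tokens)


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd's decision order: the first match in hosts.allow grants access,
    otherwise the first match in hosts.deny refuses it, otherwise access is
    granted (so an empty hosts.deny means "allow everyone")."""
    for daemons, clients in parse_rules(allow_text):
        if match_daemon(daemons, daemon) and match_list(clients, client_ip):
            return True
    for daemons, clients in parse_rules(deny_text):
        if match_daemon(daemons, daemon) and match_list(clients, client_ip):
            return False
    return True


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.66", "198.51.100.5",
               "198.51.100.200", "192.0.2.1"):
        state = "granted" if hosts_access("sendmail", ip) else "refused"
        print(f"sendmail from {ip}: {state}")
```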

  • It doesn't really matter what version they were using. I would assume that any competent administrator does not use any development kernels, and doesn't upgrade their stable kernel every time a new one is announced. It doesn't do anyone a bit of good to say "oh, you were using 2.2.x, that's your problem, use 2.2.y with the z patch instead".

    Having compiled the Linux kernel dozens of times, and the FreeBSD kernel only thrice, I have noticed an underlying architectural difference between them. Options in the BSD kernel *seem* to be more general, while stuff in the Linux kernel *seems* to be more specific. Now, I'm not an expert on DoS attacks, or even on the ways Linux or BSD handle them. However, DoS is not just a single, or even a handful of attack types. There are hundreds of DoS variants. The trick is not to include a kernel option for each attack type. Rather, it's how the kernel handles a flood of requests. I'm not sure it should even be the kernel's job to determine which requests are valid or bogus. That's up to a userland component.
  • <i>Correct me if I'm wrong, but it's usually the number of times that the image has been requested, not a page on which the image is placed. A DoS script is unlikely to waste time requesting images.</i>

    The idea is to be indistinguishable from a genuine customer. You can't determine who to block--you've got customers angry because the system is slow, but you have no way to determine which ones are fake and which ones are there to buy something.

    This attack is particularly frightening when one considers the relatively low number of clients needed to knock out even a hardware encryption system. "They keep lookin', but they just don't buy...but at least the ad sales are great!"

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
  • ABC News [abcnews.com] is reporting that two more web sites were hit in the last 24 hours, in attacks remarkably similar to the one that hit Yahoo. One website was Buy.com [buy.com], which was hit just as their stock was going IPO with 800 megabytes of traffic per second in a coordinated DoS (smurf?) attack. The other website was eBay [ebay.com]. The Yahoo attack used one gigabyte of traffic per second, according to ABCNews. Full story is here [go.com].

  • Some DoS attacks take advantage of server software. However, I believe the attack here was an attack on bandwidth. In such attacks, the target is generally flooded by more pings/TCP SYN packets/etc than their pipe can handle, even if the computer itself responds immediately and is well within an acceptable load. These attacks generally work by tricking a large number of innocents, in conjunction with cracked accounts, into sending traffic to the same target.

  • The NYTimes has an article on the distributed attack on eBay today here [nytimes.com].

  • Had they not been running FreeBSD, they actually might have crashed. But FreeBSD is remarkably resistant to network DoS attacks, and this resistance has recently been further strengthened.

    --Brett Glass

  • The fact that two more attacks have been carried out in the same manner on two sites of similar size and renown in the past 24 hours seems to kind of punch some holes in the theory that it was a server misconfig. It's possible that Yahoo going down inspired some script kiddies somewhere to try and take down a few other 'big ones', but I doubt that three sites of this size were all suffering from simultaneous server problems.
  • It doesn't really matter what version they were using. I would assume that any competent administrator does not use any development kernels, and doesn't upgrade their stable kernel every time a new one is announced. It doesn't do anyone a bit of good to say "oh, you were using 2.2.x, that's your problem, use 2.2.y with the z patch instead".


    umm... duh.

    That's not the point though... if they're on 2.2.x and they see panic XYZ and don't tell us "hey I got a panic XYZ on 2.2.x when I ran stream.c" then in 6 months when they're ready to move to 2.4.x because it's been "stable" for months now odds are they're still going to get panic XYZ!

    While this isn't the forum to report that panic, they mentioned it and were asked for info by someone who would do something about it (at least make sure the right people knew about it) and responded with a non-answer answer.
  • The person you're hurting most, when you use the GPL, is the little guy -- the programmer who does not have the bucks to hire programmers to reimplement the code. This was Stallman's intent: to destroy programmers' prospects for success. He has said so, repeatedly.

    Advocates of the GPL tend to invoke the bogeyman of large, evil corporations just spoiling to use your code. But if you buy this argument, you'll in fact be hurting the little guy who might challenge the big ones.

    It's unethical to participate in an agenda whose purpose is to hurt others -- especially out of spite. Therefore, you should not use the GPL.

    --Brett Glass

  • by jedinite (33877) <{moc.etinidej} {ta} {moc.todhsals}> on Tuesday February 08, 2000 @05:53PM (#1294680) Homepage
    More relevant links that have emerged:

    ---------
    Question: How do I leverage the power of the internet?
  • The question is about who owns your code. Stop saying someone is stealing the code when it was freely given to them. The BSD encourages massive code reuse, which means the programmer, corporate or not, won't have to re-implement the world all over again. That's how technology progresses, everything builds upon everything else.

    The idea behind BSD is to help the community, for the common person, the programmer, the corporation, and the user. It works, as helping one in turn helps the rest. If I gave you a lemonade, or a coke, told you it was absolutely yours to use, sell, give, etc., even had a contract between us, and then after you drank it accused you of stealing, who would you think was nuts?

    The GPL believes that no one should own the code, yet their advocates are afraid of someone stealing it, or even NON-GPL code. BSD believes in helping further technical advancement, and thus allows for reuse and splinters. In the end, splinters are a BOON, because (especially with open source) the best one comes out on top, or is applied in very new directions. If not the best standard is derived and pushed by a huge company, killing the smaller, the larger must still compete because no one will follow it if there are absolutely no benefits. And, would these features even come about if it wasn't for the free code? If they would have, obviously at a later date. The problem?
  • I find it hard to believe that Yahoo wasn't set up to cope with the denial-of-service attacks I've seen described so far. I'm sure that everyone who works on a web site with more than 10-20 million hits/day has dealt with these attacks.

    For example, for the venerable SYN flood attack all one needs to do is tune the kernel to cope with it. SYN floods happen to most large sites on a daily basis.

    The connect-to-port-80-and-hold attack is hard for a multiprocessing server like apache to deal with since it has to fork() for each connection. For a multithreaded server it's no problem at all-- it just needs a large pool of threads at its disposal. Each open connection takes up a thread until it times out, but thread creation takes up minimal resources. These connections are not always logged with the IP address in the web server, though perhaps they ought to be.

    A worse problem, and perhaps this is what happened, is if an actual GET takes place. In this case the thread has to do something other than merely exist. Each IP address is dutifully logged, making it possible to track down the participants in the attack. (Of course this leads into the other thread here on whether people who are not malicious, but whose systems were hijacked, should be liable.)

    Does anyone know exactly what kind of attack this was? Was it directed at the Yahoo site and the routers just melted, or was it directed at the routers themselves? (E.g. bogus routing messages flooding the routers with false updates or other routing-level attacks.)

    I'd hate to see Yahoo's networking bill for this month.

  • On MSNBC:

    "A SOURCE CLOSE to the investigation of the Web site attacks told MSNBC he had read a threatening 18-page letter written by the alleged attacker. Included in the letter: "This is a watershed event of Net security debacle. We have shot across the bow of Yahoo. It's a real wake up call. This attack is just the first of the assaults that we will be launching on the Web ... three cheers for us."

    In the letter, the purported attacker complained about companies "capitalizing" on the Internet; the investigator MSNBC spoke to believes online brokerage companies such as eTrade could be his next target.

    Check it out at:
    http://www.msnbc.com/news/367495.asp

    -ben
    http://www.exocortex.org
  • Nobody's mentioned this yet that I've seen, but I've been unable to get through to The Hunger Site [thehungersite.com] today. Are they being hit too?
  • Just as serial killers are often caught by their patterns rather than the details of any one crime, I'm sure these distributed DOS attacks have their own fingerprints too. Given that a lot of these attacks use the same unwitting hosts, there's also opportunity to trace these back to the originator from that angle. Or just go after the guys who're writing these distributed DOS programs in the first place.
  • This was Stallman's intent: to destroy programmers' prospects for success. He has said so, repeatedly.

    You're twisting his words, and you know it. I could as well say "Brett Glass's intent is to give all the big corporations a free ride at the expense of the little guy." You might not agree with RMS. I myself don't agree with a lot of what he says. But I don't go spreading lies about him.

    RMS created the GPL to make sure source code would always be available, no matter where it was or what it was incorporated into. You don't have to agree with this, but your policy of countering RMS's ravings with your own just hurts your cause.

    The decision to use the GPL rests purely with the developer. Some people like the concept of code that cannot be incorporated into a closed source project. I kind of like it myself. Others want to foster code reuse as much as possible, and don't mind it being used in a closed source project. When you come along and attempt to dictate what the developer should use, you are doing the same thing RMS does -- trying to force others to have your opinion.

    Don't be a hypocrite, Brett.

  • You're twisting his words, and you know it.

    No, I'm not. In his more candid moments, Stallman states his intentions loud and clear. You may have seen him in "propaganda mode," in which he makes vague, warm fuzzy claims about "freedom."

    Here are two quotes from Stallman -- spaced 14 years apart! -- which show that Stallman's intention is, and always has been, to hurt programmers via the GPL.

    The first comes from Stallman's "GNU Manifesto," in which he says, explicitly, that his intent is to sabotage commercial developers and limit their career prospects so that they could make no more money than starving graduate students. In 1984, Stallman wrote:

    "For more than ten years, many of the world's best programmers worked at the Artificial Intelligence Lab for far less money than they could have had anywhere else. They got many kinds of non-monetary rewards: fame and appreciation, for example. And creativity is also fun, a reward in itself.

    Then most of them left when offered a chance to do the same interesting work for a lot of money.

    What the facts show is that people will program for reasons other than riches; but if given a chance to make a lot of money as well, they will come to expect and demand it. Low-paying organizations do poorly in competition with high-paying ones, but they do not have to do badly if the high-paying ones are banned."

    In short, enraged that some of his colleagues were leaving the lab to pursue a commercial venture, he sought to sabotage them as a way of discouraging anyone from doing this in the future.

    Stallman's more recent writings, speeches, and interviews confirm that this malicious intent still exists 14 years later. Here's what Stallman said when interviewed by a reporter for Forbes magazine:

    [Stallman] retaliated [against the computer scientists who left the MIT AI Lab to form Symbolics] by sabotaging his former colleagues' sophisticated commercial programs for powerful computers, singlehandedly hacking up his own versions and giving them away. "They accused me of costing them millions of dollars," he says. "I hope it's true."

    (For the full text of the article, see http://www.forbes.com/forbes/98/0810/6203094a.htm. )

    Thus, we can see that the GPL is a tool of spite. Its purpose: to attack commercial programmers and software businesses, and to reduce programmers' salaries to those of starving graduate students.

    Now, I don't know about you, but I believe that to attack one's colleagues and hinder their progress out of spite and malice is unethical. Thus, I believe it's unethical to use the GPL. I hope that, now that I've told you some parts of the story that you may not have heard, you'll reconsider your stance regarding the GPL.

    --Brett Glass

  • It's relevant because some of us might want to know if our versions are susceptible. It does me no good for you to tell me to switch from Linux to FreeBSD does it? No. It makes sense for me to know you were using Red Hat 6's 2.2.5 kernel and I'm using 2.2.14 and am better off ... (for example).

  • "was a redhat box" ... ooh, does us all a lot of good. Red Hat's Linux kernel isn't that much different from anyone else's and it may have been RH 4.2 for all I know.

    Thanks for the plethora of information.

    "Wouldn't want GPL contamination ..." or general information contamination either, it seems. Wouldn't want to support your claims at all?

    Sure, we all know that xBSD has a better */IP kernel ... but why does that make it irrelevant if us Linux people want to know what version you were testing?
  • And so should people who do lots of other criminal activity against society. It seems everyone thinks that there are 'good' and 'bad' people out there ... that the people who do harm to your financial success are all 'bad'.

    Has it ever occurred to anyone that we might want to all take responsibility and work together for a better society in more ways than jailing the 'bad' ones? Let's not produce them (abuse, neglect -- including latch-key, etc.).

    I knew the kid who hacked NASA from Sudbury, Ontario a couple years ago ... he was a nice kid. His family went through stuff and he did the 'retreat into the computer' thing ... (not like anyone here would identify) ... and now he's in jail.

    ... bah ... nobody on Slashdot ever feels like getting philosophical unless it's about personal individual rights (you know, my life matters, yours doesn't, go away).

  • There's a great little store and forward proxy mail daemon you might want to put in front of your sendmail. Allows you to block IP ranges, block spam, etc.
    Take a look here [obtuse.com].
    -John
  • What you say is very true - that's why I started this [dubbele.com]

    -John
  • By hurting others, you mean not letting them take my code, close source it, and sell it?

    First of all, programmers who build on BSD-licensed code are not "taking" it. It's still there, for all the world to see and use. What's more, because the functionality of that code is already available for free, they can only make money from a derivative work if they add substantial value. And all the money they do make will be the result of the functionality they added. Thus, they haven't "taken" anything from you. They've created value and deserve to be rewarded for that.

    Hrm. You have a weird definition of hurt...

    No, it's quite a normal definition of hurt. If you offer the code to anyone in the whole world to use as he or she pleases except a developer, you're playing a vicious game of "keep-away" with that developer. You're destroying the market for the functionality by making it available for free. At the same time, you're asking the developer to reimplement it before forging ahead. This is, indeed, hurtful. It holds developers back by requiring them to reimplement the wheel needlessly instead of making forward progress. And it deters standardization by requiring them to create and use a different code base. Not good.

    it's my code.

    In that case, why use it as a weapon to hurt people?

    If the little guy wants to challenge the big guys, how about he offers to pay me to write code for him? I could use the cash.

    So could he! Unfortunately, once you've given the code away to everyone else, it's not fair to ask him to pay for it. He can't make money off it, since its market value is now zero. So, you're asking him to pay for something which he cannot get his customers to pay him for! He's starting out "in the hole," and that's not fair.

    But he can't run off with my code and hide it.

    He can't hide it -- not if you've published it. He can only keep his improvements. (And that's fair; they're his improvements and his only way of making a living.) Nor can he "run off" with it. It's still there for anyone to use.

    I don't see how failing to let someone else close-source code I wrote is either unethical or immoral.

    Again, see above. They can't "close-source" your code; they can only decide to keep theirs.

    Failing to do things for other people with no reward isn't unethical in any system of ethics I can think of. Certainly not mine.

    Well, in that case I think you'll agree that programmers should not be forced to publish their work for free. But this is what the GPL tries to do.

    However, what the people who take the code (no matter what their size) of BSD programmers, close source it, and give them no credit,

    Actually, the BSD license allows the author to ask for credit. Ironically, this is something that Richard Stallman vehemently opposes. He's opposed to authors' rights -- not only for code, but for books and music, too.

    while they are acting 'ethically' (because they were give permission to, however remotely), skirt the edges of morals in my book.

    Again, the author can ask for this. But the trend is toward not doing so. Under the BSD or MIT X licenses, it's not required; the code has virtually no strings attached. Which is what open source should be about! The GPL is an attempt to turn open source -- which is otherwise a good thing -- into a weapon designed to hurt programmers. The motivation: pure spite and malice. This is not a good thing and is certainly not ethical, and so we should oppose it.

    --Brett Glass

  • <i>To think or even say so is very dangerous: If something you do supports somebody else, wouldn't it be a good idea for that certain someone to do it himself, and blame you? Arguing like you do is useful only to convince the neutral why they shouldn't act evil, but those who are already evil will use it to their own advantage, and try to make the good guys responsible! </i>

    I'm becoming more and more of a believer that very few people are genuinely evil, most are just supremely selfish. That "all is fair in love and war" is no surprise in that context; both come from the same source.

    A little to think about as Valiumtine's Day rolls around. (D.O.H.)

    Anyway, I'm pretty much saying flat out that nobody's going to be thinking these geniuses are all K-Rad 3133+ hackers when their behavior is successfully used to turn some of their best supporters--the tech industry--against the right to be anonymous online.

    That's not associating with them. That's saying, there's no good reason for what you're doing, because you're just doing what certain governmental forces want you to do anyway.

    And incidentally, yes the government could blame it on the nonexistent evil, but why do it themselves when they merely need to wait for a patsy to do it for them?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
  • If your system is cracked, and then used to attack me, can I sue you for negligence?

    I doubt it. Legal decisions rest on precedent as much as possible, rather than an objective decision. Although it's not a good analogy, I suspect that a legal case on this basis would be treated as an extension of burglary. There's already a precedent that when premises are burgled by entering the unsecured premises next door, then breaking through between the cellars, there isn't a case for negligence against the premises holder of the first place entered. IANAL

  • It's well recognised that FreeBSD's networking stack is an outstanding piece of engineering which the Linux kernel folks are racing to catch up with, and certainly as capable of withstanding this DoS as any OS out there. However, Glass overstates the problems with Linux here: there are no known ways of crashing a Linux server running the most recent production kernels over the network without special privilege, even using a coordinated DoS.

    This is because Glass is a fulminating anti-GPL fanatic; facts unfortunately come second. Let the reader beware.
    --
  • My point is that it's a crime not just a bit of mischief. Yahoo's financial losses at being down for that time are figured in the millions. What if they hit E*TRADE next, and you personally suffered financially - would you still be feeling so philosophical about it then?

    The law already has ways of handling juveniles and first time offenders that may have "fallen astray", and certainly those should be applied if applicable - no difference because it's a cyber-crime. Similarly, though, cyber-crimes need to be treated in *all* ways the same as any other... we're talking disruption of inter-state commerce here, as well as causing millions of dollars of losses.... not exactly kids play.
  • I'm not the only person who has reported Linux kernel panics in tests using stream.c. Other similar problems were reported on Bugtraq and elsewhere.

    Apparently, you're so much in denial about the notion that there could be a bug in Linux that you've felt compelled to resort to name calling and personal attacks when one is mentioned.

    --Brett Glass

  • ...to get up in the middle of the night and go all the way to the lab to answer your question? Especially when the machine is now set up for a different test? In any event, I believe it was Red Hat 5.1. Since we're primarily concerned with BSD UNIX and do not contribute to GPLed code (We believe that the GPL is fundamentally unethical and that it would therefore be unethical to do so), we tried Linux to compare the systems' reactions to the DoS -- not to debug Red Hat. We noted the problem and moved on.

    You might find that some of the other folks who have reported crashes under stream.c can help you more, since I'm sure that some of them have systems that are still running as they were.

    --Brett Glass

  • FreeBSD also has two special kernel options -- ICMP bandwidth limiting and TCP/IP RST restriction -- which can help with some DoS attacks. (No OS can do anything about a swamped pipe, of course, but if it knows how to throw away bogus packets and does not fall into the trap of trying to respond to them all, it'll be in much better shape. And, of course, it should never crash.)

    Do you have more information on this? Linux kernels have options to not respond to ICMP echo broadcasts (or any ICMP echos at all) and also have the rp_filter which drops packets originating on an IP that the interface is not part of, but these other methods you mention are intriguing.
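    As an added illustration (this is not code from the post, nor from the Linux or FreeBSD kernels), the Python below models the two mechanisms the exchange above names: a strict reverse-path check of the kind rp_filter performs, where a packet is accepted only if the route back to its source address leaves through the interface it arrived on, and a per-second cap on generated responses of the kind FreeBSD's ICMP bandwidth limiting applies to ICMP errors and TCP RSTs. The routing table, the interface names and the packet trace are constructed for the example; the limit of 200 responses per second is an assumed value, not a kernel default the page states.

```python
"""Added example: strict reverse-path filtering plus a per-second response cap.
Not kernel code; routes, interfaces and traffic below are constructed."""
import ipaddress


class ReversePathFilter:
    """Strict reverse-path check: accept a packet only if the route back to its
    source address uses the interface the packet came in on."""

    def __init__(self, routes):
        # routes: iterable of (prefix, interface). Longest prefix must win,
        # so sort by prefix length descending before matching.
        self.routes = sorted(
            ((ipaddress.ip_network(prefix), iface) for prefix, iface in routes),
            key=lambda r: r[0].prefixlen, reverse=True)

    def route_iface(self, addr):
        """Interface the host would use to reach addr (longest-prefix match)."""
        addr = ipaddress.ip_address(addr)
        for net, iface in self.routes:
            if addr in net:
                return iface
        return None

    def accept(self, src, ingress):
        return self.route_iface(src) == ingress


class ResponseLimiter:
    """Allow at most per_second generated responses in any one-second window.
    Excess responses are silently suppressed, so a flood of probes cannot make
    the host send a reply for every packet it receives."""

    def __init__(self, per_second):
        self.per_second = per_second
        self.window = None
        self.sent = 0

    def allow(self, now):
        second = int(now)
        if second != self.window:
            self.window, self.sent = second, 0
        if self.sent < self.per_second:
            self.sent += 1
            return True
        return False


def process(packets, rpf, limiter):
    """Run a trace of (src, ingress_iface, timestamp, needs_reply) tuples
    through both checks and return counters of what happened."""
    stats = {"accepted": 0, "spoofed_dropped": 0,
             "replied": 0, "reply_suppressed": 0}
    for src, iface, ts, needs_reply in packets:
        if not rpf.accept(src, iface):
            stats["spoofed_dropped"] += 1   # source address impossible on this interface
            continue
        stats["accepted"] += 1
        if needs_reply:
            if limiter.allow(ts):
                stats["replied"] += 1
            else:
                stats["reply_suppressed"] += 1
    return stats


# Constructed routing table: inside LAN on eth0, lab net on eth1, default via eth2.
ROUTES = [("192.168.1.0/24", "eth0"), ("10.0.0.0/8", "eth1"), ("0.0.0.0/0", "eth2")]

# Constructed trace: one outside host sends 300 probes inside a single second,
# each wanting an ICMP reply, followed by two packets whose source address
# belongs to an inside network but which arrive on the wrong interface.
TRACE = [("203.0.113.9", "eth2", 100.0 + i / 1000, True) for i in range(300)]
TRACE += [("192.168.1.5", "eth2", 100.5, True), ("10.2.3.4", "eth0", 100.6, False)]

if __name__ == "__main__":
    print(process(TRACE, ReversePathFilter(ROUTES), ResponseLimiter(200)))
```

    With the constructed trace, the two spoofed packets are dropped before any reply is considered, and only 200 of the 300 probes get a response; the remaining 100 are suppressed rather than letting the host amplify the flood.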

  • I feel one should blame the person who breaks the law not someone who innocently contributed to the possibility of the law being broken. To blame the owner of the cracked system used for a DoS attack is like blaming the owner of a stolen car for its use in a bank robbery...

    If a swimming pool has not been fenced up, and a child sneaks onto the property and drowns, the owner of the pool can be held partly liable. If you own a gun and neglect to lock it up or its ammunition, you can be held liable when someone steals the gun and kills someone with it.

    This is known as the "attractive nuisance" principle. If you are responsible for some resource that presents an attractive nuisance to some miscreants, and you fail to take reasonable measures to secure it, you can wind up taking some of the heat for the damage they cause.

    Computer security is so generally lousy that I'm reluctant to say that this principle should apply to system administrators in general. Not knowing the nature of this particular DoS attack, I'm particularly doubtful that it should qualify as an "attractive nuisance" -- for example, as far as I know there is no good way to prevent someone from launching a smurf attack from your network.

    But the point is that it is a well-established principle that someone who maintains their property carelessly, in a way that facilitates theft or misuse, can in fact be held liable for negligence.
  • But another useful trick, if there are certain machines you want to accept mail from and others that you don't, is to run sendmail under tcpd so that it obeys /etc/hosts.allow and /etc/hosts.deny, by adding this to /etc/inetd.conf:

    Sendmail has supported this internally since 8.8 or 8.9, by means of /etc/mail/access.db. There are good instructions in the cf subdirectory in the source code, but the short version is that if you add the following to /etc/mail/access:

    example.com REJECT
    192.168.0 REJECT

    and run makemap hash access < access, sendmail will automatically reject mail coming from example.com or the 192.168.0 network.

    Sendmail's rules are a bit looser than tcpwrapper's rules; for example, doing this will reject mail with an envelope sender from example.com as well as mail coming from a host in the example.com rDNS space. And Jamie's points about centralization of access files are well taken. But you can basically do this in sendmail without using tcpwrappers, if necessary.
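    To make the "looser" matching concrete, here is an added example (not from the post and not sendmail's own code) that reproduces how sendmail consults an access map: a host name is tried in full and then as successively shorter domain suffixes, an IP address in full and then as successively shorter prefixes, and an envelope sender as the full address, then the local part with a trailing "@", then its domain. The access file is constructed; only the REJECT, OK and RELAY values are modelled, and the rule that any REJECT hit rejects the message is a simplification of what the real cf rules do with OK and later checks.

```python
"""Added example: how sendmail's /etc/mail/access map is looked up for the
connecting host, its address and the envelope sender. Sample data is constructed."""

ACCESS_FILE = """\
# constructed sample of /etc/mail/access
example.com        REJECT
192.168.0          REJECT
friend.example.com OK
spammer@evil.net   REJECT
10.1               RELAY
"""


def parse_access(text):
    """Turn the text form of the access file into the key/value table that
    'makemap hash access < access' would build."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table


def lookup_domain(table, name):
    """Try 'a.b.example.com', then 'b.example.com', 'example.com', 'com'."""
    labels = name.lower().strip(".").split(".")
    for i in range(len(labels)):
        hit = table.get(".".join(labels[i:]))
        if hit is not None:
            return hit
    return None


def lookup_address(table, ip):
    """Try '192.168.0.5', then '192.168.0', '192.168', '192'."""
    octets = ip.split(".")
    for i in range(len(octets), 0, -1):
        hit = table.get(".".join(octets[:i]))
        if hit is not None:
            return hit
    return None


def lookup_sender(table, sender):
    """Try the full address, then 'local@', then the domain and its suffixes."""
    sender = sender.lower()
    hit = table.get(sender)
    if hit is not None:
        return hit
    if "@" in sender:
        local, domain = sender.split("@", 1)
        hit = table.get(local + "@")
        if hit is not None:
            return hit
        return lookup_domain(table, domain)
    return None


def verdicts(table, client_name, client_ip, envelope_sender):
    """The three lookups sendmail performs: client name and address at
    connect time, envelope sender at MAIL FROM."""
    return {"client_name": lookup_domain(table, client_name),
            "client_addr": lookup_address(table, client_ip),
            "sender": lookup_sender(table, envelope_sender)}


def is_rejected(table, client_name, client_ip, envelope_sender):
    """Simplified policy: any REJECT hit rejects the message; note that a
    sender from example.com is rejected even from an unrelated host, which is
    the 'looser than tcpwrappers' behaviour described in the post."""
    return any(v == "REJECT" for v in
               verdicts(table, client_name, client_ip, envelope_sender).values())


if __name__ == "__main__":
    table = parse_access(ACCESS_FILE)
    print(verdicts(table, "host.other.org", "203.0.113.7", "bob@example.com"))
```

    Because the sender lookup walks domain suffixes, the single entry "example.com REJECT" refuses both a connecting host in that domain and any message whose envelope sender is in it; the "friend.example.com OK" entry is found before the shorter suffix and so whitelists that host.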
  • Just so everyone knows where I stand: I personally respect Richard Stallman wholeheartedly,

    Perhaps you haven't met Richard personally. Have you seen the way he leers at every passing female?

    Recently, a female acquaintance told me that she and other women had specifically asked that Richard not be invited to a party they planned to attend. They further noted that, if he was present, they would stay in a different room to avoid being stared at, slobbered at, and bluntly propositioned -- as they had been at previous gatherings where Richard was present.

    At the Fall 1999 LinuxWorld Expo, I watched as Richard, having just stepped off the dais after a panel discussion, ostentatiously scanned each woman in the group from head to toe as if he was mentally undressing her.

    This is not exactly what I'd call behavior worthy of respect.

    and morally support the FSF in most all of its activities.

    The FSF is neither moral nor ethical. Attacking people out of spite never is.

    However, I can understand someone disagreeing with Stallman. But to disagree with someone, you first have to understand what they are seeing. You, obviously, do not.

    I've talked with Stallman at length and have reviewed his writings, speeches, and activities. I have also interviewed others about his behavior. I probably don't know more about him than his closest friends, but I daresay I know exactly what his views and aims are.

    You say Richard Stallman created the FSF and the GNU GPL out of anger. I think you are probably partly right.

    His writings, his speeches, and accounts of his behavior at the time fully support the notion that the FSF and the GPL were created entirely out of anger and spite.

    You say it was out of spite towards some ex-colleagues, or the typical programmer. There, you are wrong.

    Not so. Read Stallman's GNU Manifesto, where he explicitly states his aim: to ensure that no programmer can ever make more for his work than a starving graduate student.

    Richard Stallman was screwed, and screwed good by proprietary software companies.

    Not true at all. All of the work which was used by the spinoffs of the MIT AI lab was bought and paid for by grants from government and industry. It was the express intent that the concepts developed at the Lab be incorporated into government and commercial projects. Richard, unable to see the big picture, resented this -- even though this process was the entire reason he could live in an academic playground in the first place!

    Of course, when the commercial spinoffs did happen, Richard couldn't go himself; he was a creature of academia and not one who "played well with others." So, in a fit of rage, he vowed vengeance on those who would threaten his small, cozy academic nirvana by leaving.

    If you have read the GNU Manifesto, you know this. And the truth is, we all have. Yes, he was angry. But all I can say about that is "How could I be so comatose as to have not been angered by it?"

    I think you might want to reread the document from a broader and more informed perspective. Again, this was Richard's perception -- warped, as it was, by horrible rage, anger, and spite.

    Today, I am angry when I have to click "I agree" to some outrageous claims just so I can play a game. I'm glad I get angry. It shows me I've woken up. And Richard Stallman is one of the people who did that.

    Actually, the GPL itself is a "shrink-wrap" (or "click-wrap") license, with terms every bit as onerous to developers as the ones to which you refer. The GPL, as a cure, is worse than the disease.

    Richard Stallman does not wish for free software programmers to be poor.

    He desires all programmers to be put "on a treadmill" (to borrow a phrase from a Microsoft executive) so that they cannot prosper. This intent is explicitly stated in The GNU Manifesto and in other documents and speeches.

    He does wish for proprietary software manufacturers to make less money.

    If software vendors charge too much, others who charge less will come along and compete with them. It's a self-correcting process.

    Is he wrong?

    It is always unethical and wrong to attack anyone's livelihood out of spite.

    Exploitation will make you rich. Slave traders (they still exist) have never been poor.

    Commercial software developers are, by and large, neither exploitative nor rich. And to label them as "slave traders" is a deceptive and nasty slur. Most software companies fail, and the ones that do succeed often barely manage to remain profitable. Only a few, such as Microsoft, have done inordinately well. These can be counted on the fingers of one hand -- and you won't use up all the fingers.

    Richard Stallman believes proprietary software to be exploitation.

    By this logic, owning my own house or car and not letting anyone use it at any time would also be exploitation. "Exploitation" is a loaded and pejorative word. There's nothing wrong with owning property -- intellectual or physical. Unless you're just plain spiteful about the other guy having it.

    Looking at how much money Microsoft is worth, I'd agree.

    That's paper worth. Red Hat is worth billions on paper too, incidentally, though it has never made a dime and in fact has lost millions of dollars per employee. Want to talk about exploitation? I think enticing them to buy stock in a company that has always lost money and has virtually no assets (Red Hat doesn't even own what it sells) is exploitation.

    RMS would like software making to no longer exploit the end user.

    He clearly wants to exploit programmers instead. ;-) Seriously, though, "exploitation" is an unjustified pejorative. Asking people to pay to license the intellectual property you produced via your own hard work is perfectly reasonable and fair. If you created something good, you deserve to be rewarded. Stallman wants to deny programmers a just reward for their work.

    That will undoubtedly mean less money for those who try to exploit. All the better.

    Again, the pejorative. By this logic, the person who asks you to pay for your food at a restaurant or supermarket is also "exploiting" you.

    A few months ago, it was reported that Linus Torvalds had already cost Bill Gates several billions in shares value. I, for one, cheered.

    It sounds as if you are spiteful.

    Many others did as well. Yet when you quote Richard Stallman as having done the same to proprietary Unix companies, he is somehow evil.

    It is never ethical to hurt anyone else out of spite or malice.

    When people are free, the slave traders go bankrupt. That does not mean the liberators were the bad guys to begin with.

    "Slave traders?" "Liberators?" Sorry, but it's code, not people, that we're talking about here. One of the most misleading (and, at times, silly) parts of Stallman's rhetoric is his anthropomorphism of code. He talks about software as being "free" -- and uses the word "free" in multiple senses, that is, as a "pivot word," in an attempt to lead the reader to fallacious conclusions.

    Richard Stallman paid the rent for many years by selling tapes with GNU Emacs on it.

    Good for him. Why, then, does he begrudge other programmers a livelihood?

    So stop the "He's a commie!" lingo already.

    If you look at any of my postings, you'll see that I've never called Stallman a communist. However, his propaganda does borrow heavily from that of communism. And, alas, it is intended to mislead.

    --Brett Glass

  • I sincerely hope they are not asking this. System and network security is far too big and vital a topic to be covered in forums such as this.

    There are many, well publicised portals and locations for such information, both system specific and universal. www.securityfocus.org, bugtraq, and many other environments provide up to the minute information on security for a wide range of systems, and any systems administrator should follow these closely, as well as system specific sources.

    Those on a lesser scale, DSL and modem, should also pay attention. If you feel unwilling to take the time to secure your system, you should invest in an operating system that is Secure By Default. OpenBSD is the most publicised of these, but there are several hardened variants of linux, and hardeners for popular operating systems like RedHat (check out http://bastille-linux.org/).

    For Linux guys, I recommend reading the Linux Admin Security Guide (http://metalab.unc.edu/lasg/) and learning about IPChains, or for the bleeding edge people, Netfilter (which is proving to be very powerful).

    Unfortunately I have no pointers for Windows, but perhaps other users can contribute URLs where information like that can be located. A quick search in a search engine may help too.
  • I'm saying that we'd be having fewer attacks if society started being a little more philosophical about it and started caring about our intelligent youth instead of allowing them to exert their interests in these ways.
  • Now wait a minute, we are not talking about resisting tyranny in a police state, we are talking about civil disobedience which is, in essence, a propaganda tool designed to raise public awareness in a democracy, or, in a more repressive political climate, to incite a majority to action.

    Partisan action against a violent repressive government is not "civil disobedience," it is guerilla warfare or an "underground."

    Perhaps we were not in agreement about terms here. Resistance to Hitler's regime, from providing information to the Allies to slashing tires on government vehicles, would not be, to me, acts of civil disobedience. And I absolutely agree with you that such acts are honorable in such a context. But the United States is NOT, no matter how upset you may legitimately be with it, in any way comparable to Europe under Nazi occupation.

  • Actually, here's one more thought to throw your way. What if people in Germany had risen up and decried the Nazi philosophy and fought it, openly and publicly, before the consolidation of the power of the Chancellor following the infamous Reichstag fire? Would partisan action have been necessary?

    I don't remember whom I am quoting here, so if one of you knows, please give appropriate credit: "The only thing necessary for evil to triumph is for good men to do nothing."
