The Internet

ISP Forced Out of Business by DoS 535

flyhmstr writes "According to a report on ISPReview Cloud Nine have been forced off line and out of business thanks to the actions of crackers deciding to go play with some DoS tools." It's only getting worse. The kids are getting more and more aggressive as time goes on and it gets easier and easier to launch a large scale DoS. As any techie knows, fixing the problem is far easier said than done... but as a frequent recipient of the sharp end of the DoS stick, I sure wish it wasn't an issue.
  • Re:whoops (Score:3, Informative)

    by Tipsy McStagger ( 312800 ) on Tuesday January 22, 2002 @10:31AM (#2881619)
    The Register have the text of the announcement at the moment.
  • DoS attacks (Score:1, Informative)

    by awgy ( 315261 ) on Tuesday January 22, 2002 @10:38AM (#2881661) Homepage
    The efnet (www.efnet.org) IRC network has had these problems for years. I'm not sure how some of their servers have survived, seeing as though many companies donate bandwidth to the cause. I know that a lot of people seemed to have strayed away from it due to the large amounts of DoS attacks, which caused the server links to go up and down (which in turn made a very unstable network). I wonder if they've learned any ways to cope with these attacks? Anyone know of any other networks that have had these issues and are still around?
  • Register coverage (Score:5, Informative)

    by Zocalo ( 252965 ) on Tuesday January 22, 2002 @10:40AM (#2881677) Homepage
    The Register [theregister.co.uk] is an effective mirror of the article too, but they also have a *tiny* bit more information.
  • Re:I'd like to know (Score:1, Informative)

    by Anonymous Coward on Tuesday January 22, 2002 @11:03AM (#2881804)
    one of the GBA sites was forced offline permanently due to the slashdot effect, look it up. cost him over 400 bucks...which for a high school kid was apparently enough to pull the plug on the site. /. screws people too.
  • Re:I'd like to know (Score:5, Informative)

    by RC514 ( 546181 ) on Tuesday January 22, 2002 @11:07AM (#2881828) Homepage

    The slashdot effect has been analyzed:

    Traffic increase from slashdot effect [tweakers.net]
    Increase in hits and bandwidth requirements of a Linux related story being featured on Slashdot [dotat.org]
    Analysis of several stories making it to the frontpage of Slashdot and other newslogs. [bnl.gov]

    Especially the second link shows that the Slashdot effect can look very much like a DDoS attack. The severance depends on the story, probably on the time of day and of course on the link and hardware powering the /.ed site.

    If you pay by the gigabyte for your webtraffic (who doesn't), the /. effect can be a financial DoS attack much more than a technical DoS.

  • by Catiline ( 186878 ) <akrumbach@gmail.com> on Tuesday January 22, 2002 @11:38AM (#2882036) Homepage Journal
    Counterargument to your very silly counterargument:

    Doctors study illness not to cause it, but to cure it.

    I know that politicians, when dealing with computer technology, like to follow your facetious argument. The problem is that the general public has a hard time realizing programs are more like a leatherman multitool (wide purpose) and less like an EEG machine (one purpose). I've used Word to doodle, or play games (it's quite fun mangling the program using VBScript). Is it a crime for me to do so? After all, the same skills have been used to write virii or munge the security of a LAN.

    I understand the twin concepts of responsibility and accountability: those are what keep me from considering any hacking. I've almost always known how to break security on any computer system I used; those two ethical precepts kept me from actually doing it (despite often strong temptation to the contrary). And if they were taught in public schools- and made to stick- script kiddies probably would be manageable.

    This is not to absolve network admins of their responsibility (to have a good firewall, practice proper security, etc). I just think that maybe we need to consider the possibility that where the slashdot community stands isn't pro or con, but a sensible and logical medium.
  • Kill the martians! (Score:4, Informative)

    by leonbrooks ( 8043 ) <SentByMSBlast-No ... .brooks.fdns.net> on Tuesday January 22, 2002 @11:39AM (#2882042) Homepage
    i came upon an interesting article that talks about a reverse firewall

    *All* of my servers block all traffic to/from private IPs - except subnets they know - and block outbound traffic not from an externally visible IP that they own; they've done this for years, it's a fairly simple set of ipchains/iptables rules. The 2.4 kernels have a heap more options such as automatic martian (alien packet, ``it can't have come from there'') assassination.

    Oh, and they complain in the logs, which are monitored. They also use tools like portsentry to temporarily block all traffic from IPs that sniff them.

    And they all stay updated (thanks Mandrake, even if it's not quite as simple as Debian).

    These things are all easy under Linux, presumably most BSDs, and probably not that difficult under Solaris, HP-UX, OS/X et al. But Windows? Hmmm...

    Shortlist of private IP subnets to drop: 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.127.0.0/16; there are a few others you could use as well.

    Do a traceroute 192.168.99.99 from your box (try a few other private IPs as well) and see what happens. From here, RadioWAN don't filter, EfTel don't filter, Paradox don't filter, and AlterNet only drop private IPs after a few hops into their LAN (hey, at least they don't route it!), which is all very sad from a bullshit-deterring POV.
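
The filtering policy described in the comment above, expressed as iptables commands. This is an added example, not leonbrooks's own rule set: the chain names, interface and prefixes are assumptions, the link-local range is written as 169.254.0.0/16, and the `rp_filter`/`log_martians` sysctls are one reading of the kernel-side martian handling the comment mentions.

```shell
#!/bin/sh
# Added example, not the commenter's rules. Dry-run by default: commands are
# printed. Run as root with IPT=iptables SYSCTL="sysctl -w" to apply them.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl -w}"

# Ranges that must never appear on an Internet-facing link. 169.254.0.0/16 is
# the link-local block; other reserved ranges can be appended.
BOGONS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16"

# antispoof_rules WAN_IF OWNED_NET [KNOWN_PRIVATE_NET ...]
antispoof_rules() {
    wan="$1"; owned="$2"; shift 2

    # Log (rate-limited, so the log itself cannot be flooded) and drop
    $IPT -N MARTIAN
    $IPT -A MARTIAN -m limit --limit 6/min -j LOG --log-prefix martian:
    $IPT -A MARTIAN -j DROP
    $IPT -N SPOOF_IN
    $IPT -N SPOOF_OUT

    # Egress: whatever leaves the WAN must carry a source address we own
    $IPT -A SPOOF_OUT ! -s "$owned" -j MARTIAN

    # Private subnets this host knows about are exempt from the bogon drops
    for net in "$@"; do
        $IPT -A SPOOF_IN -s "$net" -j RETURN
        $IPT -A SPOOF_OUT -d "$net" -j RETURN
    done

    # Everything else from or to a reserved range is a martian
    for net in $BOGONS; do
        $IPT -A SPOOF_IN -s "$net" -j MARTIAN
        $IPT -A SPOOF_OUT -d "$net" -j MARTIAN
    done

    # Hook the checks in front of the existing rules, WAN interface only
    $IPT -I INPUT -i "$wan" -j SPOOF_IN
    $IPT -I OUTPUT -o "$wan" -j SPOOF_OUT
}

# Kernel-side reverse-path check and martian logging
kernel_antispoof() {
    $SYSCTL net.ipv4.conf.all.rp_filter=1
    $SYSCTL net.ipv4.conf.all.log_martians=1
}

# Constructed values: eth0 and the documentation prefix 203.0.113.0/24 stand in
# for the real WAN interface and owned range; 192.168.10.0/24 is a known subnet.
antispoof_rules eth0 203.0.113.0/24 192.168.10.0/24
kernel_antispoof
```

A machine that forwards traffic for others would hook the same two chains into FORWARD as well.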

  • by Legion303 ( 97901 ) on Tuesday January 22, 2002 @11:48AM (#2882106) Homepage
    The authorities won't do anything to offending script kiddies unless you can show a certain dollar amount of damages. Most admins probably don't bother calling the feds because they know the feds won't do a thing.

    -Legion

  • by macemoneta ( 154740 ) on Tuesday January 22, 2002 @11:54AM (#2882151) Homepage
    Even on home cable, it's not feasible. I had done this when I had gotten 1-2 scans a day. I never received a response to the report. A few trojans ago, the scan rate picked up (now over a dozen a day). It's gotten to the point where I just turn the monitoring for scans off (still watch for unauthorized access). This is just me at my home PC; it would be a full time job to keep up with this. It's just not feasible.

    We need an automated tool for collecting the scan data, and depositing it in a repository. The repository can perform the correlations to track these to the source nodes. Higher level (towards core) ISPs can take the lower level (towards edge) ISPs off net until the DoS is terminated.

    If done properly, but still mostly manual operation, a DoS would last at most an hour. The problem is getting cooperation between companies and organizations that are business competitors. You need a third party independent organization (jointly or government funded) to manage the repository and request the service deactivation.

    Of course, then the repository would itself become the target for attack...
  • by DotComVictim ( 454236 ) on Tuesday January 22, 2002 @12:08PM (#2882234)
    Try this [ietf.org]
  • by PlaysWithMatches ( 531546 ) on Tuesday January 22, 2002 @12:14PM (#2882281) Homepage
    Okay, whoever modded the parent "troll" is an idiot. It's an important point - DoS/cracking/whatever tools should not be illegal, but using them to attack someone (aside from instances where one has permission - say, for security stress-testing) should be.

    Doing otherwise would be the same as saying we should make anything sharper than a butter knife illegal to make or possess, even if all you're going to do is slice bread with it.
  • by Anonymous Coward on Tuesday January 22, 2002 @01:30PM (#2882798)
    Stage One: ISP is under attack.

    Stage Two: Floods of e-mail from customers, whining and screaming about the terrible lag on 'their internet'.

    Stage Three: Techies figure out that they're being attacked. Inform management, attempt countermeasures.

    Stage Four: Customers continue to complain, whining about taking their business elsewhere, how they should get refunds, free service, a new car, etc.

    Stage Five: Someone up there has a clue and figures out they should try to limit damage to customers. Hey, if they're going after the ISP's servers.. They might start picking off random customers who are connecting. *yank cords*

    Stage Six: Customers continue flooding ISP with angry letters.

    At this point, people want refunds and free service, or they'll be jumping ship. In most areas, there's an abundance of ISP's. Many aren't huge, and many can't afford to give a large percentage of their customers 'free service'.

    I don't know exactly how huge this ISP is, or if this could've happened to them - but it could easily happen to a small ISP.

    Remember, kids, the average ISP user still bitches to their tech support people when, say, www.microsoft.com gets Slashdotted and is unresponsive, as if their ISP can do anything about it. Explain to them that the ISP was under attack, and they'll go into paranoid ramblings of 'being hacked', all while screaming for handouts of free service and refunds.
  • by Anonymous Coward on Tuesday January 22, 2002 @02:19PM (#2883071)

    ... I am not off the hook either.

    Two weeks ago somebody took over my home server using an sshd loophole and used it to attack somebody else.

    Now I only have a postgraduate degree in CS, so maybe I need to be educated.

    Yeah, I was aware of the loophole and I was determined to patch it up one of these days... However, I was appalled to find out that even SuSE 7.3 was vulnerable and had to be patched.

    Marko

  • by Shimbo ( 100005 ) on Tuesday January 22, 2002 @02:58PM (#2883278)
    It's pretty easy to tell good laws from bad ones, using objective standards:...


    Yes, but essentially arbitrary ones. However, they are uninteresting cases; the interesting ones are where the good of the whole conflicts with individual freedoms.


    Lots of laws need to set dividing lines: for example, how drunk or short-sighted can I be and still be allowed to drive? If I proposed a law changing the current values either way by a factor of 10 it's pretty clearly bad law. But the principle of the law is unchanged, thus applying your 'objective' test would surely fail to distinguish between them.


    I must say I am distinctly unimpressed with the idea that human laws have a certainty that doesn't even exist in the world of mathematics (Church-Turing and all that). It seems to me just another form of political correctness, with its implication that there are provably bad and good laws, and that people with other viewpoints are in some way irrational.

  • by perrin_harkins ( 529293 ) on Tuesday January 22, 2002 @03:23PM (#2883419) Homepage
    Here's one: http://slashdot.org/comments.pl?cid=1483822&sid=27 42 [slashdot.org]

    There are plenty more like that. Some use lynx in a loop, some use Python, some use fancier Perl. There are also lots of comments saying "let's DoS them."

  • Re:whoops (Score:2, Informative)

    by Alan Partridge ( 516639 ) on Tuesday January 22, 2002 @03:55PM (#2883630) Journal
    well they are, aren't they? In the UK, you HAVE TO have a BT 'phone line to get anyone's ADSL, so all ADSL services are just BT's being resold by someone else. The same thing is predominantly true of unmetered dial-up access (surftime) in the UK. It's a total stitch-up, really. And BT's general policy towards their customers makes MS look caring and responsive.
