More DoS Attacks: CNN, Amazon, eBay, Buy.com... 672
gatech writes "After hitting Yahoo yesterday those crackers set their sights on several more sites including CNN.com, Amazon.com, and eBay.com. Here is the story at ABCNews.com."
Comment: 02/08 23:26 by michael : So far, the best explanation I've seen for the massive network problems is here. Is it paranoid to note that we're being hit with unprecedented attacks, with no known motive, at the same time as the government is pushing for yet another expansion of their surveillance powers? People are focusing on how it's being done. Nobody seems to be asking who.
Packet Monkey (Score:1)
It could be worse... (Score:1)
Altavista? (Score:1)
And what about Yahoo today? Their site has been dog slow all day long, with mail unavailable for several hours.
Maybe I lack clue... (Score:3)
Last time I checked, most everyone who knows enough to do a distributed attack had a static IP and just the right amout lacking in knowledge to get caught...
It's hard enough for one man to keep a secret, so how do you suppose dozens could?
Yeah and you know what would fix it (Score:2)
Filtering spoofed packets involves setting up a few simple rules on your router. Maybe some legislation to require ISPs to do this in the US and other countries is in order.
Adobe.com unreachable (Score:1)
Adobe's main webservers and product registration have been unreachable
since about 9:30 ET, at least that's how it looks from here.
The packet storms continue... :[
LaoK
Re:Packet Monkey (Score:1)
<i>The opinions expressed are my own, no one elses. The email address is an anonymous one, but I do read it from time to time.</i>
Talk about lame (Score:1)
I mean, anyone can do this, its not like it takes any talent or anything. Basicaly it's like saying "were to lame to crack this site, so were going to DoS it".
[ c h a d o k e r e ] [dhs.org]
This is really strange.... (Score:2)
I may be wrong, but it seems that usually when we see a high-profile media 'hacker' story, it's about some website that was cracked, and some script-kiddie who left behind graffiti. Or, in recent cases, people who wanted money. But, with these latest rounds of extremely-effective DoS attacks, nobody's stepped forward. It's bad enough that this sort of thing is happening, but it's perhaps even worse that we dont even know why.
cause it's a DISTRIBUTED DOS attack (Score:3)
Dozens of PEOPLE don't need to keep the secret. Dozens of COMPUTERS do. And 1 person.
DOS Solution? (Score:5)
Last month I got with an old college roommate of mine (Hi Jimbo!) who now works at a major hardware powerhouse, and we threw ideas around that may help combat the problem of crackers and l33ts nailing systems to the wall. I suppose this is as good a place as any to publicly gather feedback.
Our first idea was for a "safety net" of sorts, gathering IPS and validating DNS, packet info, etc before return transmitting data. The system, the Gathering, Researching, Intelligent Transport System (GRITS) could theoretically decrease the DoS attack exponentially.
One problem we found with GRITS was its effect on servers running Apache. We dubbed the problem the Nailing Apache Transport Access Line Interface Expansion, or NATALIE. It seems that GRITS petrified the NATALIE port, man.
Our next theory was pretty clever, if I do say so myself. Transit of packets is a genuine problem on servers hit by DoS, and rerouting these packets to low-level systems is imperative. So to counter DoS, we developed the Transit Rerouting Of Low-Level Systems, or TROLLS. TROLLS worked well, as not only did it prevent GRITS from petrifying the NATALIE port, man, but it eliminated cracker attacks.
I hope this helps. I am always glad to assist fellow engineers here on good old
General Chalupa
Re:Maybe I lack clue... (Score:2)
go read about it... Cert warned about this TWO MONTHS ago... didn't do much good, eh?
and it's not THAT easy... they're spoofed IPs...
I'm thinking a lot of this is from schools... they don't pay their tech people enough, they're overworked, and don't have as much knowledge... they have huge bandwidth... and open systems. Right there is cause for trouble. Then all these attacks are comming from Spoofed IPs, which are prob. changing as the attack is continuing.
So basically they've gotta block out a moving target... and 50 (or more) of those moving targets from the distributed attack. like the article says... at one point over 1GB/s of traffic... that's frickin' intense... lets ponder that number for a moment... 1GBit/s... (I'm hoping bit and not byte) t3 = 45Mbit/s == 22 t3s... that's some amazing bandwidth being shoved in there...
Re:more problems... (Score:2)
Misinfo: Distributed DoSs are not new (Score:3)
This probably is a little different from what people are theorizing, but it works essentially the same way (or even better). Basically the perpetrator sends out a few spoofed ICMP packets with the victim's IP as the source address. These packets have subnets as their destination, so theoretically thousands of machines reply to these false ICMP packets towards an unwitting victim while the perpetrator only sent maybe a few packets.
How is slashdot prepared (Score:2)
--
Hephaestus_Lee
Revolution? (Score:3)
I've spoken out against the brainless JDs currently known as "Script Kiddies" (known a generation ago as "vandals") on numerous occasions. I've also spoken out repeately against the bloodthirsty commercialisation of the web (and by extension, the whole 'net).
Now the vandals are attacking the bloodthirsty marketers, and using the most non-damaging method they can. More than that, they're doing it in an organised and persistent manner, from the looks of it. This is the equivalent of a blockade--a formal, organised protest. Not throwing rocks through windows so much as linking arms in front of a police line.
For the past year, I've been saying that a massive revolution was in the works (echoing my beliefs of 15 years ago, when as a high school student, I belived I'd see the next social revolution in my time).
I find myself prepared to grudgingly admire a group I've detested for a few years now. The brats and miscreants may have gotten their shit together and started to fight for something worthwhile, rather than simply for the hell of it.
I kid you not, folks. There is a slight (ever so slight) chance that last night, with the crippling of Yahoo, we witnessed the very beginning of history's next social revolution.
Of course, this could all blow over in three days, when the MPAA announces that they own Sony, as well Microsoft, Netscape/AOL, and Time-Warner. I could be entirely full of shit here.
But, the fact still stands. We _will_ see a real revolution in our day, and it will probably start right here, online.
Hold onto your hats kiddies. It's going to be a bumpy ride.
Not DOS just /. (Score:2)
Is this a rolling attack? (Score:2)
Would be even know? (Score:3)
Re:wall street likes it... (Score:2)
Tort legislation, not criminal legislation (Score:4)
Either get a legislature to enact new tort legislation or get some enterprising judges to extend the common law. Either way, you won't need an overseeing regulatory agency. Ronald Dworkin would approve, I suspect.
Re:Yeah and you know what would fix it (Score:2)
We basically need to get all backbone providers and ISPs to include allowing spoofed packets, harbouring spammers, and other offenses on their no-no list, so that the backbone provider can shut down sites that allow this. We saw how effective the UDP was on @home, and being on the RBL makes ISPs comply PDQ. Something similar where allowing DOS attacks simply got the whole network blacklisted until the attack stopped or the bugs were fixed would be good.
If it was part of the standard agreement then it wouldn't require government intervention and would be applicable worldwide, not just in some countries.
AMD as well? (Score:2)
I think they're getting hit also.
The Tick - "Spoon!"
AMD as well? (Score:2)
I think they're getting hit also.
The Tick - "Spoon!"
FBI warned about "DoS preparation". (Score:2)
"During the past few weeks the NIPC has seen multiple reports of intruders installing distributed denial of service tools on various computer systems, to create large networks of hosts capable of launching significant coordinated packet flooding denial of service attacks. Installation has been accomplished primarily through compromises exploiting known sun rpc vulnerabilities. These multiple denial of service tools include TRINOO, and Tribe Flood Network (or TFN & tfn2k), and has been reported on many systems....
Possible motives for this malicious activity include exploit demonstration, exploration and reconnaissance, or preparation for widespread denial of service attacks."
Here is the site:
http://www.fbi.gov/nipc/trinoo.htm
Enjoy,
-ben
www.exocortex.org
The NSA and DoS (must we counter FUD?) (Score:2)
Seriously, why is no one talking about the update which proposes that this is an NSA stunt to increase their power and funding. I know people don't want to talk about conspiracy theories, but there is a really good reason to take action: The NSA will use this to their advantage even if it were to turn out to be just a network hickup, so we should lauch a premptive strike and tell all the news people that there is a good chance the NSA is behind this. It would mean a FUD attack against the NSA, but it may be warented since they are about to do it to us. I would like to hear some other people's views before Istart calling the more fringe libratarian talk show hosts in my area.
Jeff
BTW> it is possible that this is MS's fault, i.e. remember the WebTV thing?
Re:Revolution? (Score:2)
"Or, is it the safest method that they can? Speaking for myself, I would choose the way that was less likely to get me caught."
Nah. There's not really any substantial difference in personal security between launching a DoS and, for instance, a defacement.
"Where's the statement of intent then? A protest without any aim is just similar to throwing rocks through any old window"
You're right, of course. HOWEVER, yesterday this was just a huge DoS against yahoo.com. Today it appears to be more organised. Maybe tomorrow or Friday or next week, we'll get a formal statement from (whoever). Who can say from where we sit right now that it won't happen?
Again, remember that I freely admitted I could be full of shit, this time, but someday it's going to happen for real.
Re:Tort legislation, not criminal legislation (Score:2)
I smell da man. (Score:2)
Give me a break! 50 ~possible~ addresses? I've worked on a large network (approx 10k nodes) and it never took more that 1/2 hour to find a NIC that was spewing garbage, or one with a duplicate IP. And that was with an old 386 laptop running an old 1992 packet sniffing program!
I'm sorry, but I know what some of these 'companies' are capable of, and they would have to be totally inept to take 4 hours to narrow it down to 50 IP's, and then lose the trace! Only to have it pop up again the next day! Oh! Look there it is again! Hit it with the fuzzy hammer!
It cannot be co-incidence that Prez Clinton wants broader powers for law inforcement; that backdoors will not be included in new internet protocols and that these attacks are ocurring!
These attacks are costing these companies millions and they can't narrow it down!?! Because the man doesn't want it narrowed down!
That's how it begins kids! Fear group X, and let's hunt them down and parade them through town square tarred, feathered and GNU zipped!
Re:Revolution? (Score:4)
I won't try and tackle your label of "Bloodthirsty marketers" in full. You're going to have to accept that we live in a capitalist society, and given the technology to organize businesses on a large scale, large companies are going to form for the exclusive purpose of making money. That's the way it is. Nothing will eliminate the Big Evil Corporations save for complete social reform, which doesn't look too likely (communism's not looking too hot as a replacement). And reform will certainly not stem from the Internet, we're just all too rich! Look at yourself! Do you own the computer you're reading this with? Do you have a job? Your own house? Congratulations, you're safely ensconced in capitalism. You can whine and kick and scream, but knocking down web sites is not going to touch off any revolution. All it'll do is give the Powers That Be excuses to implement more security to protect the livelyhood of the folks at yahoo, eBay, Amazon, and CNN. This effort is counter-productive. You know of better ways to educate people about the problems of North American society than this! Please don't support the script kiddies (if that is who did this, the NSA's not ruled out for sure).
Moderators, realize that not every message with "Moderate me down if you must" deserves to be moderated up! Ignore that trash!
Announcement to the Script Kiddies (Score:2)
Steven E. Ehrbar
If I were to conduct a large-scale DoS .... (Score:5)
"Wise man may write Trin00 but any idiot with backhoe on Fiber Optic lines cause much packet loss."
Just another way of trolling (Score:2)
Re:Revolution? (Score:2)
Nope, and I've said the same thing many a time. If we used the same defense in the real world, then we'd all have to have Fort-Knox level security for our houses. Personally, I would NOT be thanking the first person to come along and point out to my sleepy town how stupid it is that we trust each other with unlocked doors. (to borrow an analogy from Cliff Stoll once again)
But there's something about this that <i>feels</i> different. it feels like something is in the air, and if it doesn't come to a head this time, then maybe next time.
Bottom line--it doesn't feel like 'just because we can' is the underlying reason for this one.
Re:Revolution? (Score:2)
Take a look at the targets, friends. Someone already mentioned that pillars of morality like GNU.org, W3C.org, etc. aren't (yet -- big yet) being taken down. It's your upstarts who've launched a thousand-squared newbies onto the net, a thousand-squared clueless idiots.
Take a look at the rest of the list of currently downed servers then ask yourself, "Who have they pissed off recently?" Judging by other sites others have mentioned prior to this post, it looks as though someone is going after the companies that are pervasively commerializing the Web -- the companies which have fenced off their portion of the commons, and pissed on whatever parcel they left the rest of us.
(And who the hell moderated the original post as a troll? Would somebody please mark it insightful? It'll get fixed in meta-mod., hopefully))
----
Re:Big Hat, No Cattle??? (Score:2)
*Sigh* (Score:3)
Don't like the fact that the Web is a "corpoplayground"? That's just a curmudgeony "these are my toys, and I'm not sharing" argument, sorry. The whole wide Internet world got massively bigger in the last ten years, as you've probably noticed. I'd say it's reasonably certain (though I can't prove it) that there is an order of magnitude more free interesting non-corporate content on the Internet now than there was ten years ago. And, surprise, where people went commerce went too. But if you think of barnesandnoble.com as the Internet, do you also think of the real world as just a big Barnes & Noble bookstore? Just like in the real world, there's lots of room on the Internet for big corporations to spread out and make themselves look big and important. (Think of all those TV ads and billboards with URLs as one big cyber-Champs Elysees.) Also just like in the real world, if you spend all your time hanging out there, you'll end up unsatisfied. And also like the real world, there's a place for commerce and a place for community.
Unfortunately, also like the real world, there are people who absolutely refuse to play nice. But on the Internet it's worse, because it's so easy to ruin systems and there's no repurcussion for doing so. There are no social or legal rules, so people do what they please, and some people like to break things. (Hi there trolls! Have fun storming the castle!) It has been that way for the history of public networking, it's not something that just got invented with Slashdot trolls and the DoS attacks this week- CommuniTree (aka Slash version
And the anarchic solution is the romantic notion that people always seem to argue in these circumstances, and as you are arguing now. Guess what? It doesn't work on the Internet. There's more net.abuse than there has ever been, and vigilante groups haven't ever really been effective in combatting them. Assuming you're right about the DoSers' motives, and they don't turn around and DoS your favorite site tomorrow, do you think that it will make all the bad people go away? I doubt it.
This is the part that the freedom lover in everyone hates: the only solution that mankind has ever come up with that works is to make rules and enforce them. That's what governments are for. That's why they were invented. The wild west is a fun, romantic place, but we can't live there forever, because given enough time the outlaws will always outnumber the sheriffs and Billy the Kid is only fun to hang out with for so long.
Far from your argument that the DoS attacks represent that the Internet community is somehow rejecting a bad part of itself, I'd say that the DoS attacks signal the end of the free Internet era. It was fun, yep, I was there for a little bit of it too and I know. But oh well. We have to grow up someday. =(
Potential government involvement (Score:2)
This isn't so crazy. If any of you have ever read the books by Phillip Agee (Inside The Company) and John Stockwell, men who were actual CIA operations directors, you would be surprised at the horrible things these organizations do to "encourage" trends in the US and our allies.
According to some reports, the CIA has been known to plant bombs in airliners... naturally these types of events are always blamed on middle eastern countries and terrorists, and we certainly DO like to hate middle-eastern countries.
How to protect yourself? (Score:2)
Imagine that I'm Joe ISP. How the hell do I protect myself from this? Asking everyone on the net to do their job and filter spoofed packets ain't a reasonable answer. It is simply not enforcable, not on an international scale.
Stopping a server-level DoS attack (e.g. grinding my servers into the ground with dynamic pages, DB lookups, etc) should be possible; identify the source(s) and block at the firewall for example. The catch is identifying the sources, but it is at least possible.
But if it is a network-level DoS attack, in other words, too much is being forced down my pipe, I don't have much of an option but call up my provider and beg them to filter. I can't see this as a reasonable solution. Providers aren't going to be happy adding filter rules to their routers every time a customer gets nailed. It is too much overhead on their routers and on their administrative staff.
So what is a long term solution to this problem? This is only going to become a bigger and bigger problem as the common user's pipe gets bigger and bigger.
Imagine: an email-spread trojan horse, set to pound the hell out of www.bigguy.com at a certain time a month from now. Let it spread to a couple thousand unspecting newbies (wow, cool, look at the fireworks!, lets send that to tom, dick and harry)... Insert your distributed DoS attack method here.
Re:smt old, smt new, smt borrowed, smt tangerine (Score:2)
Anyway, just a random bit of nonsense on my behalf. (Oh, my Mac isn't fruit-flavored. It's beige. An old beige clone.)
----
Re:Revolution? (Score:2)
But it isn't just the bloodthirsty marketers that they are targetting. Those just happen to be the ones who get the publicity.
They cause *huge* problems for the people who run, for example, IRC servers. These people are paying out of their own pockets to provide a free service, and are getting hammered for it. What's the purpose in that?
And they aren't using their own resources for these attacks. They're using resources stolen from other people. My university went through a period of time last year when there were so many hacked accounts being used for outgoing DoS attacks that we'd be dropped off the internet for hours at a time.
And do you think they were truly doing this as an attack on the bloodthirsty businesses? Or just to show off that they have the power to take down such a large site?
This may finally force action and accountability. (Score:2)
The point is that at least people are finally taking notice of the effects lax filtering is causing on the internet as a whole.
CERT was formed to provide rapid responce to exploits, it's time an agency was formed by the major backbone providers (and NOT any government body) to enforce filtering agaist outgoing spoofing traffic.
The consequence of being the source of a DoS should be simple, fix it within an 30 minutes or your upstream pulls the plug until _you fix it_.
There is just _no excuse_ for tolerating this anymore. This means being the source of spoofed
packets _or_ a network that responds to broadcast icmp/udp/whatever with more that X (16?) number of replies (DoS amplifier) should be grounds for removing your clueless hide from the ether until you prove your connectivity is not a hazard to the rest of the net.
Justifying no filtering to maintain speed is bogus, and I think this week has pretty much proven that action needs to be taken quickly and the penalties enforced quickly and severely enough to force accountability.
God save us all.
Re:Revolution? (Score:4)
"Sorry to be sarcastic, but honestly. History's next social revolution? All we have here is a bunch of computer users..."
and
"It's not a protest unless the participants state their opinions and goals and the public has a chance to understand why the shutdown of XYZ matters to the protesters."
Yeah, but as Red Green (OK, and a thousand others before him) said, 'first you have to get their attention.'
I said that this could be the beginning of a revolution. This isn't the revolution by itself, and in fact may be nothing.
As for the bloodthirsty marketeers, I won't deny capitalism, or even that it's a (fairly) good thing. However, we're starting to see the results of the gross abuses of capitalism, as it runs smack into the power of the Information Age(tm).
I'll be the first to admit it--I'm living well. I rent an apartment and drive a 20-year old beater, but I own my computer, have a good (and fun!) job as a sysadmin, and was drinking outrageously good wine last weekend (Yalumba Octavia, 1990 was the highlight for anyone who cares). Capitalism Is Not Inherently A Bad Thing(tm).
But that said, I'm starting to fear for my privacy more and more; and so are others. Look at the (serious) WTO protests. Listen to the cynicism growing in people. Look at the number of Americans who are starting to venerate Richard Fucking Nixon, because they don't believe that they've seen anyone less corrupt since then!!! The middle class is gradually dissappearing. I honestly and truly believe that revolution is in the air, and will start on the internet. (specifically, on the web, since that's most of the internet these days). Maybe not today, but in my life. However, I don't think it'll be a revolt against capitalism, as much as a revolt against abuse.
As for the moderators, don't worry. They've moderated me down almost exactly as much as they've moderated me up on this post. :-)
Bahaha! (Score:2)
You've been on the net since '94? Give me a break. You don't even know what the old days are. Sheesh, you arrived after the Web existed. You never knew the internet in the pre-Web, pre-graphics, pre-PPP "everyone has their own IP" days
.
And by the way, Slashdot and Bluesnews *make money* and the owners are Slashdot are easily millionaires now.
Furthermore, the internet is interconnected, and by pissing in the water, your spoil if for everyone. If you try to take down Yahoo, you end up taking down lots of intermediate networks that host your beloved moral, commercial free,hippie sites. However, no one ever accused socialists/anarchists of logical thinking.
Re:Yeah and you know what would fix it (Score:2)
I remember hearing about 2 years ago that smurf attacks would be completely phased out due to tier 1 (and to a lesser degree smaller) ISP's filtering at their borders -- but apparently this has not happened yet, as there are plenty of broken networks around and plenty of unfiltered networks that are able to exploit these vulnerabilities.
Re:Tort legislation, not criminal legislation (Score:2)
War of the Worlds Effect (Score:2)
Rememeber the stories everyone hears about Orson Welles Halloween broadcast of War of the Worlds? This is sounding strangely similar to me. There are some real crashes going on, but I am seeing a lot of reports of sights being down that are, as near as I can tell, still entirely up and running. Some big sights went down today, and now every time that someone can't load a webpage, or hits a server that blocks pings someone claims that they've been crippled by a DOS.
Someone mentioned earlier that Adobe may have taken themselves down because they were afraid they might get hit next (as of 09/02/2000 12:53 EST, I can get to the page; it did seem to be down earlier). I wonder how many sites are unplugging or blocking partial traffic out of fear of a hit. Whatever else is going on tonight, we're getting a good view of the power of the Internet as a rumor mill and propigator of memes. Pretty impressive.
Never attribute to malice... (Score:2)
While I'm as willing to blame the guys with the black choppers on this as the next guy, the fault lies with poor network administration.
Not that the targets have any choice about landing hard on their knees when beaten over the head with a DoS. There are things they can do... As has been elloquently pointed out in this post [slashdot.org]. In a nut-shell, shut down unused ports, shut down unneeded services, filter out the offending networks (would you rather limit your availability, or end it?), and most importantly LOG IT ALL.
Logging is crucial when you are being beaten. You may not be able to prevent it, but you CAN collect evidence.
As for the poor network administration... Universities, small/midsize ISPs and break-neck businesses leave far too many doors open. These are the people to blame - unwitting accomplices.
Legislation may help, but it has to be careful. It must require proof - and in cases such as these it's hard.
The conspiracy theory does bring to mind an interesting scenario though. What if all 1 billion Chinese, all running Linux, suddenly started pinging all of the US biggest eCommerce sites? Global slashdot effect levied directly against our infrastructure, and indirectly against our fast-movers on Wall Street. And no amount of legislation would get our servers off their knees.
What scares me... (Score:2)
The net has been pretty slow for me, and these "attacks" are either very widespread and very undetectable, or they aren't attacks at all.
Remembering The Hacker Crackdown once again, what started the whole nasty thing were widespread phone service outages that were blamed on hackers. The problem was eventually traced to a cascading phone switch bug, but the damage was done even then, and many hackers and crackers had their equipment (unlawfully?) seized by the government. After the DeCSS fiasco and now this, I don't want to see a world-wide repeat of this travesty.
So what can we do to check this out, guys?
---
pb Reply or e-mail; don't vaguely moderate [152.7.41.11].
Re:Yeah and you know what would fix it (Score:3)
For a good distributed DoS you don't need spoofed packets. It is much more devestating to use real addresses. Using real addrs you can establish connections and request files to download. You can chew up far more bandwidth, processor time, and RAM this way then simply flooding the link with bogus traffic. If you want to be particularly nasty you start screwing around with the packets you (should) send back to the server. That is left as an execise for the reader as well the guestimate for how many attackers you need. (hint: not that many)
Although I do agree that it would be nice if ISPs would start dropping spoofed source packets. It is trivial to do. It is a standard feature for most routers and can be done on the cheap with OpneBSD or Linux boxes. I don't however think a law is need. I hate legislateing common sense.
Re:How is slashdot prepared (Score:2)
--
Re:Yeah and you know what would fix it (Score:2)
Told you so (Score:2)
It is worth noting that malicious, as opposed to merely badly-behaved, hosts, can overload the network by using many different source addresses in their datagrams, thereby impersonating a large number of different hosts and obtaining a larger share of the network bandwidth. This is an attack on the network; it is not likely to happen by accident.
That's the fundamental problem; there's no way in IP to validate source addresses. There's IPsec [nist.gov], which provides cryptographic authentication at the IP level, but nobody uses it yet. This new attack may result in a move to implement IPsec more broadly. This is the proper technical fix.
A related problem is that attacks based on taking over a large number of unsecured hosts and using them as zombies to attack a single site is indistinguishable from heavy load. If the zombies simply make legitimate HTTP requests, the traffic looks completely normal.
Re:Revolution? (Score:4)
Re:Revolution? (Score:2)
I remember the media and government going batshit when antiwar activists threatened to shut down Washington D.C. with demonstrations and blockades on major roads and bridges. The police and National Guard made mass arrests of everyone who was perceived to be a threat to public order, around 10,000 people were arrested.
DoS tools (Score:2)
They claim they've been finding a client called Stacheldraht on compromised hosts, sometimes with up to 100 connections to other compromised hosts.
This is consistent with security claims at Dave Dittrich's site at U Wash [washington.edu]
Basically, someone uses known remote root exploits (lpr, named, ssh, to name a few recent ones) and compromises hosts. Then he synchronizes them to DoS some target from someplace very safe. One person can thus appear to be a few hundred clients all attacking some target simultaneously. By making a trivial change he could move his target.
This is NOT a large synchronized group of people. It is one or at most a few good crackers just having a good time, hardly believing how much damage they are doing so easily.
The report names linux and Solaris as the machine types with makefile rules defined in the program, and the program has only been seen on Solaris 2.* in the wild.
German for "barbed wire".
Re:*Sigh* (Score:3)
And we're supposed to be thankful for this??
they made it possible for normal people to find the web sites they wanted to go to
Because they invented the search engine? Oh...wait, they didn't. Veronica and WebCrawler were cataloging categorizing, and searching the web before Yahoo was around.
And Amazon and eBay were also pioneers in their respective fields
Stupid patent lawsuits and black market kidney sales, respectively?
Don't like the fact that the Web is a corpoplayground"? That's just a curmudgeony "these are my toys, and I'm not sharing" argument
No, it's a sad commentary on the direction the internet is taking. Radio used to be an exciting new technology, promising instant communication, like the net.hype promises today. Then it was dominated by large corporations, and today it is nothing but top-40 crap and insipid talk shows. Anything creative or thought-provoking has been squeezed out in favor of safe, easy to digest, bland, boring, profitable pablum.
the only solution that mankind has ever come up with that works is to make rules and enforce them
I don't see what you're driving at here, there are already laws against this.
There are no social or legal rules
Tell that to Kevin Mitnick, or the DeCSS defendants.
DoS the entire Internet? (Score:2)
Interestingly, it looked like the Internet was doing slightly better than average during the Yahoo attack.
Could some backbone actually have been attacked?
Re:Revolution? (Score:2)
Not even DoS attacks!!! (Score:3)
First off, you have to consider that most servers are NOT going to have the capability of participating in this kind of attack.
1. Bandwidth - um...50 servers, over t-1 or less links? Nope. They HAVE to be located at a Tier 1 provider (running on the Tier 1 provider's LAN, or on colo sites that are generally capped at 10 - 100 megs). That Tier 1 provider HAS to have private peering established over large pipes - this kind of attack would have melted down PAIX.
2. The colo customers would have to be completely blind to the fact that their sites are running up bandwidth charges (charged per meg/s), but getting NO hits for services offered. Also, their security would have to have been completely compromised - ie, bypassing load-balancing proxies in advance, compromising firewalls, bypassing access-lists.
3. ALL of the above would have had to have happened in a coordinated fashion, such that traffic would have to be sent to a DoS client on the servers in question, enable the attack, which said attack would bypass then aforementioned barriers and smack down Yahoo! for more than 1Gig of damage.
Now, how many machines do you have to compromise AND install clients on AND run without being caught, taking up sizable chunks of bandwidth which generally WILL be noticed, and still make the attack possible to occur without making yourself a huge effing target?
Possible, but not very credible - though my hat is off to anyone who could compromise much more than 50 sites and hide the massive amount of work that would have to be done to set this up and make this work. Of course, I don't think that it is likely, since we would have seen multiple reports at CERT and Bugtraq from pissed off sysadmins about some boosheet DoS client hidden on their systems.
Consider the alternatives instead. Consider that some of these outages -especially the eBay outage- were not caused by DoS attacks, but by faulty equipment/software from proprietary vendors - a certain network equipment manufacturer comes to mind on that one. Consider that none of these businesses have to suck up the cash damage if these were "unforseen" occurrences.
1. The Yahoo "DoS" attack may not have been the kind of attack they admitted to. There is always the possibility that equipment upstream was b0rked, causing packets to be sent promiscuously all over the network. I've seen it happen before, just not to Yahoo.
2. Consider that the eBay problem MAY have been a DoS attack, but not the kind you think. I know of at least one showstopper bug that has come up with no less than TWO different major router vendors that could cause the crash they had.
3. I've been able to reproduce similar problems in a lab environment with one vendor's equipment that I was demo'ing. Many of these "DoS attacks" can usually be chalked up to a configuration that the vendor never bothered to test or consider.
I am not calling ANY of the companies mentioned liars, or defaming their stories. I am just pointing out that they may be mistaken, or that their public relations people may be using "evil hackers" to point people away from problems that may have been alleviated but still exist. Please consider that these events could have been caused more by ignorance and greed than by a heretofor unknown elite cadre of super 'net ninjas.
One way to track down the "masterminds"... (Score:4)
Of course, no-one will ever see this post buried hundreds of messages down but with any luck they'll at least find a few of them.
My Next to be Hit Predictions (Score:2)
Earlier a few people (myself included) theorized that this whole issue is about enacting a bit of vengence [slashdot.org] upon those who have "wronged" the Internet.Based on that supposition, here's an off-the-top-of-my-head list to see who might be next:
Feel free to add or challenge the above>
Sites that very likely won't be attacked:
Again, feel free to add or challenge.
----
Re:haiku (Score:2)
That's six syllables, dolt.
So, what can I do? (Score:2)
Someone MODERATE THIS UP (Score:2)
If the parent comment got an "Informative" then the counter deserves it too - esp. this one which seems quite well reasoned for Slashdot.
Re:DoS like stealing cars (Score:2)
or the manufacturer for providing an unsafe lock.
This would equate to not the company being responsible per se, but rather those who
supply/setup the servers and software.
On a sidenote.. the FBI in this? I'd say this is like 700 people picketing in front of some store,
making it impossible for everyone to get in. picketing isn't illegal, is it?
//rdj
No need for root. (Score:3)
One of the most frightening things about these kinds of attacks is that there is no need to get root. In most cases any user account will do. Think about the big hosting providers: they have machines with excellent connectivity with thousands of users connecting with telnet, ftp and pop3 exposing their passwords to snooping. It doesn't help if the system has excellent local security against gaining root access and and the administrators use only ssh. The attacks look exactly like regular web traffic - connections from unprivileged ports to port 80 - any user can initiate such connections.
----
Re:This is really strange.... (Score:3)
Yeah, I'm sure it's just a coincidence that these DoS attacks start up just after Kevin is let out of jail.
:-)
Regards, Ralph.
This is long overdue. (Score:2)
Revolution? Maybe Not. (Score:2)
Re:haiku (Score:2)
Gods, can I never be free of you people and your tumescent lobster posts ?
Re:Revolution? (Score:2)
Umm.. hello? These stupid rebels attacked CNN. Why? For the hell of it. That's so phenomonally obvious that it's nauseating to see your comment rated a 5 when it's such hogwash. I am increasingly amazed at how little it takes to impress the Slashdot moderator. Maybe I'm overreacting; about 10% of me thinks that your post is sarcasm.
Social revolution against lame web sites? Give me a break. That's like blowing up Burger King because lots of stupid people in your town eat there.
Your assertion that they aren't throwing rocks at windows, but rather protesting is also entirely absurd. Let's see.. this analogy should be a tough one to come up with. Try this on for size: Sending packets to break a service is analogous to throwing rocks to break a window. Wow, that's complex. They are breaking companies' web sites. In addition, they broke buy.com's on the day they went public.
You don't think there's anything wrong with silly kiddies running around the Internet breaking random web sites in the name of
Re:AMD as well? (Score:2)
The Tick - "Spoon!"
Re:Revolution? (Score:2)
Yahoo.com. Started as a nice little index running in a dorm room. Now? Collects marketing statistics first and foremost and THEN runs an index on a server farm.
ABC. Owned by Disney. (Nuff said.... no offense, Rob.)
eBay. Relatively okay company, but they won't allow outsiders to provide searches into their pages. Not a good thing.
CNN. I don't have a bone to pick with CNN. I'm guessing this is a notierity issue.
Now, let's take another look at the targets. Yahoo, CNN, ABC, Disney...the connection I see is that they are all high profile sites. You're right, GNU.org and W3C.org didn't get hit, that's because, in general, no one would give half a shit. Do you think these kiddies would have made every major news program for taking down GNU.org? Not a chance. Just because these sites are the "pillars of morality" on the internet doesn't mean people care about them. If GNU.org went down, how many people would notice? Maybe a tenth of the people the noticed Yahoo or Ebay being down (and that's being generous). You say yourself you can't find a reason for CNN being attacked, using your reasoning. That's because there is no reason other than these kiddies can see more of their handy work on the TV.
Re:So, what can I do? (Score:2)
Couple of things of the top of my head:
make sure you're using tcpwrappers to secure any services that are running - ftp especially.
Abacus portsentry: sits on well-know ports and blocks/logs any unauthorized activity - even scans.
Turn off any unneeded services - if you don't use portmapper - turn it off - turn off all rpc services.
If you need to access the box remotely, use ssh.
Make sure you're running the latest apache server.
That's a start.
Re:DOS Solution? (Score:4)
Exactly. The solution lies in what I like to call the Primary Array Network Transaction Service, a wrapper of sorts for the GRITS subsystem. When you put the GRITS into the PANTS, you'll find that most of your DoS woes disappear, to be replaced by a sensation of warm satisfaction.
Only one side: (Score:3)
There are countless others out there (way more than you and anyone else you speak of), that are going to be starting a revolution of their own kind. And I am speaking a subtle revolution...
A lot of people are scared to death about this, about Columbine, about Seattle, about guns, about pornography and about the internet in general. They are "concerned" about their children. They read the news and believe it. They want more control. They demand less freedom. They need more protection.
I am going to go out on a limb and make a guess that you are twenty-something. Well, we are quite the minority right now, and are not taken seriously. How much respect does the "Slacker Generation" get?
I too believe we are starting to lose a lot of our freedoms, I really do. It genuinely frightens me when I see this shift away from people taking responsibility for their own actions. But that is what the majority of people want right now.
The problem with the movement that you advocate (and so do I), is the way it comes across to these people. We want to watch porn, do drugs, crash systems, listen to songs and play games endorcing benevolent violence, build plastic explosives, vandalize and corrupt children... but it's all in the name of freedom. I think this is what a lot of people see. What we are fighting is a lot more difficult to see and understand than, say, the civil right's movement. There is an instance where a young generation actually made a difference... but they were not fighting for porn and violence!!!
The trouble is going (and always has been) to be trying to get people to see around that.
And someone will say, "And your point was?"
I have absolutely no idea.
Re:Was abcnews.com haX0rEd?? (Score:2)
"Once you're done," says student ***** **, "you push 'submit.' They ask, 'Are you sure?' and you say, 'Yes, submit.' And then, one minute later, they send the score right back to you because it's all automatic."
Y2K / Leap Year (Score:2)
bad analogy (Score:2)
By all means, hold the commercial OS manufacturers at fault also. There's too much shoddy work on all sides, and it's time to shift the burden of that shoddiness back onto the people with the most power to prevent its occurrence and away from the innocent bystanders.
Re:Maybe I lack clue... (Score:2)
the ocasional paranoid delusion can provide some
entertainment anyway
its not like worl dgovernments haven't
given us enough real examples of abuse of power
to be distrustful of their motives.
> 2.An act of the United States government against
> its own people, possibly for the reasons
> described in the post michael linked.
Ok as was mentioned...this apears to be a HUGE
smurf attack of some sort (possiibly a new
variation on the smurf theme that sliips through
many of the old fixes)
Just looking at the logistics of it...a direct
government attack doesn'r makes sense. While
yes 1 GB/s of bandwidth would probably limit it
to government if it were a single point attack.
However, a single point attack would saturate
everything between the originator and the
target. This would mean that it would be easy to
trace back through the route to a government
setup.
However, from hundreds of machines all over the
net, each with fairly differnt yet all high
bandwidth paths....1 GB/s would be easy to
generate.
So for the super paranoid delusion. Consider this
scenario... (the most likely of the far out of
left feild ideas)
1) NSA or equivalent figures a way to crack
into some systems, and at least get user
accounts, and a client that can be used to
mount an attack from the machine remotely.
2) (optional) they break into a bunch of machines
and install the client.
3) they obscure their starting adress with said
acounts and other stuff...they get on irc and
find som estupid script kiddies. Give them the
"tools". and set them to work.
now...the script kiddies launch some attacks on
high profile sites for shits and giggles.
The advantages:
1) no way to prove direct government involvement
2) script kiddies who can take the fall for the
incidents, and don't even know themseleves that
they were given the tools by the NSA (or equiv.)
There...nice model for a paranoid delusion.
Just as Hitler burned down the Reichstaag, its
actually a viable way to get public support
behind the theings they wish to acomplish.
Of course...its much more likely that a bunch
of script kiddies are doing this just for
"shits and giggles". Then again, it could be
a small band of hackers who are hopeing to
raise awareness about these things and
scare network admins and sysadmins into
beefing up security internet-wide.
(kind of a "propaganda by example" of sorts)
However...its more "fun" to blame it on evil
agents with political goals...as such, Carp's
law is applied which states, "Whichever
possibility is the most fun to assert as true
should be asserted as true"
-Steve
Re:So, what can I do? (Score:2)
Even comes complete with a tool for converting your /etc/inetd.conf file to its own format... c'est cool.
--
Authority, hell, question reality.
How would you announce it? (Score:2)
How do they claim responsibility in a way that people will know it is them without revealing enough information to land them in Jail?
If you deface a website, you can at least leave your message behind. With a DOS, you don't get that opportunity so there is no direct association between the attack and the related political message.
All of the targets have been the big names in commerical internet sites. CNN was probably targeted over other news sites because it is part of the AOLTimeWarnerTurner cabal. So, it would seem that this attack was launched by either people with issues against commercial sites, or it was part of a government conspiracy. I lean towards the latter, but then look at my e-mail address and it will become self explanatory
---
Re:Yeah and you know what would fix it (Score:2)
> hurts the evildoers. No one has a legitimate
> reason for sending packets out with the wrong IP
> address.
I don't mean to rant...but i can't stand that
attitude. So i guess I am gonna rant.
Why is it that as soon as a problem or possible
soultion to a problem is identified, someon
invariably says "lets make a law". Forget trying
to use social force or suggestion to get all
or most ISPs to adopt the policy, jump right
to law making.
Do you realize that when you say "We should make
a law", you are really saying "If someone doesn't
do this, they deserve to have men with guns apear
at their house and take them away". I am sorry
but I don't think that a person who runs an ISP
deserves to be strong armed by the threat of
physical force into application of configs at
his router.
The "lets make a law" mentality is responsible for
the fact (to paraphrase shulgin) a person who
can read war and peace in a week, would have to
read at that same rate for 25,000 years to read
all of the laws of the Unites States that are
in effect as I write this (actually that figure is
several years old...its probably somewhat larger
now)
Now, I agree that generally speaking, there is
little reason to allow IP spoofing. Yes, ISPs
can and generally should block it. Why not
do it in a similar way to UDP (Usenet Death Pen.)
Get a bunch of organizations together, and when
there is a problem with users spoofing from an
ISP, threated with routing death penalty.
I think that ISPs would generally be glad to
impliment such protections, if it was presented
in a sane manner, and peopl epresenting it were
willing to help them get it implimented.
Hell, they could stop spoofed packets right at
the PPP interface. Or better yet...log all spoofed
packets and contact anyone sending them.
Believe it or not...som epeopl emay have a reason
for sending spoofed packets (or may not even be
aware something "bad" was going on from their
box)
Maybe I am a network admin and want to test my
own anti-spoofing stuff at my router, so i want
to go home and send spoofed packets to my router
at work using spoofed intenal adresses, that way
I can make sure it works.
Once I sent spoofed packets because a friend asked
me to demonstrate something on his box (so I sent
some spoofed packets that crashed his box)
as such I think a much better way to aproach the
subject is just ask ISPs to set up monitoring
for spoofing. Ask them to make a policy on it and
enforce it. If ISPs logged all spoofed packets
through them and the user sending them....it would
make finding these people EASY.
No laws required.
ZDNet also hit. (Score:2)
ZDNet was hit this morning by the exact same type of attack. See the story here [go.com]. After seeing all the anti-Linux FUD on ZDNet, maybe there is something to the "revolution" theory?
Oh yeah...for what it's worth, ABCNews did an analysis [go.com] of these attacks; an analysis which I find refreshingly honest. To sum: people who whine about these outages have unhealthy, unrealistic expectations of their technology.
The web is not the Internet (Score:2)
Great,so the web made connectivity popular and faster. Fine. wonderful. Yahoo was instrumental. Fine. Wonderful. They have a nice, no-frills interface compared to most other portal sites. (which is why I rarely use portals, but hey)
But Yahoo did NOT begin communities online. Maybe you haven't bee around long enough to know what a shell account is, or to remember what connecting from home was like without your very own TCP/IP stack. Maybe you were never good friends of Veronica, Archie, or Eric.
That the Internet is so handy and ubiquitous is a great thing. But the original point of the poster was that the Internet is still, despite pressure against it, a place where all soapboxes can be equal.
That being said, I'd rather this newfound dDoSes be used for good rather than hitting high-profile sites (whatever happened to hactivism?), but even this will possibly spawn increased security awareness. L0pht claimed they could take the 'net down in 30 minutes. Most of us believed 'em, now maybe the rest of the world will figure out that this is indeed possible and not limited to the exclusive knowledge of the l0pht crew.
Alert - DoS attacks move to online traders . . . (Score:2)
What is becoming clear to me is that someone has been planning this out very carefully. I'm wondering if there have been any quiet blackmail messages sent to site owners -- "Send us a cool half milliion or you're next."
to whoever is doing it: lay low for a bit (Score:2)
As a citizen of an ever-encroaching big-brotherlike planet, this kind of stuff makes me sleep better at night.
To whoever is pulling off these attacks:
You're our well-armed militia. I think it's important that people can do this if necessary. I think it's crucial to the freedom of future inhabitants of this planet that people have the ability to do this.
The more you pull stuff like this off, the better their defenses are going to be. Every time you whack a site, they're gonna analyze every move you made and figure out ways to defend. Don't give them the bits they need to put it all together.
I can't stress enough how important it is that the people have the ability to do this in an age when government surveillance is reaching ludicrous bounds. Our cell phones and cars will be tracked, our movements will all be known, and it's not too much of a leap to see that all of this will be done electronically. It is absolutely essential that the people have the ability to throw off the system if need be.
I'm not even pro-militia in the sense of today's publicized militias... I'm not some wing-nut, I don't even own a gun, or even like them. I just realize the importance of the people's ability to defend themselves from oppressive governments or "New World Orders" if push comes to shove.
OT: Hackernews.com is down (Score:2)
with a last updated stamp of 01/01/97.
Re:CIA planting bombs / Gov't sponsored DoS attack (Score:2)
And you're basing this on WHAT? Your friend the postman?
READ THE BOOKS BEFORE YOU CRITICIZE ANYTHING.
That's just naive. How do you explain the CIA projects that our government has ADMITTED TO wherein the CIA injected people with horrible toxins and exposed them to horrible amounts of radiation to see what would happen?
Patriotism is the reason people DO this stuff. I remember a former government employee being asked questions about a nuclear test in the deserts of nevada. They KNEW fallout would land on this particular town (I forget which one) and the interviewer accused this guy of being a criminal for exposing american citizens to ratiation and not telling them. He said, "I did it for my country, how else were we going to beat Hitler and Japan?"
That sounds like blind patriotism to me.
Basically, your argument is based on this naive belief that our government "wouldn't do anything wrong cuz we're the GOOD GUYS" when if you'd open your eyes, you'd see that the history of our government is no different than any other's. It's littered with deceipt and dead bodies.
I could give you a list of references indicting out government, but I suggest you start with the two I already mentioned.
But I'm sure you'll just dismiss them as the works of angry, former US gov't employees who have an axe to grind because they didn't get their pension or something.
Noam Chomsky has a great phrase to explain these kinds of arguments.
They're true because they have to be. No reason, they just have to be.
Discussion on NPR's Talk of the Nation (Score:2)
I'm listening to Talk of the Nation right now on npr. They've opened a forum to talk about the recent DoS's. They have two guys - security fellas - didn't catch the names. They are covering pretty much what's been discussed here, but it's still neat to listen to.
Re:Never attribute to malice... (Score:2)
Here's my take on the extreme case, disclosing first that I don't know backbone capacities, and the point may be moot if they're adequate.
Since after all, the internet was designed to withstand a nuclear war, with all the damage and (possibly) EMP issues that go with it.
There's a quote by Robert(?) Reinhold (from Virtual Communities): "The Internet interprets censorship as a failure, and routes around it."
Well, considering that, the 'ping tidal wave' (tm) would just go the other way, wouldn't it? China would effectively sever itself from the internet, but in the process cut all westbound links from the Americas, and all the eastbound links from EurAsia and Africa... (Yeah, they can do that with a backhoe too) The trans-Atlantic links would buckle under the added strain of valid traffic... Mayham.
I guess my question becomes: Just how reliant/dependant are we (we being variable) on their (again variable) infrastructure.
Re:Maybe I lack clue... (Score:2)
a small band of hackers who are hopeing to
raise awareness about these things and
scare network admins and sysadmins into
beefing up security internet-wide.
You just have to look at who benefits mosts. Seems to me it could either be the gov't (hoping for more surviellance rights), a hacking group (l0pht is for profit now, eh?), or even some really enterprising young geek pissed at the world or just curious about it.
I just hope folks don't panic, but watching CNN's talkback live (an interview with Mitnick no less, what a dork) it seems like thats where the media wants to push it, surprise, surprise. If no other news happens this week, expect a whole bunch of idiots to spread a whole buncha FUD about the whole thing.
Re:The web is not the Internet (Score:2)
At Least Mitnik is ok (Score:2)
Re: Revolution? ---Don't Speculate! (Score:2)
We have no idea what kind of people are behind this or what their actual agenda is. Until they do we shouldn't try to make judgements about:
1. Who They Are
2. Why They're Doing It
Honestly, no one is going to like it if it turns out it was members of an underground cult called "The Fourth Reich" operating out of Austria to celebrate the Freedom Party's victory and crush the United States.
I refuse to own these people until I know who they are. I much prefer people who speculate the NSA is behind it, because that would have a more positive outcome if revealed.
Ok, suppose it turns out the they are all freedom-loving Libertarians who love Lunar: Eternal Blue and have decided to take the battle to "the Man?" All that means is that I've now got to worry about being interrogated by Secret Service agents (since I'd fit the profile) and that eBusiness leaders are not going to have much sympathy for hackers. Oh, and Jack Valenti is sure to mention it in his next Op-Ed Piece about the "strange hacker ideology."
I wouldn't be surprised if this turned out to be entirely different than people's speculations about it, so let's keep the "Vivé Le Revolucion" comments to a minimum until we know what "revolution" we are are supporting, ok?
Re:Revolution? (Score:2)
Real revolutions in the sense of historical revolutions have usually meant a lot of people dieing for someone's pocket book or ego, while backed up by some sort of political dogma. I'm not a big advocate of them myself.
Re:bad analogy (Score:2)
Re:Revolution? (Score:2)
Remember him? Arrested? Detained? Property seized? All at the behest of the movie industry in a foreign country?
Re:Revolution? (Score:2)
<p><i>"It's true, the middle class is gradually thinning out, the wage gap between rich and poor is widening, and things are starting to become slightly tense here and there... But don't underestimate the power of greed and desire. The poorer North American citizen (who is not really poor in comparison to the rest of the world, don't ever forget that) will, 95% of the time, it seems, stick to his job, buy lottery tickets, anything to try and achieve the material opulence that commercials tell us is desireable."</i>
<p>The crucial point is that historically as the middle class gets smaller (they split into richer or poorer), the lower class gets poorer. By the time the middle class is gone, the lower class is _really_ lower class, usually subsistence level or below. That's when revolution starts.