Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
The Internet

OpenProjects IRC Network Suffering DoS Attacks 197

Alowishus writes: "Open Projects Net, the IRC network which is home to Debian and other open source projects, has been suffering DoS attacks from a disgruntled customer of one of their server sponsors. Lilo, their sysadmin describes the attacks here, and asks for assistance." It's pretty terrible when a kid goes bananas and can damage the volunteer efforts of many people working really hard to create and support something so many of us use and enjoy. The sad part is that whoever is doing this feels self-righteous and justified in his actions, so nothing any of us say will matter. I hope they catch him. DoS attacks just aren't cool, ever.
This discussion has been archived. No new comments can be posted.

OpenProjects IRC network suffering DoS Attacks

Comments Filter:
  • It seems this world has got to a sorry state when a pathetic script kiddie can bring the whole of a network to a halt. One person, ruining it for 1000 others.
    On Efnet, servers are regualy attacked, because the people there are less specialised. But on OPN?
    How very very sad.
  • DOS was just a rip-off of CP/M

    ____________________
  • Mengmeng wrote:
    Have you read the linked articles? I don't think anybody has been able to, since advogato seems to be slashdotted. I would assume in one of those articles, lilo mentioned that the perpetrator actually is a kid, therefore Taco made that comment... (since he was able to read it before it got slashdotted, obviously :-P )
    Mengmeng,

    I'm probably the source of the 'kid' comment. I do not really know the age or gender of the attacker, and intended 'kid' as a description of maturity level than calendar age. Apologies to younger persons reading this, but I have frequently seen 14-year-olds act precipitously without considering the consequences of their actions to others. Obviously, though, maturity varies from person to person, and I've seen adults who never achieved a very impressive level of it either.

    Rob L.

  • In a variation of Make spoofed packets illegal simply block outbound packets from your network that have a source address other than from your network. While this can be a big problem for core routers, it's really only needed at borders to other administrations. Logic could be added to inspect incoming packets by applying routing lookup to the source address. If the incoming interface is valid (not necessarily best, but at least valid) for the incoming packet, then it's OK. Otherwise discard it. Linux 2.4 now has this in the kernel. I've heard Cisco IOS has a form of this, too. It should be made to be the default configuration.

  • I've searched...I've surfed...I'm perhaps ignorant...but what is 31337? Mike
  • Assuming that IS true, and I doubt that they KNOW that it was a kid, maybe I could agree with you.

    Nonetheless, I commonly see this assumption being made, whenever something gets h4x0r3d, its immediately 31337 skr1p7 kiddiez. Does anyone stop to think it might just be some lazy pissed off jackoff IT guy?
  • you can't blame him for the fact that people like that follow him. He is is own person, and the person who would do something like that because "the all mighty taco" said so is delusional. Judge a person on thier own merit.
    "Hex, Bugs, and Rockn'Roll" --The Programmer's Digest [sufftech.net]
  • I have an anecdote about how vigilante justice once worked, so now it's a good way to solve a completely unrelated problem. Firstly vigilanteism punishes unpopular rather than illegal and immoral acts. While they sometimes coincide, they are not always going to. Also there is nothing to stop viglantes going bad, while there are some fallbacks and protective measures in most control structures. Your idea relies on what I presume is a benevolent group who only have the best interests of the majority at hand and are only called in when all normal attempts have been exhausted. This is not really a good idea for the real world. But of course the internet is not the real world, an immediate punitive system like this is possible, because the consequences for a bad decision aren't very great. I've lost my internet access, it's like losing your TV aerial - it's prefereable not to lose, but if your life depends on it - it's time to lose it anyway. The other issues still exist, but the internet is not important, it's not (yet) real life, you won't die or lose an arm if you make an error. Of course unpopular things will still be punished, wonder how an upstart, free, unpopular with the major players OS would go in such an environment?
  • Nuke the script kiddie from orbit. It's the only way to be sure.

    -----
  • Either you're a troll or an idiot. But I repeat myself.
  • People seem to carry their moderation points as if they were swords around here. It's really sad, but most would rather mod down as many posts as they can (whether they deserve it or not) than mod up even one insightful post. Just another reason the moderation system around here sucks. When you rely on the egotistical morons that go for as much karma as possible to moderate, there are bound to be problems.


    Slow moving marsupials and the women that love them
  • What?? You mean you actually, really, honestly do sit there monitoring the page with the refresh button? Wow. Your index finger must be exhausted.
  • Er - I read the FAQ, but have you? If so you will note that I addressed the points made in the FAQ in my post.

    --

  • Gee Ron, do you think you may have just found your man?
  • As to items 1). Secure all servers. You're telling me they're not? *GASP* Heaven Forbid. 2). License ISPs. Make ISPs accountable? You're telling me their NOT? 3). Make Spoofed packets illegal? But, what about the legitimate use of a spoofed packet lets say for example by a FRAD programatically using probability to determine a session partner is heavily loaded spoofs a packet on its partners behalf to reset the ttl along a route. *GASP* You can do this? 4). Authenticate everything? You mean we dont make reasonable attempts? 5). Criminalize all scanning including pings and probes. And lets defeat other diagnostics such as tcpdump, traceroute, and the application of technologically sophisticated devices used as an assist to locate, isolate, determine and prevent problems before they become problems. Lets burn all the protocol analyzers. Lets do away with other tools such as nmap which make it very easy to thouroughly self-test the integrity of our networks. Hey... While we're at it. Lets forget all about this freedom and democracy noise. Voting for presidents and legislators who help to promote and work to make liberty and justice a reality and not just a pretty notion. Yea... thats it. Back to the good ol' days with Nikita encouraging nuclear war, economies and forms of government that had no clear chance of succeeding. Lets just toss our freedom and be equal to you. Small minded little drones who sing the song along company lines... Heaven forbid a creative thought.
  • Two points
    1) If the attack is coming from _within_ an ISP, all bets are off.
    2) How many people/corperations are there who do have 45Mb/s access? The last 2 fortune 500 IT companies (one 100, one 100-200) I worked for had 2Mb/s.
    Surely that must narrow the attacker down somewhat.

    I can't believe that ISPs are happy to _carry_ the attack. Why can't the ISPs be made responsible for the DoSs that they carry, maybe then they'd help trace them to their source as they pointed the fickle finger of blame further up the pipe.

    FatPhil

  • I suppose it might be cool to do a DoS attack against your brother/sister on an in house lan while playing an fps against them. But other than that...

    No this isn't something I've done, I'm an only child.
  • I left the network the instant I was asked to curb my language in one of the linux help channels. so much for a "free" exchange of ideas.
  • Vigilante justice ain't perfect, but I'm thinking it would at least put power back in the hands of the people again. Sure, a few unpopular people would get wrongfully accused, but that sort of shit happens every day anyway. Why not just make it a little more 'by the people'?


    Slow moving marsupials and the women that love them
  • by Anonymous Coward
    Hmm... is a "./" like the reverse of the /. effect? Would slashdot readers suck all the traffic away from the size, leaving them with infinite bandwidth?
  • I was k-lined for disagreeing with you. My position is the irc is a place for friends to meet and have a little fun and if we can help someone from time to time we do. You feel a need to make OPN a career. Fine for you but I have a career. I disagreed with your general philosophy in principal and never outloud until your endless rant forced me to decide that OPN just wasn't worth it. If you have doubts the lilo rant logs are still available for anyone who cares to see'm for themselves. As for your k-line. Your argument with me extended a k-line to an entire group of people. As you know all to well... You k-lined everyone, regardless of their relationship and/or affiliation with me. Even today there are at least 1/2 dozen extraordinary engineers k-lined who had no disagreement with you. No Fear Lilo Ol' Friend. We've got our own network where we can talk without your eavesdropping and nagging /msg's when something rubs you the wrong way. Which seems to be everything from you're ol' lady, to your ex-employers, to people you tried to bully, cajole, while begging for money or other favors using the IRC. In anycase... This is boring. I've got real work to do. Enough of wasting time on a long retired topic.
  • I've never been able to understand why it's the 'good' IRC networks that suffer this way. Something as wonderfully free as EFnet is going down the tubes, yet ultra-lame browser-based chat networks (yahoo, msn, AOL) all seem to be proliferating without any major problems.

    I remember when MS started bundling MS-Chat with IE and suddenly you had people getting on to IRC who wanted to "whisper" and always annoyed everyone in the "rooms" especially the "hosts". Yet, the same people who whined the most about this bastardization of IRC from MS, are the ones who end up destroying the networks where there are any 'true' IRC'ers left.

    I for one hope to see the day when I'm relegated to commercialized chat services to get in touch with people.

    ---

  • ummm that is nice but the ping will still hit the box itself. i am sure that any admin from one of the big 3 networks will agree with me here. you can filter all and block the whole universe but it will still hit your router or box or what have you and still knock you out. hitting a 5 meg link with a 45 megs worth of data something has got to give after a while and that 5 meg link is going down no matter what you firewall or block.
  • by vergil ( 153818 ) <<moc.liamg> <ta> <bligrev>> on Tuesday November 07, 2000 @11:34AM (#641516) Homepage Journal
    The more this type of activity occurs, the easier it will be for the media to publish superficial, hysterical "exposes" on the ability of tech-savvy adolescents with overpowered software to meddle with the goals of more responsible folk ... and the easier it will be for jingoist politicians to pass laws criminalizing the use of legitimate tools (debuggers, hex editors, etc.) thereby making life more difficult for us non-script kiddies.

    On the other hand, I'm not issuing a blanket condemnation on all hacking. Just saying -- For Jebus' sake -- at least do it artfully.

    Sincerely,
    Vergil

  • > People really still ignorant towards IRCnet? No, we just don't care :)
  • You forgot ...

    #5 Require ISP's to throw away packets outside of their assigned IP ranges.

    That would certainly help, but who'd police it? The enforcement is more problematic than the fix.

  • I assume, of course, that you never check out links in posted news stories.
  • I propose that we modify our network stack a little to get rid of some of these attacks.

    Instead of the three way handshake(TCP's connection intiator) taking place on the content provider lets have it take place on a new server called a identity verifier. Now when you want to connect to a content server whatever it may be httpd, ftpd, whathaveyou. You send your tcp request to the verify server. if approved your TCP connection is transfered to the content server. Now there should be multiple verify servers so that you can't just take them all down( a few thousand should do.). Now your content provider only accept connections from these trusted verify servers. If one comes from another source it is dropped. I think we could implement this but i'm busy with another project called dgroups(a decentrallized network) so i am a little busy. if you have any questions about implementation email me.

    slakowske@yahoo.com

    Time is Change.
  • You misunderstood my point, it was not about why a kid would *want* to do (this is obvious), but why a kid *could* do it.

    Your comment illustrated my point perfectly that people focus on the why "little Johnny" did whatever evil thing he did as opposed to why it was so easy for little Johnny to cause such havoc in the first place.
  • Being in network security, I can say that this impression comes from the fact that everyone that I have ever had contact with, and did this kind of thing, was under 20. Kids (and by this I really mean teenagers) have the double problem that they are just finding out that one of the largest technical achievements of the human race is available for them to play with and they also have the sense of adventure of... well... teenagers.

    A lot of the "script kiddies" and "DoS weenies" out there are doing what they're doing because it seems cool. As they grow older, most of them smarten up and a) put those skills to work in industry b) get a lot more selective and careful or c) end up in prison. The latter is less common, but getting more common, woefully.

    What I'd love to see is a computer security service where kids that get caught are put to work doing "community service". Nothing that they could exploit, but simple things like cross-checking log files; manning snail-mail campaigns to send out security bullitens and so on.

    Now, that would be a political program that I could get behind. But, of course, it's not the "throw the bastards in jail" approach that's so common these days....
  • OBVIOUSLY to disparage the mentality and maturity of the attacker.
    it's propaganda.
    maybe that was a troll, and I bit?
  • What's 31337? [watson-net.com]
    Beware, it's ASP!
  • I'm no Linux/Unix admin but shouldn't Linux Syn Cookies prevent DoS attacks. Syn Cookies [cr.yp.to]
  • And the real question is , if he is pissed at us, why didn't he just call me, sheeze, it's not like I'm hard to track down.

    Course, if he does track me down now, I don't think I'd be very kind to him or her.

    I personally think it's a red herring though.

    Chris DiBona
    VA Linux Systems
    --
    Grant Chair, Linux Int.
    Pres, SVLUG

  • by irq ( 68200 ) on Tuesday November 07, 2000 @12:26PM (#641527)
    As admin of adams.openprojects.net, one of the servers that was DoS'd, I felt that I should give my own attempt at trying to find out exactly what was fueling his rage... he wouldn't tell me, or state any reason at all as to why he was doing this; he told me to ask someone else, who also didn't know.

    This comment is mainly in response to one of the previous comments that basically scolded the slashdot crowd for not "understanding" the "pressure" this person was under, from VA Linux, apparently. How can we know what pressure he was under if he wont even tell us what happened? He's doing this practically as a "punishment", but we don't even know what we're being "punished" for.

    I hope this ends with him being prosecuted, and I fully plan on submitting the 22MB log of eth0 traffic during the attack to the FBI and whoever else will be investigating it. I eventually plan on publishing the entire thing so everyone can see exactly how he formed these attacks. They were mostly the standard UDP floods, but the originating IPs are the interesting part.
  • How many networks will totaly fail before irc finds some real solution to all its problems. Or will irc just fade into oblivion... a relic like my atari.
  • If you're running an IRC server, you have to expect this. I'd imagine every network with more than 3 users will be DoSed big time at least once. For the "big three" I'm sure it's almost constant.
  • Now I've... oh wait, THAT I've seen.
  • HEheheuhuh, ehehuhehehe, um, what?!? ;-)


    Slow moving marsupials and the women that love them
  • by Anonymous Coward on Tuesday November 07, 2000 @11:16AM (#641532)
    > DoS attacks just aren't cool ever.
    Except when it's called "the slashdot effect". Has anyone tried to get to mozillazine since 12:49 today?

  • So a childish mentality directly equates to a destructive nature? Children are inquisitive by nature, not destructive. Sure, that nature can sometimes cause them to commit bad deeds, but kids are not naturally malicious. If anything, its their parents and their environment that makes them that way. I have seen MANY more malicious adults than I will ever see in a group of children.

    Being a child is a natural part of human life... theres nothing wrong or evil about it, so why do we use it as an insult to people for commiting acts that are more likely to come from the attitudes of bitter old men than children? I motion that from this day forth we call them script fogies. Heh.
  • DoS attacks aren't cool unless it's Microsoft, Hotmail, or MSNBC getting f&cked.

    (not my feelings, but seems to be the general feelings in /.)
  • Isn't anyone else bothered by how it is always assumed that it is a kid thats making these attacks? I used to be a kid once, and didn't appreciate everything being blamed on my generation. Be realistic, people, it takes EXPERIENCE to become a true asshole; kids are amateurs at best... the REAL jerks are the seasoned veterans


    True, maybe it's just easier on the ego to say it's some pimplefaced 14 yearold kid that doesn't know a tenth of what you do. Maybe one of the reasons we are so succeptable to DoS attacts is because we underestimate the ability of the attacker. Just because he didn't root your system doesn't mean he can't, DoS attacks are very dangerous and attract alot of attention because they can last a very long time.

  • Here's a question for you folks:

    Is it that the protocol for IRC is inherently instable?
    Or is it just the implementations?

    --
    Give a man a match, you keep him warm for an evening.

  • With all the DoS activity that's been going on for the past year or two, I have to wonder when the ISP's are going to take it seriously enough to filter "spoofed IP" packets originating from their customers. If the packet-stormers are denied the veil of spoofing, they should be easy enough to deal with... assuming of course that the upstream providers actually give a sh*t. (I've been ignored by several large ISP's when offering logs of their users attacking my servers). Unfortunately, the rapid growth of broadband internet access hasn't been accompanied by an equal growth of responsibility... hence the script kiddies can play their games ::sigh:: (disclaimer: I refer to them as "kiddies" to reflect the aparent level of maturity, NOT age.. my 14 year old son is far more mature than these bastards)
  • So - the site is slashdotted already - this is why I think Slashdot should mirror websites in Freenet. I understand that there is a problem relating to banner ads - however if the mirroring is done correctly the links to banner-ads can be retained (there is already a utility for mirroring websites for Freenet). I also understand that /. is concerned about the delay imposed by seeking permission to do this - however they could suck the website - publish it on /., while simultaenously seeking permission. When permission is granted the mirror can be made available.

    --

  • Nah. Last I heard, he was attacking OPN because one of it's servers is hosted by linux.com. Maybe if someone can produce a mirror of the article in question we can get real answers.
  • I'm sorry but if somebody threatens to DoS me over IRC, and then proceeds to do so, CALL THE POLICE. CALL THE FBI. You know who he is. You know where he's IRCing. Log the information, and TRACK THE ASSHOLE DOWN. If he's IRCing from his own ISP (unlikely, but IRC is full of stupid kids), call the ISP and shut the account down. If he's bouncing from one or two sites, look up the IP address (do a WHOIS against ARIN) and call them up. Solicit their help in tracking him down. It should be obvious where he's connecting from (a 'finger' or 'netstat' should make that apparent, assuming the machine isn't compromised, in which case a network sniffer or 'tcpdump' will let you do the same), and back-track.

    I know we all seem to think script kiddies have these l33t ways of hiding their identities, but it all boils down to a few responsive phone calls and you can nail anybody back to their ISP. Any competant ISP will have caller ID records for the incoming call. Granted, they won't give you this information, but they will certainly note it. Let the feds do the rest.

    Why do people not even think about taking these steps? If you can't reach an ISP's network center, GO OVER THEIR HEADS. Contact their uplink.

    The more we whine and say DoS attacks suck, and the more we DON'T pursue and put these fuckers in jail and slap enough damages on them so their parents lose their house and car, the more powerful and untouchable they feel, and the more bolder they get.
  • 2)How many people/corperations are there who do have 45Mb/s access? The last 2 fortune 500 IT companies (one 100, one 100-200) I worked for had2Mb/s

    I think He has 22x2mb or something similar. Not one 45mb link. Most of his boxes are probably rooted.
  • Keep your jealousy off /.

    It has no place here.

    The only reason you fantasise about 133t j03 being homosexual (quite untrue, BTW) is because then he would be willing to screw you, and you would enjoy it.

    You are jealous of the stable of adoring femmes that j03 services on a daily basis.

    Well, nomatter how you try, you will never turn j03 into a faggot, so you'll need to take your dreams elsewhere.

  • `I've never been able to understand why it's the 'good' IRC networks that suffer this way.' Good IRC Networks have many users. Many users means many lusers. They get into trouble on IRC and want usually want to annoy a certain individual and are not really aware they're also annoying other IRC-users.

    This specific attack is - in my opinion - an extraordinary one; it's target is the IRC-network itself and the one doing the attack is perfectly aware of the harm he or she is causing. I don't think you can compare this attack to the `everyday-attacks'.

  • I was referring to the more general process of pinging someone to calculate latency.


    --

  • Numbers two, three, and five would only help if the US were the only country with net access.
    As for items 1 and 4, the damn .jp admins can't even close their open mail relays, so I don't think items 1 and 4 will be happening on a global basis either.

    Maru
  • Not caring is one thing, getting your facts straight is a different one. If you don't care about the _facts_ regarding a certain subject, keep your mouth shut and your fingers of your keyboard in matters related to that subject. If you don't know or CARE that there are in fact four big IRC networks where there was only three three years ago, don't go spreading your ignorance regarding IRC. At all.

    :/

    -

  • Rules are NOT there to be broken. The are there so stupid people don't mess it up for others. When the stupid people break them, the stupid people will be punished.

    You also claim you have been on the network for yonks. If you have, then perhaps you should know the rules, what is accepted and what isn't.

    I think before threatening an Oper, you should give due consideration. He offered to voice you if you promised to be reasonable. Since you clearly couldn't do this, I don't think it's his problem that he didn't voice you.

    And not at one point did Jim act like a bastard. You couldn't even apologise for causing trouble, you may have not intended to do this, but from the reactions of the people in the channel, you did. You had the option to leave, but didn't. You were warned. He backed down when it should quite clearly have been you.

    And I somehow doubt you could do the job of Jim, or any other Oper. If you call that peaceful, you'd probably call WWII a convention of Greenpeace.

  • Nobody's attacking DOS. They're attacking DOSattackers. So they're defending DOS.
  • The worst loophole I saw so far was when someone searches posts for mods a person they didnt like made, then metamods those posts. I saw some long decription about it once, but dont got a link handy. In theory if this is actually possible, a load of people could gang up one someone, mess with his moderation, and screw his karma VERY quick.
  • "Don't bother wasting your time trying to teach these kinds of people how to live in society."

    Great. Let's start with you, since you seem to not have the same sort of social graces as I. I recommend something between prison an a concentration camp... or, did you mean "other people".

    "Weither they are 10 or 30, they should have learned this kind of anti-social behavior is inrolerable."

    Well, let's see. When I was 10, I was shop-lifting (seemed harmless enough to *me*) and getting in fights at school. Would I have been a script kiddie? Probably. Would saving my future by showing me the concequences of my actions have been useful? Certainly!

    "[If they had good parents] maybe we wouldn't have so many mentally unstable people."

    Woah! There's a whole lot of mistakes all in one phrase. What makes you think that your average script kiddie is "mentally unstable"? I think most of them are just a) currious and unaware of the damage their doing, b) bored and/or c) trying to get a little attention from their peers (which even the most "mentally stable" among us do).

    These are mostly younger people who have no real idea of what they're playing around with or why. Many of them are our future sysadmins and security experts. Treating them like rapists and murderers is not the correct solution. I proposed a way to deal with the problem which could probably even MAKE a little money, and CERTAINLY cost less than prison (community service always does, as you don't have to house, feed and provide medical services for your convicts).

    What exactly was your problem with my proposal, or were you just looking for a place to flame?
  • by bruns ( 75399 )
    These damn packet kiddies dont know when to quit. I was the one which brought in a server to help hub the net... Then hell broke loose. Before we even knew what hit us, it was over. Several T1s worth of bandwidth hit us suddenly and left us with no way to access the server to figure out what had happened. Then a second later we had recovered and things were back to normal.

    One of those times where a cluebat or a clue-by-four would come in handy to bash this kids head in...
  • And what, exactly, do you have against fart jokes?

    Sometimes jokes get funnier with repitition. If your mind can't handle it, then perhaps you need an infusion of squirel juice.;-)


    Slow moving marsupials and the women that love them
  • Adults don't bother DoSing IRCs, or committing other acts of petty vandalism.

    It's like asking "Why is it always 'some kid' who spraypainted 'Sckool Suks!' on the cafeteria wall?"

    Adults commit crimes for profit or principle, make annoying fools of themselves in public, or play mean and petty pranks on individuals who they feel have wronged them, but it is vanishingly rare for one to anonymously commit an act of public vandalism. Attacking the whole community out of pure spite is something that can't possibly produce any useful effect or profit, and even the worst "veteran jerks" learn this by their early 20's.

    --------
  • If you noticed, Taco also wondered out loud whether he could "kill him." Are you going to now claim Rob is homicidal?

    Now, if you've got an example of Taco *seriously* advocating a DoS on anyone, come back and post it. Otherwise, go back to the hole you crawled out of.

  • Someone who still uses these tactics as an adult as usually told to "grow up". Go figure.

    ------------------
  • by msuzio ( 3104 ) on Tuesday November 07, 2000 @12:47PM (#641577) Homepage
    With all the notes about how hard it is to prosecute this sort of activity, I really have to wonder... how long will it be before someone in a maddening situation like this cracks and puts a *real-life* hit on the luser?

    I mean, sure, he's 31337 and all... but someone out there probably knows who he really is. And could be persuaded to go over there with a baseball bat and DoS his head.

    Not that I advocate this at all :-). I just know I was sorely tempted at times when as an undergrad, high-school kids kept hacking into our school network. These were known to be local kids; hell, sometimes they would just walk in to the lab and shoulder-surf until they got a password, then sit down and log in. Our head admin chased one haX0r all the way out of the building and onto the dirt bike the kid had sitting outside the door...

    Anyway, I predict the development of Black ICE soon :-).
  • This would never, NEVER work in todays fucked-up, PC(that's politically correct) world.

    I used to work with a guy (during my farming days) that talked a lot about the "good ol' days" when people could get by with things like that. He told a story about how this guy kept beating his wife and kids. The nieghbors found out about it and the guy telling the story, along with four or five other neighbors, paid the wife-beating shit-head a little visit one evening. They basically left him close to death, and the hospital refused to see him (because they knew why he had had the shit knocked out of him). He eventually did recover, who knows how. But he never again laid a finger on his wife or kids.

    I'm sorry if the above story offends you, but there are some people in this world that simply do not understand any language other than violence. And at some point we need to get over this "I feel your pain" bullshit approach and say, "Heh, you fuck with me and I'll take your goddamned head off." It isn't necissary in ever situation, and I'm not a real hard-ass about it. But for god's sake, let's be realistic. If someone doesn't understand repeated warnings, you don't need to go looking for all kinds of reasons that it's not his/her fault. I don't care if his parents abused him. I don't care if his god has forsaken him. I don't care if he lost his puppy at the wrong time in his childhood. If he is acting as an adult it doesn't matter what happened in his childhood. He should be fucking responsible for what he has done. Get over your childhood and move on.

    Psychology is just as damaging to the human race as religion. And in the end, it will leave us all a bunch of homogenized, slobbering, drewling idiots. Equal but different isn't "fair". And some people just won't be happy until the world is completely "fair". So say goodbye to original thought. Original thought leads to conflict. And conflict is "unhealthy" (even if it is the way we progress). Bye, bye reality. Hello psycho-shit!

    Sorry for the rant, but the above poster hit on one of my favorite bitches about the PC world of today. Kick some ass when it's necissary! And get over it if you think "it's not their fault". If you are the one doing it, it's your fault. Deal with it.


    Slow moving marsupials and the women that love them
  • stop saying hella!!!!!!
  • by SuperQ ( 431 ) on Tuesday November 07, 2000 @12:53PM (#641581) Homepage
    I sponsor an openprojects server, vinge.openprojects.net, It's just for testing, we only have 5 users attached to it, yet this person felt it should be offline, so he sent over 100mb/sec down the pipe, slowing down the local backbone, (3 45mb DS3's at visi.com) and choking my poor ISP off for 15min.. that's not a long time, but to a modem customer who is surfing, or trying to get email, it's the end of the world. I just moved to this ISP recently, and I've allready got a bad rep with the admins. luckly I've known them for years, and they are personal friends, but it looks really bad when all i do is attract flooding, and DoS. they have enough problems with wu-ftpd scans, and netbios crap. I pay for the hosting, and the box out of pocket, so a few of my friends can get email and IRC, I ask myself, is it worth it? this is the closest i've come to saying no in the 2 years i've run nerp.net.
  • (Score:0, Troll)
    wow, harsh mods!

    looks like I can't even make a joke, one poking fun at MYSELF, without gettin modded down.

    oh it is a sad day when passing ruffians can say "troll" at will to young posters. Why, even those who type and post insightfully are at considerably moderating stress at this period in history
  • by Eric Seppanen ( 79060 ) on Tuesday November 07, 2000 @11:49AM (#641584)
    Advogato seems a little slashdotted. Here's the text of the article:

    Open Projects Net: Denial of Service Attacks

    Posted 7 Nov 2000 by lilo [advogato.org]

    Open Projects provides interactive facilities for coordination and support to groups and projects involved with open source. We run between 1,500 and 2,000 clients and are home to such projects as Debian GNU/Linux and Enlightenment. We've had our share of difficulties recently, but we're continuing on.

    The past few weeks have been quite an experience. Last week one of our hubs on Open Projects started going up and down like a yoyo. I'd seen that behavior in this normally very reliable server in recent weeks and not thought much of it, since the company in question was in the process of moving its facilities and reliability issues do sometimes creep in during such moves. But we soon obtained a little bit more insight into the problem. After watching the server perform a loop-de-loop, I received a /MSG from a rather peremptory and anonymous skript kiddie informing me that if I didn't permanently remove the sponsor's server from the network, he would kill my home ADSL line and take down Open Projects until he got his way. It seems he feels the sponsor owes him money. I'm afraid I wasn't very polite in my response. Feeling that one can hardly allow psychotic delinquents to dictate network policy, I explained to him that while he might very well be able to take down our network, he was not going to set policy, and specifically I would not entertain the notion of removing our sponsor's machine.

    The last week has been interesting. Apparently this petulant child has something over 45Mbps to play with, and he's moderately competent with SYN attacks and so on. In various incidents throughout the week he packeted ISP's and universities and small companies to death to demonstrate his, uh, prowess with borrowed equipment. Currently he has proclaimed that he'll be taking down our network once a day for an hour until his wishes are granted. All I can say is that he's going to be doing it for a long time if that's the case; the heat death of the universe isn't due to arrive for some time.

    Throughout this experience I have noticed it's very difficult to coordinate much of a response from ISPs and backbone providers. An unofficial contact at uu.net explained that we must notify his security people while an attack was taking place for them to have any chance of thwarting it. They thoughtfully provided him with an email address rather than a telephone number to give to us, explaining that this is a matter of policy. Perhaps they don't understand that packeting can affect services like email. Or perhaps they are simply extremely comfortable, their owners having cornered much of the backbone market after the last round of industry mergers. My employer's ISP was targeted, and so far the people at the ISP seem a little bewildered, though they're game to fight the good fight. Some folks with very nice bandwidth contributed a server today to see if we couldn't keep our hubbing working through an attack, and the skript kiddie seems to have gone after their routers, leaving very little in the way of evidence behind him as to his point of origin.

    As a first, one of our admins contacted the FBI at our request. I'm not sure this will accomplish anything useful, but it's certainly worth a try. It is worth noting that, as a philosophical anarchist, I'm usually not inclined to bring in the muscle of a law enforcement agency to resolve such disputes, preferring to reason with the party or parties involved. But in cases where the problem user has learned his manners from repeated viewing of Robocop, well, there's not much one can do but consider the business to be a declaration of war.

    At any rate, it seems to me that this otherwise very mundane set of attacks points to a long-standing problem with the Internet: Denial-of-service attackers have location indirection, but content services and users are left in plain sight as targets for their efforts. I'm hoping Corridors [advogato.org] will helpful in dealing with this problem, though it's a fairly long-term project (and constantly in search of additional expertise to finish the design and begin the actual implementation). Meanwhile, we go on, attempting to devise kludges to improve the robustness of ircd in the face of all-out attack.

    Any assistance from the readership in combatting problems which we have never experienced in quite this magnitude would be greatly appreciated.

    Thanks to the Magenet people and Diane Bruce and F. John Rowan of the hybrid ircd project for their assistance. Thanks to the many users and admins of OPN, whose patience and support have been impressive. And thanks especially to VA Linux for their help and support; they've been real heroes and deserve a great deal of praise. And no, we're not going to delink their server, however many or few seconds we have to comply. ;)
    --

  • by Anonymous Coward
    DoS attacks just aren't cool ever.

    From:
    http://www.slashnet.org/for ums /Slashdot-05Oct00.html [slashnet.org]

    [21:17:34] <CmdrTaco> bob_jones_iii is being an annoying prick.
    [21:17:43] <CmdrTaco> can we kill him? someone dos him ;)

    Sheesh. Not cool. Ever. Except when it's convenient. (I Quote from comment #125 by arcade [mailto] on the comments thread from http://slashdot.org/articl es/ 00/10/07/0025253_F.shtml [slashdot.org]:

    Cmdrtaco sounded a lot more like a scriptkiddie than I really liked. Comments like:

    bob_jones_iii is being an annoying prick. can we kill him? someone dos him ;)

    Really really disappointed me. Sure, he's got a smiley there, but still. I wouldn't be surprised if someone actually DoS'ed the sucker because "o allmighty Taco told them to".


    Slightly offtopic? Perhaps. Making a point? Absolutely.
  • It makes us protocol developers think about how to combat them. Eventually they(DoS attacks) will be harder to execute and more likely to be tracked. Unfortunatly in the meantime we have to bear with it. Be patient we'll get there, hopefully sooner than later.

    Time is Change.
  • Nahh, IRC will last forever, just like Citizens Band. 10-4 good buddy!
  • 31337
    eleet
    "elite"

    Note that "eleet" should be in caps, but of course SlashDot's "lameness filter" stopped me from posting when I used all caps. Brilliant guys, just brilliant. Could you also filter out all "18+" links on the basis of a simple checklist?
  • There was an O(n^2) inner loop for reading the trust metric cache, because it was using the Apache table functions. Also, as a more minor problem, this cache file was being stored as an XML file, which took a little while to parse.

    After a little on-the-spot programming, it's now stored as a plain text file.

    So thanks to Slashdot for motivating me to do this fix. I had noticed the performance was getting a little clunky, but it was good enough until now.
  • I think I'd rather be a "DoS attacker" than a "DOS Advocate" I think it's kinder to take down a site than promote M$ software.

    Steven
  • Its pretty terrible when a kid goes bananas and can damage the volunteer efforts of many people working really hard to create and support something so many of us use and enjoy. (Not an *exact* quote, my spellchecker fixed the "bananas" misspelling)

    I think the fact that "a kid" can bring down such a system with relative ease is the real problem here.

    I hate to say it, but people tend to ignore the root of the problem (ugh, a pun) and focus on the fall guys involved to draw attention away from the shortcomings of the system being discussed.

    And this is not a slam of Debian, Linux, or any OS specifically, it is more a commentary on the overall lack of concern over the underlying reasons why "a kid" can do such things in the first place.
  • All that proves is that the network has some pretty good ops, while this "rendition" guy is a whiner who did something wrong (by his own admissions) and can't deal with the consequences of it.

    Finkployd
  • Right...

    1) Secure all servers

    This works with cars and businesses with a high initial cost. OTOH, anyone with a decent OS can run an Internet service. You probably run a few at home. We've tried to stop Napster, drugs, and alcohol; so far, one out of three has been only slightly better than a huge failure. In addition, even well-known servers have holes discovered in them after they've been out for quite some time.

    2) License ISPs
    Can be done, but remember that the big ISPs are just as bad. Remember today's spam article? The top sources of spam were all massive ISPs.

    3) Make spoofed packets illegal
    See #1. In fact, this would be harder to track down than #1, since the packets are spoofed :-)

    4) Authenticate everything
    Like you said, Duh! :-)

    5) Criminalize all scanning, including pings and probes
    Re pings: The author has obviously never played Quake before. And about probes, where do you draw the line between legal and illegal? Is trying a few ports illegal? What if I go to a server and connect to telnet, http, and sendmail? Those ports all have legitimate uses; see #1. Ah ha, you (or the author) say, but I would only outlaw automated attacks. This is dubious at best, and it still runs into the same issues as #1.

    Again, like you said, the Internet is structured as to be vulnerable. At this point, no amount of words can change that fact.
    --
  • by romco ( 61131 ) on Tuesday November 07, 2000 @11:16AM (#641621) Homepage
    Someone find a ip # on this kid so we can ./
    him.
  • by MustardMan ( 52102 ) on Tuesday November 07, 2000 @11:16AM (#641622)
    Isn't anyone else bothered by how it is always assumed that it is a kid thats making these attacks? I used to be a kid once, and didn't appreciate everything being blamed on my generation. Be realistic, people, it takes EXPERIENCE to become a true asshole; kids are amateurs at best... the REAL jerks are the seasoned veterans
  • When you act like a two year-old...
  • by Nidhogg ( 161640 ) <shr.thanatosNO@SPAMgmail.com> on Tuesday November 07, 2000 @11:20AM (#641626) Journal
    Nine comments into this and it's already /.'d.

    Didn't you JUST say that DoS attacks weren't cool?

    Hypocrite.

  • Our head admin chased one haX0r all the way out of the building and onto the dirt bike the kid had sitting outside the door...
    Too bad (for the admin) it wasn't a British motorcycle...

    --
    Americans are bred for stupidity.

  • by BugMaster ChuckyD ( 18439 ) on Tuesday November 07, 2000 @11:20AM (#641628)
    DoS attacks just aren't cool ever

    Good one Taco.

    Looks like the link is getting the most effective DOS attack known to man: "The Slashdot Effect"
  • NOW it's offtopic :)

    and there goes my karma

    but thats ok, I will call myself a martyr.

    Oh, how my life was ruined by the evil karma nazis.

    I bet I'll get an NBC TV Movie. :)

    'Course, I COULD use my +1 bonus to post this drivel, but I am being good
  • by toastyman ( 23954 ) <toasty@dragondata.com> on Tuesday November 07, 2000 @12:00PM (#641644) Homepage
    I've been involved with IRC in one way or another for about 7 years now. It's reasons like this that I do NOT run an IRC server anymore.

    Around 5 years ago, I ran toast.ne.us.dal.net, part of the DALnet [dal.net] IRC network (obviously). The bandwidth for it was generously donated by a local ISP, in exchange for borrowing some of my expertise from time to time. We only had a frame relay T1, but easily held more than 1000 users at a time.(Which was a record, for a short period) With popularity, attacks started coming.

    The first thing that hit was SYN floods. Linux added the TCP cookies feature, which helped a bit. Then raw ICMP echo request floods, which caused us to get icmp blocked at our uplink, which hurt our customers, but was deemed worth while. Then when ICMP didn't work, people flooded the crap out of us with UDP. Then the Smurf attacks started. It came to a point that more often than not, during the evening, I was spending my time on the phone with our increasingly annoyed uplink getting things filtered and blocked.

    In 1996, I moved to Illinois, and took the server with me. I started my own ISP on two T1's, and pretty immediately decided to pull the DALnet server, when the period of time that we're getting flooded exceeded the time we weren't. I then moved my IRC server to a much smaller network called NewNet [newnet.net]. While the floods were much worse, it still was a perpetual annoyance that some brat in Israel decided he didn't like us, and would reguarly flood us from hacked .jp servers, who we could never get the admins to fix. I'd also get people attacking my router directly, affecting thousands of customers, all over a silly IRC matter...

    Then one day, the "script kiddies" discovered Wingate. Wingate is a highly useful Windows proxy system, that was unfortunately shipped for quite a long time in a highly insecure state. They had a telnet and SOCKS4 proxy sitting wide open, with no passwords necessary. One script out there would go scanning through cable modem and DSL netblocks, gather a list of a few thousand insecure wingates, and connecting them ALL to our network, using them to flood the crap out of us. No longer could we even ban naughty users, because they had thousands of hosts they could choose from.

    One VERY frustrating day, I ended up writing a little tool to scan EVERY user who connected to our network, to see if they were actually connecting from an insecure proxy server. Worked wonders, but we had thousands of nasty e-mails from people asking why we were trying to hack them (by connecting to port 1080 then immediately disconnecting?). Much education was required, and many notices of "You're about to be scanned, disconnect if you don't want this to happen" were necessary to prevent some idiots with a firewall they didn't understand from flooding abuse@dragondata.com with nonsensical complaints about hack attempts.

    Today, floods are much more sophisticated than the ones we saw 5 years ago. Current floods are completely legitimate TCP/IP packets, that look real. Not floods of SYN's, but real looking data, that you can't just slap a simple filter in to get rid of. Now, unless you're using a stateful firewall that can detect this sort of thing, you're pretty much screwed. (FreeBSD's ipfw system is now stateful, and works quite well for this sort of thing.)

    Really, here are the major problems.

    1) Network administrators don't secure their networks. They may secure their machines, but they let their routers blindly pass off spoofed packets, when it would be pretty easy in 99% of the cases to block packets with source addresses coming from a port that they don't belong in.

    2) Any complaint to any abuse@ address that involves IRC seems to go into /dev/null. A wonderful discussion has gone on on the NANOG(North American Network Operators Group) mailing list, the past few weeks about this very problem. "IRC is stupid, don't make yourself a target" is something heard all too often. If people would just secure things now, when someone's attacking a web server, or something else of yours, you won't have that problem either. What if someone decided to DoS one of the major political party's web pages today, with the same types of floods? It's the same problem, but somehow this is worth investigating, but not if it's IRC? Yes, IRC isn't as philosophically important, but it's a very popular service, none the less...

    3) It's nearly impossible to prosecute the people who do this. I've talked at great lengths with the FBI and other law enforcement agencies. While they sympathize, unless they have a huge dollar amount in damages they can show, there's little they can do.

    4) The same companies and universities get hacked over and over again. I'd like to see someone sue one of them for negligance one of these times.

    5) Stupid battles like this are really putting a drain on the IRC community. IRCD server software has pretty much gone untouched over the last few years, because any technically competant coders are busy coming up with proxy detectors and fighting floods, than writing code. There are things with IRC that could be done that would blow people away. But, I'm burned out. 7 years of fighting with people who need psychological help, because they do things like take down a huge network, instead of dealing with their issues in a constructive ways....

    6) People take IRC too seriously. It's just for fun, people.

    Kevin Day
  • that 45Mbps could be 1000 56k modems from as many dialup ISPs. Now who are you going to contact? This is what DDoS is all about :(

    Bill - aka taniwha
    --

  • I have a suggestion. Instead of linking directly to the tiny web server running on leech neurons or in a pizza box, can't slashdot just be nice and link to a Google cached copy (if one is available) instead of directly? For those who *really* want to pull directly from the poor victim, it's easy enough to read the big glaring "This is a Google cached copy" disclaimer and click through.
  • This is already answered [slashdot.org] in the faq [slashdot.org].
    --
  • This would be analogous to accidentally walking into someone else's house because you were distracted and misread street names, or accidentally trying to open someone else's car in the parking lot. The first is not breaking and entering, the latter is not attempted car theft, and there are ways to make that obvious in a legal dispute.
  • by toastyman ( 23954 ) <toasty@dragondata.com> on Tuesday November 07, 2000 @12:05PM (#641652) Homepage
    One other thing..

    I moderated/ran the Bruce Perens IRC Chat [slashdot.org] that was mentioned a few months back here. Idiots decided to ping flood his DSL line out of existance during the chat, and I had to call him on the phone and type his answers for him.

    People will ruin anything that can, I swear. :)

    -- Kevin
  • Yes, and it's very unfortunate that ISPs don't fight things like this more rather than just caving in.

    But you should also consider the ISP's position. Attacks like this often throw the entire ISP off the net, affecting *all* of their customers. Only the very largest ISPs can handle such attacks -- which waste large amounts of expensive connectivity.

    It's *much* cheaper to just get rid of the offending site in most cases, and since most ISPs are businesses looking to make a profit, that's what they do. They'd like to fight it, only the largest ISPs can afford to fight it.

  • Why must we endure *repeats* of jokes that were marginally funny the first time? BTW, the "Slashdot Effect" isn't a Denial of Service attack. Instead it's a "buttload o' people trying to hit the same resource at the same time" attack. They tend to be legitimate requests, not random DoS requests, unless Slashdot's audience is make of up drooling sub-human mouthbreathers who click on anything on the screen that's underlined.
  • by Anne Marie ( 239347 ) on Tuesday November 07, 2000 @11:24AM (#641657)
    According to Bill Machrone [zdnet.com], the way to stop DoS attacks is:

    1) Secure all servers
    2) Liscense ISPs
    3) Make spoofed packets illegal
    4) Authenticate everything
    5) Criminalize all scanning, including pings and probes

    Now, would any of these solve openprojects.net's malaise? #1 wouldn't, because it's not their server which is launching the attack; #2 is a structural change which would take too long to implement (even if it's desirable); #3 is promising but would be an administrative nightmare; #4 we should be doing regardless; and #5 is perhaps a necessary evil.

    The internet is fundamentally structurally vulnerable to DoS attacks. It's only a matter of pissing someone off and getting picked as a target. With the increasing politicization of everything on the net, the problems will only get worse.
  • SYN cookies only prevent SYN flooding. They don't prevent UDP flooding, ICMP flooding, TCP connection flooding, or any other DoS method.
    --------
    Life is a race condition: your success or failure depends on whether you get the work done on time.
  • #s 1 and 4 are desirable; the others are catastrophically bad ideas. Licensed ISPs aren't much different from a licensed press--and as any First Amendment lawyer can tell you, a licensed system of presses is illegal in the United States, as no government agency has that authority.

    Spoofed packets being criminalized is tempting only on its face. While Congress could very well make interstate transport of a ham sandwich illegal, this law would be impossible to enforce. Criminalization of spoofed packets would be in the same boat.

    Criminalizing all scanning is a case of throwing the baby out with the bathwater. Suppose that I own two machines, A and Z, and I traffic between the two is vanishing into the ether. Do I have the right to make a nonintrusive investigation into the cause of the outage? My instincts tell me yes, that the Ninth and Tenth Amendments cover legitimate inquiry into the world in which we live. Therefore, my use of traceroute and ping to locate the network outage is perfectly legal--after all, lacking mens rea, no crime can be committed.

    Securing all servers is an extremely good idea, as is authentication and verification of data. Unfortunately, 90% of the programmers I know can't be bothered to worry about anything as trivial as making sure it's Done Right, instead of Done Fast.

    The [I]nternet is fundamentally structurally vulnerable to DoS attacks.

    Agreed, but I like to approach things from a slightly different perspective. The Net was designed to be immune to a huge array of meatspace problems. The Net was not designed, nor could it have been designed, to be immune to netspace problems; after all, netspace didn't exist at the time the fundamental protocols of the Net were being developed.

    As the English techno band Shriekback noted, "[e]very force evolves a form." DoS attacks are just the form which force has evolved into on the Net.
  • by pjrc ( 134994 ) <paul@pjrc.com> on Tuesday November 07, 2000 @01:37PM (#641676) Homepage Journal
    3) Make spoofed packets illegal

    What about asymetric routing?

    I have two ISPs. One is a 128kbps frame relay, and the other is a radio link and a 33.6k modem. The radio link is approx 2 Mbit/sec with a reasonable latency, about 50 ms. The frame relay circuit has 20 ms latency. The modem just plain sucks, slow and high latency. The modem isn't even plugged in. I use use the radio receiver as a one-way link.

    If all spoofed packets were illegal, then it'd probably be illegal for me to send packets up the frame relay line, with the IP number belonging to the radio link. The ISP providing the upstream for the frame line says "we don't mind and we won't stop you unless someone starts abusing our network, and we'd probably have to upgrade the router to do it". The ISP providing the radio link doesn't really know... it's hard to actually get to talk to anyone there that knows anything... but from what I can tell, their scarce resource is the pool of inbound modems, they have more bandwidth than they know what to do with on the radio link.

    It's a pretty sweet setup, and it's all possible due to asymetric routing (linux) and that my upstream provider lets me send spoofed packets!

  • Tell him that when we do find him, we will rip off his head and piss in the hole. Then, once you mobilize us, we will start doing random stuff like cutting his phone line, setting fire to his dog, and leaving... let's call it "illegal" material in his mailbox right before we report him to the FBI.
    Just an idea. I hate people that jack with me and my friends, and I have a soft spot in my heart for seeing people get pissed on unfairly.
    If I ever meet up with this clown and find his email, I'll subscribe him to every "lolitasex" mailing list I can find. Especially if I can find some covertly operated by the boys in blue.

The only problem with being a man of leisure is that you can never stop and take a rest.

Working...