OpenProjects IRC Network Suffering DoS Attacks
Alowishus writes: "Open Projects Net, the IRC network which is home to Debian and other open source projects, has been suffering DoS attacks from a disgruntled customer of one of their server sponsors. Lilo, their sysadmin, describes the attacks here, and asks for assistance." It's pretty terrible when a kid goes bananas and can damage the volunteer efforts of many people working really hard to create and support something so many of us use and enjoy. The sad part is that whoever is doing this feels self-righteous and justified in his actions, so nothing any of us say will matter. I hope they catch him. DoS attacks just aren't cool, ever.
Pathetic (Score:1)
On Efnet, servers are regularly attacked, because the people there are less specialised. But on OPN?
How very very sad.
Re:Leave DOS alone!!!!! (Score:1)
____________________
Re:Why is it always "some kid"? (Score:1)
I'm probably the source of the 'kid' comment. I do not really know the age or gender of the attacker, and intended 'kid' as a description of maturity level rather than calendar age. Apologies to younger persons reading this, but I have frequently seen 14-year-olds act precipitously without considering the consequences of their actions to others. Obviously, though, maturity varies from person to person, and I've seen adults who never achieved a very impressive level of it either.
Rob L.
Re:How to stop DoS attacks (Score:2)
In a variation of "Make spoofed packets illegal", simply block outbound packets from your network that have a source address other than from your network. While this can be a big problem for core routers, it's really only needed at borders to other administrations. Logic could be added to inspect incoming packets by applying routing lookup to the source address. If the incoming interface is valid (not necessarily best, but at least valid) for the incoming packet, then it's OK. Otherwise discard it. Linux 2.4 now has this in the kernel. I've heard Cisco IOS has a form of this, too. It should be made to be the default configuration.
Re:IRC is example of open protocol failing miserab (Score:1)
Re:How long before this goes into meatspace? (Score:1)
Re:Why is it always "some kid"? (Score:1)
Nonetheless, I commonly see this assumption being made: whenever something gets h4x0r3d, it's immediately 31337 skr1p7 kiddiez. Does anyone stop to think it might just be some lazy pissed off jackoff IT guy?
Re:Coming back to haunt you. Boo! (Score:1)
"Hex, Bugs, and Rockn'Roll" --The Programmer's Digest [sufftech.net]
Re:6) Put the smackdown on these punks... (Score:1)
To take him down... (Score:1)
-----
Re:Typical feminazi (Score:1)
Re:Why is this offtopic? Pretty relevant (Score:2)
Slow moving marsupials and the women that love them
Re:FRIST (Score:1)
Re:Mirror in Freenet (Score:2)
--
Re:Why am I not surprised? (Score:2)
Re:How to stop DoS attacks (Score:1)
Re:Most large ISP's Don't Care. (Score:2)
1) If the attack is coming from _within_ an ISP, all bets are off.
2) How many people/corporations are there who do have 45Mb/s access? The last 2 fortune 500 IT companies (one 100, one 100-200) I worked for had 2Mb/s.
Surely that must narrow the attacker down somewhat.
I can't believe that ISPs are happy to _carry_ the attack. Why can't the ISPs be made responsible for the DoSs that they carry, maybe then they'd help trace them to their source as they pointed the fickle finger of blame further up the pipe.
FatPhil
Cool DoS attacks. (Score:1)
No this isn't something I've done, I'm an only child.
SCREW opn (Score:1)
Re:6) Put the smackdown on these punks... (Score:1)
Slow moving marsupials and the women that love them
Re:attack! (Score:1)
Re:Why am I not surprised? (Score:1)
Death of IRC? (Score:1)
I remember when MS started bundling MS-Chat with IE and suddenly you had people getting on to IRC who wanted to "whisper" and always annoyed everyone in the "rooms" especially the "hosts". Yet, the same people who whined the most about this bastardization of IRC from MS, are the ones who end up destroying the networks where there are any 'true' IRC'ers left.
I for one hope to see the day when I'm relegated to commercialized chat services to get in touch with people.
---
Re:How to stop DoS attacks (Score:1)
Another Consequence (Score:3)
On the other hand, I'm not issuing a blanket condemnation on all hacking. Just saying -- For Jebus' sake -- at least do it artfully.
Sincerely,
Vergil
Re:That's Life (Score:1)
Re:How to stop DoS attacks (Score:1)
#5 Require ISP's to throw away packets outside of their assigned IP ranges.
That would certainly help, but who'd police it? The enforcement is more problematic than the fix.
Re:Ha-ha funny funny, okay we *GET* it already. (Score:1)
Maybe it's time for TCP2 (Score:2)
Instead of the three-way handshake (TCP's connection initiator) taking place on the content provider, let's have it take place on a new server called an identity verifier. Now when you want to connect to a content server, whatever it may be (httpd, ftpd, what have you), you send your TCP request to the verify server. If approved, your TCP connection is transferred to the content server. Now there should be multiple verify servers so that you can't just take them all down (a few thousand should do). Now your content provider only accepts connections from these trusted verify servers. If one comes from another source it is dropped. I think we could implement this, but I'm busy with another project called dgroups (a decentralized network), so I am a little busy. If you have any questions about implementation, email me.
slakowske@yahoo.com
Time is Change.
Re:Which is worse? (Score:2)
Your comment illustrated my point perfectly that people focus on the why "little Johnny" did whatever evil thing he did as opposed to why it was so easy for little Johnny to cause such havoc in the first place.
Re:Why is it always "some kid"? (Score:2)
A lot of the "script kiddies" and "DoS weenies" out there are doing what they're doing because it seems cool. As they grow older, most of them smarten up and a) put those skills to work in industry b) get a lot more selective and careful or c) end up in prison. The latter is less common, but getting more common, woefully.
What I'd love to see is a computer security service where kids that get caught are put to work doing "community service". Nothing that they could exploit, but simple things like cross-checking log files, manning snail-mail campaigns to send out security bulletins and so on.
Now, that would be a political program that I could get behind. But, of course, it's not the "throw the bastards in jail" approach that's so common these days....
Re:Why is it always "some kid"? (Score:1)
it's propaganda.
maybe that was a troll, and I bit?
Re:How long before this goes into meatspace? (Score:1)
Beware, it's ASP!
Syn Cookies (Score:1)
Re:discussion with the attacker (Score:2)
Course, if he does track me down now, I don't think I'd be very kind to him or her.
I personally think it's a red herring though.
Chris DiBona
VA Linux Systems
--
Grant Chair, Linux Int.
Pres, SVLUG
discussion with the attacker (Score:5)
This comment is mainly in response to one of the previous comments that basically scolded the slashdot crowd for not "understanding" the "pressure" this person was under, from VA Linux, apparently. How can we know what pressure he was under if he won't even tell us what happened? He's doing this practically as a "punishment", but we don't even know what we're being "punished" for.
I hope this ends with him being prosecuted, and I fully plan on submitting the 22MB log of eth0 traffic during the attack to the FBI and whoever else will be investigating it. I eventually plan on publishing the entire thing so everyone can see exactly how he formed these attacks. They were mostly the standard UDP floods, but the originating IPs are the interesting part.
And again irc goes down the toilet (Score:1)
That's Life (Score:2)
IRC network? DoS attacks?! (Score:1)
Re:Ha-ha funny funny, okay we *GET* it already. (Score:1)
Slow moving marsupials and the women that love them
DoS attacks. (Score:3)
Except when it's called "the slashdot effect". Has anyone tried to get to mozillazine since 12:49 today?
Re:Why is it always "some kid"? (Score:1)
Being a child is a natural part of human life... there's nothing wrong or evil about it, so why do we use it as an insult to people for committing acts that are more likely to come from the attitudes of bitter old men than children? I motion that from this day forth we call them script fogies. Heh.
Re:Hrmm. (Score:1)
(not my feelings, but seems to be the general feelings in
Re:Why is it always "some kid"? (Score:1)
True, maybe it's just easier on the ego to say it's some pimple-faced 14-year-old kid that doesn't know a tenth of what you do. Maybe one of the reasons we are so susceptible to DoS attacks is because we underestimate the ability of the attacker. Just because he didn't root your system doesn't mean he can't; DoS attacks are very dangerous and attract a lot of attention because they can last a very long time.
Re:And again irc goes down the toilet (Score:1)
Here's a question for you folks:
Is it that the protocol for IRC is inherently instable?
Or is it just the implementations?
--
Give a man a match, you keep him warm for an evening.
::sigh:: (Score:2)
Mirror in Freenet (Score:2)
--
Re:It's probably just... (Score:1)
TURN HIM IN (Score:2)
I know we all seem to think script kiddies have these l33t ways of hiding their identities, but it all boils down to a few responsive phone calls and you can nail anybody back to their ISP. Any competent ISP will have caller ID records for the incoming call. Granted, they won't give you this information, but they will certainly note it. Let the feds do the rest.
Why do people not even think about taking these steps? If you can't reach an ISP's network center, GO OVER THEIR HEADS. Contact their uplink.
The more we whine and say DoS attacks suck, and the more we DON'T pursue and put these fuckers in jail and slap enough damages on them so their parents lose their house and car, the more powerful and untouchable they feel, and the bolder they get.
Re:Most large ISP's Don't Care. (Score:1)
I think he has 22x2mb or something similar. Not one 45mb link. Most of his boxes are probably rooted.
Re:i got (Score:1)
It has no place here.
The only reason you fantasise about 133t j03 being homosexual (quite untrue, BTW) is because then he would be willing to screw you, and you would enjoy it.
You are jealous of the stable of adoring femmes that j03 services on a daily basis.
Well, nomatter how you try, you will never turn j03 into a faggot, so you'll need to take your dreams elsewhere.
Re:Death of IRC? (Score:1)
This specific attack is - in my opinion - an extraordinary one; its target is the IRC-network itself and the one doing the attack is perfectly aware of the harm he or she is causing. I don't think you can compare this attack to the `everyday-attacks'.
Re:How to stop DoS attacks (Score:2)
--
Re:How to stop DoS attacks (Score:1)
Numbers two, three, and five would only help if the US were the only country with net access.
As for items 1 and 4, the damn
Maru
Re:That's Life (Score:1)
-
Re:Yeah it sucks... (Score:1)
You also claim you have been on the network for yonks. If you have, then perhaps you should know the rules, what is accepted and what isn't.
I think before threatening an Oper, you should give due consideration. He offered to voice you if you promised to be reasonable. Since you clearly couldn't do this, I don't think it's his problem that he didn't voice you.
And not at one point did Jim act like a bastard. You couldn't even apologise for causing trouble, you may have not intended to do this, but from the reactions of the people in the channel, you did. You had the option to leave, but didn't. You were warned. He backed down when it should quite clearly have been you.
And I somehow doubt you could do the job of Jim, or any other Oper. If you call that peaceful, you'd probably call WWII a convention of Greenpeace.
Re:Leave DOS alone!!!!! (Score:1)
Re:With regards to moderation (Score:1)
Re:Why is it always "some kid"? (Score:2)
Great. Let's start with you, since you seem to not have the same sort of social graces as I. I recommend something between prison and a concentration camp... or, did you mean "other people".
"Whether they are 10 or 30, they should have learned this kind of anti-social behavior is intolerable."
Well, let's see. When I was 10, I was shop-lifting (seemed harmless enough to *me*) and getting in fights at school. Would I have been a script kiddie? Probably. Would saving my future by showing me the consequences of my actions have been useful? Certainly!
"[If they had good parents] maybe we wouldn't have so many mentally unstable people."
Woah! There's a whole lot of mistakes all in one phrase. What makes you think that your average script kiddie is "mentally unstable"? I think most of them are just a) curious and unaware of the damage they're doing, b) bored and/or c) trying to get a little attention from their peers (which even the most "mentally stable" among us do).
These are mostly younger people who have no real idea of what they're playing around with or why. Many of them are our future sysadmins and security experts. Treating them like rapists and murderers is not the correct solution. I proposed a way to deal with the problem which could probably even MAKE a little money, and CERTAINLY cost less than prison (community service always does, as you don't have to house, feed and provide medical services for your convicts).
What exactly was your problem with my proposal, or were you just looking for a place to flame?
Gah (Score:1)
One of those times where a cluebat or a clue-by-four would come in handy to bash this kid's head in...
Re:Or do we? (Score:1)
Sometimes jokes get funnier with repetition. If your mind can't handle it, then perhaps you need an infusion of squirrel juice. ;-)
Slow moving marsupials and the women that love them
Because it always is "some kid" (Score:2)
It's like asking "Why is it always 'some kid' who spraypainted 'Sckool Suks!' on the cafeteria wall?"
Adults commit crimes for profit or principle, make annoying fools of themselves in public, or play mean and petty pranks on individuals who they feel have wronged them, but it is vanishingly rare for one to anonymously commit an act of public vandalism. Attacking the whole community out of pure spite is something that can't possibly produce any useful effect or profit, and even the worst "veteran jerks" learn this by their early 20's.
--------
Smileys mean he was joking, pal (Score:2)
Now, if you've got an example of Taco *seriously* advocating a DoS on anyone, come back and post it. Otherwise, go back to the hole you crawled out of.
Re:Why is it always "some kid"? (Score:2)
------------------
How long before this goes into meatspace? (Score:4)
I mean, sure, he's 31337 and all... but someone out there probably knows who he really is. And could be persuaded to go over there with a baseball bat and DoS his head.
Not that I advocate this at all
Anyway, I predict the development of Black ICE soon
Re:6) Put the smackdown on these punks... (Score:2)
I used to work with a guy (during my farming days) that talked a lot about the "good ol' days" when people could get by with things like that. He told a story about how this guy kept beating his wife and kids. The neighbors found out about it and the guy telling the story, along with four or five other neighbors, paid the wife-beating shit-head a little visit one evening. They basically left him close to death, and the hospital refused to see him (because they knew why he had had the shit knocked out of him). He eventually did recover, who knows how. But he never again laid a finger on his wife or kids.
I'm sorry if the above story offends you, but there are some people in this world that simply do not understand any language other than violence. And at some point we need to get over this "I feel your pain" bullshit approach and say, "Heh, you fuck with me and I'll take your goddamned head off." It isn't necessary in every situation, and I'm not a real hard-ass about it. But for god's sake, let's be realistic. If someone doesn't understand repeated warnings, you don't need to go looking for all kinds of reasons that it's not his/her fault. I don't care if his parents abused him. I don't care if his god has forsaken him. I don't care if he lost his puppy at the wrong time in his childhood. If he is acting as an adult it doesn't matter what happened in his childhood. He should be fucking responsible for what he has done. Get over your childhood and move on.
Psychology is just as damaging to the human race as religion. And in the end, it will leave us all a bunch of homogenized, slobbering, drooling idiots. Equal but different isn't "fair". And some people just won't be happy until the world is completely "fair". So say goodbye to original thought. Original thought leads to conflict. And conflict is "unhealthy" (even if it is the way we progress). Bye, bye reality. Hello psycho-shit!
Sorry for the rant, but the above poster hit on one of my favorite bitches about the PC world of today. Kick some ass when it's necessary! And get over it if you think "it's not their fault". If you are the one doing it, it's your fault. Deal with it.
Slow moving marsupials and the women that love them
Re:wrong (Score:2)
What did I do? (Score:4)
Re:Why is this offtopic? Pretty relevant (Score:2)
wow, harsh mods!
looks like I can't even make a joke, one poking fun at MYSELF, without gettin modded down.
oh it is a sad day when passing ruffians can say "troll" at will to young posters. Why, even those who type and post insightfully are at considerably moderating stress at this period in history
Link text (Score:5)
Open Projects Net: Denial of Service Attacks
Posted 7 Nov 2000 by lilo [advogato.org]
Open Projects provides interactive facilities for coordination and support to groups and projects involved with open source. We run between 1,500 and 2,000 clients and are home to such projects as Debian GNU/Linux and Enlightenment. We've had our share of difficulties recently, but we're continuing on.
The past few weeks have been quite an experience. Last week one of our hubs on Open Projects started going up and down like a yoyo. I'd seen that behavior in this normally very reliable server in recent weeks and not thought much of it, since the company in question was in the process of moving its facilities and reliability issues do sometimes creep in during such moves. But we soon obtained a little bit more insight into the problem. After watching the server perform a loop-de-loop, I received a /MSG from a rather peremptory and anonymous skript kiddie informing me that if I didn't permanently remove the sponsor's server from the network, he would kill my home ADSL line and take down Open Projects until he got his way. It seems he feels the sponsor owes him money. I'm afraid I wasn't very polite in my response.
Feeling that one can hardly allow psychotic delinquents to dictate network policy, I explained to him that while he might very well be able to take down our network, he was not going to set policy, and specifically I would not entertain the notion of removing our sponsor's machine.
The last week has been interesting. Apparently this petulant child has something over 45Mbps to play with, and he's moderately competent with SYN attacks and so on. In various incidents throughout the week he packeted ISP's and universities and small companies to death to demonstrate his, uh, prowess with borrowed equipment. Currently he has proclaimed that he'll be taking down our network once a day for an hour until his wishes are granted. All I can say is that he's going to be doing it for a long time if that's the case; the heat death of the universe isn't due to arrive for some time.
Throughout this experience I have noticed it's very difficult to coordinate much of a response from ISPs and backbone providers. An unofficial contact at uu.net explained that we must notify his security people while an attack was taking place for them to have any chance of thwarting it. They thoughtfully provided him with an email address rather than a telephone number to give to us, explaining that this is a matter of policy. Perhaps they don't understand that packeting can affect services like email. Or perhaps they are simply extremely comfortable, their owners having cornered much of the backbone market after the last round of industry mergers. My employer's ISP was targeted, and so far the people at the ISP seem a little bewildered, though they're game to fight the good fight. Some folks with very nice bandwidth contributed a server today to see if we couldn't keep our hubbing working through an attack, and the skript kiddie seems to have gone after their routers, leaving very little in the way of evidence behind him as to his point of origin.
As a first, one of our admins contacted the FBI at our request. I'm not sure this will accomplish anything useful, but it's certainly worth a try. It is worth noting that, as a philosophical anarchist, I'm usually not inclined to bring in the muscle of a law enforcement agency to resolve such disputes, preferring to reason with the party or parties involved. But in cases where the problem user has learned his manners from repeated viewing of Robocop, well, there's not much one can do but consider the business to be a declaration of war.
At any rate, it seems to me that this otherwise very mundane set of attacks points to a long-standing problem with the Internet: Denial-of-service attackers have location indirection, but content services and users are left in plain sight as targets for their efforts. I'm hoping Corridors [advogato.org] will be helpful in dealing with this problem, though it's a fairly long-term project (and constantly in search of additional expertise to finish the design and begin the actual implementation). Meanwhile, we go on, attempting to devise kludges to improve the robustness of ircd in the face of all-out attack.
Any assistance from the readership in combatting problems which we have never experienced in quite this magnitude would be greatly appreciated.
Thanks to the Magenet people and Diane Bruce and F. John Rowan of the hybrid ircd project for their assistance. Thanks to the many users and admins of OPN, whose patience and support have been impressive. And thanks especially to VA Linux for their help and support; they've been real heroes and deserve a great deal of praise. And no, we're not going to delink their server, however many or few seconds we have to comply. ;)
--
Coming back to haunt you. Boo! (Score:2)
From:
http://www.slashnet.org/forums
[21:17:34] <CmdrTaco> bob_jones_iii is being an annoying prick.
[21:17:43] <CmdrTaco> can we kill him? someone dos him
Sheesh. Not cool. Ever. Except when it's convenient. (I Quote from comment #125 by arcade [mailto] on the comments thread from http://slashdot.org/articles/00/10/07/0025253_F.shtml [slashdot.org]:
Cmdrtaco sounded a lot more like a scriptkiddie than I really liked. Comments like:
bob_jones_iii is being an annoying prick. can we kill him? someone dos him
Really really disappointed me. Sure, he's got a smiley there, but still. I wouldn't be surprised if someone actually DoS'ed the sucker because "o almighty Taco told them to".
Slightly offtopic? Perhaps. Making a point? Absolutely.
Granted DoS isn't cool but... (Score:2)
Time is Change.
Re:And again irc goes down the toilet (Score:2)
Re:How long before this goes into meatspace? (Score:2)
eleet
"elite"
Note that "eleet" should be in caps, but of course SlashDot's "lameness filter" stopped me from posting when I used all caps. Brilliant guys, just brilliant. Could you also filter out all "18+" links on the basis of a simple checklist?
Advogato performance problem fixed (Score:2)
After a little on-the-spot programming, it's now stored as a plain text file.
So thanks to Slashdot for motivating me to do this fix. I had noticed the performance was getting a little clunky, but it was good enough until now.
Re:Public Service Announcement (Score:2)
Steven
Which is worse? (Score:2)
I think the fact that "a kid" can bring down such a system with relative ease is the real problem here.
I hate to say it, but people tend to ignore the root of the problem (ugh, a pun) and focus on the fall guys involved to draw attention away from the shortcomings of the system being discussed.
And this is not a slam of Debian, Linux, or any OS specifically, it is more a commentary on the overall lack of concern over the underlying reasons why "a kid" can do such things in the first place.
Re: (Score:2)
Re:How to stop DoS attacks (Score:2)
1) Secure all servers
This works with cars and businesses with a high initial cost. OTOH, anyone with a decent OS can run an Internet service. You probably run a few at home. We've tried to stop Napster, drugs, and alcohol; so far, one out of three has been only slightly better than a huge failure. In addition, even well-known servers have holes discovered in them after they've been out for quite some time.
2) License ISPs
Can be done, but remember that the big ISPs are just as bad. Remember today's spam article? The top sources of spam were all massive ISPs.
3) Make spoofed packets illegal
See #1. In fact, this would be harder to track down than #1, since the packets are spoofed
4) Authenticate everything
Like you said, Duh!
5) Criminalize all scanning, including pings and probes
Re pings: The author has obviously never played Quake before. And about probes, where do you draw the line between legal and illegal? Is trying a few ports illegal? What if I go to a server and connect to telnet, http, and sendmail? Those ports all have legitimate uses; see #1. Ah ha, you (or the author) say, but I would only outlaw automated attacks. This is dubious at best, and it still runs into the same issues as #1.
Again, like you said, the Internet is structured as to be vulnerable. At this point, no amount of words can change that fact.
--
attack! (Score:3)
him.
Why is it always "some kid"? (Score:5)
Re:Why is this offtopic? Pretty relevant (Score:2)
Hrmm. (Score:5)
Didn't you JUST say that DoS attacks weren't cool?
Hypocrite.
Re:How long before this goes into meatspace? (Score:2)
--
Americans are bred for stupidity.
DOS (Score:3)
Good one Taco.
Looks like the link is getting the most effective DOS attack known to man: "The Slashdot Effect"
Re:Why is this offtopic? Pretty relevant (Score:2)
and there goes my karma
but that's ok, I will call myself a martyr.
Oh, how my life was ruined by the evil karma nazis.
I bet I'll get an NBC TV Movie.
'Course, I COULD use my +1 bonus to post this drivel, but I am being good
This is nothing new (Score:5)
Around 5 years ago, I ran toast.ne.us.dal.net, part of the DALnet [dal.net] IRC network (obviously). The bandwidth for it was generously donated by a local ISP, in exchange for borrowing some of my expertise from time to time. We only had a frame relay T1, but easily held more than 1000 users at a time. (Which was a record, for a short period.) With popularity, attacks started coming.
The first thing that hit was SYN floods. Linux added the TCP cookies feature, which helped a bit. Then raw ICMP echo request floods, which caused us to get icmp blocked at our uplink, which hurt our customers, but was deemed worth while. Then when ICMP didn't work, people flooded the crap out of us with UDP. Then the Smurf attacks started. It came to a point that more often than not, during the evening, I was spending my time on the phone with our increasingly annoyed uplink getting things filtered and blocked.
In 1996, I moved to Illinois, and took the server with me. I started my own ISP on two T1's, and pretty immediately decided to pull the DALnet server, when the period of time that we're getting flooded exceeded the time we weren't. I then moved my IRC server to a much smaller network called NewNet [newnet.net]. While the floods were much worse, it still was a perpetual annoyance that some brat in Israel decided he didn't like us, and would regularly flood us from hacked
Then one day, the "script kiddies" discovered Wingate. Wingate is a highly useful Windows proxy system, that was unfortunately shipped for quite a long time in a highly insecure state. They had a telnet and SOCKS4 proxy sitting wide open, with no passwords necessary. One script out there would go scanning through cable modem and DSL netblocks, gather a list of a few thousand insecure wingates, and connecting them ALL to our network, using them to flood the crap out of us. No longer could we even ban naughty users, because they had thousands of hosts they could choose from.
One VERY frustrating day, I ended up writing a little tool to scan EVERY user who connected to our network, to see if they were actually connecting from an insecure proxy server. Worked wonders, but we had thousands of nasty e-mails from people asking why we were trying to hack them (by connecting to port 1080 then immediately disconnecting?). Much education was required, and many notices of "You're about to be scanned, disconnect if you don't want this to happen" were necessary to prevent some idiots with a firewall they didn't understand from flooding abuse@dragondata.com with nonsensical complaints about hack attempts.
Today, floods are much more sophisticated than the ones we saw 5 years ago. Current floods are completely legitimate TCP/IP packets, that look real. Not floods of SYN's, but real looking data, that you can't just slap a simple filter in to get rid of. Now, unless you're using a stateful firewall that can detect this sort of thing, you're pretty much screwed. (FreeBSD's ipfw system is now stateful, and works quite well for this sort of thing.)
Really, here are the major problems.
1) Network administrators don't secure their networks. They may secure their machines, but they let their routers blindly pass off spoofed packets, when it would be pretty easy in 99% of the cases to block packets with source addresses coming from a port that they don't belong in.
2) Any complaint to any abuse@ address that involves IRC seems to go into
3) It's nearly impossible to prosecute the people who do this. I've talked at great lengths with the FBI and other law enforcement agencies. While they sympathize, unless they have a huge dollar amount in damages they can show, there's little they can do.
4) The same companies and universities get hacked over and over again. I'd like to see someone sue one of them for negligence one of these times.
5) Stupid battles like this are really putting a drain on the IRC community. IRCD server software has pretty much gone untouched over the last few years, because any technically competent coders are busy coming up with proxy detectors and fighting floods, rather than writing code. There are things with IRC that could be done that would blow people away. But, I'm burned out. 7 years of fighting with people who need psychological help, because they do things like take down a huge network, instead of dealing with their issues in constructive ways....
6) People take IRC too seriously. It's just for fun, people.
Kevin Day
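The source-address checks described in item 1 above and in the "How to stop DoS attacks" reply about blocking spoofed packets at administrative borders, sketched as an added example that is not part of any poster's comment: outbound packets must carry a local source address, and inbound packets are accepted only if the arrival interface is a valid (strict: the best) route back to the source. The topology, interface names, metrics and addresses are constructed, using RFC 5737 documentation prefixes.

```python
"""Border source-address validation: egress filter plus reverse-path check."""
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption): lan0 faces our own customers,
# up0 and up1 face two different upstream providers.
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    metric: int  # lower metric is the preferred path


ROUTES = [
    Route(ipaddress.ip_network("192.0.2.0/24"), "lan0", 0),
    Route(ipaddress.ip_network("198.51.100.0/24"), "up0", 10),
    Route(ipaddress.ip_network("198.51.100.0/24"), "up1", 20),  # valid backup
    Route(ipaddress.ip_network("0.0.0.0/0"), "up0", 100),       # default route
]


def lookup(src):
    """Routes for the longest prefix covering src, best (lowest metric) first."""
    addr = ipaddress.ip_address(src)
    covering = [r for r in ROUTES if addr in r.prefix]
    if not covering:
        return []
    longest = max(r.prefix.prefixlen for r in covering)
    same_len = [r for r in covering if r.prefix.prefixlen == longest]
    return sorted(same_len, key=lambda r: r.metric)


def egress_accept(src):
    """Outbound rule: the source address must belong to our own network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in LOCAL_PREFIXES)


def rpf_accept(src, in_iface, mode="feasible"):
    """Inbound rule: route the *source* address and compare interfaces.

    strict   - arrival interface must be the best route back to src
    feasible - arrival interface must be any valid route back to src
               ("not necessarily best, but at least valid")
    """
    routes = lookup(src)
    if not routes:
        return False
    if mode == "strict":
        return routes[0].iface == in_iface
    if mode == "feasible":
        return any(r.iface == in_iface for r in routes)
    raise ValueError(f"unknown mode: {mode}")


def filter_packets(packets, mode):
    """Return 'pass' or 'drop' for each (source address, arrival interface)."""
    verdicts = []
    for src, in_iface in packets:
        if in_iface == "lan0":          # packet is leaving our network
            ok = egress_accept(src)
        else:                           # packet is entering from an upstream
            ok = rpf_accept(src, in_iface, mode)
        verdicts.append("pass" if ok else "drop")
    return verdicts


# Constructed sample traffic: (source address, interface it arrived on).
SAMPLE = [
    ("192.0.2.10", "lan0"),    # customer using its real address
    ("203.0.113.9", "lan0"),   # customer forging a foreign source
    ("198.51.100.7", "up0"),   # arrives on the best path
    ("198.51.100.7", "up1"),   # arrives on the backup path (asymmetric routing)
    ("192.0.2.50", "up0"),     # our own prefix arriving from outside
    ("203.0.113.9", "up1"),    # only reachable via the default route on up0
]

if __name__ == "__main__":
    for mode in ("strict", "feasible"):
        print(mode, filter_packets(SAMPLE, mode))
```

The fourth sample packet is the case the "valid, not necessarily best" wording exists for: strict mode drops legitimate traffic that returns over a backup link, while the feasible check passes it. The default route also shows the limit of the technique, since any source it covers is accepted on up0.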
Re:Try contacting the company who leased the ATM (Score:2)
Bill - aka taniwha
--
Mirror (Score:2)
http://www.personal.psu.edu/users/d/r/drb210/198.html [psu.edu]
Mitigate Slashdot DoS (Score:2)
Re:Mirror in Freenet (Score:2)
--
Re:How to stop DoS attacks (Score:2)
Re:This is nothing new (Score:5)
I moderated/ran the Bruce Perens IRC Chat [slashdot.org] that was mentioned a few months back here. Idiots decided to ping flood his DSL line out of existence during the chat, and I had to call him on the phone and type his answers for him.
People will ruin anything that can, I swear.
-- Kevin
Re:Most large ISP's Don't Care. (Score:2)
But you should also consider the ISP's position. Attacks like this often throw the entire ISP off the net, affecting *all* of their customers. Only the very largest ISPs can handle such attacks -- which waste large amounts of expensive connectivity.
It's *much* cheaper to just get rid of the offending site in most cases, and since most ISPs are businesses looking to make a profit, that's what they do. They'd like to fight it; only the largest ISPs can afford to fight it.
Ha-ha funny funny, okay we *GET* it already. (Score:2)
How to stop DoS attacks (Score:4)
1) Secure all servers
2) License ISPs
3) Make spoofed packets illegal
4) Authenticate everything
5) Criminalize all scanning, including pings and probes
Now, would any of these solve openprojects.net's malaise? #1 wouldn't, because it's not their server which is launching the attack; #2 is a structural change which would take too long to implement (even if it's desirable); #3 is promising but would be an administrative nightmare; #4 we should be doing regardless; and #5 is perhaps a necessary evil.
The internet is fundamentally structurally vulnerable to DoS attacks. It's only a matter of pissing someone off and getting picked as a target. With the increasing politicization of everything on the net, the problems will only get worse.
Re:Syn Cookies (Score:2)
--------
Life is a race condition: your success or failure depends on whether you get the work done on time.
Re:How to stop DoS attacks (Score:2)
Spoofed packets being criminalized is tempting only on its face. While Congress could very well make interstate transport of a ham sandwich illegal, this law would be impossible to enforce. Criminalization of spoofed packets would be in the same boat.
Criminalizing all scanning is a case of throwing the baby out with the bathwater. Suppose that I own two machines, A and Z, and traffic between the two is vanishing into the ether. Do I have the right to make a nonintrusive investigation into the cause of the outage? My instincts tell me yes, that the Ninth and Tenth Amendments cover legitimate inquiry into the world in which we live. Therefore, my use of traceroute and ping to locate the network outage is perfectly legal--after all, lacking mens rea, no crime can be committed.
Securing all servers is an extremely good idea, as is authentication and verification of data. Unfortunately, 90% of the programmers I know can't be bothered to worry about anything as trivial as making sure it's Done Right, instead of Done Fast.
The [I]nternet is fundamentally structurally vulnerable to DoS attacks.
Agreed, but I like to approach things from a slightly different perspective. The Net was designed to be immune to a huge array of meatspace problems. The Net was not designed, nor could it have been designed, to be immune to netspace problems; after all, netspace didn't exist at the time the fundamental protocols of the Net were being developed.
As the English techno band Shriekback noted, "[e]very force evolves a form." DoS attacks are just the form which force has evolved into on the Net.
Re:How to stop DoS attacks (Score:3)
What about asymmetric routing?
I have two ISPs. One is a 128kbps frame relay, and the other is a radio link and a 33.6k modem. The radio link is approx 2 Mbit/sec with a reasonable latency, about 50 ms. The frame relay circuit has 20 ms latency. The modem just plain sucks, slow and high latency. The modem isn't even plugged in. I use the radio receiver as a one-way link.
If all spoofed packets were illegal, then it'd probably be illegal for me to send packets up the frame relay line, with the IP number belonging to the radio link. The ISP providing the upstream for the frame line says "we don't mind and we won't stop you unless someone starts abusing our network, and we'd probably have to upgrade the router to do it". The ISP providing the radio link doesn't really know... it's hard to actually get to talk to anyone there that knows anything... but from what I can tell, their scarce resource is the pool of inbound modems, they have more bandwidth than they know what to do with on the radio link.
It's a pretty sweet setup, and it's all possible due to asymmetric routing (linux) and that my upstream provider lets me send spoofed packets!
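The tension between the source-address filtering urged earlier in the thread and the asymmetric setup in the comment above, as an added example that is not part of any poster's comment: a simplified model of reverse-path checking on the frame-relay ISP's customer port. The addresses (documentation ranges), interface names, mode names and the per-port exception list are all constructed for illustration.

```python
import ipaddress

# Constructed routing table for the frame-relay ISP's edge router.
# All prefixes are documentation ranges; interface names are made up.
ROUTES = [
    ("192.0.2.0/29", "cust0"),    # block assigned to the customer's frame-relay line
    ("0.0.0.0/0", "upstream0"),   # everything else, including the radio ISP's space
]
# Sources the ISP has explicitly agreed to accept on a customer port.
ALLOWED_EXTRA = {"cust0": ["198.51.100.17/32"]}  # customer's radio-link address

def best_route(src):
    """Longest-prefix match: interface the router would use to reach src."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def accept(src, in_iface, mode):
    """Decide whether a packet with source src arriving on in_iface is forwarded."""
    route_if = best_route(src)
    if mode == "strict":        # source must be reachable via the arrival port
        return route_if == in_iface
    if mode == "loose":         # any route at all, default route included
        return route_if is not None
    if mode == "strict+acl":    # strict, plus per-port exceptions
        extra = ALLOWED_EXTRA.get(in_iface, [])
        return route_if == in_iface or any(
            ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in extra)
    raise ValueError(f"unknown mode: {mode}")

def evaluate():
    """Run the three source addresses through each mode on the customer port."""
    sources = {
        "own address": "192.0.2.2",        # legitimate frame-relay source
        "radio address": "198.51.100.17",  # the asymmetric-routing case
        "forged address": "203.0.113.9",   # source the customer does not hold
    }
    return {(label, mode): accept(ip, "cust0", mode)
            for label, ip in sources.items()
            for mode in ("strict", "loose", "strict+acl")}

if __name__ == "__main__":
    for (label, mode), ok in evaluate().items():
        print(f"{label:15} {mode:11} {'forward' if ok else 'drop'}")
```

Strict mode drops the radio-sourced packets along with the forged ones, loose mode forwards both, and only the per-port exception separates the two. On Linux the strict and loose behaviours correspond to the `rp_filter` sysctl values 1 and 2.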
Do you really want to stop him. (Score:2)
Just an idea. I hate people that jack with me and my friends, and I have a soft spot in my heart for seeing people get pissed on unfairly.
If I ever meet up with this clown and find his email, I'll subscribe him to every "lolitasex" mailing list I can find. Especially if I can find some covertly operated by the boys in blue.