Post-mortem of a DOS Attack

MartinB writes: "Following a recent spate of DDoS attacks on his grc.com (home of Shields UP!), Steve Gibson investigated, finding a network of compromised IRC bots being used to flood vulnerable targets. Surprisingly, the thing which saved him is Win 9x's non-standard implementation of Sockets, making it impossible to spoof IPs. However, he warns, even consumer versions of WinXP won't have this safety 'feature'. Is there time to prevent this? Is implementing the standard always A Good Thing?" Gibson uses too many exclamation points in his article. But it's still interesting, if only to note the number of exploited personal machines on cable modems.
  • by Anonymous Coward
    In the past week I've been emailed 3 "funny joke" executables for windows from different people (one of who is an engineer at a large software company and should know better). The cc list on one was over 50 people, and the forward list was even higher. How the hell can you stop DoS attacks and home PC hacking when people are so clueless?
  • by Anonymous Coward
    Gibson is not a well-known security expert, he is just a well-known security blowhard. There is a difference. Just last year he passed off 'nmap' port-scanning as his own invention 'micropackets'. It wasn't because he was malicious, it was only because he didn't know security well enough to understand what 'nmap' does.

    He claims: "It is impossible for an application running under any version of Windows 3.x/95/98/ME or NT to "spoof" its source IP or generate malicious TCP packets such as SYN or ACK floods"

    This is not true: it is easily done under such systems -- just not with the sockets layer. People have been doing it for a long time using such things as the TDI layer or direct NDIS calls from applications.

    Steve Gibson is well known because he communicates well with ignorant users and has a flair for the dramatic. However, he really just doesn't understand security.

  • by Anonymous Coward

    Personally, I think that it is important that every OS has a full TCP/IP implementation and I think that Gibson is barking up the wrong tree: It's important that ISPs don't route packets into the wild that don't have correct source IPs! That should be a trivial thing to do and would more or less remove IP spoofing.
    The problem of DDoS attacks still exists, of course, but it could be removed by 'intelligent' routers that don't route traffic that behaves in certain patterns, e.g. heaps of SYN packets from one IP to another.

    There's no use in crippling the TCP/IP implementation, more sensible routing is what is needed to get rid of such attacks and to be able to find its originators.
  • by Anonymous Coward
    There are already high level people calling for
    the next generation internet to be a cluster of
    VPNs, to cut back on the DDOS stuff. Guess what?
    It's probably gonna happen that way.

    The Internet is based on far too much of a
    consensus model. Consensus models don't scale
    well. Bye-bye.
  • by Anonymous Coward
    this kinda irc botnet is probably a lot easier to trace than non-irc based DDoS as every trojaned program contains in it the exact server/channel/key as he shows in the article, did you read it? :)

    If the hosts are spoofing the sources of the packets then you're probably screwed but these aren't. They are installed on windows systems that can't spoof (without rewritten tcp stacks) and installed on so many that the likelihood of being able to track down the owner of one and get co-operation in locating the trojan file is high.

    The problem is like he said the FBI won't get involved unless $5000 worth of damage is done, or business lost and even then they are already overworked with the cases they have. It's not an untraceable system but anyone who traces you is unlikely to do much.

  • by Anonymous Coward
    Gibson is most definitely a blowhard, as most any educated individual can tell from the general tone of the article. But at the same time, he presents a body of interesting research. It's great that he's taken some time to properly dissect a DDOS attack. The detail of the discussion is certainly something that I haven't seen in other similar articles and is welcome, even if the subject matter is somewhat geared towards the compsec newbie.
  • by Anonymous Coward
    Frost_Byte
    ----------
    frost_byte_si
    AT SYMBOL
    hotmail.com

    Just because Winsock does not support the
    "IP Header Include" flag does not mean that
    packets cannot be spoofed from a 9x machine.

    The Winsock DLLs are just interfaces for the
    Ring0 VxDs for transport.

    If 9x will not construct and send spoofed packets,
    then look at Exploit Generator:

    ftp://ftp.technotronic.com/denial/expgen085.zip

    Hopefully no one actually takes him seriously.
  • by Anonymous Coward
    Windows is the target of choice because there are large numbers of clueless people with good connectivity running Windows.

    However the clue level among random Linux users is not great, and Linux has implemented the full protocol all along. If the same people were all using Red Hat, that would be just as bad as everyone using Windows XP.

    Sadly as long as there is no real penalty for running a compromised machine, there will be no pressure on ISPs to care. And as long as that is the case, there will be armies of bots ready to go.

    If you want to fix the problem, have a fine of $500 per compromised machine the FBI finds that you have online, and a similar fine for every compromised machine an ISP connects whose activity pattern over at least a week indicated was likely compromised. With that kind of financial bait, the police would be motivated to enforce, ISPs would be motivated to do something about the problems, and consumers would have a reason to care about security.

    Nothing less will even slow DDoS. Certainly not putting the same naive people on a more capable OS (like Linux).
  • IP spoofing is NOT impossible on win9x boxes. Take a look at winpcap and the windump developer's pack sometime. It is very difficult and you have to build the packets yourself from the link-level header on up, but it IS possible... I've done it.
  • When these 13 year olds are hijacking planes, blowing up buildings, and hurting people, then I'll call them "terrorists."
    OK, I'll admit that "terrorist" is a bit much, but that's semantics. The problem doesn't go away.

    There are no major consequences yet because nothing truly important has been hooked up to the internet yet. There were no deaths due to car accidents for a long time after the automobile was invented, but that's only because they all went 10 mph back then. [insert cliched information superhighway analogy here]
    Just what I'm looking forward to, a total government clampdown on the Internet
    You are completely missing the point. No intervention would be necessary if the users themselves would wake the hell up and manage their computers properly.

  • I don't mean the server, I mean the users of the individual computers which were hijacked and then used in the DDoS without their knowledge. A few minutes going over their configuration, or buying ZoneAlarm or a similar product (which Gibson found to be effective against this particular bot) prevents any one computer from being used.

    I agree that bugs in the computer itself are also a bad thing, but through some small effort by the users (less effort than, say, buying a burglar alarm system or a Club) the bug's effects can be reduced or eliminated.

  • by Have Blue ( 616 ) on Thursday May 31, 2001 @05:38AM (#187044) Homepage
    That was hands down the coolest article on computer security I've ever read. :)

    Everyone always writes about cracking in a condescending, "when-will-they-learn" tone, as if it's all a mildly amusing game (which it is to them, because the authors are rarely the ones being cracked). Gibson, who did get attacked himself, looks at cracking as the serious and dangerous problem that it really is. This article describes a real war, with first strikes, counterattacks, espionage, and so on.

    This really opened my eyes to what a huge problem the internet's technological loopholes have and will become. More mainstream articles of this form would surely help raise the awareness about security issues that was sadly lacking in all the unknowing carriers of Zombies.

    (And no, I do not consider this "fearmongering". Fearmongering does not offer solutions or point out that none of this would have happened if people would just GET A CLUE.)

  • These attacks are very difficult to defend against, because they simulate actual valid traffic. And you can't block the source address, because it's invalid.

    If the address is invalid it should have been blocked by the outgoing routers or the router at your edge. i.e. my firewall won't pass any of the private IP blocks and the routers at my ISP drop packets from IPs in those same private blocks.

    Now spoofing routable address is a different story but again if the edge routers simply dropped traffic from IPs it shouldn't see on that particular interface you'd see a hell of a lot less DDoS than you do now.

  • Maybe you do this, but most of the internet doesn't despite efforts to the contrary -- MFS once threatened to disconnect people who weren't blocking spoofed traffic entering and leaving their network.

    I tend to think that far less of the edge routers are doing this than you may think. As you said, filtering becomes expensive as the routing tables become larger and companies are not wanting to spend the money on new equipment. That's why I'm suggesting that only the edges perform this type of filtering. You have a limited number of interfaces and the IPs flowing between them are far smaller than the number of acceptable addresses flying through a core router's interfaces.

    Also, I'm not talking about the dialup providers. The amount of bandwidth a single (or even 1000) dialup users can provide doesn't even register on the map of these DDoS attacks. But every DSL and cable provider should be filtering their incoming traffic.

  • You gotta read how he complains about the standard socket implementation of Win2k / XP. First people complain about the lack of, now because it's there, damn give MS a break.

    I don't know about you, but my routers simply drop traffic which doesn't come from an IP that isn't from the interface it's coming in on. I don't care what the users run because the edge routers won't allow spoofed traffic... well not unless they spoof another IP within the block(s) on the interface. :-)

  • There are only ten (10) exclamation points in the article, excluding the ones during the IRC chat log. Considering the article is SEVERAL pages long, I find it hard to consider this *excessive* use of exclamation points!

    -Michael
  • Firewalls don't help against valid traffic flood attacks.

    Of course they can. Any half way decent intrusion detection system will notice the pattern of a DoS attack, and dynamically add a firewall rule to block *all* traffic from the offending IP for a period of time. DDoS attacks are trickier, because you need to block several (often hundreds or even thousands of IP addresses or ranges), but the same principle still applies. The concern here is that a large scale DDoS attack will cause the firewall to be processing so many rules for each packet that it's unable to keep up with the traffic. The undesirable packets won't get past the firewall, but random packets will start to be dropped, including ones containing genuine traffic. So you still get a DoS, albeit a lesser one than you would have had without the firewall.

  • That still doesn't explain why you don't completely block UDP access to a Webserver (and whilst under attack you could probably survive without Ping and traceroutes also)?
  • There are two issues you're addressing here.

    Windows crappy sockets implementation prevents it from participation in spoofed packet building attacks, like SYN floods and the like. These attacks are very difficult to defend against, because they simulate actual valid traffic. And you can't block the source address, because it's invalid.

    Windows crappy security allows trojans to be installed that can make attacks that don't require spoofing to be effective - massive pingfloods and the like. These attacks, as SG shows, can be effectively 'cancelled' to a degree. The attack was still going on, but the number of packets coming in wasn't as big a deal to the fat pipe upstream from the small T1 lines.

  • He probably runs multiple servers - it's hard to test Windows trojans on a linux box. And DDoS is blind to your OS. You can DDoS a Linux box as easily as a Windows box as easily as a MacOS box. DDoS is a weakness of TCP/IP, not of a particular OS; therefore, it can affect any system on the internet.

  • You're right, I don't know what I was thinking :) Attacks like SYN and such are still creating the bandwidth DOS attack. However, they tend to do it a lot less effectively, since the problem with the spoofed attacks is that they appear to be valid data, where I can tell that a 64K fragmented ping packet is not valid, and have the ability to filter based solely on the properties of the traffic. You can't filter on those terms for a spoofed DoS attack.

  • Oops, forgot my footnotes :) And whoever modded my main post as a troll is one of the people who can't read that I mention up there in the beginning. They apparently can't read here either.

    1. You wouldn't know it from reading comp.os.linux.help

    2. Aunt Maude who just bought her new Celeron 500 and 15 inch monitor bundle from Walmart

  • by TBone ( 5692 ) on Thursday May 31, 2001 @05:30AM (#187055) Homepage

    It seems there's a confusion in the discussion below, because people are too dumb to read the part of the article where Steve talks about Spoofed attacks. Let me try to explain.

    SG talked about two different attacks. The main one is the brute-force, fill-your-bandwidth, ping attack. This attack is based on known ports and data types that fall outside of what can be considered 'normal' traffic, since in no way should well over a gig of ICMP ping data per minute be considered normal. Because of this, the routers on the upstream side could be configured to disallow the passing of that data. This is what brought the servers back on the net each time.

    The part he just briefly touches on is the spoofed attacks, like SYN attacks and the like. These attacks require the source to manipulate the TCP stack outside of what would be considered 'normal' use. Like sending SYN packets and not sending the SYN-ACK in reply to an ACK that is required in the 3-way handshake. These attacks simulate normal data - SYN attacking the web server, for example. All connections to a web server start with a SYN. So there is no way to statelessly determine if any given SYN is valid or not. The only way to cancel out these attacks is to disable valid services running in your network.

    The problem isn't necessarily that Windows will now be able to spoof - the number of machines on the 'Net that can spoof has increased dramatically since Linux appeared on the scene. However, people that run linux also tend to know more about the technical aspects of their computers, and understand how to look for the signs of your computer being taken over (1). The typical Windows consumer (2), however, has very little idea what goes on inside the case where all those wires are connected to, and half of the time, couldn't even get the computer set up right if the cables and ports weren't color-coded. These are the people that see a new Email from Aunt Maude that says "Re: Re: Re: Re: Re: Re: Funny! Open now!" and open the little attachment that drops the Sub7 pieces into their registry before dancing around on their computer and making them laugh. And the problem is stupid laws that keep the FBI from pursuing 13-year-old script kiddies because our laws prevent much of anything from happening to them. Kids that sell drugs and rape other kids go to Juvenile Detention until they're 18, at which point they get out, do it again, and go away for a long time. The legal system needs to start treating the spoiled brats who have nothing better to do than DoS computers the same way. If they were picketing and physically blocking entrance to a Brick-and-Mortar store, the police would drag them away. This is the cyberspace extension of that very same idea.

  • The article says that the bots are set up to self upgrade from the IRC channel. So hide the cleanup program in the upgrade, and send it to the channel. Hell, inoculate the machine against sub7 while you're at it. Worst case put a message on the user's desktop "You've been HaX0r3d!".

    --locust.

  • Don't open it..seems very simple...
    Just because someone sent it to you does not mean you have to open it.
  • by AftanGustur ( 7715 ) on Thursday May 31, 2001 @06:16AM (#187058) Homepage

    Anyone who knows networking will tell you that this is exactly what SYNcookies were made for. The attack didn't use up all the network traffic, but rather used up all the filehandle-slots on the server OS.

    Just take a look at that graph [grc.com] and the answer is obvious.

    When using SYNcookies the server doesn't allocate a file-handle for each new connection but puts a 'challenge' in the Syn/Ack package and waits for the last Ack of the 3-way handshake. This effectively forces the attacker to reveal his IP address if he wants to use up the filehandles, and then you just block him in your router.
    --
    echo '[q]sa[ln0=aln80~Psnlbx]16isb15CB32EF3AF9C0E5D7272 C3AF4F2snlbxq'|dc
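The SYN-cookie mechanism the comment above describes, as an added example that is not from the article or the poster: the server's initial sequence number in the SYN/ACK carries a minute counter, an encoded MSS and a keyed MAC over the flow, so nothing is stored until the third-handshake ACK proves the client's address is real. The secret, MSS table and bit layout are constructed for this demonstration (modelled on the Linux approach, not its exact values).

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo secret; a real stack generates this randomly at boot.
SECRET = b"constructed demo secret, not a real key"

# MSS values the cookie can encode; 2 bits of the cookie index this table.
# Assumption: a small table like Linux's msstab, values chosen for the demo.
MSS_TABLE = (536, 1220, 1440, 1460)
COUNTER_BITS = 5                               # top bits: minute counter
MSS_BITS = 2                                   # next bits: MSS table index
HASH_BITS = 32 - COUNTER_BITS - MSS_BITS       # remaining bits: truncated MAC
MAX_AGE_MINUTES = 4                            # cookies older than this are rejected


def _pack_flow(src_ip, src_port, dst_ip, dst_port):
    """Canonical byte form of the 4-tuple that the MAC binds the cookie to."""
    return (ipaddress.ip_address(src_ip).packed + struct.pack("!H", src_port)
            + ipaddress.ip_address(dst_ip).packed + struct.pack("!H", dst_port))


def _mac(flow, client_isn, counter):
    """Keyed MAC over flow, client ISN and counter, truncated to HASH_BITS."""
    msg = flow + struct.pack("!II", client_isn & 0xFFFFFFFF, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << HASH_BITS) - 1)


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, minute):
    """Server ISN for the SYN/ACK; all the state the server needs is inside it."""
    # Largest table entry not exceeding the client's MSS (clamped to the smallest).
    idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss], default=0)
    counter = minute & ((1 << COUNTER_BITS) - 1)
    flow = _pack_flow(src_ip, src_port, dst_ip, dst_port)
    return ((counter << (32 - COUNTER_BITS)) | (idx << HASH_BITS)
            | _mac(flow, client_isn, counter))


def check_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack_number, minute):
    """Validate the handshake's final ACK. Returns the MSS, or None if it is bogus."""
    cookie = (ack_number - 1) & 0xFFFFFFFF        # client acks our ISN + 1
    counter = cookie >> (32 - COUNTER_BITS)
    idx = (cookie >> HASH_BITS) & ((1 << MSS_BITS) - 1)
    mac = cookie & ((1 << HASH_BITS) - 1)
    age = (minute - counter) & ((1 << COUNTER_BITS) - 1)
    if age > MAX_AGE_MINUTES:
        return None                                # replayed/stale cookie
    flow = _pack_flow(src_ip, src_port, dst_ip, dst_port)
    expected = _mac(flow, client_isn, counter)
    if not hmac.compare_digest(struct.pack("!I", mac), struct.pack("!I", expected)):
        return None                                # wrong address, port or guess
    return MSS_TABLE[idx]


class SynCookieListener:
    """A listener that keeps no half-open table: a SYN flood costs it nothing."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = []                      # only fully proven peers

    def on_syn(self, src_ip, src_port, client_isn, mss, minute):
        # Reply fields of the SYN/ACK; note that nothing is stored here.
        seq = make_cookie(src_ip, src_port, self.ip, self.port, client_isn, mss, minute)
        return {"seq": seq, "ack": (client_isn + 1) & 0xFFFFFFFF}

    def on_ack(self, src_ip, src_port, seq, ack, minute):
        client_isn = (seq - 1) & 0xFFFFFFFF       # client's seq in the ACK is ISN + 1
        mss = check_cookie(src_ip, src_port, self.ip, self.port, client_isn, ack, minute)
        if mss is None:
            return False
        self.established.append((src_ip, src_port, mss))
        return True


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges.
    srv = SynCookieListener("203.0.113.10", 80)
    synack = srv.on_syn("198.51.100.7", 40000, 12345, 1460, minute=100)
    print("real client completes:", srv.on_ack("198.51.100.7", 40000, 12346, synack["seq"] + 1, 101))
    print("spoofed source fails:", srv.on_ack("198.51.100.8", 40000, 12346, synack["seq"] + 1, 101))
    print("established peers:", srv.established)
```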

  • Then is implementing a flawed standard always a good thing? Or is it better to implement against standard without the flaw? That's the real question. I think you are just reciting pieties.
  • Have we already forgotten that SourceForge and apache.org were just compromised? Were their systems set up like a 13 year old might? Why is it that whenever there's a security compromise, a bunch of yahoos come out and insist that it is the fault of incompetent administration or clueless users, when even some of the most technically sophisticated groups can't protect themselves against intrusion? This is like blaming a rape on the victim's failure to dress properly. Do you have some sort of commitment to a philosophy of social Darwinism that makes it impossible for you to accept that the victims did nothing wrong and that the perps are, in fact, entirely blameworthy?
  • Gee, now *I* want an army of trojan attack zombies installed on a bunch of cabled Windows PCs ready to DDoS on command....

    !r
    EvilBot1.3 ready to attack...
    EvilBot1.3 ready to attack...
    EvilBot1.3 ready to attack...
    .
    .
    .

  • From his DOS attack history [grc.com] page:
    Rather than engaging in another night of cat & mouse "guess the IP" as we had the night before, I decided to remain off the Internet, collect attack logging data, and take the opportunity to defragment our server's hard drives while weathering the storm.
    "defragment our server's hard drives" ? Seems that he's not using Linux for his servers...

    And then he complains about being DoSed? Sheesh...

    --

  • As long as ISPs let their customers forge the source addresses, this problem will continue. It's not really that big of a deal if the hacker pretends to be Bob next door. Any ISP worth its salt can track down the true source of any traffic inside their network. And, if the network portion of the address is correct, I know which ISP to call to report the problem.

    The reason DDoS attacks are as bad as they are is due almost entirely to lazy ISPs who don't do ingress filtering. The days of routers not being fast enough to do simple filtering are long past. I personally think ISPs should be held liable for allowing their customers to send out spoofed packets. Maybe then the situation would improve.
  • by Rinikusu ( 28164 ) on Thursday May 31, 2001 @04:59PM (#187070)
    I thought the exchange with ^boss^ was funny as hell. You could almost read "Jesus, if this guy can fucking hack my bots, spy on my channel, know how many active bots I have, what targets I've hit in the past week, fuck! fuck fuck fuck! I'd better start staying over my friends' house and I'd probably better format and shred my harddrive! Fuck fuck fuck!"

  • As posted before, I had something similar happen to me. Midway through the attack, I contacted CERT. they were tracking a particularly large botnet on Undernet at the time, and my handling of the small botnet might have been some help.

    The email I wrote to CERT is located here [granzeau.com]. It details some of the stuff that happened as I got rid of the botnet. I deleted around 500 bots when all was said and done.

    --
    Gonzo Granzeau

  • I noticed a bunch of bots connecting to our irc server approx a year and a half ago. After monitoring them for a bit, I found their password, found out they were subseven bots, and got their ports and passwords. I then proceeded to manually remove the bots over the period of the next couple of days. You can remotely remove subseven bots if you have ports and passwords. I removed around 500 bots or so. When they hopped their dynamic IP (when they figured out what I was doing) I followed them, got them Glined there, and followed them to three separate servers before they gave up and disabled the dynamic ip address. It was a pain in the ass, but it was worth it when the guy finally threw in the towel.

    Glad someone else is invading these bot nets like I did.

    --
    Gonzo Granzeau

  • by BLKMGK ( 34057 )
    The reason he's torqued about spoofing is because IF the attacks had been spoofed he wouldn't have been able to track them back AND the attacks would've been much nastier than the glorified PING! storm he was weathering. Imagine if it had all been fragmented packets aimed at Port 80 instead. How do you defend against that - shut off Port 80? Oh wait....

    If you can't track them back (easily) then how will you stop them? Getting ISPs to NOT forward packets that aren't sourced from their domain's IP range would be a start but not perfect IMO as you could simply make it look like Jimmy Joe Bob next door :-)
  • What would running Linux have helped? The attack was choking his network connection cause it used up all the bandwidth. It wasn't the fault of the OS's in use. Geez.
  • by wiredog ( 43288 ) on Thursday May 31, 2001 @07:13AM (#187081) Journal
    It monitored the flow of IRC channel nicknames and automated the process of determining who was talking to whom, and who were the "bosses" who commanded the most power and respect

    Wow. Traffic analysis. A standard tool used by NSA, GCHQ, et al. Amazing how much you can learn from communications without actually reading the messages. Think about that when you use encryption. What can your opponent learn just by tracking who you are talking to?


  • @echo off
    ipconfig net0 10.0.1.1
    spoofmanypackets.exe
    ipconfig net0 back.to.normal

    OK, a little crude, but it'll work - or do these script kiddies really not write scripts anymore :-)

  • I don't see why a normal user would want or need it - there are plenty of low level drivers out there to build and send spoofed packets under windows - but what saved him was the fact that these machines were not set up by the attackers, but were stock machines compromised by a "zombie" irc attack bot.
    The non-standardness of the sockets is an issue with porting software from other platforms, but that is a winsock/port issue, not a low level packet construction issue.
    --
  • by Old Wolf ( 56093 ) on Thursday May 31, 2001 @11:28AM (#187086)
    It's pretty hard to infiltrate a botnet and -find bugs in them-, and stop a DDoS attack without understanding security.

    You point out that he communicates well with ignorant users. Now, it's possible that this is because he himself is ignorant, but you must recognize the other possibility: he knows what is going on, and communicates to ignorant users only the aspect they will understand.

    For example, many posters on Slashdot are picking at his claim that Win9x -can't- send spoofed packets etc.
    As far as average users go, this is sufficient information. It's like learning in school that a thrown object will describe a parabola (it won't, since the earth is not flat with uniform gravity, but it's close enough for the level of those students). It's better to raise the average education level, than to provide lots of geekish details that will put people off.
    And of course, to you and me, it is clear what he means: Windows can't send those packets without a lot of messing around -- and I would expect that this is the sort of thing that would be difficult to install in a Trojan

    (recall that the issue here is machines which can be -remotely compromised- -- not a bunch of kids sitting on their own PC with bandwidth, looking for somewhere to aim it).
  • Yes, it's taken from Berkeley Sockets. However, it is an incomplete implementation. The stack itself is feature poor, (i.e., can't spoof IPs, can't ping subnets), and not all the tools that are usually considered part of TCP/IP are included. For example, nslookup is not in Win9x, probably because they couldn't get the Win32 port from NT to work. So much for a common API. Also, both NT/2000 and 9x don't include some of the servers and clients.

  • I said they should note that a SYN - ACK - SYN needs to occur which is TCP based, not UDP so all UDP traff should be blocked since for a website you'd need that 3 way connection, not a UDP based connection. Re-read my post.

    As for your "it is hard through a general purpose router" comment, bs you could easily drop all UDP packets without worry if you're not providing any UDP based services, and it won't affect (dropping the UDP packets won't) the router as much as having to route the packets.
  • by joq ( 63625 ) on Thursday May 31, 2001 @05:51AM (#187093) Homepage Journal

    The only way to cancel out these attacks is to disable valid services running in your network.

    Actually you're wrong. I wrote "Daemonic [antioffline.com]" when I was writing "Theories in DoS [antioffline.com]", a paper on higher network level based attacks such as BGP, OSPF based attacks. Now what Daemonic does is sends pseudo random garbage (spoofed) to any port you specify.

    Simple lame little DoS attack right? Now even if you don't have the service running for the port you're sending the data to, it'll still crap out your Windows2000 box with ease. Now if you send it with a multicast source address which is weirder (haven't benchmarked) things really get odd.

    Either way it'll bang up your network. Now FYI sending data through to a port that's not running still has to get there which means the network can still amass latency, which is where you would want to nip it at the butt with your router or firewall.
  • by joq ( 63625 ) on Thursday May 31, 2001 @05:26AM (#187094) Homepage Journal

    So someone writes and says they're a 13 year old script kiddie who knows that the FBI will traceroute, etc, etc, etc., and this is believable? Highly doubtable. As for the attacks, I would say Mr. Gibson should have his uplink provider hire some clueful router administrators who would've fixed the problem in a heartbeat.

    Lack of understanding from those involved often creates more harm than they help. UDP packets coming in to a website? And the admins couldn't think firsthand network skills SYN --> ACK --> SYN, 3 way TCP handshaking? They need to go back and study up using some Cisco Press material.

    Anyways for those who haven't seen the page yet or are in charge of networking, and or firewall equipment, check out Stopping DoS [antioffline.com] which is a "do this now" tutorial to stop beating around the bush and cut DoS attacks at both the firewall, and network (router) level. It's not an rfc, not a write up of what a DoS attack is, simply a "fuck it's 3am and I'm getting DoS'ed now how do I stop this shit" paper.
  • Ummm, DNS runs on UDP. Everyone would cry out immediately if they can't get their p0rn spam.
  • While Gibson does tend to get a little melodramatic at time, he does offer some useful services (ShieldsUp, OptOut, etc).

    But, it is clear that his programming talents tend to rely upon higher level interfaces nor is he fully cognizant of other tools that are available for other platforms. He seems to concentrate on the Windows platform and does that pretty well. But, he's been talking about nanoprobes for some time (at least a year) and nothing useful seems to have grown from it.

    But, then again, who cares what the programming talent of a script kiddie is when it's clear they simply use tools developed by more accomplished programmers for malicious intent.

    It doesn't take much to climb into a large truck, turn the key, put it into gear and plow into oncoming traffic just to see how much damage you can do.

    What we need are better, smarter tools to detect attacks and have them develop countermeasures against these attacks (sorta like iptrap but on a grander scale). Perhaps the "smart" tools could interface with ISPs to allow them to adapt and filter out the attacks thus preventing them from reaching customers? How would we do this? No clue.

    And, we need ISPs who are accessible, have qualified individuals on staff, and willing to help in a timely fashion.

    Finally, we need law enforcement with the means and wherewithal to be able to track down these punks and cut their cables permanently. If the attacks are gov't sanctioned, cut the frick'n cable to the country. Or, block all traffic out of known terroristic states. Eventually, the legitimate users will have had enough and demand a change.

  • Well, the packet has to come from somewhere. A spoofed packet will have a source address other than the actual source of the packet -- usually not even remotely similar to the actual source. If the router at the next hop takes the time to verify the incoming traffic on that interface is coming from addresses known to be there, then spoofing becomes a non-issue. Unfortunately, no one is sufficiently paranoid (or insane) to configure spoofing filters on every interface. It's too much of a configuration management headache and it proves very costly to the router.

    For example, let us assume an ISP has a customer with a LAN on the far end of a T1 using the class C 192.168.1.0. If the ISP's router were to see packets sourced from 172.16.4.7, then obviously something is not right. It's either spoofed or a mis-configuration -- the customer could be multi-homed, or have two LANs, etc.
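The per-interface source check the comment above describes, as an added example that is not part of the original discussion: each customer interface is checked strictly against the prefixes provisioned behind it (the 192.168.1.0/24 customer and the 172.16.4.7 packet from the comment are included), while the default-route uplink only gets a loose check that rejects sources claiming to be one of our own customers. The interface names, the second customer prefix and the sample log lines are constructed for this demonstration.

```python
import ipaddress
from collections import Counter

# Constructed provisioning data: which source prefixes are expected behind
# each interface. A real router takes this from its routing table.
ASSIGNMENTS = {
    "serial0": ["192.168.1.0/24"],                   # the T1 customer from the comment
    "serial1": ["10.20.0.0/16", "203.0.113.0/24"],   # constructed second customer, two LANs
    "uplink":  ["0.0.0.0/0"],                        # transit: default route, no strict check
}


class IngressFilter:
    """Decide whether a packet's source address is plausible for the interface it arrived on."""

    def __init__(self, assignments):
        self.prefixes = {iface: [ipaddress.ip_network(p) for p in plist]
                         for iface, plist in assignments.items()}
        # Every specific (non-default) prefix and the interface that owns it.
        self.owned = [(net, iface) for iface, nets in self.prefixes.items()
                      for net in nets if net.prefixlen > 0]

    def verdict(self, iface, src):
        addr = ipaddress.ip_address(src)
        nets = self.prefixes.get(iface)
        if nets is None:
            return ("drop", "unknown interface")
        if any(net.prefixlen == 0 for net in nets):
            # Default-route interface: we cannot enumerate the whole Internet, but a
            # source that belongs to one of our own customers must never come from upstream.
            owner = next((i for net, i in self.owned if addr in net), None)
            if owner is not None:
                return ("drop", f"source belongs to {owner}, not reachable via {iface}")
            return ("pass", "loose check: not one of our prefixes")
        if any(addr in net for net in nets):
            return ("pass", "source matches interface prefix")
        # Either a spoofed packet or a provisioning error (multi-homed customer,
        # unannounced second LAN); both deserve an operator's attention.
        return ("drop", "source not assigned to this interface")


def summarize(filter_, log_lines):
    """Run constructed 'iface src=... dst=...' lines through the filter; return counts and drops."""
    counts = Counter()
    drops = []
    for line in log_lines:
        fields = line.split()
        iface = fields[0]
        src = next(f.split("=", 1)[1] for f in fields if f.startswith("src="))
        action, reason = filter_.verdict(iface, src)
        counts[action] += 1
        if action == "drop":
            drops.append((iface, src, reason))
    return counts, drops


# Constructed sample of arriving packets (documentation and private ranges only).
SAMPLE_LOG = [
    "serial0 src=192.168.1.25 dst=198.51.100.5",    # legitimate customer traffic
    "serial0 src=172.16.4.7 dst=198.51.100.5",      # the comment's suspicious packet
    "serial1 src=10.20.3.4 dst=198.51.100.5",       # second customer, first LAN
    "uplink src=198.51.100.9 dst=192.168.1.25",     # ordinary inbound traffic
    "uplink src=192.168.1.5 dst=198.51.100.5",      # claims to be our customer: forged
]

if __name__ == "__main__":
    counts, drops = summarize(IngressFilter(ASSIGNMENTS), SAMPLE_LOG)
    print(dict(counts))
    for iface, src, reason in drops:
        print(f"DROP {iface} {src}: {reason}")
```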
  • Read the story more carefully. He contacted the FBI, and after they blew him off he proceeded to work out the information.

    Perhaps if he had gone back to the FBI with this information, they would have paid more attention to him, since they could have used his data to go after people DDoSing the big boys.
  • by wowbagger ( 69688 ) on Thursday May 31, 2001 @06:19AM (#187104) Homepage Journal
    Gibson finds out how the zombies work. He finds the IRC channel they use for control. He gets the command set.

    Rather than turning all this over to the FBI, so that they can start tracking these people down, he makes it known to them that he has it, and publishes it. Now, the people who make these abominations will move their control over to something else.

    Granted, the FBI might not do anything with the data. If so, then make a stink about the FBI not doing their job!

    Personally, vigilante justice is starting to sound better and better....
  • by powelly ( 70306 ) on Thursday May 31, 2001 @06:37AM (#187107) Homepage
    I must thank Gibson for the article, and Slashdot for bringing it to my attention.

    After I had finished reading I thought I'd check my machine (It's multi-boot, I don't use Windows that much). To my horror, I found out that my Windows partition was infected by the SubSeven bot.

    So I kicked up my IRC client and connected to the IRC server that the bot was on. I entered the admin channel and just sat there. A little while later somebody messaged me. I explained that a hidden bot was connected to the server and asked how to remove it.

    I was pointed at: http://www.moosoft.com

    I downloaded the "Cleaner" application which did a fine job of finding the bot and removing it.

    I had a little chat with (I assume) the person controlling these bots. The person seemed to be quite helpful, which surprised me.

    From the IRC stats, there were over 900 infected machines connected.

    After removing the bot, I disconnected from the IRC server. I'm now considering what to do next. The IRC server was hosted by a company offering UNIX shells, and IRC server hosting.

    Do I just leave it at that, put it down to experience and move on. Or should I inform the hosting company, and possibly risk being DoSed myself? (I suspect that the person I talked to on the IRC server logged my IP, which is static)
  • Remember, this is the guy that came up with nano-probes (that we all laughed at and called marketing garbage) and writes ALL of his stuff in ASM because of course, that is soooo much better and more efficient than a compiler. *huh*?!

    http://slashdot.org/article.pl?sid=00/09/29/1549 21 4&mode=thread

    This article is entertaining, but not especially informative. He bitches about Windows 2000/XP including raw sockets capabilities and says he doesn't know why - wouldn't this be so that applications can do packet mangling? (firewalls, NAT, IP Aliasing, etc?)
  • by JordanH ( 75307 ) on Thursday May 31, 2001 @07:48AM (#187113) Homepage Journal
    • First he gets DDoS's by a bunch of script kiddies, then he gets....

      slashdotted.

    You mean, first he gets DDoS'd by a bunch of script kiddies using IRC bots, then he gets...

    DDoS'd by a bunch of script kiddies using web browsers.

  • If you want to use Microsoft's TCP/IP stack and a Winsock interface, building a spoofing DDOS is probably difficult. But that's the wrong way to do it, and a guy who writes assembler and reads RFCs should realize it. A good TCP/IP stack gives you good performance for two-way communications. Many DDOS programs don't need that, unless they're pretty sophisticated. They just need to build credible-looking packets and send them out the Ethernet or PPP driver, which is fundamentally Not That Hard. SYN-flood attack packets don't require you to read the ACK response - that's part of the point. Dumb UDP attacks don't need to either. Fancy attacks which react adaptively to the responses of the target program do need to read the responses, so they're tough to implement except by using the MS stack - things like attacking web servers using TCP/IP. But dumb flooding attacks don't care.

    Disc-lamer: I *am* making much of this up. I haven't tried to turn this into working code. Take it with several grains of salt. But the principles are pretty much correct.

  • One of the crackers that Bill Cheswick and Steve Bellovin caught trying to break into the AT&T Bell Labs firewall was a kid from the Netherlands. Apparently with Netherlandish law at the time, he wasn't doing anything illegal, so they did something more direct and effective to resolve the problem:

    "We called his Mom."
  • by JoeGee ( 85189 ) on Thursday May 31, 2001 @06:09PM (#187123)
    It was brilliant. :)

    A few years back I had a few kiddiez harrassing me on IRC. They were really "37337."

    I did a traceroute to them and noticed a router of some sort sitting right in front of them -- it just looked weird. I opened a telnet session and found myself at:

    zimmylan>

    A Cisco ISDN router, with no password set. :) I told them "I can wave my hand and make you go away."

    They replied "0h y4H, d0 1t."

    I rebooted their router.

    They thought I was God. :P
  • by JoeGee ( 85189 ) on Thursday May 31, 2001 @12:46PM (#187124)
    I thought Mr. Gibson's article was well-written. That having been said it is amusing to see kiddiez like "wicked" get their comeuppance by someone from the old school who can actually craft their own code.

    My favorite line was:
    So I downloaded a copy of the Internet RFC 1459 for Internet Relay Chat (IRC) Protocol and figured out how IRC works.
    Before you question Gibson's skill, or his "inside information" (as one poster suggested "he must have had the Windows source code") consider that this man downloaded and learned the RFC for IRC [irchelp.org]. That might seem alien to someone who relies on the work of others, or reading script FAQ's, but this fellow knows how to make proper use of the tools before him and relies on his own knowledge to craft solutions.

    He did not have any help from Microsoft. He knows his tools and he knows his craft. By his own words he's not a magician, he's a scientist.

    Be humbled kiddiez, for every dozen of you who "hax0rz" on IRC there's someone like Gibson who actually can hack and run circles around you. Notice that ^boss^ gave this guy respect?

    That's very wise. :)
  • ... that Cable Modem users need to learn about firewalls to stop themselves from being willing *participants* in a DDoS attack rather than being a victim?

    Phillip.
  • Although it is true that the Linux TCP stack will allow you to construct raw TCP packets, you can't do that without root privs. Windows basically has the same TCP implementation as an unprivileged UNIX login.

    That said, I do think it would be helpful if routers checked the return IP address to see if they have arrived over a valid channel as that would essentially eliminate spoofing.

    Remember when much of the internet backbone used to run routed?

  • > Is implementing the standard always A Good
    > Thing?"

    One can always find a situation, however esoteric, where doing it the "wrong" way seems advantageous. Just like there's always a situation where ignorance provides some benefit, but that doesn't mean that one should always choose ignorance as a matter of course.

    Standards are the same way. The one-in-a-million situation where a nonstandard approach provides an accidental benefit (this case for example) isn't really a good case for *always* implementing a non-standard approach.
  • Wouldn't work - the NIC address is only used on the local hop, and discarded (well, replaced) with the next pair.

    That MAC address is how the cards themselves talk to each other, while inside the ethernet packet is -another- set of addresses, which you would consider to be the "real" addresses - the TCP/IP source and destination.

  • The Windows XP beta actually includes a personal firewall, enabled by default, so it will probably be quite difficult to compromise out-of-the-box (which is how 99% of users use their systems).

    Just how long do you think it will be after XP ships before at least one huge hole is found in the default setup? And how much longer before updated bots start taking advantage of it?

    I give it two weeks, max.


    "That old saw about the early bird just goes to show that the worm should have stayed in bed."
  • by Shimbo ( 100005 ) on Thursday May 31, 2001 @07:06AM (#187134)
    All it takes is one competent programmer in the cracker community or elsewhere to write a modified TCP stack for Windoze which can spoof the source IP and all the zombies can bring it with them.

    Indeed. You don't even need to do the hard work of building a full stack if you are just going to SYN flood or similar. You just need a packet driver and some IP smarts.

  • I wonder if, now that Gibson knows the bot code operation, he could execute a command to have all the machines "clean" themselves of the bot code and possibly harden them vs. future infections.

    with the techniques he employed, it seems quite possible to create an anti-zombie "team" to go out and defuse ddos nets. I'd probably even pay a team to do just that, if I was losing real dollars to a ddos.

  • by Svenne ( 117693 ) on Thursday May 31, 2001 @05:37AM (#187154) Homepage
    Here! [comatosehitmen.com]

    /Svennis


    ---
  • The sad part about Gibson's tale is that he didn't do nearly as much as you did. Granted, he wasn't an IRC admin, and they were using a private server, but he made no attempt to remove these bots, or enable others to. Rather, he went into the hacker's channel and basically bragged about what he'd done, told them everything, and told us nothing about how to remedy it. Reading the chat log, it's clear that "^boss^" wasn't prodding Gibson for any information -- in fact he didn't know Gibson was there until Gibson started volunteering it.

    --
  • This attack was so effective because it involved hundreds of Windows hosts which were easily infected. Eggdrops (though there is a version for Windows) run on *nix servers, like you said, which are slightly harder to infect with a trojan. So eggdrop bots used for DDoS are much less common as it's harder to get the large numbers (and the bandwidth) to pull off a DDoS attack.

    But, eggdrops are very frequently used on IRC for channel services (as mentioned earlier), and even in massive bot nets. However, these exist for redundancy rather than attack. On a netsplit-prone network that has no services (namely EFnet), bots are absolutely essential to maintain any public channel, and the more the better. And of course, eggdrops are preferably hosted on good connections, as they themselves are frequently targets of attacks.

    --
  • Cable Modem users need to learn about firewalls

    Firewalls don't help against valid traffic flood attacks. In a VTF DOS (such as a ping flood, port 80 SYN flood, or Slashdot effect), RFC-conforming packets (not mal-formed packets as in ping of death) disguised as legitimate requests are sent to the target; so many packets are sent that the pipe fills up and the server has trouble fielding requests. Such attacks take advantage of the client-server nature of the commercial Internet as we know it at the turn of the century by using lots and lots of underpowered connections (56K, ISDN, low-end DSL) to take down fat pipes (high-end DSL or cable, T1, even T3).

    Floods MUST be blocked upstream.
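Detection logic for the "valid traffic flood" the comment above describes, added here as an example that is not part of the original thread. Dropping the packets at the host does not free the pipe, as the poster says; what a host can still do is tell the difference between a crowd of real clients, who complete the handshake, and a SYN flood, which leaves connections half open, and hand the upstream provider the target, port and source list it needs to filter. The log format and all addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed inbound packet log as seen at the target's edge (example data,
# not from the page). Fields: "<seconds> <src> <dst> <dport> <flags>",
# flags S = SYN (connection request), A = ACK (third handshake packet).
SAMPLE_LOG = """\
1000.000 198.51.100.7 203.0.113.10 80 S
1000.004 198.51.100.7 203.0.113.10 80 A
1000.100 10.0.0.1 203.0.113.10 80 S
1000.101 10.0.0.2 203.0.113.10 80 S
1000.102 10.0.0.3 203.0.113.10 80 S
1000.103 10.0.0.4 203.0.113.10 80 S
1000.104 10.0.0.5 203.0.113.10 80 S
1000.105 10.0.0.6 203.0.113.10 80 S
1000.500 192.0.2.9 203.0.113.10 80 S
1000.503 192.0.2.9 203.0.113.10 80 A
1002.000 192.0.2.20 203.0.113.11 25 S
1002.003 192.0.2.20 203.0.113.11 25 A
"""


def parse_log(text):
    """Turn the constructed log into (ts, src, dst, dport, flags) tuples."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        packets.append((float(ts), src, dst, int(dport), flags))
    return packets


def half_open_sources(packets):
    """Map (dst, dport) -> set of sources whose SYN was never followed by an ACK
    from the same source. Real clients (even a Slashdot-sized crowd of them)
    complete the handshake; a SYN flood, spoofed or not, leaves them half open."""
    syn_seen = set()
    acked = set()
    for ts, src, dst, dport, flags in packets:
        key = (src, dst, dport)
        if "S" in flags:
            syn_seen.add(key)
        elif "A" in flags and key in syn_seen:
            acked.add(key)
    result = defaultdict(set)
    for src, dst, dport in syn_seen - acked:
        result[(dst, dport)].add(src)
    return dict(result)


def flagged_targets(packets, min_sources=5):
    """(dst, dport) pairs with at least min_sources distinct half-open sources,
    with the sources listed so they can be handed to the upstream provider."""
    return {target: sorted(srcs)
            for target, srcs in half_open_sources(packets).items()
            if len(srcs) >= min_sources}
```

If the flood is spoofed, the source list is noise for blocking purposes, but the target address and port are still exactly what the upstream needs for a temporary filter; a flood of completed connections (the Slashdot effect, or a bot net that does open full connections) never shows up here and has to be handled as a capacity problem.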

  • by R.Caley ( 126968 ) on Thursday May 31, 2001 @04:48AM (#187163)
    I'm surprised he didn't write his entire note in assembly language.
    _O_
  • Forging the IP address of an attacking machine (spoofing) is such a trivial thing to do under any of the various UNIX-like operating systems, and it is so effective in hiding the attacking machines, that no hacker would pass up the opportunity if it were available.

    When would a hacker use a DOS attack in the first place..
  • Following a recent spate of DDoS attacks on his grc.com (home of Shields UP!), Steve Gibson investigated, finding a website run by open source hackers (Note from C.T: crackers) called "News for nerds, stuff that matters" where people post website that are to be DOSed.

    Nicknamed the "slashdot effect", it has already brought down countless web servers in the past.
  • From reading the article, it looks like the attack did use up all of the downstream bandwidth on his two T1s, so I assume the graph was of upstream bandwidth.
  • Bot net is nothing new. I have had access to and have seen this army of compromised irc bots, it is called Bot Net. It has been around for years, used mainly for disconnecting enemy script kiddies to take over their channels back in the days. It is downright amazing the power of these bots. A good network of them would eliminate your average target in just seconds. One command is all it takes to have thousands of separate network connections from all over the world ping flood the address with huge packets. Therefore, it is also virtually impossible to trace.
  • On my (cable) ISP, when a connection is first made, the cable modem checks the NIC address of the network card. If it's not registered by the ISP, I can't connect, so spoofing that would be pretty difficult (unless I happened to guess somebody else's).

    So in theory, even spoofed packets could be traced back to my machine by my ISP (assuming the NIC address is slapped onto every packet sent by my machine).

    Would it be possible to use some system like this to prevent spoofing (at least from always-on connections) - assuming the ISP's would agree to check ddos packets against NIC addresses ?

  • The home user should be taught basic computer safety and security, IMO. However, vendors don't want to scare their customers, so real security is next to impossible to attain....

    That could change quite dramatically if a few ISPs actually started to make their users aware of security and provide them with help (both helpdesk and software like ZoneAlarm). It happened to cars, for example. Manufacturers knew you were in big trouble when you crashed a car, but no one thought of telling the public, because it might scare them away from their cars. Look what the situation is nowadays: results from crash-tests (such as Euro NCAP [euroncap.com]) are heavily used in commercials for cars. The more security measures a car features, the better the public likes the car. Security sells!

    So why wouldn't this be true for ISPs? Suppose I'm someone who wants to get a cable modem because I want to surf a lot and maybe run some other stuff. Not an advanced user, just John Doe who likes having a permanent and fast connection (and I think that's the larger part of cable modem users all over the world). Now two of my friends have normal providers who keep their mouths shut about whatever might concern security and two others have a decent ISP, that explains about what might happen and how to avoid it. Sure, the first two guys will probably have less "strange messages" to worry about, but I think I'd sleep a lot better if I knew that my connection had at least some sort of protection against the threats my other two friends don't even know exist.

    And I think it would be better for ISPs themselves. After all, if their users have some basic knowledge of security and check their configuration every now and then, the ISP will not get involved in this kind of stories as often. Better for their name and the chance of probable claims from victims.

    Again I want to point to a story from car history: the Ford Pinto [mojones.com]. This car had the petrol tank behind the rear wheels. It proved that this was catastrophic when another car crashed into your back: the tank would burst and the petrol would instantly turn to fire because it was in immediate contact with the hot engine of the car that crashed into it. Ford didn't change it, because at that time security didn't sell. When it turned out that Ford had known that this car was dangerous and hadn't done anything to change it (because it was cheaper to pay a few claims than to change the design of the car), they got the public opinion against them.

    I think the same goes for ISPs: security does sell, it's just that the general public needs to be made aware of it. I'm sure a lot of @Home users aren't too pleased to hear that they've been abused for criminal activities, while their ISP knew that but didn't act. So let's spread the word: using the Internet can be dangerous, just as driving a car can be dangerous. Don't be defenseless, do something about it!

  • For those of you who know of or have read any of Steve Gibson's web site, this is hilarious. Thanks for the hearty belly chuckle!

    -----------------
  • None of which will be pleasing to the MS loyalists

    Why would they care? Guess what - when an OS has 95%+ of the market or whatever the figure is (that sounds high), you have a statistically higher chance of being hit. Besides, I'll bet you that Linux would do just as poorly in the hands of the same people who had their machines zombified - how many people are capable of properly securing their machine? And how many people do you think would have been running an old, out of date copy of the OS anyway?

    In fact, what he's saying is that by making Win2000 more like UNIX that Microsoft is making the entire Internet less secure. And in this case (making spoofing packets easier), I believe him.

  • Unfortunately, the local cable company turns on MS file sharing for "support purposes" on all new installs,

    How I wish you were kidding. As much as I dislike AT&T (roadrunner/mediaone), at least they filter the ms file sharing ports...

    -bluebomber

  • H4H4! th3y hax0r3d th3 G1bs0n!

    --

  • by NevDull ( 170554 ) on Thursday May 31, 2001 @09:52PM (#187192) Homepage Journal
    Nah. Have the bots DDOS the IRC server. :)
  • by Alien54 ( 180860 ) on Thursday May 31, 2001 @04:52AM (#187195) Journal
    I have found that while Steve Gibson has had a taste for a melodramatic writing style, that the technical detail in his writing is fairly solid and is certainly above average. So with that grain of salt the article is worth looking at:

    Fortunately -- the attacking machines were all security-compromised Windows-based PC's. In a fluke of laziness (or good judgement?) that has saved the Internet from untold levels of disaster, Microsoft's engineers never fully implemented the complete "Unix Sockets" specification in any of the previous versions of Windows. (Windows 2000 has it.) As a consequence, Windows machines (compared to Unix machines) are blessedly limited in their ability to generate deliberately invalid Internet packets.

    It is impossible for an application running under any version of Windows 3.x/95/98/ME or NT to "spoof" its source IP or generate malicious TCP packets such as SYN or ACK floods.

    As a result, Internet security experts know that non-spoofing Internet attacks are almost certainly being generated by Windows-based PC's. Forging the IP address of an attacking machine (spoofing) is such a trivial thing to do under any of the various UNIX-like operating systems, and it is so effective in hiding the attacking machines, that no hacker would pass up the opportunity if it were available

    This has horribly changed for the worse with the release of Windows 2000 and the pending release of Windows XP. For no good reason whatsoever, Microsoft has equipped Windows 2000 and XP with the ability FOR ANY APPLICATION to generate incredibly malicious Internet traffic, including spoofed source IP's and SYN-flooding full scale Denial of Service (DoS) attacks!

    So we are left with the vision of Loads of potentially insecure Windows boxes - open to the world - being used for more DDOS attacks.

    None of which will be pleasing to the MS loyalists

    thank you microsoft. This last point is kinda important:

    I hope it is becoming clear to everyone reading this, that we can not have a stable Internet economy while 13 year-old children are free to deny arbitrary Internet services with impunity.

    and we wonder about the future of the internet.

    Check out the Vinny the Vampire [eplugz.com] comic strip

  • Hey! I! don't! use! too! many! exclamation! points! I! am! not! Yahoo! you! know!

    ;-)

  • by darkith ( 183433 ) on Thursday May 31, 2001 @06:38AM (#187198)
    He did talk to the FBI, they required proof of >$5000 damage, plus they would prioritize based on damage, and were extremely busy. Hence, not a snowball's chance in hell of prosecuting.
  • Lol
    But knowing steve he probably handcoded his web server in assembly and its only 28k in size..

    --
  • by dfenstrate ( 202098 ) <dfenstrate AT gmail DOT com> on Thursday May 31, 2001 @04:43AM (#187213)
    First he gets DDoS's by a bunch of script kiddies, then he gets....

    slashdotted.

    damned if you do, damned if you don't.

  • by Cerlyn ( 202990 ) on Thursday May 31, 2001 @05:22AM (#187215)

    Quoting today's popular quote:

    "I hope it is becoming clear to everyone reading this, that we can not have a stable Internet economy while 13 year-old children are free to deny arbitrary Internet services with impunity."

    While this is true, anyone who goes online should not set their system up like a 13 year old might either.

    In other words: Don't leave your door open if you do not wish to be victimized. Unfortunately, the local cable company turns on MS file sharing for "support purposes" on all new installs, so one can see how easy it was for this person to gain control of so many systems.

  • by wmulvihillDxR ( 212915 ) on Thursday May 31, 2001 @05:32AM (#187222) Homepage Journal
    I think the funniest part of the article for me is that he infects one of his machines with a Zombie, then tries different personal firewalls to see whether they catch it. ZoneAlarm works well, but BlackICE defender doesn't do anything to help. Then he says:

    To anyone who is still stubborn enough to insist that BlackICE Defender is actually good for something: PLEASE do not write to me. I don't want to hear it. I'm a scientist who will not find your mystic beliefs to be compelling. I respect your right to your own opinions, no matter how blatantly they fly in the face of logic and reality. That is, after all, the nature of faith. Happy computing. I suggest prayer.

    I love that last part, "I suggest prayer."
  • No intervention would be necessary if the users themselves would wake the hell up and manage their computers properly

    Come on now. We both know that this is NOT going to happen. Ever helped your mom or your neighbor or some other clueless individual with a Windows PC? Most of the people I talk to can barely figure out what an icon is much less understand at all how to secure their system. It sucks, but that's the reality. Computers are commodity, like VCRs and CD players. At this point, they're no different. That's the sad truth.

    -S

  • by ChungoNZ ( 224781 ) on Thursday May 31, 2001 @04:50AM (#187229)
    "Surprisingly, the thing which saved him is Win 9x's non-standard implementation of Sockets"

    - Wasn't it the crappy security in windows that allowed the DOS attack to occur in the first place?
  • I could not help noticing that nearly 1/4 of the attacking machines were on @home. I recently set up a Linux gateway connecting to @home from a personal network with a rather extensive ipchains based firewall ruleset (complete with logging).

    Within the first 14 hours I had witnessed 7 attacks-- three people from outside @home had attacked port 20 (ftp), one had attacked port 515 (lpd, known security problem), two were subseven trojan backdoor scans, and one was a netbus backdoor scan. All in all, over 100 packets were logged at that time, though most turned out to be benign (myself forgetting that I had blocked all pop3 access to the server, for example, and then trying to use a very restricted account to receive system email remotely as well as dhcp broadcast traffic-- the rules are being updated to avoid confusion).

    The home user should be taught basic computer safety and security, IMO. However, vendors don't want to scare their customers, so real security is next to impossible to attain....
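A triage pass over firewall log lines of the kind the comment above describes, added here as an example that is not the poster's own ruleset or log. The log lines are constructed in the iptables/ipchains kernel LOG style; the admin's own remote address, the trojan default ports (SubSeven on 27374, NetBus on 12345) and the label wording are assumptions for the example. The point it makes is the one the poster ran into: sort out your own blocked traffic and DHCP chatter first, or the backdoor scans hide in a pile of false positives.

```python
import re
from collections import Counter, defaultdict

# Ports named in the comment above, plus the two trojans' default listeners.
# Assumption for this example: SubSeven listens on 27374 and NetBus on 12345
# in their default configurations.
PORT_LABELS = {
    20: "ftp-data", 21: "ftp", 110: "pop3", 515: "lpd",
    12345: "NetBus backdoor probe", 27374: "SubSeven backdoor probe",
}
BACKDOOR_PORTS = {12345, 27374}

# Assumption: the admin's own remote address, whose blocked pop3 attempts the
# comment describes as a self-inflicted false positive.
TRUSTED_SOURCES = {"192.0.2.77"}

# Constructed iptables/ipchains-style kernel log lines (example data, not the poster's).
SAMPLE_LOG = """\
May 31 03:12:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=24.0.0.17 LEN=48 PROTO=TCP SPT=3431 DPT=20 SYN
May 31 03:40:44 gw kernel: IN=eth0 OUT= SRC=203.0.113.8 DST=24.0.0.17 LEN=48 PROTO=TCP SPT=1099 DPT=515 SYN
May 31 04:02:10 gw kernel: IN=eth0 OUT= SRC=24.0.3.55 DST=24.0.0.17 LEN=48 PROTO=TCP SPT=2048 DPT=27374 SYN
May 31 04:02:11 gw kernel: IN=eth0 OUT= SRC=24.0.3.55 DST=24.0.0.17 LEN=48 PROTO=TCP SPT=2049 DPT=12345 SYN
May 31 05:15:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=24.0.0.17 LEN=48 PROTO=TCP SPT=4401 DPT=110 SYN
May 31 05:16:30 gw kernel: IN=eth0 OUT= SRC=24.0.0.1 DST=255.255.255.255 LEN=328 PROTO=UDP SPT=67 DPT=68
May 31 05:20:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=24.0.0.17 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""


def field(line, name, conv=str):
    """Pull one KEY=value field out of a kernel log line; None if absent."""
    m = re.search(r"\b%s=(\S+)" % name, line)
    return conv(m.group(1)) if m else None


def parse_line(line):
    """Extract the addressing fields; returns None for lines without SRC=."""
    src = field(line, "SRC")
    if src is None:
        return None
    return {
        "src": src,
        "dst": field(line, "DST"),
        "proto": field(line, "PROTO"),
        "spt": field(line, "SPT", int),   # None for ICMP
        "dpt": field(line, "DPT", int),   # None for ICMP
    }


def classify(rec):
    """Label a record; trusted sources and DHCP chatter are checked first so
    they do not masquerade as probes."""
    if rec["src"] in TRUSTED_SOURCES:
        return "own traffic (rule too strict)"
    if rec["proto"] == "UDP" and rec["spt"] == 67 and rec["dpt"] == 68:
        return "dhcp broadcast (benign)"
    if rec["dpt"] in BACKDOOR_PORTS:
        return PORT_LABELS[rec["dpt"]]
    if rec["dpt"] in PORT_LABELS:
        return "service probe (%s)" % PORT_LABELS[rec["dpt"]]
    return "unclassified %s" % rec["proto"]


def summarize(text):
    """Return (count per label, set of destination ports seen per source).
    A source hitting several ports in quick succession is a sweep, not a stray."""
    by_label = Counter()
    ports_by_src = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_label[classify(rec)] += 1
        if rec["dpt"] is not None:
            ports_by_src[rec["src"]].add(rec["dpt"])
    return by_label, dict(ports_by_src)
```

The per-source port set is the part worth watching over time: one host probing both trojan ports within a second, as 24.0.3.55 does in the sample, is exactly the bot-recruiting scan that fills an @home neighbourhood with zombies.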

  • I found myself almost reading his account like reading Cryptonomicon. It was very interesting for me to read how he built bots for IRC and collected four days of data on the ^BOss^ person and all their activities. I bet they probably crapped their pants when he popped in and started talking to them and said what he'd been doing. I loved how ^Boss^ was very quick to point out that he didn't do it and wouldn't do it in the future. Ducking and covering there. All in all a great read. I highly recommend you spending the time to do so. Almost like reading a fiction novel.
  • by plcurechax ( 247883 ) on Thursday May 31, 2001 @04:57AM (#187237) Homepage
    It is nice to see someone take the time to dissect a DDoS attack.

    In a previous life I was the green (read: my first month on the job) sysadmin who had a unix machine trojan'ed to become a zombie for a DDoS attack. It saturated our measly internet connection and proved how useless our security (policy) guy was.

    I didn't have time to look into it at the time, busy fixing that and a dozen other problems. So I was enlightened to know more about what had happened.

    There is a lot of accessible security information at SANS [sans.org], though they get annoying at times by trying to sell their conferences and courses; which I understand are worth going to.

  • That's not nearly as bad as being forwarded "email virus" warning messages from a user 3 weeks after the virus was discovered and AV apps were updated. It's even worse when you've sent out two warning broadcasts by email about that same virus. And shit like that happens all the time...
  • by ocbwilg ( 259828 ) on Thursday May 31, 2001 @05:57AM (#187243)
    I wondered what had happened. I saw this on The Register this morning and was reading through the article at grc.com and the page never finished loading! I thought...hmmm...could he possibly be getting DDoS'd again for posting the story?

    Then I find out that it's just you guys...
  • by ocbwilg ( 259828 ) on Thursday May 31, 2001 @06:29AM (#187244)
    Windows is the target of choice because there are large numbers of clueless people with good connectivity running Windows.

    However the clue level among random Linux users is not great, and Linux has implemented the full protocol all along. If the same people were all using Red Hat, that would be just as bad as everyone using Windows XP.


    You're right. But unfortunately it's going to be WinXP that becomes the OS of choice for the clueless users, not RedHat (or some other distro). And while we can try like mad to educate the users, it's not going to happen. Clueless users will always outnumber clueful users. Look at how many people still can't program a VCR, and they've been in homes since the early 80's!

    Sometimes you just have to give up on teaching kids not to cut their hands off and start handing out safety scissors again. MS has been very keen on trying to control and limit the use of WinXP by endusers for only MS-approved purposes. This should just be one more safety feature that they implement to protect the users from their own ignorance.

    On the other hand, the TCP/IP stack in Win2K is just awesome fast compared to the Win9x flavors...it sure was nice to have if you had to have Windows.
  • by ocbwilg ( 259828 ) on Thursday May 31, 2001 @06:16AM (#187245)
    I have found that while Steve Gibson has had a taste for a melodramatic writing style, that the technical detail in his writing is fairly solid and is certainly above average. So with that grain of salt the article is worth looking at:

    But the thing that I find great about Steve Gibson is that he writes things in a compelling storylike format and in plain english that even the clueless could understand. We techie types already know most of what he had to say in this article to begin with. It's the non-techies who need to read this stuff and learn how to protect themselves, and I think that he does an excellent job at targeting areas of his site to that particular audience.
  • ddos is not a weakness of tcpip, it is an unfortunate consequence of the fact that bandwidth is not infinite. You can ddos an ipx server if you particularly want to.


    A crash reduces
    Your expensive computer
  • by Zeinfeld ( 263942 ) on Thursday May 31, 2001 @08:58AM (#187248) Homepage
    Before going into flame mode folk might like to consider that Windows-XP also includes a firewall/glorified packet filter and that the change probably reflects a transfer of functionality out of the stack and into a separate module.

    The folk who are flailing around condemning 'incomplete sockets implementation' should consider that the IETF never endorsed BSD sockets as a standard. The ability to forge packets is arguably a fault in the BSD sockets spec and Microsoft was arguably correct in implementing checks on the IP source packets it will generate.

    Slashdotters who posted MSFT flames could do to repeat 100 times 'the UNIX way is not always the right way'.

    In days of yore we VMS folk used to flame UNIX precisely because this sloppy type of programming was pervasive.

    It would be interesting to know what facilities the firewall in Windows-XP provides for filtering and monitoring forged packets. It would also be interesting to know how difficult it is to disable the firewall.

    As one poster has pointed out however the fact that most cable hookups tend to have source address checking probably saves the day. Also the fact that many home users have NAT boxes to share their cable connection around the house probably provides some protection.

  • First off, mirror here [initialized.org]. It took me a while to get this one, his server is dead slow today.

    My servers can't be easily DoSed off the Internet, as I have a (fairly) secure ISP. They know how to administer their routers and have professionals on the job. Does Steve's ISP have professionals on the job? Apparently not.

    He has something technically wrong, too. He is always bragging about how he can ignore "ICMP packets completely," but unfortunately, that's kind of impossible. For you to ignore those packets of data, they have to reach your machine. Therefore, you've used the incoming bandwidth anyway. It's still just as effective.

    I noticed that he ignored them using the ISP router, which is indeed possible. That way, he's right, he isn't DDoSed. But he's been talking about how he always ignores him at his machine! Blah.

    Cat and mouse "guess the IP?" Was he changing his IP address? He might as well have left it to be DDoSed, as nobody's DNS records would have been refreshing fast enough to be able to easily access the site.

    He's right though, the Internet wasn't designed to scale like this. It is, in fact, getting to the point where almost anyone could disable any site, large or small.

  • Steve may be a bit alarmist in his writing style, but he does make good technical and social points.

    1. He was getting a really easy to filter DDoS attack. Quickly remedied once he got a hold of a technician.
    2. Would have been remedied much faster had the 'big guys' like Earthlink and Verio responded to him in a more timely manner. That's just a customer service problem.

    So really, he's trying to make the point that the little guys of the world will get really screwed if they try to fix problems like this because there are bigger and better customers for the technicians and government officials to deal with.

    So until you've lost hundreds of thousands of dollars, at least, you can expect to basically have to handle it on your own when your small business gets DDoS'd.

  • mail them, definitely, do it anonymously if you want via webmail, there are enough free email places around.

    I'd want to know if anyone was using my network for anything DoS related and I'm sure any shellhosting company would act if they knew their systems were involved, if not mail their upstream provider and get them to deal with it.

    All it will probably result in is the server being moved elsewhere but imo if they allow the hosting to continue they are being negligent, and possibly making themselves partially liable for any DoS attacks started from that server. Not sure how this would stand up in court.
