ISP Forced Out of Business by DoS
flyhmstr writes "According to a report on ISPReview Cloud Nine have been forced off line and out of business thanks to the actions of crackers deciding to go play with some DoS tools." It's only getting worse. The kids are getting more and more aggressive as time goes on and it gets easier and easier to launch a large scale DoS. As any techie knows, fixing the problem is far easier said than done... but as a frequent recipient of the sharp end of the DoS stick, I sure wish it wasn't an issue.
whoops (Score:5, Funny)
Re:whoops (Score:3, Informative)
Re:whoops (Score:4, Insightful)
which side of the law is our community on? (Score:2, Flamebait)
The tough part of this issue is that it begs the question (from the general population's viewpoint): "Which side of the law are we (slashdot community) on?" The unwashed masses out there see both of these as the same thing...
Re:which side of the law is our community on? (Score:5, Insightful)
Re:which side of the law is our community on? (Score:5, Insightful)
To reiterate and expand:
The DoS-ers are causing material and practical harm to the equipment of others.
The LiVid guys etc. are doing something useful and practical with something that they own.
The two situations are _diametrically opposed_.
FP.
(I don't mind being redundant if it helps some people get the point!)
Re:which side of the law is our community on? (Score:4, Insightful)
The unwashed masses out there see both of these as the same thing...
That is the problem. I always try to explain it this way: There are good doctors, and there are bad doctors. There are good lawyers, and there are bad lawyers. There are good cops, and there are bad cops. (etc.) And there are good hackers, and bad hackers.
Re:which side of the law is our community on? (Score:3, Insightful)
The 'slashdot community' is against unfair laws, but in favour of good laws.
destroying something without a good reason is just wrong.
Re:which side of the law is our community on? (Score:5, Insightful)
It's pretty easy to tell good laws from bad ones, using objective standards:
Good laws protect individual freedoms and provide a level playing field for everyone.
Bad laws destroy liberty and favor special interests over the good of the whole.
Re:which side of the law is our community on? (Score:5, Troll)
Writing a DoS tool is not a crime. Using it on someone else is. What's so hard to understand?
Re:which side of the law is our community on? (Score:4, Funny)
Programs don't kill servers, malformed packets kill servers.
Re:which side of the law is our community on? (Score:3, Insightful)
I agree. In support of that viewpoint, I would give the following example counter argument.
Guns are bad. Nuclear weapons are bad. Let's remove them both from the military. Studying how these things are built and used is not a worthwhile endeavor. Since we don't believe in attacking someone for no reason, we don't need any weapons. We also don't need to study how offensive weapons might be used against us. Therefore there is no reason for their existence. Let's just pass a WMCA (Weapons Millennium Contraband Act) law and outlaw anyone even thinking about how weapons work or how reinforcements might be vulnerable to weapons.
(Disclaimer: I don't own anything which was designed to be used as a weapon; lest someone pigeonhole me into a certain group.)
Re:which side of the law is our community on? (Score:4, Informative)
Doctors study illness not to cause it, but to cure it.
I know that politicians, when dealing with computer technology, like to follow your facetious argument. The problem is that the general public has a hard time realizing programs are more like a leatherman multitool (wide purpose) and less like an EEG machine (one purpose). I've used Word to doodle, or play games (it's quite fun mangling the program using VBScript). Is it a crime for me to do so? After all, the same skills have been used to write virii or munge the security of a LAN.
I understand the twin concepts of responsibility and accountability: those are what keep me from considering any hacking. I've almost always known how to break security on any computer system I used; those two ethical precepts kept me from actually doing it (despite often strong temptation to the contrary). And if they were taught in public schools - and made to stick - script kiddies probably would be manageable.
This is not to absolve network admins of their responsibility (to have a good firewall, practice proper security, etc). I just think that maybe we need to consider the possibility that where the slashdot community stands isn't pro or con, but a sensible and logical medium.
Re:which side of the law is our community on? (Score:5, Interesting)
Of course there is: to test the robustness of a piece of equipment against such attacks.
There are ways to deal with DDOS attacks, but, unfortunately, they require the cooperation of most parties involved in the aggregation of "hostile" traffic toward a given target. It does no good for the target to simply drop "hostile" packets, because upstream "friendly" traffic might still get congested. The upstream routers need to be told to stop forwarding the "hostile" traffic.
And this raises two problems: 1) How do you deploy the software to an existing router infrastructure to allow this back-propagation of "stop forwarding hostile traffic to me" messages. 2) How do you identify traffic as "hostile"?
There are techniques for guessing what traffic is actually hostile, based on packet signatures (often the source address is spoofed, the attack is distributed, or otherwise useless), without dropping too much friendly traffic. It is better, though, to lose some friendly traffic, rather than all of it -- failing gracefully, as it were.
But retrofitting a standard DDOS defense will prove to be difficult, given the diversity of players involved (and this is one area where IP carrier consolidation would be a good rather than a bad thing) -- just look at the difficulty in bootstrapping IPv6 in the network.
Re:which side of the law is our community on? (Score:3, Interesting)
You are on that side, but not everyone is. I've seen stories about companies that Slashdot criticizes fill up with comments along the lines of "I'm DoS'ing them now, and here's the script I'm using." Never heard a word of protest about this from the Slashdot editors before.
Re:which side of the law is our community on? (Score:3)
Please post a link to one of these posts.
Re:which side of the law is our community on? (Score:3, Funny)
This is true, if you know your boundaries. You would get an "illegal operation" message if you tried to access more than 640K of memory.
Re:which side of the law is our community on? (Score:3, Insightful)
Likewise, no a cracker probably wouldn't write a cracking tool/DoS tool/whatever unless they were intending for it to be used, but I might. Maybe I want to see what's involved, maybe I want to gain some sort of insight into how they're developed and how they work, the better to secure my own system(s). Hell, maybe I just have some time to kill, and can't think of anything better to do with it.
Knowledge should not be illegal. The use of that knowledge to the detriment of others is an entirely different matter, and should not be confused with the mere possession of that knowledge.
Cheers,
Tim
Re:which side of the law is our community on? (Score:3, Interesting)
What happens in the business world with the DMCA, they would arrest whoever pointed out that DDoSing was a possibility. Just the opposite of the solution.
Besides, it's a trivial fix... The only problem is that nobody takes the initiative.
Re:which side of the law is our community on? (Score:2, Insightful)
Can't speak for the rest of the slashdotters, but I don't want them to be prosecuted... I want the insecurity to be repaired, which is what we've always wanted.
Taking this to an absurdly inappropriate analogy: If some pranksters firebombed an old age home killing all inside, is the solution to call for old age homes to be built with fireproof walls and armed guards out front? Where does the responsibility of the criminal end and the responsibility of the victim begin?
Re:which side of the law is our community on? (Score:3, Insightful)
Technically trivial, perhaps. Administratively, it is extremely non-trivial, and that's just as big a factor. Please get off the "If I can do it in my home network of three machines, it must be just as easy to do for the whole internet" horse.
Re:which side of the law is our community on? (Score:2)
The one wrong (ISPs with bad security) doesn't mitigate the other (socially stunted little idiots making other people suffer for kicks).
It seems to me that you are making exactly the same argument used by firearm opponents - who blame Colt, Smith&Wesson, et al. for violent crime, neglecting to blame the criminals for their part.
Re:which side of the law is our community on? (Score:2, Insightful)
Ethics (Score:5, Interesting)
It has nothing to do with hackers, crackers, RIAAs, MPAAs or the color green - it has all to do with freedom of information:
- I support freedom of information, and by extension those that help make information free.
- I'm against restriction of information (any kind of information - bad, good, useful or useless). Naturally I am by extension against those that try to constrain that freedom.
- Which side of the law am I on?
Neither side. My ethics are independent of the law.
Going back to this specific case, I'm against whoever did the DDoS attacks because they went against other people's freedom to give and receive information.
Re:Ethics (Score:3, Insightful)
We're in the grey area. (Score:5, Insightful)
This is not a black and white issue. A DoS attack is both illegal and immoral, as what you are doing hurts a large group of people. Exposing bad security in e-book files will help people in the long run. (Although it will help the copyright holders and not us
As for the general population, it depends entirely on what the media reports. They can report that "hackers" have cracked a protection scheme, or they can report that a digital protection scheme was proven inadequate. Both are technically true, but each favors one group as the good guy. Unfortunately, since news is an entertainment forum, the first is more likely to be reported.
Until the general population is tech savvy enough to understand these issues, the media will have complete control over their opinions.
Cheers,
Phathead
Re:which side of the law is our community on? (Score:4, Insightful)
Compare this to stuff like DeCSS, Felten's work on SDMI and the rest. Showing why something doesn't work or getting additional functionality out of a product just isn't the same as maliciously depriving a business of the resources it requires to survive.
It isn't hard to explain but what is hard is getting the message out when Disney and the like are spouting their propaganda at 11 and with the simple fact that this isn't a bullet issue for the proverbial Joe Average.
DoS and Spam (Score:2, Interesting)
Judge Lynch never sleeps.
Re:DoS and Spam (Score:2)
A skript kiddy is pretty safe, as are spammers. It's hard to prosecute, difficult to gather evidence (a compromised machine is fundamentally 'contaminated' evidence, an uncompromised machine hasn't been hacked and therefore is rarely worth prosecuting). Computer forensics have been around for a while, but the kiddiez are protected by 2 things.
Corporate inertia - the cost of admitting a break in and the damage it does to the share price is often more than any damage an intruder can do.
Sheer numbers. There's an awful lot of idiots with net connections, who think it's l33t to DoS, skript etc. Computer literacy isn't always a good thing.
Re:DoS and Spam (Score:3, Insightful)
Depends, if a spammer is trying to sell a real product they should be perfectly possible to track down.
I wonder why? (Score:5, Interesting)
Re:I wonder why? (Score:2, Insightful)
Because they can.
Sad, but true - that is the long and short of it. DoS attacks are modern vandalism.
Re:I wonder why? (Score:5, Insightful)
This just seems to be part of human nature; I haven't seen much change in the percentage of people who behave this way since my childhood (1960's) anyway. The problem is that the world today is so interconnected, and also dependent on technologies whose webs of interconnection are more fragile than we like to think, that the 2/1000 with the desire to damage can do a lot more damage to a lot more people than ever before.
I am a bit discouraged myself about whether or not this can be stopped on the Internet, personally.
sPh
Re:I wonder why? (Score:2, Insightful)
Re:I wonder why? (Score:3, Interesting)
There are two main possible solutions. The legislative and the technical. I would really prefer that a technical solution were created, though I don't know what form it would take. It would need to avoid any centralized control point. And it would need to be low overhead.
Unfortunately, any real answer would probably involve a redesign of the TCP/IP protocols. And even then
All I can come up with is using one port to receive non-session messages, and only echoing back session cookies to valid addresses. On a second port only accepting messages with a valid session cookie in the header. This would aid in dropping bad messages quickly, but doesn't do much else for a DDOS.
Re:I wonder why? (Score:3, Insightful)
But this isn't throwing a rock and spraypainting. That's more like trolling Slashdot. This is setting the building on fire. The difference between what these kids do and an arsonist is the FBI actually cares about arson.
Re:I wonder why? (Score:3, Interesting)
sPh
Re:I wonder why? (Score:5, Interesting)
In real life, you can't just take something from someone else, unless you're much bigger than them. When you're online, you just need to have the ability to access a lot of bandwidth. So, if someone has a channel on IRC that I want, I DoS the server, split it and take the channel. Now, supposedly this doesn't happen as much these days, but it used to happen fairly often back in the day.
There's also online cliques, who for lack of better explanation seem to act as online gangs. Loose groups of friends who associate, talk, and dislike the same people. Thus, much like real life gangs, if one gets ticked off at another, they get their friends to make their life hellish for the opposing party. I wouldn't be surprised if they DoS'd a dialup user just in an attempt to knock him offline and went a little overboard. Or were trying to DoS an IRC bot. Or even a webpage.
Of course, I really have no idea what caused this incident. This is mostly just speculation. But I'm fairly certain at least one script kiddie has had similar motives in mind during his mischief. Kids will be kids, and that involves doing stupid stuff that they don't understand the consequences of. That doesn't mean we should string them up, but it does mean we should make efforts to make it more difficult for them to do damage.
Re:I wonder why? (Score:4, Interesting)
I don't think writing software of any type should be a crime, but I think in cases where there is clear damage (like this company that went under) the usage of the script should be treated as a criminal matter. This could easily involve conspiracy, vandalism etc. charges.
I was originally tempted to start releasing poisoned scripts, scripts that would work as intended when pointed at local machines but would have undesired consequences (hard disk corruption, file deletion etc) if used against external domains. I'd hate to see somebody harmed through legitimate use of the scripts though (auditing a site you have permission to audit from a remote location for instance).
Re:I wonder why? (Score:2, Insightful)
It is an old thing. Always and everywhere some young males have an urging desire to destroy something just for destroying it. Today if they have muscles they go and smash windows, destroy park benches or just bully others. If they don't - they run DoS attacks.
Let us say it straight: there is no difference between a script kiddy and a brainless thug who i.e. cuts bus seats with a knife.
Raf
Re:I wonder why? (Score:3, Insightful)
This is a somewhat larger question than I think you realise and one that people have been struggling to understand for as long as there have been people. Why do people do bad things? Why are they selfish, cruel, malicious? Why do even good people not have the self control to always follow their better instincts? Why do some people not even seem to have those better instincts?
I'll be up front and mention that I am a Christian (Now THAT is a statement to start a flame war on this board - not my intention but my experience is that there are a lot of people that are quite indignant with me for what I believe. But since it IS what I believe [I'm not making it up to start a flame war] & is relevant to your question I don't feel particularly compelled to keep silent.) Anyway, Christians (and therefore, I) believe that every single person is 'fallen' and inclined to be 'bad' (or evil to use the old-fashioned term) and do 'bad things' (or sin to use the old-fashioned term). 'Bad' (or evil) ultimately being defined by Christians as being selfish - living for oneself rather than for God & your fellow man. Though we are all the same in this regard it is expressed differently in each of us as individuals. The behaviour of these kids doesn't have any particular appeal to me but I think for them it is a way of selfishly having "power" they don't otherwise have. They are probably incapable of doing something positive that would have as much impact or bring them as much or notoriety. But here they are a few, or maybe even one immature kid that brought an entire company staffed by mature, technically astute adults to bankruptcy. Exercising power, having an impact, feels good, feels like importance - and in their self-absorbed state of mind the plight of the people affected does not enter in.
Re:I wonder why? (Score:3, Interesting)
uh...no? (Score:4, Insightful)
Re:I wonder why? (Score:5, Insightful)
Actually, this is probably closer to the truth than most people realize.
I will agree with this. These kids are doing this to make themselves feel powerful. They want to feel important, significant. If they were made to feel their significance by the people to whom they should be significant - their parents - perhaps they would be less likely to seek a feeling of power in mindless destruction. Though there is no guarantee - even a person without excuse, loved, cared for, etc. can lack the self-control to tame their baser desires.
If you think about it, you realize it is only possible to hurt someone else (or their property) if you feel like you are hurting yourself.
Now I have to disagree - sort of. Their indulgence in malice and cruelty, their seeking after the thrill of power does them harm. But in their self absorption they are only aware of how good it feels to wield that power - to feel important. They do not feel hurt, they feel powerful.
The really sad thing is, when we find someone who is hurting, and has demonstrated this to us by hurting someone else, we hurt them more by punishing them. That's a human approach, but it will only result in larger problems. When someone hurts us we should help them by giving them a hug... or something
Here I have to disagree - for several reasons. First: If someone cannot exercise enough self-control to refrain from hurting others they must be externally controlled by someone else (the state or their parents) - either by actual physical restraint or by the credible threat of punishment. Also, while they still need "a hug" love and acceptance from those from whom it is due - now that is not enough. I don't think there can be healing without honest regret (not just regret for being caught but for being *wrong*) - that is up to the criminal, no one can either force them through punishment or manipulate them through compassion to arrive at that repentance. There also can't be healing without suffering real (depending on the crime even harsh) consequences. Even kids have an innate sense of justice (that I believe is valid) and that even criminals will acknowledge. It does not do the victim or society at large - but especially the criminal - any favors by bypassing the requirements of justice. A penitent criminal who has been punished for his crimes can start again. A penitent criminal who has escaped punishment will feel the unfairness of that escape and a continued sense of guilt. He will be crippled in his ability to begin anew. An unrepentant criminal will take either scenario as an excuse to continue in their crime.
Extreme? (Score:2, Redundant)
-- Brian
Re:Extreme? (Score:4, Insightful)
Re:Extreme? (Score:3, Interesting)
Maybe they just thought, it's not worth it. Why work your ass off to build a company if people, maybe even some of your own customers, are just going to pointlessly destroy it? There are easier, saner ways to earn a living.
Copy of article (Score:2, Redundant)
At precisely 10:16am a few minutes ago Emeric Miszti (CEO) and John Parr (Operations Director) of the C9 ISP posted what's likely to be their final announcement on our forums. C9 is now the latest ISP to close, although it's the first we've ever seen to go from a hack attack!:
Cloud Nine regret to announce that at 7:45 this morning the decision was taken to shut down our Internet connections with immediate effect.
We tried overnight to bring our web servers back online but were seeing denial of service attacks against all our key servers, including email and DNS. These were of an extremely widespread nature.
We felt we had a moral duty not to expose our customers to possible attacks as well.
We must thank BT for all the help they provided us with in trying to bring these attacks to an end. We worked with them for the last few weeks to investigate these problems but ultimately we did not believe that we could survive these attacks and that it would be in the best interests of both ourselves and our customers to close our Internet service and seek a transfer of our services to another ISP.
We now wish to initiate a speedy transfer of servers, domain names, etc to interested Surftime ISPs and NT portfolio hosters since this would be the quickest way to get the affected customers online again. Please contact John Parr on 07740 423993 if interested.
We want to thank our customers for all the support over the last few days. Ultimately these attacks denied the service not to us but to many thousands of British businesses and ordinary people - this was an attack against everyone with no consideration for anyone!
The company is solvent but if a sale of assets cannot take place quickly then an administrator will be appointed. We have had to pay our excellent staff to the end of the month and we feel really sorry for them as well and would like to thank them for all their efforts over the years and the commitment shown over the last few difficult days.
All the directors are feeling absolutely gutted since we have all spent nearly 6 years building this company and its reputation to see it destroyed by a brazen act of cyber terrorism - well at this moment we can think of no words to express our true feelings.
Emeric Miszti
CEO
John Parr
Operations Director
We're extremely sorry to see them go, not least because they often provided a very important insight into the internal wrangling that goes on between ISP and operator; it often goes unmentioned.
However the fact that such a long standing ISP was forced out of business by hackers is also of great concern and will no doubt be picked up on by the media. We can only hope they catch the people involved.
WHAT!! (Score:4, Funny)
ha ha ha.. this coming from the kingpin of DOS
Why let them win? (Score:2, Insightful)
This isn't like 31337 warez d00d shutting down his FTP server and crying to his mommy because someone did a DELE on all his pr0n files. Closing down a business due to hacking attempts or DoS seems rather harsh action to take.
Got to be something more to this than is reported (Score:3, Offtopic)
It all seems very strange to me.
Re:Got to be something more to this than is report (Score:3, Interesting)
"...What followed was first a Firewall password brute force attack resulting in successful hash and destruction of the firewall,"
If they leave their firewall accessible to any sort of brute force password attack, it's a good bet they don't know what they're doing and would have no idea how to stop a DoS attack.
I agree with some of the other posts suggesting that this DoS was just a handy beard, and that they were in some sort of financial difficulty.
must have been the straw... (Score:4, Interesting)
I can't see a healthy, competent ISP being put out of business by dos attacks. Yet.
Sadly, Laws Won't Do It (Score:3, Insightful)
I'm not sure what the real answer is, though. I find myself reading these stories and articles and feeling helpless myself, even though I'm not directly involved. But I am a programmer, and we're supposed to have brilliant solutions to these issues....but I can't come up with one. The underlying structure of the 'net itself is to blame for allowing these attacks, and you know to change that will be like getting all cars to convert to bacon fat gas.
How does one instigate a major industry shift in how we do things? Would it even be worth it, or will we just see these random businesses fold due to stupid fucking kiddies?
Re:Sadly, Laws Won't Do It (Score:3, Insightful)
While I agree that catching the person behind this, and giving them real punishment, is the best solution, it is not the only one.
There have been a couple stories on /. already about those with insecure networks being sued and forced by the courts to shutdown until they can secure their networks. This (and others) ddos is probably coming from insecure computers. Yet, if you track down some of these computers, all but the smallest ISPs could care less that their network is being used to attack someone.
Perhaps some laws that make it easier and cheaper to shutdown the insecure computers will help put a stop to that. Perhaps something similar to the DMCA with regards to copyright infringement, where if the ISP pulls the plug, they have legal liability protection, only with strong penalties for making a false report.
Make an example of them (Score:2, Interesting)
And there is a pretty clear difference between 'white hat' and 'black hat' hacking. Did anybody ACTUALLY SUSTAIN *PROVABLE* DAMAGE? (and not like the frame up where they claimed that Kevin stole $100,000 worth of info, or some such BS). These punks do more real damage each day than Mitnick EVER did.
One ISP is punished for another ISP's mistakes... (Score:3, Interesting)
ISPs don't do this, because either they don't understand it's a problem, or they don't know how, or their poor NAS boxes would collapse if they were asked to filter the traffic, instead of just forwarding it.
Anonymity vs. Accountability (Score:3, Interesting)
There isn't much for accountability when it comes to the net and everyone knows this. Lawmakers are doing very little about SPAM and it's a form of DoS but people cry foul when some kids were pissed off at someone on IRC and DoS multiple large networks.
If people aren't required to be accountable for ALL of their actions then this isn't going to stop anytime soon. Unfortunately it's not hard to get access to connections with a lot of bandwidth so it's easy to pound anyone into oblivion.
I don't know what the solution is but as more companies get DoS'ed while their livelihood depends on the net, you'll see more being done.
My question is if it costs companies so much to deal with SPAM, why isn't more being done? Isn't this a similar issue?
Re:Anonymity vs. Accountability (Score:3, Interesting)
In her novel, Tea from an Empty Cup, Pat Cadigan predicted a world with 2 Internets. One was 100% accountable. It was the main network used for real business. There was no anonymity. The second network was designed to allow for anonymity. It was an "any thing goes" network where spoofing was the rule not the exception. I would like to see these networks. When I need to get work done I would use the accountable network. When I want to view pr0n I would use the other network. I think having two distinct networks like this would be a good compromise for the privacy advocates, and those tired of DOS attacks.
Of course there are a *few* (as in many) technical difficulties to resolve first.
Register coverage (Score:5, Informative)
Same thing happened to me (Score:3, Interesting)
I have moved on to a better ISP that actually filters attacks leaving and entering the network.
Re:Same thing happened to me (Score:2, Insightful)
Mod me down for this, or forgive me if I'm missing something here, but it seems like you passed the problem on to someone else instead of dealing with the source offenders yourself.
Dos for weeks (Score:3, Interesting)
Now that the Internet has shown to be a useful medium and is rapidly becoming a utility, it's time to make it more secure and robust against DDoS attacks. The technology exists already; the telcos need to take the initiative and make it happen. From this document [ietf.org] on ietf.org site:
7. Security consideration
Any public proxy is inherently a source of DOS attack. Rate limiting packet emission as suggested in 3.5 is expected to lower the risks.
Why hasn't this been solved? (Score:5, Interesting)
Why did no one do this? It requires changes to router firmware, I'm not sure about Cisco firmware upgrades, but I thought they were at least possible. Besides, they could use this as a selling point and declare their old routers obsolete.
Admittedly, the model breaks down under MPLS, since it is difficult to track the cloud, but you can at least track entrance and exit points from the cloud.
Two Quick Points (Score:2)
2) This is awful news for other ISPs, since this will give the script kiddies incentive to do it again. Not only did you get an ISP to shut down ("Wow, isn't that cool" must be running through their heads) but they also got featured on
3) (yep, one more just came to me) Can you say serious implications for the future of Corporate Espionage?
The whole story... (Score:2, Insightful)
Calling it "terrorism" (Score:3, Interesting)
From that article:
Speaking to The Register a dejected Mr Miszti said: "This is terrorism - pure and simple. I never want to relive the last seven days again.
You're thinking "terrorism? yeah right".
It's too bad (for them) they're in the UK... in the U.S., under the so-called "Patriot Act" this IS in fact terrorism. Read for yourself here [eff.org].
Obstruction? (Score:4, Interesting)
In the UK, the Computer Misuse Act is such a catchall, it would be easy to claim damages (less easy to collect though).
Slashdot is known for having a DOS effect, but at least it is people attempting to view a site for its content. It's tough if you pay your hosting company for bandwidth but, at least it's legitimate and it is coming from a lot of users.
The trouble is, so does a distributed DOS. This has a lot of unwitting users too. It is extremely difficult to trace who is giving the orders and the actual attack 'bots run on any suitably unprotected system that happens to have convenient broadband access to the web. Even the White House was hit, luckily the attack 'bot was dumb and a quick switch to a backup IP address solved the problem.
The only solution that I know is to use a private network (as done by several securities exchanges). You can block out all of an exchange's internet access, but you will not hit the private network. Users without a private network connection can fall back to switched circuit connections (i.e., ISDN) when the Internet is down.
Re:Obstruction? (Score:5, Insightful)
I would make such an announcement (Score:4, Funny)
(Read the final paragraphs of the announcement. Why do they stress that they are solvent?)
Simple filtering should stop this? (Score:3, Insightful)
I could be a little out of date (maybe even a lot ;) ), but last time I checked you could do a lot of calming of DoSing by implementing proper packet filtering on routers.
IIRC most DoSing relies on the kiddie hiding their source address (so that they can't be traced). So ensure that the router closest to the kiddie knows all the IPs it is allowed to accept, and rejects (and logs) all others.
This puts an onus on ISPs to handle the situation. Any ISP which doesn't react immediately to a DoSer from it or a downstream stands to lose (all of) its uplink(s).
Most port handling equipment can handle quite complex filtering on its own, knowing the IP allocated to a port and filtering all packets without that as its source. Port handlers typically forward to a router anyway, so it's easy for an ISP to say "that interface talks to that rack, which can use IP range X to Y, so filter everything else". Immediately your script kiddie is limited to faking addresses of other users in the range.
This screws up a number of DDoS attacks I know of (where the reply to an unwitting host causes shit for the replier), and makes it a lot easier to trace the kiddie at least to within a limited number of possibilities.
If the ISP supplies a link to another ISP it must ensure it toes the line. Bulk links to corporate customers or anyone with a range of IPs (rather than just one) at the other end of the link can usually be handled like dial-ups: port handlers filter out bad source IPs.
Does anyone know of technical and/or political reasons why this can't work? If there are no technical problems then maybe an IETF policy committee needs to make it a standards issue.
Re:Simple filtering should stop this? (Score:2, Insightful)
Sure stopping spoofed packets is nice, but that's not gonna come close to solving it. I have sent e-mails to several listed contacts at the hosts that attacked my systems and never got any response... what am I supposed to do? Sue the company who got their bandwidth stolen? What good does that do? Demand to see their logs? If they didn't notice a massive DoS launched from their systems what chance do they have of having unmolested and accurate logs?
Really the only way I see to put a dent in DoS activity is don't let your boxes get cracked. Easier said than done. That's the only way that's really gonna work, don't let these kids take control of your boxes.
As for why was I such a frequent target, was it my fault for attracting the attacks? I refuse to go down that path. That is like saying to a battered wife "well you must have done something to piss off your husband!". There is no justification for DoS attacks.
Slave to our own inadequate design? (Score:4, Interesting)
With all the designs available to us today, as engineers, we should be able to employ traffic shaping devices to limit the amount of load any given site can generate on the net. Cache, throttle and filter. We build routers that can switch ungodly amounts of packets per second (obviously enough to flood the link to Cloud 9's boxes).
So why can't Cloud 9 invest in a few black box traffic shapers (I know they exist) to smooth out the requests?
Just where is the point of failure, anyway?
As long as we continue to design our edge devices to be layover victims, we'll always have these problems. The network delivers, the computer abides. Well, perhaps the computer shouldn't be so quick to respond.
-b-
This can't be the whole story... (Score:2, Insightful)
Unless of course, it was a mom-and-pop shop ISP who didn't know an ethernet jack from a phone jack (hey, I only did that once!), and I've certainly seen plenty of those...
Re:This can't be the whole story... (Score:5, Funny)
Knock on their door (Score:5, Funny)
Kinda funny actually, poorly done, we tracked down who it was. Unknown to the dimwit on his dad's T1 (at home his dad was playing hosting provider), the admin at his upstream was a friend of mine across town. I called Paul up and said, hey, what are you trying to pull here? He chuckled and said, I know, I know, I just saw the traffic, you wanna know who it is, you want me to cut him off? I said nah, leave him up, I don't want him to know I know. My friend kindly gave me his name and address.
I showed up at around 3:30 since I figured it was the guy's kid, and he should be out of school by then. I took a friend (witness) along; I didn't want this punk saying I beat him up or anything. I had a cell phone in one hand and rang the bell with the other. He came to the door and I said, right now the police number is on this phone, I am good friends with a detective there (true), now, you either pull the plug on your end or I press send and we'll see how long it takes for them to come and pull the plug permanently, although I don't think your dad would be real happy. I thought this kid was going to wet his pants, I've only seen somebody so scared a few times, he fell back over a chair in the foyer and took off. I looked at my friend and it was all we could do to keep a straight face.
He came back 20 seconds later and said it's off, and then started to enquire about whether I was going to tell his dad. I said no, but I'm sure the bill from your provider will. He was on a transfer pricing plan and this had been going on for over 2 weeks while I was on vacation.
I have "knocked on doors" twice; one was a 2 hour drive but I had other business in that area. Most certainly the most effective DOS stoppages I've ever had.
Maybe we should form an alliance of administrators geographically dispersed to start knocking on their doors, sort of an Administrators Militia: you knock on his in BFI and I'll knock for you when you need it. Police scare the shit out of most of these script kiddies, probably more the fear of knowing being arrested is not something easy to hide from the parents that pay for their computers and bandwidth.
Hold on there... (Score:3, Insightful)
No technical solution, it's an apathy thing... (Score:5, Insightful)
The problem is that sysadmins see the scans from these kiddies and ignore them (those that even have a portsentry or similar application in place). If you saw someone walking around your house and trying the doors and windows, you'd call the police right away, wouldn't you?
So why do the kiddies get off free? Sheer apathy from most of the sysadmins in the world.
When you get scanned, you have the address (if it's not spoofed), you can send a mail to abuse@domain. But most people don't, because it's too much hassle or we can't be bothered or no harm was done.
Script Kiddies will have a far harder time when admins start practising zero tolerance.
Re:No technical solution, it's an apathy thing... (Score:3, Informative)
-Legion
Re:No technical solution, it's an apathy thing... (Score:3, Informative)
We need an automated tool for collecting the scan data, and depositing it in a repository. The repository can perform the correlations to track these to the source nodes. Higher level (towards core) ISPs can take the lower level (towards edge) ISPs off net until the DoS is terminated.
If done properly, but still mostly manual operation, a DoS would last at most an hour. The problem is getting cooperation between companies and organizations that are business competitors. You need a third party independent organization (jointly or government funded) to manage the repository and request the service deactivation.
Of course, then the repository would itself become the target for attack...
Re:No technical solution, it's an apathy thing... (Score:4, Interesting)
You know, for a while I thought this would be a good idea. First, I set up MySQL with a DB and some tables to store information on portscans. Then, I downloaded portsentry, and hacked it slightly to make entries in the database whenever I was scanned. Then, I wrote some PHP to let me look at the results via a webpage.
The result? I have learned that I'm scanned anywhere from 3 to 50 times per day, from all over the world. I tried emailing abuse@... as you suggest, many many times, with no results.
Now, I have learned some interesting things by doing this:
This will never stop until ... (Score:5, Interesting)
Computer vandalism -- This will not decrease until we (as the technical community -- including management) decide to make some changes. Without changes, it will only get worse.
1) Although technological solutions are useful and necessary, they are not enough. The trusted network model does not work in the real world. There must be rules, accountability and penalties (without penalties, nothing stops me from continuing to break the rules).
2) Many network rules exist, some are poorly enforced.
3) Because of packet spoofing, some (D)DOS attacks can be nearly impossible to shut down. We need to make sure only legitimate packets can reach the Internet at large. Without this rule, tracking down the vandal and applying the penalty is not practical. If packet spoofing were eliminated, it would be possible to identify culprits at a modest cost.
4) Accountability needs to be improved by everybody. If Nimba2002 is released tomorrow, Microsoft should be expected to make it well known, and supply a fix. Network servers should be patched. People running compromised servers should be cut off until they get fixed. These things happen by and large in a haphazard fashion today. The problem needs to be addressed at the source whenever possible.
5) Penalties need to be commensurate with the violation. A hand-slap for vandalism does not deter; a death sentence for jaywalking deters, but it is not justice either.
6) Then maybe we should get rid of junk email for an encore.
Egress filtering and ISP responsibility (Score:5, Interesting)
Back in the day, before the Internet went commercial, if you abused your connection your upstream provider (typically a bunch of long-hairs at a land-grant university) would cut you off. If they didn't do it, their upstream provider would cut them off.
Currently, there is no real penalty for large ISPs who do not implement egress filtering (which prevents IP source spoofing) and/or refuse to co-operate in tracking down DOS sources.
The anti-spam vigilantes have been partially effective in cutting off ISP service to the worst spammers; perhaps something similar is needed to influence the ISPs who refuse to implement egress filters.
--Charlie
Anti-DOS into routing protocols? (Score:2)
Would it not be possible to build anti-DOS features into routing protocols? If you detect a DOS attack from a link, wouldn't it be possible to push a block-list towards the router on the other side of the link? It needn't propagate, because you just want to get far enough out to block before the DOS packets reach high "density". Think avoiding them from entering the bottleneck. So if a router detects a problem, it will do a simple push in the direction.
The goal in approaching the problem like this, would be to avoid having the anti-DOS solution become an indirect DOS.
The block should only be temporary, too, and possibly protocol-specific, so we'll need a TTL, along with optional port numbers.
Whaddya think, fellow geeks? Has this been done? Should it be done?
Wouldn't want to be the script kiddie who did this (Score:3, Insightful)
Think about it: you've just brought down a major ISP, sent their sysadmins to the unemployment lines, and now they have plenty of time on their hands, probably have copies of all the logs, and nothing better to do than go through them with a fine tooth comb to find who messed up their lives.
Nosiree, I would not want to be in those script kiddie shoes. Not that I'm saying the sysadmins would stoop to anything illegal, but there's lots they can do legally if they find out who's behind the attack.
Re:Wouldn't want to be the script kiddie who did t (Score:3, Interesting)
>anything illegal, but there's lots they can do
>legally if they find out who's behind the attack.
I wouldn't be so sure. Here in the UK it would seem that the Data Protection Act would stop the hacker's ISP from handing over details. See this recent story [silicon.com] from Silicon where a UK ISP has refused to cooperate over hacking allegations.
Yet another case of UK law helping the miscreant & not the victim.
Matt
Who should we get mad at? (Score:2, Insightful)
This will only serve to fuel DDoS's (Score:2, Insightful)
That's rather worrisome.
Reason for going out of business. (Score:3, Interesting)
There's a new sheriff in town (Score:3, Interesting)
This is not the first time! (Score:5, Funny)
Martial Law. . ? (Score:4, Insightful)
For one section, they had cameras sit in on a bunch of young military techies studying the logistics of combating a huge hack-attack; like nuclear power plants being shut down or hacked into danger zones. Airlines losing planes. That kind of thing.
I've been pondering just how exactly the developed nations could be whammied into a state of martial law. The current world situation doesn't have enough momentum to actually put thousands of Americans in prison camps. And the forces which drove the Nazis just aren't there. ("We are descendants of superior Aryans from space!" -No joke.) People today, while easily manipulated, haven't been sold that kind of propaganda, but it remains quite clear that a form of undeclared fascism (That is, "freedom", so long as you eat shit, breathe shit, think shit, absorb shit media, and work too hard, and don't mind being overseen by Shirow-style O.R.C.S. with machine guns, in order that you be reduced to the position of Zombie-like Serfdom), this it seems to me, will be the natural conclusion given the forces of greed and corporate evil moving in the world today.
Choice means that people might not buy your product. Remove choice, while maintaining the illusion of a free society, and bingo! You have the perfect consumer; driven because s/he still believes in the American Dream, but a serf nonetheless, whose task it is to pour wealth into the coffers of the powerful. And to be miserable for those who eat misery. . .
Anyway, it was interesting; the documentary basically said the following:
One military analyst basically said, with a straight & serious face, that in the event of a huge digital attack, "Declare martial law. Shut everybody down and take control of the situation. That'd be my recommendation."
Hmmm.
I don't know how true the above is, but the fact that it was being sold by a respected authority voice, indicates that they're trying to soften people up for just such a turn of events.
-Fantastic Lad
Does this seem suspicious? (Score:3, Interesting)
Other than saving face ("Hackers did it" vs. "unchecked spending did it"), is there any practical advantage to claiming that evil hackers destroyed the business? Something just doesn't add up.
Not fixing DDoS problems a tool for big business? (Score:5, Interesting)
My small ISP which had been doing okay had been stranded without an uplink after a 150Mbit attack took out sprint links in our part of
After the attack we were quick to contact the NOC of a few schools with unused 'open' blocks who refused to claim responsibility (of the DDoS packets) or fix the problem. About a month and a half later they had FBI knocking on their door after the ebay/yahoo etc attacks.
The question --
Do you think DDoS could be a tool for the bigger ISP's and players to squeeze smaller guys (ISP/ASP) out of business? I know that one is quite a stretch.
What other reasons have kept ``Tier-1'' networks from implementing fixes?
DoS my arse (Score:3, Interesting)
Let's start with the awful customer service, unreliable connections, awful customer service, immoral and possibly illegal business practices, awful customer service and awful customer service.
Her firm had a problem with the mail relay, it's only a small firm and they'd left the relay open and some spammers had found it. Cloud 9 terminated their connection without notice of any kind, and when finally they found a human being to talk to (they like to do their tech support by fax) they basically tried to blackmail her firm into handing over control of their domain, hosting etc etc to Cloud 9 before they'd reinstate the service. Needless to say, they got dumped very quickly indeed and went to Demon.
Frankly they're a shitty outfit and they've got their just rewards.
A small ISP's viewpoint. (Score:3, Insightful)
Seriously though, I could care less about the proliferation of DoS/DDoS tools. What bothers me is that the ISPs where this crap is coming from have never been blackholed by the rest of the community. It's not THAT hard to implement a widespread policy of filtering source packets, and that cuts down on a LOT of the methods used by the skript kiddiez.
The pathetic part about it all is it was already a problem in '95, and source-filtering was strongly recommended then. Soon after, no ip directed broadcast became also strongly recommended. Sadly, I can still get a 250:1 return on a forged ICMP ping (thankfully, their outgoing bandwidth is only a T1)
The real culprits are the people too lazy or inept to be allowed to run a network.
--Dan
Use Honey pots (Score:3, Interesting)
After collecting evidence, the perpetrator should be fined and prosecuted. It would likely cost nothing to the tax payers since it could fund itself from the fines imposed on the perpetrators. If it's just a kid, then hold the parents responsible.
Re:I'd like to know (Score:5, Informative)
The slashdot effect has been analyzed:
Traffic increase from slashdot effect [tweakers.net]
Increase in hits and bandwidth requirements of a Linux related story being featured on Slashdot [dotat.org]
Analysis of several stories making it to the frontpage of Slashdot and other newslogs. [bnl.gov]
Especially the second link shows that the Slashdot effect can look very much like a DDoS attack. The severity depends on the story, probably on the time of day and of course on the link and hardware powering the /.ed site.
If you pay by the gigabyte for your webtraffic (who doesn't), the /. effect can be a financial DoS attack much more than a technical DoS.
Re:a potential way to stop them (Score:3, Interesting)
The majority of DDOS attacks could be tracked if only more ISP's would put outbound packet filtering on. I am not a transit ISP, so there is never a reason for me to send a packet with a source IP address that doesn't belong to one of our assigned address blocks. There is no way for that packet to get back to me. The problem is that it requires a more powerful router to support the filtering. If more ISP's implemented filtering, at least you could track exactly where DDOS attacks are coming from.
Kill the martians! (Score:4, Informative)
*All* of my servers block all traffic to/from private IPs - except subnets they know - and block outbound traffic not from an externally visible IP that they own; they've done this for years, it's a fairly simple set of ipchains/iptables rules. The 2.4 kernels have a heap more options such as automatic martian (alien packet, ``it can't have come from there'') assassination.
Oh, and they complain in the logs, which are monitored. They also use tools like portsentry to temporarily block all traffic from IPs that sniff them.
And they all stay updated (thanks Mandrake, even if it's not quite as simple as Debian).
These things are all easy under Linux, presumably most BSDs, and probably not that difficult under Solaris, HP-UX, OS/X et al. But Windows? Hmmm...
Shortlist of private IP subnets to drop: 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.127.0.0/16; there are a few others you could use as well.
Do a traceroute 192.168.99.99 from your box (try a few other private IPs as well) and see what happens. From here, RadioWAN don't filter, EfTel don't filter, Paradox don't filter, and AlterNet only drop private IPs after a few hops into their LAN (hey, at least they don't route it!), which is all very sad from a bullshit-deterring POV.
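The per-port source filter proposed in "Simple filtering should stop this?" above and the martian and egress rules described in this post, as an added Python example (not code from either poster, and not the ipchains/iptables rules the post refers to): it classifies constructed packet records against a hypothetical non-transit ISP's interface allocations and reports what a logging filter would drop. Interface names, prefixes and the sample records are assumptions.

```python
import ipaddress

# Constructed topology for a hypothetical small, non-transit ISP edge router.
# Names and prefixes are assumptions (public ones are RFC 5737 documentation space).
INTERFACE_PREFIXES = {
    "eth1": ipaddress.ip_network("203.0.113.0/26"),   # rack A (dial/DSL pool)
    "eth2": ipaddress.ip_network("203.0.113.64/26"),  # rack B
    "eth3": ipaddress.ip_network("198.51.100.0/24"),  # corporate customer link
}
UPSTREAM = "eth0"  # the transit link toward the rest of the Internet

# Never-legitimate sources: "this network", RFC 1918, loopback, RFC 3927 link-local.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
)]


def classify(direction, iface, src):
    """Verdict (ACCEPT/DROP, reason) for one packet; direction is "in"
    (received on iface) or "out" (sent from iface). Customer ports check an
    inbound source against the port's allocation; the upstream port drops
    outbound sources that are not ours and inbound sources that claim to be."""
    s = ipaddress.ip_address(src)
    ours = any(s in net for net in INTERFACE_PREFIXES.values())
    if any(s in net for net in MARTIANS):
        return "DROP", "martian source"
    if iface in INTERFACE_PREFIXES and direction == "in":
        if s in INTERFACE_PREFIXES[iface]:
            return "ACCEPT", "source within port allocation"
        return "DROP", "spoofed: source outside %s allocation" % iface
    if iface == UPSTREAM:
        if direction == "out" and not ours:
            return "DROP", "egress spoof: source not in our blocks"
        if direction == "in" and ours:
            return "DROP", "external packet claiming one of our addresses"
        return "ACCEPT", "upstream traffic consistent with our blocks"
    return "ACCEPT", "no source check for this direction"


def filter_log(lines):
    """Run classify() over constructed 'dir iface src > dst' records and
    return the dropped ones as (direction, iface, src, reason) tuples."""
    dropped = []
    for line in lines:
        direction, iface, src, _arrow, _dst = line.split()
        verdict, reason = classify(direction, iface, src)
        if verdict == "DROP":
            dropped.append((direction, iface, src, reason))
    return dropped


SAMPLE_LOG = [  # constructed records, not captured traffic
    "in  eth1 203.0.113.9   > 192.0.2.10",   # legitimate customer packet
    "in  eth1 192.0.2.200   > 192.0.2.10",   # forged source on rack A port
    "in  eth2 10.0.0.5      > 192.0.2.10",   # RFC 1918 source on a public port
    "in  eth3 198.51.100.77 > 192.0.2.10",   # legitimate corporate packet
    "out eth0 192.0.2.201   > 192.0.2.10",   # would leave with a foreign source
    "in  eth0 203.0.113.5   > 203.0.113.9",  # outsider claiming our address
]

if __name__ == "__main__":
    for entry in filter_log(SAMPLE_LOG):
        print("%-3s %-4s %-15s %s" % entry)
```

The remaining forgeable space for a host behind eth1 is the other 63 addresses of its /26, which is the "limited number of possibilities" the earlier post describes.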