Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
The Internet

Distributed Denial of Service Attacks 95

hetairoi was one of the many people who wrote to us about ZDNet's coverage of "distributed coordinated attacks", a new style of denial of service attack. Rather then using just one machine, efforts are coordinated through multiple servers, making server-defense more difficult. Huh - does the Slashdot effect count? *grin*
This discussion has been archived. No new comments can be posted.

Distributed Denial of Service Attacks

Comments Filter:
  • by Anonymous Coward
    first thing I'm going to do after I write this is change my threshold to +3 so losers like you don't make it in the articles, then I'm going to find a cooler website

    No wonder you don't like reading this stuff.
  • by Anonymous Coward
    One could write a melissa variant that would do a world wide coordinated attack. This would increase the number of pipes that the attack would come through. The limiting factor would be the size of the victims pipe.

    I am not recommending doing this!This is only for challege of figuring it out!

    Injured software engineer wins against Mattel! [sorehands.com]

  • by Anonymous Coward
    You'd think some company's lawyers would have patented this kind of revolutionary use of denial of service attacks. I mean it's not every person who can think of pinging from more than one ip address. In fact I think I'll file a patent on it right now before anyone else gets it. ::For the record... I assumed long, long ago that anyone launching a serious DoS attack would want to do it from multiple locations anyway. (I just didn't see a good attack resulting from my 56k modem, now 1000 56k modems randomly switching IPs, that would show 'em.)
  • I did something similar to this by accident once. At the time I worked for a company that had a full T1 but our upstream provider wasn't very good at monitoring their routers. These routers liked to go down often and it was up us to tell them about it.

    I wrote a script that sat on our linux webserver and our linux mail server that every 2 minutes sent a ping to an outside server. I picked my ISP's DNS server because I knew it was reliable enough to test our connection. I wrote the script on a Windoze box and FTP'ed it to the linux boxes. What I had forgotten is that using Windoze ping the ping dies after 4 attempts. On linux it needs an explicit kill. Every 2 minutes from then on each server would start a new ping process without killing the preceding one. OOPS. It launched a multi-server denial of service against my ISP's DNS server. Let's just say my account doesn't work there anymore :-)
  • by Hall ( 962 )
    That was an article by John Dvorak after he got his new cable modem or DSL line installed. And yes, he got ripped apart for using the wrong terminology then too !
  • "Script Kiddy" is just an acronym, encrypted using top-secret Z-Net Anagram Technology (tm). :)

    S from "eSpionage"
    C from "Criminals"
    R from "cRiminals"
    I from "crIminals"
    P from "esPionage"
    T from "Terrorism"
    K from "crimINals" - rotate the "n" 45'.
    I from "terrorIsm"
    D from "Bent" - reflect the "b"
    D from "esPionage" - rotate the "p" 90'.
    Y from "terroRIsm" - rotate the "ri" 90'.

  • Even if this wasn't new, there really is no way to stop it. Smurf and Fraggle were good examples of this with the added bonus of a very good ratio of required attacker bandwidth to the ammount of bandwidth used in the actual attack. The attack described in this article could be as simple as sending out thousands of forged icmp packets to single IPs (Unlike to broadcast addresses like Smurf and Fraggle). I would be very surprised if people were actually rooting "thousands" of boxes to be used as attack points in an assault such as this, it's too non-trivial for your average script-kiddie DoS monger.
  • Isin't Pete gay?
  • Stephen Cobb [...] stressed that network attackers, be they hackers or criminals bent on espionage or terrorism, have only temporarily thwarted the security software.

    "Criminals bent on espionage or terrorism"?!? That's an odd way to spell "script kiddy". rOD.
    --

  • I have received reports from different unrelated sources about various people and organizations who approach breaking into systems very seriously and very differently from the regular crackers. Most of the time they don't bother to invent their own expoits. They take the existing ones and convert them from a simple command-like utility to another weapon on a sophisticates automated cracking engine. By automating the process they can gain access to tens of thousands of machines or more. These tools can break in, cover their tracks and install a hidden back door in seconds.

    I'll leave the possibilities of having tens of thousands of machines on well-connected high-bandwidth networks as an excercise to the reader.

    ----
  • The site has certainly had its share of technical failures - but it was developed with high load in mind, and so it manages to take it.

    One major advantage of Slashdot is that until new hardware was bought a few months ago, almost all the pages were static. Before customizable Slashboxes were introduced, the main page was static. The article pages were static until fairly recently - instead of being updated on the fly, a cron job updated them about once a minute. As a result, programs were not run every time someone called up a page - they were run once a minute instead of once a hit, which could be many times a second. (This appears to have changed post-Andover, with some things specific to the user appearing even on article pages. However, this is since the Andover purchase allowed nearly unlimited hardware upgrades).

    Many of the Slashdot effect victims have been sites that have bought the Microsoft vision of .ASP and such - sites where every page was generated by a program of some sort. This development methodology is very expensive in terms of hardware when compared to Slashdot's static model.

    The Microsoft hype is that pages should be heavily personalized for each individual user. Slashdot does that now, and very cleverly - but I think they had their priorities straight: Create a system that works first, then add neat stuff. Microsoft's approach is to build neat stuff into the system from the ground up, without considering the consequences for system load and reliability.

    D

    ----
  • There seem to be a few problems with this.

    First, I haven't seen Slashdot feature many stories that were not from a site at least pretending to be journalistic. The heart of Slashdot is zdnet, cnn, wired, salon and a handful of other places. When an outside editorial is requested, such as Jon Katz or a book reviewer, it's generally hosted on the Slashdot site itself.

    Your suggestion requires that a "foreign" site be nominated, and that nomination be accepted by a member of the Slashdot staff. It seems to me that this would be extraordinarily difficult.

    Your best bet might be to crack one of the major sites and wait until Slashdot featured an article on it. Then replace the article with the redirect and you're good to go. Still, that would have legal ramifications and might not be good for a simple prank.

    D

    ----

  • I've seen such attacks as early as 4 years ago, if not sooner. The first was a non-spoofing udp (non-root requiring) client/server flooding program for *nix, though i can't recall its name (FABI? or something like that). To install a massive number of these things, it'd be all too trivial for someone to setup a perl script which'd parse sniffing logs, then install and launch the program. Futhermore, it could also theoretically also be remotely commanded via spoofed packets from the hax0r's dialup linux box (making it difficult to positively trace the hackers and the other machines from the others)

    I've also seen perl scripts which jump on a list of backdoors (bind shells, netbus/bo, etc) and simply executing a trivial command like "ping" on a whole list of them. These have been around for a couple years as well.

    Its extremely difficult to stop such attacks, on either end: the flooding victim, or the flooder victims. Spoofed or unspoofed. There is a little that can be done. Though DOS counterattacks can work too. Let us imagine that I've rigged up a script to cause a thousand different windoze machines to connect() (via TCP) repeatedly to a service such as httpd(this can cause a great deal of damage to even the best servers). These are obviously not spoofed, and could be effectively DOSed by sending a single nestea style packet to each offending machine. Better to have those few ignorant users machines offline for a few minutes (preferably with an accompanying email) than deny access to a popular site to millions. Windows can't yet spoof, so this would atleast require the hacker to use *nix machines to execute the attack. Unix machines do tend to have more competent administrators, and its easier to reach them as they're fewer. The hackers could of course spoof, but that would atleast require somewhat more skill on the part of the coder (not that script kiddies know the first thing about that anyways).

    In the long run, there is simply no solution to stopping this stuff though. There a thousands of ways that a reasonably creative person can come up with, without a great deal of skill, to effectively cripple the internet. This is true today, and it will remain true in the future as long as we have: companies who put security on a low priority, ISPs who're essentially incompetent, and strong priorities on freedom and privacy.
  • Hi, it seems a lot of you have misconstrued this article into some kind of "new hole", when it is in fact the contrary. This article describes an attack that is all too trivial to undertake. All that is required is a few fast root shells, and a daemon to handle the requests. The result is a denial of service orgy, holding down the victim's connection until the attack ceases. The only way I can see to prevent this is firewalling your own network to prevent a wiley script kiddy from using your network to carry out his or her revenge on the internet. If every network was firewalled in such a way, where would the script kiddies "packet" from? Network admins, this is your job, time to earn that check of yours!
  • Agreed. This is not a new phenomenon by any stretch of the imagination.

    You mentioned IRC Botnets - another example (and to my knowledge, one of the most common) of DOS attacks is a simple "smurf" attack. It's an easy enough attack: put together a ping request with a forged FROM header, and send it to a network's broadcast address. If the admin has been lazy (and you're on a full class C), you'll wind up with up to 255 computers all pinging the same device.

    I've seen this used to blow out a University's web server at the same time as it stresses two Universities' Internet connections. It's not pretty. Or new: Wired News ran an article [wired.com] about escalating numbers of smurf attacks way back in January of 1998.

  • When will the terror stop?

    When they give in to our demands!!


    ---
  • ...of IP addresses whose hosts had recognizable security holes, and limited the total amount of traffic that they would accept from all IP addresses on the list?

    I don't know much about routing technology, so I don't know how practical this is.

    Of course, the only way they could compile the greylist would be to run through IP addresses and test them for security holes, the same way that the script kiddies do. Would that be ethical?

  • by _Roadkill ( 16040 ) on Wednesday October 20, 1999 @12:33PM (#1598641)
    When I first glanced at the headline, I started thinking 'Why does distributed.net wanna be attacking anyone?'. Did anyone else think that too?

    You can tell what kind of day I'm having...

    It's sad to live in a world where knowing how to
  • Is information. Anyone who thinks otherwise is a fool. The average net user needs to be informed about lax security and how to correct it. Sure, we are the informed, but we also aren't average. Have you done your part to inform others? Untill there are tens of thousands of people demanding better security, the software makers won't listen because they think it isn't worth while.

    Consider this: In a Senators office, they figure one printed letter is roughly representitive of 500 people. Much more if it's hand written.

  • The /. effect could never be used maliciously because we, as a group are not malicious hackers. Even supposing CmdrTaco or Hemos went insane and posted a URL saying "Everyone go here, we want to bring this site down" the vast majority wouldn't do it. We aren't a bunch of evil crackers... we're nerds and hackers looking for interesting stories.

    If there isn't an interesting story at the other end of a link, I'm not going to go there. (and if Hemos says there is, and I discover that he lied just to bring down a site, I might go somewhere else for my Nerd News, and /. loses ad revenue.)

    Now everyone go /. my website [publish.uwo.ca]

  • If someone is going use unsecured PCs on cable modems to spawn these attacks, the cable providers are going to react quickly if the DOS victims put pressure on them. I've been a mediaone subscriber for three years. LANs set up using old versions of WinGate were not secure, out of the box. (Newer releases are supposed to be better in this regard.) Apparently a PC could be used by spammers to send floods of email that appeared to come from the mediaone customers. This resulted in draconian measures, such as all mediaone addresses being K-lined by the victims. Mediaone, which unofficially tolerated modem sharing, sent notice that service would be discontinued to customers who don't have security set up properly.

    I would think that in a distributed DOS attack, as described in this article, it would be easy to identify the large cable modem providers (for example), and it should then be fairly easy to get the provider to get its customers in line.

  • The distributed attacks are certainly not a new phenomenon. ICMP smurfing is probably the best example of a distributed attack that is entirely automated and usually not detected by the third parties that are unvoluntarily involved in the attack.

    However, the distributed attacks are becoming increasingly easy to perform, mostly because it is easier for script kiddies to get access to hundreds of poorly protected home computers from which they can launch their attacks. This happens because more and more computers are "always connected" (thanks to cable modems) and because most software vendors do not educate their users with some basic security hints. They do not want their customers to be scared away when they discover that the security issues on a computer are more complex than they thought. So it is usually in the vendor's best interest to ignore the risks of connecting a computer to the Internet.

    Anyway, the article should not present this as something new. Something that becomes more frequent or harder to detect, maybe. But new, certainly not.

    Of course, one could also wonder why these articles about cyberterrorism and various kinds of attacks involving the Internet are becoming more frequent in the mainstream press. As one of the talkback comments mentioned, maybe some people or some government agencies would like to use these reports to justify the need for stronger control over what is exchanged on the Internet.

  • Welcome to the club.

    I hereby vow that I will allway draw conclusions before actually reading the sentence. I will never read more than 12.5% of a sentence....
  • Greylist: netscan.org [netscan.org]

    Here's a list of the most offending broadcast IP's on the net, and any one who can parse HTML can get a nice smurf broadcast list from here.

    Of course, it also can be used as a good place for a netadmin to set up 'ignore broadcasts from x ip'.
  • Implement this:

    A distributed.net/seti@home type client called SpamSlam. When you get spam, you paste the originating address into the client and it sends it to the master blacklist server. The blacklist server allocates work units to that address whenever the number of votes for it exceedes a certain threshold, then based on the percentage of votes sent in for that offender.

    Then, all your spare cycles are dedicated to retrieving server IPs from the blacklist main server and ping-flooding the offenders. Potential for abuse is high, but it would certainly get the point across to spammers if the selection of targets could be well regulated. The spammers couldn't sue you for unwelcome use of their network without undermining their own position and business model.

    hee hee hee.


  • Filtering all ICMP breaks useful things like MTU Discovery. Unfortunately, large numbers of clueless admins don't realise this *sigh*.
  • Wonder how they figure that this is 'new'. Not like anyone hasn't gone down to the open lab one morning and set up a DOS on each machine before. I had to put a new rule on the wall in on of my labs covering just this thing six months ago.
  • Wow, do I feel redundant all of the sudden;-,
  • Interesting, thats how MSN.CO.UK sort of does it. A lot of the information, for example news articles are held in a big SQL feed, and every 15 minutes a job kicks off which generates the ASP which just copes with the personalisation.

    As for implementing ASP on every page for personalisation, depends how you do it I suppose, I have a exhibition site running at the moment, still quite small only say about 10000 hits per hour, but it personalises using ASP and doesn't die. The only problems I do get has been with DNS updates which didn't reflect round the net and some people were hitting the old static site and getting confused.

    It all comes down to implementation, for static sites use HTML, for small interactivity use ASP, Perl or your favourite scripting language, for large interactivity compile your code.

    I don't think you can specifically blame MS for wanting every page to be interactive, I put the blame squarely at the feet of marketing people, and programmers that don't tell them when they're wrong.

    Barry

  • I dunno if these attacks are really that coordinated. A random SYN flood looks like hundreds if not thousands of servers are hammering you all day long. And what's worse is that there's no real way to defend against it.

    And as for smurf attacks (ICMP echo-requests desined for the broadcast address), any engineer or network admin worth his salt should be setting 'no ip directed-broadcast' on _all_ of his interfaces. That'll put a stop to that silly shit right now.

  • by |DaBuzz| ( 33869 ) on Wednesday October 20, 1999 @10:17AM (#1598656)
    The "target" list is updated hourly with tens of thousands of co-conspirators ready and willing to do their part for the good of the overall attack.

    Many many servers have been brought to their knees by this rouge band of pseudo news followers who claim the "source" is when them.

    When will the terror stop?

    heh
  • For some reason, this story reminds me of a story from back in August about the the Internet Auditing Project [slashdot.org]. It seems to me that what they're doing (i.e. measuring the overall security of the net by probing individual boxes) is the only solution for this kind of DoS attack. Of course, if you wanted to take it one step further, you'd probe your neighbor's box, crack the insecure ones, then patch it for your neighbor. =)
  • I was just informed last night by my ISP that the main server on my network here (mentasm.com) had received a DoS attack. My ISP reported that the attack came from hundreds of IPs. Because of that they were unable to block the attacker but instead had to block incoming connections to that particular IP on my network.

    Mentasm has seen these types of attacks in the past and I've never been able to track them down due to the fact that I have a full time job 35 minutes away from home. Mentasm lives on a 500k cable modem and only provides a handfull of shell accounts and web hosting accounts, most of which are given out free.

    After the IP was switched off, the attacker never bothered choosing another IP on our network which makes me believe this is probably random and not specifically aimed at Mentasm. I can't understand why anyone would want to randonly attack servers for no apparent reason.

  • Has this kind of stuff being going on with broadcast ICMP and other annoying things? (mis-configured routers enable this?) I saw something like this happen at on employer's network over a year ago. We unplugged the T1 uplink and it did not stop. To our best guess it was a program running on several machines (solaris) which only stopped after a "mass-scale" reboot. I wondering if this is becoming popular or if this has been going on for a while. Anyone have any interesting stories about this?

    --Evan
  • The heart of Slashdot is zdnet, cnn, wired, salon and a handful of other places. When an outside editorial is requested, such as Jon Katz or a book reviewer, it's generally hosted on the Slashdot site itself.
    Yes, but there have been exceptions. I think the "webserver on a PIC" story was on a site without even name service, wasn't it? And there have been a number of stories from .edu sites - best bet might be to crack a box in an open workstation lab (all you need is a Linux boot floppy) and pretend that it's Professor X's web server. (Of course, why not just grab a few of these open boxes and SYN flood the fsck out of your target? Maybe that would lack style, though.)

    Or crack somebody's account on the CS department's server - the Doom as a sysadmin tool [slashdot.org] story was posted at a URL of the form "http://www.cs.xyz.edu/~somebody/a/b/c.html". All you need is a subdirectory with write privs.

  • This is just idle speculation to stretch the brain, I don't think it's very practical. But...

    Let's say there existed a web server that was not of particular interest to geeks, but which an 3V1L H4X0R wanted to Slashdot. (You know, I just realized that it's awkward to end a sentance with /. - do you end it "/.."?)

    3V1L H4X0R sets up a web page of interest to geeks (most likely with false information - say, make up something about Linux running on an Atari 2600) and puts it up on a server somewhere. And maybe the server is some clueless newbie's PC that happens to have a cable or DSL connection. 3V1L H4X0R submits the page, anonymously, to Slashdot.

    When accesses to the page start to come in and get heavy, 3V1L H4X0R replaces his page with one that has a redirection URL to the target page.

    In fact, I think if he was sneaky enough, he could make his orginal page load the target in a non-visible frame - or several targets in several non-visible frames - and not even bother with the switch! If 3V1L H4X0R picks small target URLs (say, some small images on the target site), the brower user won't notice the network activity; but of course that would be less load on the target server per browser.

    It's a social engineering bait-and-switch.

  • by Virtual_Raider ( 52165 ) on Wednesday October 20, 1999 @10:04AM (#1598663) Homepage
    From the Article: "In fact, prevention may rely more on protecting computers
    from being used by malicious programmers, rather than protecting the target, he
    said.
    ".


    Ack. That is suerly the best way to deal with security issues. Let's just put
    infocops all over the web at the back of every computer to ensure that
    it's user is not misbehaving.


    I believe the problem lies elsewhere. It's more about people in the systems
    administration not having a clue about security, and people in management
    positions not willing to spend on enoug personnel to actually run things the
    way they should. I've seen too many sites where the 3 systems guys double as DBA/Sysadmin/help desk/tech support and whatnot. And I'm not talking about small business.


    In fewer bytes, it's about culture.

  • by ramparte ( 53311 ) on Wednesday October 20, 1999 @11:26AM (#1598664)
    I don't know...I wouldn't underestimate these guys. The meme package may be badly adapted right now, but it may always mutate (Hubbard went to extremes to try to make the thing un-mutatable, but it's really not possible to build a meme system that solid. The transcription mechanism (i.e. humans) is just too flaky).

    If it does mutate, and it manages to create a variant that is better adapted to the current environs, well, we all know what happens then.

    I'll give you an example...suppose they come up with a meme that says "at certain points during his life, Hubbard was possesed by enemy aliens, and wrote deliberately wrong things". Now they have justifications to change operations to suit the new situation (plus great tools for a holy war).

    The best way to kill these guys is to dilute and damage the meme pool, by injecting memes like the one above that disrupt the organization.

  • by Tackhead ( 54550 ) on Wednesday October 20, 1999 @02:38PM (#1598665)
    http://wpxx02.toxi.uni-wuerzburg.de/~krasel/CoS/bi ased/biased.2.10.html#2

    Damn, re-reading that brought back a lot of laughs. Of particular note - look for the lawyer falling for the "FTP site at 127.0.0.1" troll, as well as the "ARSCC" troll.

    The ARSCC troll is particularly amusing. Those of you who read news.admin.net-abuse.email and and have heard about the Lumber Cartel [come.to] (TINLC) - imagine being questioned about "who runs the Lumber Cartel" in a deposition. The ARSCC started out the same way - another ficticious organization cooked up by netizens to troll a group so deeply in denial that they already believed that "since so many people on the 'net disagree with us, they must all be part of the same large conspiracy against us", fell for it hook, line, and sinker.

    In both n.a.n-a.e and a.r.s., the conspiracy meme was already fully expressed amongst the lams and the spammers, respectively. All the 'netizens had to do was give the Conspiracy a name, and watch its opponents go nuts trying to find out who, in meatspace, was part of it. When properly executed, such a troll leads the opponent into executing a meatspace distributed denial-of-service attack against himself by seeing conspirators wherever he goes.

    I'm not at all surprised that many spammers fell for the Lumber Cartel (spammers are, if dogshit will forgive me, dumber 'n dogshit), but the clams fell for the mythical ARSCC even more easily!

    The cult's falling for the ARSCC troll indicates another bit of defective memetic programming; by sekrit skripture, they're trained to ask "who are you working for?" whenever anyone questions them, because the notion of "activist" (in the sense of "someone who acts independently and takes personal risk to challenge big organizations when they're misbehaving") simply didn't exist in the 1950s-and-60s memetic environment out of which the cult formed. To the cult, there can be no independent objectors to its practices; anyone who criticizes it is a priori assumed to be part of an organized conspiracy against the cult.

    (Any coercive organization generally needs an "enemy" on which it can fixate its members' emotions. Another 50s-and-60s memetic bug either introduced by this, or reinforced by it, in the CO$, is the fact that the cult exists in a universe composed of large organizations battling on roughly equal footings, like superpowers in the WWII and the Cold War. An army defeated because it was "nibbled to death by ducks" was simply inconceivable until after Vietnam, by which time Cult doctrine had been frozen. Oops.)

    It's only recently that trolling has become a weapon of memetic warfare per se - fabricating organizations and watching conspiracy-minded loons run around in circles looking for them is, of course, a grand 'net tradition, going as far back as the original USENET Cabal. TINC. The Cabal told me so.

    I saw a man upon a stair, a little man who wasn't there
    I saw the man again today. Gee I wish he'd go away.

  • by Tackhead ( 54550 ) on Wednesday October 20, 1999 @10:43AM (#1598666)
    > their lawyers tried in depositions to disvover the real identity
    > of the mysterious person called 'Major Domo' who'd been running
    > all those anti-scientology mailing lists ....

    What cracked me up was when they tried to break some PGP-encrypted data on some drives they'd managed to seize from a Netizen. For a bunch of UFO cultists who claim total domination over Matter, Energy, Space, and Time (for only $300,000!) through sheer force of mental will, you'd think they'd be able to break PGP trivally by simply using their powers to apply clairvoyance backwards in time and just watch their enemies entering the PGP keys.

    Better yet, since cult sekrit skripture includes a "blame-the-victim" meme, effectively "If anything we claim doesn't work for you, you're by definition not doing it right and in need of either further cult proce$$ing, or you're subconsciously working for the enemies of the cult and in need of punishment", I'll bet a lot of would-be PGP breakers in the cult spent a lot of time eating rice and beans.

    The image of an entire room of high-ranking cultists staring at a hard drive, thinking "DECRYPT! DECRYPT! DECRYPT!" at it for hours on end, and then blaming themselves (or being punished) for their failure to break PGP, kept me giggling for months.

    Back on topic - in addition to learning about new denial-of-service attacks and other cult nastiness, I learned more about memetic warfare and information warfare from lurking on a.r.s. for three years than anywhere else. I consider a.r.s. to be the infowar boot camp for the world, both for private citizens and intelligence agencies alike.

    Why? a.r.s. is the canonical "what happens when the print era of journalism meets the /. age of reader-feedback" battle. The cult is an ideal control group because it can't change its tactics. It lives in a set of memetic straitjackets of its own construction; most significantly, it has a meme that ensures that can't adapt to any new reality of media because "Everything Hubbard Wrote Was True And Will Remain True Forever", including the parts about dealing with bad PR (essentially, "use superior financial resources to defame your opponent in the major media first, because more people read the news articles than the 1 or 2 rebuttals that might appear on the editorial page") in the 1960s. As we all know, "dat don't work no more".

    A better analogy would be the immovable object and the irresistable force. What the cult never imagined was that someday there'd be an irresistable force that didn't have to move the object, but could just flow around it.

    Poor little clams! Snap! Snap! Snap!

  • IRC's "fludnetz" which are a bunch of bots run on a few machines(including several on each machine) that like to flood people with CTCP requests and the like. Just as lame, just as annoying, just a different medium.

    Bleh, SkR|p+ /|dD|3z suck

    Dan "What's Karma?" Turk
  • by Enoch Root ( 57473 ) on Wednesday October 20, 1999 @11:33AM (#1598668)
    Reading this, I'm surprised no one has ever tried to sue Slashdot for, I don't know, "irresponsible use of URL" or something as silly. Yes, the Slashdot Effect is, for all intents and purposes, a distributed DOS attack.

    However, it's interesting to note that the Slashdot Effect has never been used with ill intent. I've seen a few people in forums suggesting we turn to a particular site and bomb their server out of existence, but no one has ever rallied under such a cause.

    And that's the really interesting part: the Slashdot Effect is very real, yet it doesn't seem it can be wielded. No one complains of the Slashdot Effect, because it brings thousands of interested readers to a particular site. It's like choking on too many chocolate bars; it's too much of a good thing, but it's a good thing nonetheless.

    The closest I've seen to a Slashdot Effect used as a form of attack was the Hotmail crack, that didn't take long to appear in the Slashdot forums. If one cracker getting through didn't make Microsoft react, a thousand of them certainly make them pale in panic. And I still maintain Slashdot is the site that tipped off CNN!

    My question is: how could the Slashdot Effect be wielded, either as a tool, or as a weapon? Does anything think it's feasible to put it to good or ill use? How?

    I personally think it cannot be wielded, and certainly not as a weapon. But I'd like to hear others on the subject.

    "There is no surer way to ruin a good discussion than to contaminate it with the facts."

  • Not too easy to do. The point was to use a bunch of unsecured boxes to send out requests that appear perfectly legit. I don't think there is a good way to make sure all the computer neophyte's boxes are secure. Especially when at least one major operating system can not be made secure :)

    Consider if you have a 500-byte HHTP request, and 2000 unsecured computers to do it with. Send 5 a second -- which would look like a perfectly valid image load -- and you've nailed the server with 4.8MB/s, and 10,000 requests/s. If it's a 30K image, it's trying to pump back 293MB/s.

    I don't know what kind of connection/hardware you've got, but that's quite a bit of bandwidth -- especially if it's kept up for a minute or two. What kind of cable gives you 2.3 gigabits? Or for that matter, webserver?

    Factor in the people who think that M$ makes reasonable webservers, and decide to run IIS (or whatever it's called today) on NT and you've got a formula for crashing a good part of the internet.

    And all in all, it looked like a person surfing the web to the cable modem company. They may not even notice the 4.8MB/s. And when they do, it'd be quite a mess to stop it.

  • This is old news, most of the comments under the story on zdnet complain about this, actually, when I submitted the story to /. i said the most interesting part was the comments.

    everytime someone asks you for something, ask if they want fries with that.
  • This kind of stuff has been around for years now, at least. It's just becoming more mainstream, as it used to only be limited to irc (ie, pick people you don't like on irc and packet their machine to death).

    What about smurf, fraggle, papasmurf, etc.. where you use misconfigured broadcast addresses all over the internet, and have the backing of multiple megabits of bandwidth.. ?

    This doesn't even take into account open proxy servers which are everywhere, which could be used to make some sort of distributed attack, or even irc "flood nets."

    Script kiddie tools never cease to become more damaging and more widely available. blah.

  • by levendis ( 67993 ) on Wednesday October 20, 1999 @09:56AM (#1598672) Homepage
    This reminds me of a diabolic Exchange macro virus I was thinking of, something along the lines of Melissa but it also sends emails to random usernames at some target domain (eg. blahblah@microsoft.com). The effect on a single infected site would be moderate, but the target site would get hammered by practically the entire Net (at least the part of te Net running Exchange servers).

    Of course, I would never recommend that anyone actualy write such a virus, its probably illegal and would do lots of damage, but it sure is fun to thing about how easy it would be.
  • I know that and you know that - but the clueless $cientology lawyers tried to get his real identity out of one of the people they were deposing .... the transcript makes great reading .... it goes in essence something like "deposee started to laugh ..... deposee continued with uncontrolled laughter .... about 10 minutes later deposee reclaimed his composure enough to answer the question" :-)

  • > A better analogy would be the immovable object and the irresistable force.
    > What the cult never imagined was that someday there'd be an irresistable
    > force that didn't have to move the object, but could just flow around it.

    yeah - I kinda think of Scientology as this sort of '50s cold-war cult - stuck in a James-Bond spy mentality (with world wide conspiricies continually after them - in their case apparently it's an international conspriricy of psychiatrists - probably run by Freud from beyond the grave).

    They have run their organisation for years with huge secrecy, covert operations (a number of leaders were sent to jail a while back for breaking into federal govt. files and stealling/altering records) - and have gone out of their way to shut up any critics by isolating them and trying to sue them out of existance.

    This sort of organisation has the most to lose from an open, global, information revolution. Suddenly all those isolated ex-scientologists found each other and started sharing their horror stories - this is a wonderfull example of a community brought together by the net that would never have been possible otherwise .... and when Co$ tried to shut down their forum (by rmgrouping alt.religion.scientology) hundreds of free-speech people like me got involved.

    As the saying goes "the internet sees censorship as an fault and routes around it"

  • I can't find the entire thing at the moment - but the good bits were included in a 'Biased Journalism' issue:

    http://wpxx02.toxi.uni-wuerzburg.de/~krasel/CoS/bi ased/biased.2.10.html#2

  • > Praise Bob! You have no idea how happy I am to learn that other /. readers are
    > also engaged in the a.r.s. struggle. It's nice to know that there are other /.
    > readers who care about something besides the Linux v. Microsoft v. FreeBSD debate.

    Oh you bet - by the way just to give /. readers some context - the Scientologists came and harassed my kids as they arrived home from school earlier this year - because I spoke out - I wasn't the only one - one local netzien was harrassed daily for over a month at home because she spoke out

    Even having been through all this crap I still beleive - the only way to counter speech you don't like is NOT to censor it - but to speak out - free speech rules! let the Scientologists harass net-people as much as they like there will always be people here to speak out in favor of the truth

    Same with the KKK who want to march in NY at the moment - the ACLU is right, the answer is not to ban their hoods - it's to go there and speak out and let the world know you oppose them and all they stand for

  • > what is a.r.s

    alt.religion.scientology - the newsgroup where all this madness has gone down

  • by taniwha ( 70410 ) on Wednesday October 20, 1999 @09:56AM (#1598678) Homepage Journal
    $cientology's been hammering the newgroup(s) where people have been gathering to criticize them for several years now - this was a big deal ago when they tried to rmgroup alt.religion.scientology a few years back the followed up with US Marshalls to take away a couple of critic's computers - there was a lot of righteous net-indignation that blossomed into a free-speech (by Co$ critics) movement

    What's followed has been a cat and mouse games through the courts and on the net including a couple of wonderfull moments when their lawyers tried in depositions to disvover the real identity of the mysterious person called 'Major Domo' who'd been running all those anti-scientology mailing lists .... and to find out who ran that FTP site at 127.0.0.1 which seemed to have a lot of their files on it ....

    What's not so well know is their most recent tactic which has become known as 'sporge' in which a roving band of spammers inject random garbage using real people's forged identies into alt.religion.scientology and related groups - moving from ISP to ISP burning accounts as they go they some days inject 2-3 thousand messages into the news group every day trying to drown out and meaningfull conversation.

    If this doesn;t count as a distributed denial of service attack I don't know what does

    (besides I'm pissed at people forging stuff in my name)

    Currently we're actually seeing a mysterious respite from the sporge - probably they forgot to pay their bills - but I'm sure it will be back .... after all we wouldn't want the real world to know about Scientology's space alien fixation without paying $300k like the rest of the suckers.

    For more info on Scientology vs. the Net check out www.xenu.net

  • This isn't a wholly new idea, (though maybe linking it with /. is) I recall it appearing a year or two ago under the name "Abundance of Service Attack". If you found a site which was big on graphics, you could link a series of big images to your page with size zero. Of course, this requires you have a pretty popular page, (though you could certainly run up peoples data volume limits/charges) and getting the site on slashdot is most of the work done.

  • > Of course, the only way they could compile the
    > greylist would be to run through IP addresses
    > and test them for security holes, the same way
    > that the script kiddies do. Would that be
    > ethical?

    Y3$. 1T W0ULD $4V3 M3 L0T$ 0F T1M3 1F I C0ULD
    JU$T U$3 UR ``greylist'' 2 P1CK T4RG3T$ FR0M.

    Y3$, PL33ZE D0 R3C0N W0RK F0R M3.
    :WQ
    :wq
    ------ ------ ------
    ALL HA1L B1FF, TH3 M05T 31337 D00D!!!!!1
    ------ ------ ------
    ALL HA1L B1FF, TH3 M05T 31337 D00D!!!!!1
  • I've been wondering lately. Why, exactly, is Slashdot itself seemingly immune to the Slashdot effect. Sometimes, it does get slow, but not for hours on end as the victims do.

    The easy answer is "Because it's Linux". But, I find that unsatisfying.

    Someone asked this recently in an "Ask Slashdot". What do you do to prevent the Slashdot effect? The concensus opinion was that the #1 thing to avoid being Slashdotted was bandwidth.

    Seems funny though. Sometimes it seems like even major media gets Slashdotted although I can't think of any good examples at the moment. Some media never seems to suffer, like the New York Times site [nyt.com].

    Is the Slashdot effect oftentimes blamed when it's really something big going on and a lot of people, even a lot of people who've never heard of Slashdot, are hitting the site?

    Just yesterday people were saying that Britannica [britannica.com] was Slashdotted, but someone reported that it was inaccessible even before the story appeared here. This seems like they simply underestimated the demand for their service. I just tried to connect there and it's still reaaal slow.

    I was quite impressed awhile back when the world's smallest webserver [slashdot.org] was featured here and I could still connect to it. It was slow, and sometimes timed out, but generally I could connect. It's at a University, so they probably have a huge fat pipe, which backs up the theory that the best way to avoid the Slashdot effect is with bandwidth. Of course, the world's smallest webserver may actually be pretty fast. No scheduling overhead, very little file system overhead. Wouldn't it be ironic if this tiny terror was actually faster at serving this simple set of pages than just about anything available? If that's the case, this makes a good argument for Webserving appliances for a lot of applications. (Duh - slaps forehead - that's probably exactly what they were trying to demonstrate. It wasn't just a Guiness Book entry. Nobody goes for the world's biggest Web Server, after all...)

    It seems to me that the Slashdot effect is actually a complex thing.

  • This is essentially the same idea as Melissa, except more targeted. It seems like it would be the most useful in making crackers just that much more anonymous.

    For example:
    I want to crack a machine, but if someone tries to catch me, I want it to look like it was someone else. So, I want to assume that other person's identity (IP) for the attack. I need to DoS that person and then spoof his IP while attacking my target. Oops, but now the person I'm doing a DoS attack on knows who is attacking him! Oh, no problem, I'll just write a macro virus that installs a time-scheduled program (via Windows Task Scheduler or whatever) that hits my DoS target's HTTP port at a certain time (UTC). Now I distribute the virus, wait until the specified time, verify that the DoS target is getting pounded, and then spoof him and try to crack my original target. Hopefully I'm non-blind spoofing so I can see what is going on!

    Is anyone aware of a way in which the DoS target would a) know it was me, or b) be able to defend against the attack?
  • um,

    isn't this a variant on the FloodNet java app which is drifting about?

    From: http://www.thing.net/~rdom/ecd/floodnet.html

    "See The Zapatista Tactical FloodNet [thing.net] for a discussion of FloodNet's functionality, interactivity, philosophy, and as a form of conceptual art."


    Basically, if you run the java app on your system it regularly sends enough stuff to the remote site to overload it if sufficient people get involved, but not enough to hose your link.

    There were some rumours the DoD were crashing it as some sort of counter-electronic-terrorism thing.

    Dwayne
  • I would argue that the most destructive (aka smurf, fraggle ... amplified) distributed attacks are getting harder and harder as isps default to no directed broadcast on their networks. The "always on" connections ... well, I haven't personally seen an attack that could take down a well-connected web site without amplification, and 3-4 machine cable or dsl networks aren't going to be a heavy source of amps. If there were some reference to "in the wild" attacks, rather than cert blabbing about 4 or 5 undescribed "incidents", I would be more inclined to take it seriously. Exploits, anyone??
  • I can't seem to find any mention of a "trinoo" anywhere on net ... do you still have the tool?? I am interested in source code, especially, as I would like to know both which ports it uses to communicate with other servers and which methods it uses to DoS.

    Thanks.

  • by netpuppy ( 77874 ) on Wednesday October 20, 1999 @10:02AM (#1598686) Homepage
    can you say Oh! Oh! Oh! new smurfs!!!

    Seriously, ICMP smurfing was a distributed attack. As referenced in the original post, the slashdot effect was a distributed attack. The real question is whether or not the attack exploits a bug in the operating system or ip stack of the victim server (in which case it's the vendor's problem to fix), or the equivalent of opening up http requests from 10,000 different hosts at the same time (which is a function of the IP/TCP/HTTP combo and should happen).

    In the case that it is a vendor software bug (ping o death, etc) then it should be patched and blocked. If someone is able to flood your web server with legitimate connections, a.k.a. 3-way tcp handshakes, there's not a whole lot you can do without killing your web server.
    I don't see how this is some brand new attack, nor do I see how it is a real problem. Anyone been icmp echo'd to death from 100,000 hosts lately? Jeez ...
  • Older than smurf is pingfloods from a few different networks. This is the oldest common distributed DoS attack that I know of, no doubt its obviousness and the use of a standard system utility contributed strongly to that.

    But the article is not quite about distributed pingfloods, or smurf attacks. It's about widely distributed attacks (from 100s-1000s of hosts), that appear to be legitimate connections. The scary thing about an attack like this is that you *can not stop* a determined and intelligent attacker if you're running a public service. The comforting thing is that if the attacker is that determined, he'll probably just rm one of your machines, which in most cases is much less costly if you have good backups.

    This is only interesting because it is finally commonplace. It's always been obvious. Anyone who thinks for a minute about how to protect against remote resource starvation attacks will come to an attack like this as the extreme example of what you can't defend against. The people coming up with new DoS attacks realize the same thing.

  • I seem to remember attacks like this being a big thing about 2 or 3 years ago. Well, not a big thing, but big enough that it existed and was a threat. In fact, I think Milworm (Don't quote me on this) used an attack similar to this to gain access to Packistans (or some country over there) government computers, including some sensative information about Nuclear weapons. They made the attack go through the US Governments Dential plan servers ((This is all from memory, this happened well over a year ago)).. The the point is that this has happened many times, and the whole idea of "Distributed" hacking is not a new one. Why all of a sudden it is a big deal, and a major threat to the world as we know it I don't know. Mayby if instead of complainging about the problem they would just go in and figure out how to stop it, and move on to the next thing.. don't tell me that their is a problem that needs to be fixed, tell me that you have the solution to the problem and where I can go to get this problem taken care of.
  • This type of attack has been going on for YEARS. IRC Botnets are a good example of a coordinated method of attack. And the attack isn't necessarily limited to the IRC environment.

    I suppose I'm not surprised that it took this long for the government to start recognizing distributed attacks...

    Best regards,

    SEAL
  • Many many servers have been brought to their knees by this rouge band I see myself as more of a blue than a rouge. Rouge just seems so, oh I don't know, red...
  • Check out Internationally coordinated hack attack detected [cnn.com] from a cnn.com article in September of 1998.

    The US Navy Sea Systems Command has been hosting a research project called CIDER (Cooperative Intrusion Detection Evaluation and Response) for several years now. You can find more info about the CIDER Project [navy.mil] -there.

  • Hasn't the possibility for such a thing been around for quite a while? If I am wrong though please excuse me because I am largely an ignorant peasant when it comes to networking.
  • Letting the clan march is a good thing because it brings them out in the open and lets the whole world see just how f*cking stupid these guys really are. Those guys are the biggest losers.
  • by dills ( 102733 ) on Wednesday October 20, 1999 @02:07PM (#1598694) Homepage
    An ISP my company recently acqired has a shell server. One day, we get a frantic note from a user who is saying that their account had been hacked, that there were some additional lines in their .history that they didn't type.

    So, an hour later, I had cleaned out the trojaned ls, ps, inetd, login, etc, and I found some interesting stuff that they left behind.

    It's called 'trinoo'. It's a remotely-accessable DOS attack tool...it runs on certain ports (31335 for instance) and co-ordinates the attacks with other servers. For instance, if you establish a network of these, you would telnet to one, tell it to start the attack on whichever IP you choose, and it would get all the other trinoo daemons it's aware of to also attack that IP.

    We got some calls from some DOD and other .mil and .gov agencies about this, so I would assume it's fairly well spread.

    It's not long before this gets out of hand...
  • Please. Please please please, do you have a link to this transcript? I looked through Xenu, but had no way of guessing where to start looking for that specific legal transcript.. :/

    This sounds better than "stupid tech-support calls."
  • I'll visit anything anyone tells me to... I'm at work.
  • Forgive my off-topic post in response to the above off-topic post but...
    This appears to be more gov't brainwashing B.S.
    The gov't seems hell-bent on attempting to control people. And since the internet has got people "way out of hand" they attempt to scare those that actually know how to have a computer and have half a brain (regardless of the gov't attempts to churn ignorant graduates out of public schools). "Script Kiddy" spells trouble for the gov't because they might actually grow up with their own opinions. I have news for the Government. If they don't start training children to have half a brain at least, we will loose in information wars to those governments that are teaching their youth how to use their minds. Attacks like this could be easily thwarted and quickly by those who know how to use their imagination for something other than figuring out how they are going to pay off their "income tax debt" [flash.net].

    As much as I am annoyed by the occasional "think-he-knows-how-to-hack" script kiddy that comes by. It thrills my soul to see that someone will be fighting the government for years to come.
    SL33ZE, MCSD
    em: joedipshit@hotmail.com
  • A.R.S. may be in respite, but nanau (news.admin.net-abuse.usenet) and nanae (nana.email) have been under off & on attack for a good while ~~ 2 years - what's new:))

    There are several bots running - the most prevalent is HipCrime's NewsAgent.

    A while back there was a co-ordinated attack by several l00zers running NewsAgent at the same time. A real mess. Even more so since NewsAgent can sporge or cancel or supersede. And then there is Dave the Resurrector bot which resurrects all the Cancels, sporges and Supersedes...

    Ya gotta have a good news server and killfiles to play tere.
  • trinoo was simply a "Project" for me, it was not meant to go farther than my own box. Second, I don't think I even have a copy of it. Only people with it, are kiddies who had it leaked to them. As far as it getting out of hand, uh.. It was created around December, 1998. So if it took this long for anyone to know about it, I don't think its out of hand. The one that all the "kiddies" have has a major bug it in anyway, and it was very bad coding on my part for this one. I was simply creating it to learn. The source code is for the one whom which got leaked, is nothing more than buggy code. I suggest it be deleted anyway. If this has caused your website, shell provider, etc etc any trouble due to someone wanting the irc channel your box is running a bot on, sorry. Even though I do not think I am to blame for the actions of every kiddy. If you do not wish for the trinoo daemon to be run on your box: the master server (controls all daemons) binds to port 31335 each daemon server(clients) bind to port 27444 If a master server so happens to be run on your box, decrypt the data inside the file '...' using the blowfish encryption key 'dqh22' and then you can email the ISP's of them and such. -- phifli

Of course there's no reason for it, it's just our policy.

Working...