Slashdot Mirror


More DoS Attacks: CNN, Amazon, eBay, Buy.com...

gatech writes "After hitting Yahoo yesterday those crackers set their sights on several more sites including CNN.com, Amazon.com, and eBay.com. Here is the story at ABCNews.com."

Comment: 02/08 23:26 by michael : So far, the best explanation I've seen for the massive network problems is here. Is it paranoid to note that we're being hit with unprecedented attacks, with no known motive, at the same time as the government is pushing for yet another expansion of their surveillance powers? People are focusing on how it's being done. Nobody seems to be asking who.

20 of 672 comments

  1. Maybe I lack clue... by sallgeud · · Score: 3

    To take down a site that serves as much as yahoo.com does, you'd have to have a VERY hefty attack... I'm thinking that it will be fairly obvious from where the attacks were originating. Access logs anyone?

    Last time I checked, most everyone who knows enough to do a distributed attack had a static IP and just the right amount lacking in knowledge to get caught...

    It's hard enough for one man to keep a secret, so how do you suppose dozens could?

  2. cause it's a DISTRIBUTED DOS attack by Smack · · Score: 3

    basically, the hackers scan large groups of IP addresses looking for known vulnerabilities. The goal here is to get root on a few hundred systems, or more. It doesn't matter if they have nothing of value on them. On each of these systems, they install a copy of their client. They can then wait as long as they want before moving onto the actual DOS attack. When they're ready, they use a "master" program to initiate the attack from all the hundreds of clients. Big attack, very hard to stop.

    Dozens of PEOPLE don't need to keep the secret. Dozens of COMPUTERS do. And 1 person.

  3. DOS Solution? by GenChalupa · · Score: 5

    I have to say that as an engineer at a large firm, I've logged quite a number of hours researching ways to successfully defend our technology against such attacks. It seems that as technology proliferates, and the Internet becomes a global interchange, things like this will increase exponentially. This is not good for eBusiness, as it leads to increased government regulation.

    Last month I got with an old college roommate of mine (Hi Jimbo!) who now works at a major hardware powerhouse, and we threw ideas around that may help combat the problem of crackers and l33ts nailing systems to the wall. I suppose this is as good a place as any to publicly gather feedback.

    Our first idea was for a "safety net" of sorts, gathering IPS and validating DNS, packet info, etc before return transmitting data. The system, the Gathering, Researching, Intelligent Transport System (GRITS) could theoretically decrease the DoS attack exponentially.

    One problem we found with GRITS was its effect on servers running Apache. We dubbed the problem the Nailing Apache Transport Access Line Interface Expansion, or NATALIE. It seems that GRITS petrified the NATALIE port, man.

    Our next theory was pretty clever, if I do say so myself. Transit of packets is a genuine problem on servers hit by DoS, and rerouting these packets to low-level systems is imperative. So to counter DoS, we developed the Transit Rerouting Of Low-Level Systems, or TROLLS. TROLLS worked well, as not only did it prevent GRITS from petrifying the NATALIE port, man, but it eliminated cracker attacks.

    I hope this helps. I am always glad to assist fellow engineers here on good old /.

    General Chalupa

    1. Re:DOS Solution? by Skip666Kent · · Score: 4

      Transit of packets is a genuine problem on servers hit by DoS, and rerouting these packets to low-level systems is imperative.

      Exactly. The solution lies in what I like to call the Primary Array Network Transaction Service, a wrapper of sorts for the GRITS subsystem. When you put the GRITS into the PANTS, you'll find that most of your DoS woes disappear, to be replaced by a sensation of warm satisfaction.

      --
      **>>BELCH
  4. Misinfo: Distributed DoSs are not new by adraken · · Score: 3

    I was watching ZDTV just a few seconds ago and realized something: even the technically "savvy" news people seem to be confused. They said "denial of service attacks have been around for years, but the tools to do distributed denial of service attacks have only come around in the last 6 months or so." This just nags at me. I seem to remember this (first?) distributed denial of service attack: smurf.

    This probably is a little different from what people are theorizing, but it works essentially the same way (or even better). Basically the perpetrator sends out a few spoofed ICMP packets with the victim's IP as the source address. These packets have subnets as their destination, so theoretically thousands of machines reply to these false ICMP packets towards an unwitting victim while the perpetrator only sent maybe a few packets.

    --
    -- adraken
  5. Revolution? by swordgeek · · Score: 3

    Damn!!!

    I've spoken out against the brainless JDs currently known as "Script Kiddies" (known a generation ago as "vandals") on numerous occasions. I've also spoken out repeatedly against the bloodthirsty commercialisation of the web (and by extension, the whole 'net).

    Now the vandals are attacking the bloodthirsty marketers, and using the most non-damaging method they can. More than that, they're doing it in an organised and persistent manner, from the looks of it. This is the equivalent of a blockade--a formal, organised protest. Not throwing rocks through windows so much as linking arms in front of a police line.

    For the past year, I've been saying that a massive revolution was in the works (echoing my beliefs of 15 years ago, when as a high school student, I believed I'd see the next social revolution in my time).

    I find myself prepared to grudgingly admire a group I've detested for a few years now. The brats and miscreants may have gotten their shit together and started to fight for something worthwhile, rather than simply for the hell of it.

    I kid you not, folks. There is a slight (ever so slight) chance that last night, with the crippling of Yahoo, we witnessed the very beginning of history's next social revolution.

    Of course, this could all blow over in three days, when the MPAA announces that they own Sony, as well as Microsoft, Netscape/AOL, and Time-Warner. I could be entirely full of shit here.

    But, the fact still stands. We _will_ see a real revolution in our day, and it will probably start right here, online.

    Hold onto your hats kiddies. It's going to be a bumpy ride.

    --

    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
    1. Re:Revolution? by MrEd · · Score: 4
      Sorry to be sarcastic, but honestly. History's next social revolution? All we have here is a bunch of computer users (whether they be NSA agents, script kiddies as you claim, or international Men of Mystery) exploiting the vulnerabilities of TCP/IP to overload prominent websites. It's not a revolution. And it's not "the equivalent of a ... formal organized protest", it's a Denial of Service. The virtual people going to sell their souls to the capitalist god on Yahoo aren't seeing any virtual protesters, they're simply getting a blank screen and an annoyed look on their faces. It's not a protest unless the participants state their opinions and goals and the public has a chance to understand why the shutdown of XYZ matters to the protesters.

      I won't try and tackle your label of "Bloodthirsty marketers" in full. You're going to have to accept that we live in a capitalist society, and given the technology to organize businesses on a large scale, large companies are going to form for the exclusive purpose of making money. That's the way it is. Nothing will eliminate the Big Evil Corporations save for complete social reform, which doesn't look too likely (communism's not looking too hot as a replacement). And reform will certainly not stem from the Internet, we're just all too rich! Look at yourself! Do you own the computer you're reading this with? Do you have a job? Your own house? Congratulations, you're safely ensconced in capitalism. You can whine and kick and scream, but knocking down web sites is not going to touch off any revolution. All it'll do is give the Powers That Be excuses to implement more security to protect the livelihood of the folks at yahoo, eBay, Amazon, and CNN. This effort is counter-productive. You know of better ways to educate people about the problems of North American society than this! Please don't support the script kiddies (if that is who did this, the NSA's not ruled out for sure).

      Moderators, realize that not every message with "Moderate me down if you must" deserves to be moderated up! Ignore that trash!

      --

      Wah!

    2. Re:Revolution? by swordgeek · · Score: 4

      "Sorry to be sarcastic, but honestly. History's next social revolution? All we have here is a bunch of computer users..."

      and

      "It's not a protest unless the participants state their opinions and goals and the public has a chance to understand why the shutdown of XYZ matters to the protesters."

      Yeah, but as Red Green (OK, and a thousand others before him) said, 'first you have to get their attention.'

      I said that this could be the beginning of a revolution. This isn't the revolution by itself, and in fact may be nothing.

      As for the bloodthirsty marketeers, I won't deny capitalism, or even that it's a (fairly) good thing. However, we're starting to see the results of the gross abuses of capitalism, as it runs smack into the power of the Information Age(tm).

      I'll be the first to admit it--I'm living well. I rent an apartment and drive a 20-year old beater, but I own my computer, have a good (and fun!) job as a sysadmin, and was drinking outrageously good wine last weekend (Yalumba Octavia, 1990 was the highlight for anyone who cares). Capitalism Is Not Inherently A Bad Thing(tm).

      But that said, I'm starting to fear for my privacy more and more; and so are others. Look at the (serious) WTO protests. Listen to the cynicism growing in people. Look at the number of Americans who are starting to venerate Richard Fucking Nixon, because they don't believe that they've seen anyone less corrupt since then!!! The middle class is gradually disappearing. I honestly and truly believe that revolution is in the air, and will start on the internet. (specifically, on the web, since that's most of the internet these days). Maybe not today, but in my life. However, I don't think it'll be a revolt against capitalism, as much as a revolt against abuse.

      As for the moderators, don't worry. They've moderated me down almost exactly as much as they've moderated me up on this post. :-)

      --

      "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
    3. Re:Revolution? by Spasemunki · · Score: 4

      Sure this is a revolution. One on par with Woodstock '99, when a bunch of semi-drunken and/or stoned kids burned a bunch of trailers and tore the stage apart, occasionally mouthing something about being anti-materialist while robbing a gift shop. What we've seen today is nothing more than vandalism. Sure, there may be some sort of political ideology behind the choice of targets, and maybe there is some sort of organised group involved. But you need more than that to constitute a revolution. A real revolution is about taking apart old ideas that don't work and replacing them with new ones that do. These actions make no attempt to do that; they're just someone trying to cause people problems. If this is a protest, it is a very shallow and cowardly protest, and maybe even one that works against its stated goals. It reminds me of the masked "anarchists" in Seattle, proving their coolness to the world by committing acts of "revolutionary terrorism" against unoccupied Starbucks coffee shops. If these people want to effect changes (and frankly, there has been no indication that they do; they may just get off on taking sites down), then they've picked a very superficial way to try and go about it.

  6. Would we even know? by Jon_Katz · · Score: 3

    Slashdot is down so much and when it is up it is dog slow. It DoSes itself.

  7. Tort legislation, not criminal legislation by / · · Score: 4

    We don't need criminal laws saying ISPs must do the appropriate filtering. What we need is tort remedies for the people walloped by the people DoSed against the people who were negligent in securing the systems that were cracked. If I were to have a cache of weapons left lying around my backyard and someone were to hop my low fence, steal one, and kill someone with it, you can be sure that there'd be a civil action (properly) initiated against me. Leaving your network available to others to exploit and cause mayhem isn't readily distinguished.

    Either get a legislature to enact new tort legislation or get some enterprising judges to extend the common law. Either way, you won't need an overseeing regulatory agency. Ronald Dworkin would approve, I suspect.

    --
    "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
  8. If I were to conduct a large-scale DoS .... by Ex+Machina · · Score: 5

    If I were to conduct a large-scale DoS, I'd remember the ancient Chinese wisdom I received from my Sensei while reflecting on the virtues of confusician network Kung-Fu in my Rice Paper(tm) meditation shack:

    "Wise man may write Trin00 but any idiot with backhoe on Fiber Optic lines cause much packet loss."

  9. *Sigh* by jacobm · · Score: 3

    Okay, I'll get crucified for this, but I'll bite: the Internet as a social phenomenon didn't exist before Yahoo. Yahoo is the reason that "Internet" is synonymous with "World-Wide Web" these days. I'll go one step bolder: Yahoo invented the modern Internet. They made it possible for normal people to find the web sites they wanted to go to, which was the big spark that made the Internet useful to ordinary people. (Obviously if Yahoo hadn't been the first big popular web index, it would've been one of the others, but that's not the point. It was Yahoo.) And Amazon and eBay were also pioneers in their respective fields, Amazon in particular. It seems that you don't like their fields- well, that's good for you, you can ignore them. But as for what the Internet is defined by how people use it- they're as important as it gets. Ever bought anything online? Thank Amazon and eBay. Ever found a website without looking through one of those archaic internet yellow pages? Thank Yahoo. Get your internet access at home through roadrunner for cheap? Thank all three of them, and CNN.com, and usatoday.com, and every site that ever made the internet a place where normal people wanted to be.

    Don't like the fact that the Web is a "corpoplayground"? That's just a curmudgeony "these are my toys, and I'm not sharing" argument, sorry. The whole wide Internet world got massively bigger in the last ten years, as you've probably noticed. I'd say it's reasonably certain (though I can't prove it) that there is an order of magnitude more free interesting non-corporate content on the Internet now than there was ten years ago. And, surprise, where people went commerce went too. But if you think of barnesandnoble.com as the Internet, do you also think of the real world as just a big Barnes & Noble bookstore? Just like in the real world, there's lots of room on the Internet for big corporations to spread out and make themselves look big and important. (Think of all those TV ads and billboards with URLs as one big cyber-Champs Elysees.) Also just like in the real world, if you spend all your time hanging out there, you'll end up unsatisfied. And also like the real world, there's a place for commerce and a place for community.

    Unfortunately, also like the real world, there are people who absolutely refuse to play nice. But on the Internet it's worse, because it's so easy to ruin systems and there's no repercussion for doing so. There are no social or legal rules, so people do what they please, and some people like to break things. (Hi there trolls! Have fun storming the castle!) It has been that way for the history of public networking, it's not something that just got invented with Slashdot trolls and the DoS attacks this week- CommuniTree (aka Slash version .0000000000001) had the same problems back in the romantic days of networking.

    And the anarchic solution is the romantic notion that people always seem to argue in these circumstances, and as you are arguing now. Guess what? It doesn't work on the Internet. There's more net.abuse than there has ever been, and vigilante groups haven't ever really been effective in combatting them. Assuming you're right about the DoSers' motives, and they don't turn around and DoS your favorite site tomorrow, do you think that it will make all the bad people go away? I doubt it.

    This is the part that the freedom lover in everyone hates: the only solution that mankind has ever come up with that works is to make rules and enforce them. That's what governments are for. That's why they were invented. The wild west is a fun, romantic place, but we can't live there forever, because given enough time the outlaws will always outnumber the sheriffs and Billy the Kid is only fun to hang out with for so long.

    Far from your argument that the DoS attacks represent that the Internet community is somehow rejecting a bad part of itself, I'd say that the DoS attacks signal the end of the free Internet era. It was fun, yep, I was there for a little bit of it too and I know. But oh well. We have to grow up someday. =(

    --
    -jacob
    1. Re:*Sigh* by Cid+Highwind · · Score: 3

      Yahoo is the reason that "Internet" is synonymous with "World-Wide Web" these days.
      And we're supposed to be thankful for this??

      they made it possible for normal people to find the web sites they wanted to go to
      Because they invented the search engine? Oh...wait, they didn't. Veronica and WebCrawler were cataloging, categorizing, and searching the web before Yahoo was around.

      And Amazon and eBay were also pioneers in their respective fields
      Stupid patent lawsuits and black market kidney sales, respectively?

      Don't like the fact that the Web is a "corpoplayground"? That's just a curmudgeony "these are my toys, and I'm not sharing" argument
      No, it's a sad commentary on the direction the internet is taking. Radio used to be an exciting new technology, promising instant communication, like the net.hype promises today. Then it was dominated by large corporations, and today it is nothing but top-40 crap and insipid talk shows. Anything creative or thought-provoking has been squeezed out in favor of safe, easy to digest, bland, boring, profitable pablum.

      the only solution that mankind has ever come up with that works is to make rules and enforce them
      I don't see what you're driving at here, there are already laws against this.

      There are no social or legal rules
      Tell that to Kevin Mitnick, or the DeCSS defendants.

      --
      0 1 - just my two bits
  10. Re:Yeah and you know what would fix it by Bishop · · Score: 3

    For a good distributed DoS you don't need spoofed packets. It is much more devastating to use real addresses. Using real addrs you can establish connections and request files to download. You can chew up far more bandwidth, processor time, and RAM this way than simply flooding the link with bogus traffic. If you want to be particularly nasty you start screwing around with the packets you (should) send back to the server. That is left as an exercise for the reader as well as the guesstimate for how many attackers you need. (hint: not that many)

    Although I do agree that it would be nice if ISPs would start dropping spoofed source packets. It is trivial to do. It is a standard feature for most routers and can be done on the cheap with OpenBSD or Linux boxes. I don't however think a law is needed. I hate legislating common sense.
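
The filtering Bishop's comment asks ISPs to do (dropping packets whose source address is spoofed), combined with the directed-broadcast drop that keeps a network from serving as the amplifier in the smurf attack adraken describes, modelled here as an added example that is not part of the thread. The interface names, prefixes and sample packets are constructed for illustration, and the model assumes the router knows the exact subnets behind each customer interface.

```python
import ipaddress
from collections import Counter

# Constructed topology using documentation address ranges (an assumption,
# not taken from the thread): prefixes assigned behind each customer port.
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["198.51.100.0/24", "203.0.113.64/26"],
}
UPSTREAM = "upstream"  # hypothetical name for the port facing the rest of the Internet

NETS = {
    iface: [ipaddress.ip_network(p) for p in prefixes]
    for iface, prefixes in CUSTOMER_PREFIXES.items()
}
ALL_CUSTOMER_NETS = [net for nets in NETS.values() for net in nets]


def is_directed_broadcast(dst):
    """True if dst is the network or broadcast address of a subnet we serve."""
    return any(
        dst in (net.network_address, net.broadcast_address)
        for net in ALL_CUSTOMER_NETS
    )


def classify(iface, src, dst):
    """Return the filter verdict for one packet arriving on iface."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)

    if iface == UPSTREAM:
        # Traffic from outside must never claim one of our inside addresses.
        if any(src in net for net in ALL_CUSTOMER_NETS):
            return "drop:spoofed-source"
    else:
        allowed = NETS.get(iface)
        if allowed is None:
            return "drop:unknown-interface"
        # Source-address validation: a customer may only send from the
        # prefixes assigned to the port the packet arrived on.
        if not any(src in net for net in allowed):
            return "drop:spoofed-source"

    # Refuse to relay packets aimed at a whole subnet, so our hosts cannot
    # be made to answer in bulk towards a forged source address.
    if is_directed_broadcast(dst):
        return "drop:directed-broadcast"
    return "forward"


def summarize(packets):
    """Count verdicts and record which interfaces emitted spoofed traffic."""
    verdicts = Counter()
    spoofing_ifaces = Counter()
    for iface, src, dst in packets:
        verdict = classify(iface, src, dst)
        verdicts[verdict] += 1
        if verdict == "drop:spoofed-source":
            spoofing_ifaces[iface] += 1
    return verdicts, spoofing_ifaces


# Constructed sample traffic: (arrival interface, source, destination).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10", "198.51.100.7"),      # legitimate
    ("cust-a", "203.0.113.200", "198.51.100.7"),   # source not assigned to cust-a
    ("cust-b", "198.51.100.7", "192.0.2.127"),     # aimed at cust-a's broadcast
    ("upstream", "203.0.113.9", "198.51.100.255"), # smurf-style: outside -> broadcast
    ("upstream", "192.0.2.50", "198.51.100.7"),    # outside claiming inside source
    ("upstream", "203.0.113.9", "198.51.100.7"),   # legitimate
    ("cust-a", "192.0.2.11", "203.0.113.9"),       # legitimate
]

if __name__ == "__main__":
    verdicts, spoofing_ifaces = summarize(SAMPLE_PACKETS)
    for verdict, count in sorted(verdicts.items()):
        print(f"{verdict:26} {count}")
    print("interfaces sending spoofed sources:", dict(spoofing_ifaces))
```

The per-interface count of spoofed-source drops doubles as a lead on which customer port has a compromised machine behind it.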

  11. Not even DoS attacks!!! by mrgoat · · Score: 3

    I guess my earlier post in last forum was ignored...here we go:

    First off, you have to consider that most servers are NOT going to have the capability of participating in this kind of attack.

    1. Bandwidth - um...50 servers, over t-1 or less links? Nope. They HAVE to be located at a Tier 1 provider (running on the Tier 1 provider's LAN, or on colo sites that are generally capped at 10 - 100 megs). That Tier 1 provider HAS to have private peering established over large pipes - this kind of attack would have melted down PAIX.

    2. The colo customers would have to be completely blind to the fact that their sites are running up bandwidth charges (charged per meg/s), but getting NO hits for services offered. Also, their security would have to have been completely compromised - ie, bypassing load-balancing proxies in advance, compromising firewalls, bypassing access-lists.

    3. ALL of the above would have had to have happened in a coordinated fashion, such that traffic would have to be sent to a DoS client on the servers in question, enable the attack, which said attack would bypass the aforementioned barriers and smack down Yahoo! for more than 1Gig of damage.

    Now, how many machines do you have to compromise AND install clients on AND run without being caught, taking up sizable chunks of bandwidth which generally WILL be noticed, and still make the attack possible to occur without making yourself a huge effing target?

    Possible, but not very credible - though my hat is off to anyone who could compromise much more than 50 sites and hide the massive amount of work that would have to be done to set this up and make this work. Of course, I don't think that it is likely, since we would have seen multiple reports at CERT and Bugtraq from pissed off sysadmins about some boosheet DoS client hidden on their systems.

    Consider the alternatives instead. Consider that some of these outages -especially the eBay outage- were not caused by DoS attacks, but by faulty equipment/software from proprietary vendors - a certain network equipment manufacturer comes to mind on that one. Consider that none of these businesses have to suck up the cash damage if these were "unforeseen" occurrences.

    1. The Yahoo "DoS" attack may not have been the kind of attack they admitted to. There is always the possibility that equipment upstream was b0rked, causing packets to be sent promiscuously all over the network. I've seen it happen before, just not to Yahoo.

    2. Consider that the eBay problem MAY have been a DoS attack, but not the kind you think. I know of at least one showstopper bug that has come up with no less than TWO different major router vendors that could cause the crash they had.

    3. I've been able to reproduce similar problems in a lab environment with one vendor's equipment that I was demo'ing. Many of these "DoS attacks" can usually be chalked up to a configuration that the vendor never bothered to test or consider.

    I am not calling ANY of the companies mentioned liars, or defaming their stories. I am just pointing out that they may be mistaken, or that their public relations people may be using "evil hackers" to point people away from problems that may have been alleviated but still exist. Please consider that these events could have been caused more by ignorance and greed than by a heretofore unknown elite cadre of super 'net ninjas.

    --

    'Hail Eris, baby, hail Eris...pfffffffttt.' *cough* 'Yeah.'
  12. One way to track down the "masterminds"... by SuperKendall · · Score: 4

    One suggestion I haven't seen here is that when one finds one of these DoS clients, to replace it with a version of the client that will report to you who is controlling it - I'm not at all familiar with how these are really written so they might have a hierarchy that you'd have to go back up through but at least you might get a lead on them...

    Of course, no-one will ever see this post buried hundreds of messages down but with any luck they'll at least find a few of them.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  13. No need for root. by XNormal · · Score: 3

    The goal here is to get root on a few hundred systems, or more

    One of the most frightening things about these kinds of attacks is that there is no need to get root. In most cases any user account will do. Think about the big hosting providers: they have machines with excellent connectivity with thousands of users connecting with telnet, ftp and pop3 exposing their passwords to snooping. It doesn't help if the system has excellent local security against gaining root access and the administrators use only ssh. The attacks look exactly like regular web traffic - connections from unprivileged ports to port 80 - any user can initiate such connections.



    --
    Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
  14. Re:This is really strange.... by Ralph+Bearpark · · Score: 3
    they still don't know who did it.

    Yeah, I'm sure it's just a coincidence that these DoS attacks start up just after Kevin is let out of jail.

    :-)

    Regards, Ralph.

  15. Only one side: by Rabbins · · Score: 3

    The problem is, is that you are only speaking from your own perspective.

    There are countless others out there (way more than you and anyone else you speak of), that are going to be starting a revolution of their own kind. And I am speaking a subtle revolution...

    A lot of people are scared to death about this, about Columbine, about Seattle, about guns, about pornography and about the internet in general. They are "concerned" about their children. They read the news and believe it. They want more control. They demand less freedom. They need more protection.

    I am going to go out on a limb and make a guess that you are twenty-something. Well, we are quite the minority right now, and are not taken seriously. How much respect does the "Slacker Generation" get? :) Personally, I do not think the Seattle protests accomplished a damn thing... same thing as this (if it is indeed an organized protest). Sure, it grabbed headlines, but all of it is going to be lumped together with the "protests" at Woodstock '99. It all looks so immature from the outside.

    I too believe we are starting to lose a lot of our freedoms, I really do. It genuinely frightens me when I see this shift away from people taking responsibility for their own actions. But that is what the majority of people want right now.

    The problem with the movement that you advocate (and so do I), is the way it comes across to these people. We want to watch porn, do drugs, crash systems, listen to songs and play games endorsing benevolent violence, build plastic explosives, vandalize and corrupt children... but it's all in the name of freedom. I think this is what a lot of people see. What we are fighting is a lot more difficult to see and understand than, say, the civil rights movement. There is an instance where a young generation actually made a difference... but they were not fighting for porn and violence!!!

    The trouble is going (and always has been) to be trying to get people to see around that.

    And someone will say, "And your point was?"

    I have absolutely no idea.