FBI Releases Updated DDoS Detection Tools
Alex Prestin writes, "In an effort to control the recent distributed Denial of Service attacks which everyone's heard about, the FBI has released Linux and Solaris tools to detect the presence (or absence) of the various DDoS daemons. They're available in binary form only (for now). You can get them here." Quote from the page: "Recipients are asked to report significant or suspected criminal activity to their local FBI office." Update: 02/10 07:37 by H: Here's some more information: The author of the DDoS analyses (at staff.washington.edu/dittrich) has released a network scanner to scan for active agents on your network.
It includes source, and is available here.
PLEASE use it responsibly.
But quite frankly I don't care if a large company's web site goes down. What about the possibility of such things happening on WinNT or 95/98?
Slashdot social engineering at its finest
And more importantly, since they're binary only, does anyone trust them?
--
Peace,
Lord Omlette
AOL IM: jeanlucpikachu
[o]_O
MCSE Certified
Simson#
has completed the coursework
necessary to be recognized as
a Minesweeper Consultant and
In tetris there are only loosers
This story raises some more questions, then, for why is the FBI out with this tool, so conveniently, so quickly, after the attacks?
just wondering.
Why is that?
Are they waiting for Microsoft to write something, is NT invulnerable to this, or are they implicitly stating that NT servers aren't significant enough Web servers to deal with first, and Linux and Solaris are so important they must be dealt with first?
If Ballmer-tongue were here, he could explain it.
True, but I'll wait for Tordalf to return.
George
So... I have the ultimate revenge. Load DoS software on the computer of the person you don't like. Then rat them out to the Feds.
Mr. FBI Agent: Sure you didn't install that software yourself...
- "Yeah man, I tell ya what, man...That dang ol' Internet, man...You just go one there and point and click...Talk about
- Suggests that they support that MD5 is hard to "spoof,"
- Means that some verification of correctness is possible.
I'd be more impressed if they offered a 1-800 number where you could call in to verify the MD5 checksum. Better still would be to encourage people to call their local FBI office to get that number, which makes it Rather Harder to Spoof...
If you're not part of the solution, you're part of the precipitate.
I just don't trust running binary only programs from the US government. This program scans your whole directory tree, looking for signs of the offending program. But, since we don't have the source, we don't know what else it's looking for, or who it's contacting. It also must run be run with root permissions. Personally, I find this a much bigger threat than not being able to day-trade for a few hours.
Citizens Against Plate Tectonics
There are already people clamoring over conspiracy theories. Now they will suggest that the detection tools might contribute to the problem.
I'm sure as HELL not going to trust any binaries from the government. If they want to release the source of said tools, then I'll look at it. Otherwise, I'm not going to just install something that in itself might be a government "sanctioned" trojan. Do they truly think we're that stupid?
"Klaatu, verada, necktie!" -Ash
Okay, let's say I'm an admin of a free unix shell service. I have about 10,000 users (shellyeah.org has this many). I use their tools to find that about 150 of my users are running these ddosd's. Why should I report it to them? I'd simply terminate their access and the daemons. (And maybe report them to their ISP's, tell their mommies, etc.)
Bottom line, why would I want the FBI to take care of it when I can take care of it myself? I could watch the daemons for about a week and try to figure out who else is on the ddos network, and report it to those sysadmins. The 'net isn't FBI ground, no matter what they try to force on the public.
FBI Guy 1: "hey, there's a bunch of virii out there attacking systems..."
FBI Guy 2: "...and those damn script kiddies."
FBI Guy 1: "yup, what a shame.....holy shit, I can't check my Yahoo! mail!!!"
Guy 2: "settle down, hey, swing by amazon and see what they've got..."
Guy 1: "they're down too..."
Head of FBI: "GET SOMEBODY ON THIS CASE NOW OR CORPORATIONS ARE GOING TO HAVE OUR ASS....and what if I can't check on my e-trade..."
....and that is how things get done...
Beware the Penguin
Apparently, the FBI has overestimated crack usage in the U.S.
Hmmm. Since when has the FBI been a software vendor? Honestly, I don't recall too many products in the past (can anyone provide better info?). Which doesn't mean they couldn't or haven't, but I like to check the track record, yanno?
Bad things often happen to good people,
It is up to them to see that they remain good.
With the government a possible cause for these DoS
attacks, and with even more suspicion after managing
to come up with these tools so quickly when details
of what the actual attacks were kept so quiet,
is there ANYONE out there foolish enough to download
and run a _binary_ the FBI provides you without
any accompanying source?
Hello? Anyone home?
-J
Well, I am running the tool, and folks should know that it looks as though it is written to keep allocating memory as long as it can.. my system has 128megs of RAM and 256megs of swap, and the find_ddos program has totally exhausted my swap space.
Whatever it's doing, it's doing a lot of it. Be careful not to run it on production systems unless you can stand a bit of a DoS yourself while it runs.
- jon
Ganymede, a GPL'ed metadirectory for UNIX
The same Government that runs the NSA, Echelon, and the CIA? The same Government that employs Janet Reno? The same Government that's been restricting my crypto usage lo these many years? The same Government that... well, you get the idea.
I don't think so.
Give me the source. What are you hiding?
I wonder if they have anything else that you can download and play with.
I don't trust this at all either unless they release the source. If there is no back door then at least they're trying.
23 is odd
Free Unix? Free Windows. http://www.reactos.com
Others have postulated that government is behind DoS attacks as a publicity strategy to drum up sentiment for pervasive internet monitoring. Rather than government, I wonder if it could be the supporters of the Digital Millennium Copyright Act, such as members of the Software Publishers Association and the Motion Picture and Recording industries. They're painting the DVD defendants as "hackers" (which they use incorrectly to mean "computer criminal"). Here's something more to stir up hysteria about "hackers".
Sure, it could be a blackmail stunt as some people say. But the perpetrators are bound to be caught if that's the case, because they will have to persist in DoS attacks for the protection racket to work, and the persistence will get them caught.
Thus, I think it might more likely be a ploy to discredit.
Thanks
Bruce
Bruce Perens.
Wouldn't it be nice if ISPs clued in and used some sort of intrusion detection software on their internet links? It's not that hard to install snort on a linux box and have it just watch for nasty things to roam by... and then cut the lusers off when they do something wrong ;)
Is there a Deception Tool Kit script for Trinoo? May as well waste the time of Trinoo monkeys...
This is not the real fake Bruce Perens.
Stop pretending. I am sick of your trolling.
It seems blazingly inept that the FBI would offer a binary of a tool expected to run as root, that does something cloak-and-dagger to the linux community.
They have seriously forgotten how skeptical this audience is.
It really amazes me. Really it does.
The tools appear to be undergoing active development, testing and deployment on the Internet.
Don't these statements suggest that it would be easy to work around these problems? In fact, I would expect that the person who carried out those recent attacks was using modified versions of these DDoS daemons in order to avoid detection.
For example, if I were doing it, I would put a large composite number in the daemon. It would only accept a connection after receiving 40 connection attempts, with each group of 10 having a port number representing part of some large prime number, and the product of these two prime numbers equalled the large composite number coded into the program.
--
The shareholder is always right.
The early involvement of the FBI implies a rush to presume both criminal intent and jurisdiction. Which might well be the case in this instance, but I don't like the precedent set. Not at all.
Hopefully these tools will help track down these idiots doing the DOS attacks.
Hey Haxors: how l33t will your skillz be when you're rotting in jail for twenty years?
I can't wait.
You know you've been owned when:
1. You start up X, and instead of your normal background image, you see a sign that says "Got Root?"
2. Your index.html file has mysteriously been altered to contain phrases such as "1 0wn j00," "7h1s b0x0r h4z b33n 0wn3d!" and "n474113 p0r7m4n (fill in derogatory remark here)."
3. Packet bombardment has concentrated around port 1337.
4. You're using Red Hat.
Hmnn. Perhaps my lame attempt to be funny has failed...
"You ever have that feeling where you're not sure if you're dreaming or awake?"
"You spoony bard!" -Tellah
Especially if you're one of the people that thinks that it's some type of government that's doing this in the first place. Wouldn't that be wonderful, if a govt organization was responsible for this, and in getting you to install this tool, was actually spreading their control? Wonderful! Paranoid, but good.
investigating my Denial of Grit attacks.
It seems as though the computer at the FBI has been slashdotted. Are these monkeys capable of understanding the diff between an orchestrated DOS attack and simply being slashdotted? Is there a difference, except perhaps in intent? HMMMM
Has anyone run find_ddos on a test box to find out if it tries to open any network connections? The docs don't mention any sort of hidden feedback to FBIHQ, but hey, do you trust the FBI?
> tcplisten > packetlog &
> find_ddos -g files -l LOG -p /tmp /
> grep fbi.gov (and the like) packetlog
Don't have access to a box right now. Someone should try this right away!
Would I run something like that on my machines? That's just a little more than I trust the gubermint.
I only have a dial-up/redial connection and have survived 8 attacks since October 1999 (that failed BTW) w/o the help of the FBI. I don't have perfect security (who does?) but my firewall has been doing its job just fine, especially when you leave bait out there that really has nothing behind it, other than to let me know when an attempt has been made.
Show us the source code!
Oh man that just made my day. I'm supposed to run a binary only security tool written by the FBI?
ROFL!
Actually, this may work, but not in the intended way... all the script kiddies run it themselves to see if it works - the program reports back to the FBI - BAM! got 'em.
heheh, I like it.
Presumably, the FBI has identified the specific DoS programs that were used in the Yahoo and subsequent attacks. But how hard is it to change the signature and/or name of the program?
Some ideas have been advanced here on /. as well as other areas as to how to control this kind of problem. I think that getting responsible sysadmins and ISPs (or convincing irresponsible sysadmins and ISPs to try harder) is really the first step.
Since we don't know what they're looking for, we don't know that they're doing it right. And unless we run as root, we can't look at what piece of code is using what port. AND, since we don't have the source available and don't know exactly what it's doing, we're certainly not running the code as root.
So it kind of seems like a "oh shit -- let's look like we have a solution!" ploy to reassure Wall Street. It doesn't seem like a viable approach to really address the problem.
Just my humble and ignorant opinions...
Eloi, Eloi, lema sabachtani?
www.fogbound.net
These are the same people who murdered a woman, because she was armed with an "assault baby." And let the murderer go free, because he was an FBI agent.
I am sure some of our overseas friends could take this apart and see ALL of what it does.
Eve Fairbanks says I drive a hybrid!LOL
What's particularly painful is that this is a clear case in which source distribution would be a major plus. If this code is a work of the US Federal Government, then it is not protected by copyright under 17 USC 105.
Interestingly, this means that the GNU GPL is powerless to protect the work -- something which is public domain cannot be sheltered by copyright -- but it should be eminently possible to reverse engineer and enhance the program. Modifications themselves should be covered under copyright law, and might be governed by the GPL or another license.
I would be far happier seeing full source to any such tools before installing them on my own systems.
IANAL. This is not legal advice.
What part of "Gestalt" don't you understand?
But that's pointless, you see. They got their stuff into gcc quite a while ago.
"I'll just check out the gcc source, or write a script to go through it and bring any suspicious parts to my attention."
Nice idea. But even if you could do it perfectly, what compiler do you use to compile gcc?
Yep.
That's what I thought.
Have fun.
This week's DDoS attacks could very well have been the FBI beta testing their new app.
Just kidding, of course.
I'm not sure why (or how) they are doing this.
First, wouldn't such a daemon have to be proxying a lot of ports to be effective, or is it just a packet sniffer?
If there is a DoS attack, would it only log IP addresses (which may be bogus) after your system has been compromised, or can it actually prevent such attacks?
Wouldn't a properly configured firewall be more effective using things like connection to connection limits and log files/grep/wc?
Besides the security issues of installing closed-source FBI software on mission critical servers, is there any advantage to using such software or is it only to help FBI nab script-kiddies not necessarily in the US?
Also, is it possible that guys like Amazon.com and Yahoo have nothing more than poorly configured firewalls?
Ozwald
Computer hackers bring down FBI website
Computer hackers used a large distributed attack against the FBI website (http://www.fbi.org) yesterday for two hours between 2 PM and 5 PM, Eastern U.S. time.
FBI officials said that most of the compromised computers requested two specific files, suggesting that the hackers might have been attempting to exploit a file-system bug that might have led to additional slowdown.
Many of the computers used in the attack sent messages causing the webpage requests to appear to come from different types of browsers, making them difficult to block.
Top FBI spook Drawoc Suomynona finally figured out how to block the attacker. "Most of the requests sent the 'referring page' as the page for a recent slashdot article. We just blocked all requests with that referrer, and the FBI server quickly became unclogged."
Slashdot (http://www.slashdot.org) is a well-known geek news site. Slashdot editor Rob Malda declined to comment, but was heard mumbling "It's crackers, not hackers, goddamnit."
Suomynona added, "We still have not found the source of these distributed attacks against websites, but we will step up our efforts to find them."
This is the real Bruce Perens' account, not the .-impostor.
Who knows what else, aside from detecting DDoS does it do? Give us the source, then we'll install it and check our machines.
:)
I have a couple of Linux boxes, but wouldn't dream of ever installing software from the FBI on it, unless I can peruse and check the source.
In the meanwhile, and as someone else already said, who the hell cares if big-name sites go down? My site's running ok!
This move is boneheaded not only because it furthers conspiracy theorists musings, but because it actually limits the technical scope of the solution.
Of the 6-8 Linux file/web servers we run, none of them run on Intel boxes. A couple are running on apple hardware (LinuxPPC) and a number are running on mips...
no matter how much I want to, I can't do anything with these.
If someone has spare time on their hands, maybe they could disassemble the bugger. Or, they could run these binaries on a sacrificial box in an isolated 10.0.0.0 network, with sniffers running everywhere to see if this thing tries to phone home...
I suppose the argument for not releasing the source is to make it harder for the bad guys to change signatures to avoid being detected. Like we can't type "strings -a". Some of the strings it's looking for are interesting...
Besides obvious stuff like "Tribal Flood", others are:
blowfish_decipher
blowfish_encipher
des_crypt
and even
security_through_obscurity
With messages like "Encryption string found" it *appears* (no way to know for sure 'til source is released) that any old encrypted stuff is tagged as suspect!
Maybe the government will take over and give everybody a fixed IP that they can use based on fingerprints, DNA, S.S.# or something like that, and find out all our information.
So they only have tools for detecting the multi-source denial of service program for Linux and Solaris? This would suggest to me that the current round of attacks are all based on compromised hosts running those OSs. This is the first technical information on this attack that I've run into. Everything else I've seen seems to be targeted to the non-geek crowd.
But note how the platform that launches the attack is Solaris AND Linux.
So all the whiners about how the Yahoo! problems were because of them using BSD get more egg on their faces.
This is not the fake Bruce. It is the real sellout version who is giving away the keys to the open source community. Infidel.
"Yes, Commissioner? I think I've found the source of these malicious DoS attacks... have you ever heard of Rob Malda?"
"Yes, the infamous Commander of Tacos! We know all about him... he and his evil gang, the Slashdotters, have terrorized web-sites throughout the land with their awesome distributed DoS capabilities. A link goes up on the main page -- and boom! The site is impossible to contact within as little as five minutes! Why, with that kind of power, and his evil mutant slave Hemos, he's -"
"Sir?"
"Yes, what is it?"
"Hemos is a human, sir."
"I'll be damned if I'm tricked into believing that again, mister! As I was saying, with that kind of power, (and an evil mutant slave *AHEM*), this Commander of Tacos is unstoppable!"
"Yes, sir, I once thought that myself. But he has a weakness -- his code."
"What?!"
"You heard me correctly, sir. That Slash code. It's available freely to all now, right there on Slashdot. You can pass it on to the crack [smoking] analysts at the NSA, and --"
"And we'll know just how he does it, and how to stop him! By gar, Drew, you're right! How can I ever pay you back?"
"Just buy CDs from Walnut Creek and support FreeBSD, sir. FreeBSD is the OS of true Americans. Slashdot and its evil ways are the product of the godless socialist Finns and their 'Linux'."
"Damned straight! I'll get right on it! [trailing off] Jensen! Preorder 500 copies of FreeBSD 4.0 from Walnut Creek, stat!"
[drew hangs up] "*Sigh* Yet another mystery solved by the powers of a BSD 4.4 lite OS."
Be sure to tune in next week, when Drew has Linus deported for serial buggery!
***
I totally concur; either that, or the feds coded the thing in BASIC and won't admit it.
...just read a few of these replies with an open mind. Hell, if they understand that their software *could* be decompiled eventually anyway, what would it hurt to make the source available to the community? They'd get a lot more goodwill, possibly some cooperation, and maybe even some constructive criticism. It could be learning and bridge-building at the same time.
"How many light bulbs does it take to change a person?" --BMcC-->
I WILL NOT download and install any binaries on my system!
I will only install programs I compile from the source.
Think about it, what if the DDoS daemon sniffer has a trojan?
What if the FBI is behind the DDoS attacks?
It would be a perfect reason to distribute a hacker sniffer.
[disclaimer]
I don't think that the FBI is intentionally running a DDoS attack.
And I don't think the FBI has malicious trojans in their software.
[end disclaimer]
But, it's something to think about.
* "Uncle this droid is malfunctioning" -- Luke Skywalker
I found an email address - NIPC@fbi.gov
:)
Email them _nicely_ and explain why you won't use the program without the source. Leave out the conspiracy theories, for obvious reasons...
Suggestion: Use "Please provide find_ddos source code" as the subject - about 100 messages with the same subject, all asking nicely, should get their attention.
Oh yeah - ask nicely.
Did I mention that you should ask _nicely_?
----
You don't serve bacon to a Jewish guest, you don't serve wine to a Muslim Guest, and you don't give binaries to the Open-Source community.
My opinion, use it as you wish.
Sakhmet.
"The surest way to corrupt a youth is to instruct him to hold in higher esteem those who think alike than those who think differently."
Ban the Nukes! Save the Whales! Screw it. Nuke the Whales!
...is something we learned *NOT* to do back when our country *was* your country.
-=Maggie Leber=-
Where the guy is explaining what a "fundraiser" is.
Wait for the source to be released.
The FBI is providing a program to detect DDoS attacks. It's lame, it's probably not that effective, the source code is unavailable, and they are overlooking the general level of trust that Slashdotters have for the FBI.
So go ahead and accuse the FBI of suspicious timing, and feel free to cast aspersions on their motives, and by all means consider them responsible for any and every possible disaster going back to the Garden of Eden debacle.
And when you're done, let me know what YOU'VE done to deal with this. At least they're trying to do something...
Strike while the irony is hot! -- The Freethinker
Between some of the stories on Slashdot, comments and a discussion at my local UG last night the following conspiracy theory has bubbled up.
<conspiracy>
Janet and the FBI want a 40% increase in their budget mainly for fighting Cybercrime.
Soon afterwards massive DoS attacks hit the major consumer sites. No government or foreign (non US) sites are hit. The attacks take place during offtimes for most sites; Etrade before the market opens, Ebay during dinnertime.
The attacks are of the scariest type, not much protection for the victim, shows a vast number of systems connected to the net are easily compromised.
Two days later the FBI has a 'solution' to the help alleviate the problem, available to all.
</conspiracy>
Whether or not you trust the FBI or the Federal Gov., this attack has been very convenient for the FBI and Federal law enforcement. It directly helps their position in Congress and in the public eye.
Most of the time we have seen script kiddies attack government sites and high profile sites in the Internet 'community' as opposed to just hitting big commercial sites. This may be a new strain of the script kiddie 'virus' or it could be your favourite spooks (maybe the FBI is coordinating with the NSA, sorry, more conspiracy) advancing their collective agenda.
Remember: the price of freedom is eternal vigilance.
(the price of getting a quick post on /. is bad spelling)
Just some food for thought (or mental masturbation, your choice)
Arrogance is Confidence which lacks integrity. -- me
"Now, I hope and pray that I will, but, today I am still just a bill"
Logging output to: LOG
Scanning running processes...
Scanning "/tmp"...
Scanning "/"...
Message from syslogd@localhost at Thu Feb 10 14:22:26 2000
localhost kernel: : rw=1, want=530244, limit=530113
Segmentation fault
we don't know what else it's looking for, or who it's contacting.
Anyone concerned about security should already know how to use tracing tools to see what a program is doing. All the good Unixes come with some kind of native execution tracing tool (called trace or truss or whatever) as well as network tools to monitor connections. Plus you have all of the various third-party tools available as well.
If you think it's looking for specific files other than the DoS programs, trace it on a test machine. If you think it's contacting the FBI and uploading your pr0n collection, put the NIC into promiscuous mode and watch for packets. The program is no different from any of the others.
Personally, I suspect that the programs are okay, if only because the FBI knows that the programs will be under this kind of scrutiny. They're not stupid.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
Why would anybody want to execute anything handed out by the FBI?!?!?
"Here everyone, this will make your site less vulnerable to all of those hackers. Why are we doing this? Um uh... we just want to make the world a better place, yeah that's right"
There was an article less than two months ago about a Mac OS9 Flood Attack capability. John Copeland had discovered that Macintosh computers could be used, without the owner's knowledge, to create a massively distributed DoS attack quite easily.
Has anyone analyzed the packets to determine if they match the requisite 1500 byte ICMP Echo-Request packets? The quote below seems to indicate that, if this is indeed what is going on, it could be prevented quite easily.
The Internet Service Providers (ISPs) must take action to drop long ICMP packets in the backbone networks (any packet longer than 1499 bytes, at least). -- John Copeland
You should never, never doubt what nobody is sure about.
You quitting proves that the karma kap worked. The most annoying of the whores shut up. --CmdrTaco
This story would be even funnier if it was not so believable!
Eve Fairbanks says I drive a hybrid!LOL
Well, it would seem that the FBI still doesn't know a fucking thing about data security.
"Oh, Sure, Ms. Reno. I'm going to take a program without source code from the agency that bugged Martin Luther King, and run it on my machine just because you said so."
Fuck you. Get a goddamned warrant if you want to know what's on my machine.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Quit bitching about the source not being available! If you were half decent programmers, you'd sic a debugger on it and see what in the hell it was doing!
A brief sampling...
blowfish_decipher
k00lip
shameless_self_promotion
show_shit
commence_smurf
des_encrypt
aes_encrypt
security_through_obscurity
1 - Change IP antispoof-level (evade rfc2267 filtering)
9 - TARGA3 flood (IP stack penetration), usage: -i victim%s..
sitf: executing %s instead of %s
sitf: hiding content of file (%s)
sitf: hiding directory (%s)
sitf: hiding file/process (%s)
sitf: hiding promisc flag on interface
sitf: setting uid(%d) to uid(0)
Why would anyone run these stupid binaries on their computers? No source? Go screw! I bet those programs collect data on your computer and about your family and your dental hygiene habits and everything else possible and fire it down to the local FBI office to be put into a big database! Screw you, feds! We don't need your help, because frankly, you don't have anything good to offer us anyway.
"Recipients are asked to report significant or suspected criminal activity to their local FBI office...."
So am I now encouraged to keep a watchful eye on every intelligent kid I know with a computer? So we can protect the interest of "e-commerce"?
Or are we to just create an environment of paranoia? Where the hordes of techno-ignorant follow blindly behind the FBI because of an unjustified fear of hackerz.
Remember security and freedom are opposites. The more we have of one, the less we have of the other. I vote for freedom. But of course.. we realize that a DOS is really a harmless inconvenience to the data on my server. But try getting Dan Rather to say that.
Or maybe I'm just the paranoid one... terribly out of touch with reality. I should just go about my 9 to 5 job, and sit in my cubicle, and not ask so many questions.
Here, if the Government calls a cat a dog, it legally becomes a dog.
There are plenty of cases where perfectly legal activity is met by the feds with enormous legal bills (search for Bill Cheek).
Anyway, any analysis would be interesting. Also, some threads farther down this post, suggest that just running this FBI crap will eat up all of your memory anyway, thus generating a self inflicted DoS attack.
There is no WAY I'm going to install an FBI-supplied object-only daemon that runs as root.
Given that they claim to have just written this thing, there is absolutely no excuse for not releasing it as source.
Such a program could view any file and report anything it finds to an external source of its own choosing. It could install trapdoors. It could expose private crypto keys. It could monitor traffic on internal nets - or even attack external sites. It could monitor email. I could go on.
But stop a distributed DoS attack? Does this thing sink its hooks into the kernel? (Would you install it if it did?) Or does it just scan all the disks and tables for "bad" source or object code or file/program names, in the hope the perpetrator (or his sysadmin) installs it on his own machine.
This might be worth reverse-engineering. But there's no WAY anybody concerned about his system's security will execute this puppy.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
not only is it closed source, for some bizarre reason, but they only compiled it for x86 linux! it does no good on the at least tens of thousands of non x86 linux boxes (and bsd). these feds really have no idea what they're doing.
Well, even though they are binary files, at least there is a checksum file. I'm sure any hackers who break into the FBI computer and replace the files won't think to replace the checksum file too.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
If someone running Solaris 7.0 (aka SunOS 5.7) or greater could run these with truss -f and sotruss, we can see all system calls and shared library calls which would go a long ways to determining if these appear suspicious or not. Post the results and we'll see what's up.
Anyone see any probs with that?
I like lots of people. That doesn't mean I go carting them around the galaxy with me. --Dr. Who
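Both the tracing advice earlier in the thread (trace/truss plus a packet monitor on a test machine) and the truss -f/sotruss suggestion just above describe the same check: run the unknown binary on a sacrificial box and look at what it opens and where it connects. The script below is an added example, not code from the thread or from the FBI's tool; it assumes Linux with strace rather than Solaris truss, and the trace log embedded in it is constructed to exercise the parsers.

```shell
#!/bin/sh
# Added example: dynamic vetting of an untrusted, binary-only tool.
# Assumptions: Linux, strace installed. SAMPLE_TRACE is a CONSTRUCTED
# strace -f log, not real find_ddos output; /root/.ssh/id_rsa and
# 192.0.2.10 are made-up values chosen to trigger the checks below.
SAMPLE_TRACE='1234  openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
1234  openat(AT_FDCWD, "/tmp", O_RDONLY|O_DIRECTORY) = 4
1234  socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
1234  connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
1235  openat(AT_FDCWD, "/root/.ssh/id_rsa", O_RDONLY) = 6
1234  sendto(5, "GET / HTTP/1.0", 14, 0, NULL, 0) = 14'

# Run a command under strace, following forked children, logging only the
# network and file-open syscalls.  Usage: trace_run LOGFILE cmd [args...]
# On a sacrificial box this would be e.g. trace_run /tmp/vet.log ./find_ddos [args]
trace_run() {
  log=$1; shift
  strace -f -e trace=network,open,openat -o "$log" "$@"
}

# Read strace output on stdin; print every IPv4 endpoint the traced
# processes tried to connect() to, as ADDRESS:PORT, one per line.
list_connects() {
  sed -n 's/.*connect(.*sin_port=htons(\([0-9]*\)), sin_addr=inet_addr("\([^"]*\)").*/\2:\1/p'
}

# Read strace output on stdin; print the distinct paths passed to open()/openat().
list_opens() {
  sed -n 's/.*open[a-z]*([^"]*"\([^"]*\)".*/\1/p' | sort -u
}

# Read strace output on stdin; print opened paths that a DDoS-daemon scanner
# has no business reading.  The pattern list is an assumption; extend it.
list_sensitive_opens() {
  list_opens | grep -E '^(/etc/shadow|/root/\.ssh/|/home/[^/]+/\.ssh/|/etc/ssh/ssh_host_)'
}

# Summarise a saved trace log.  Usage: report LOGFILE
report() {
  echo "== connect() targets =="
  list_connects < "$1"
  echo "== sensitive files opened =="
  list_sensitive_opens < "$1" || echo "(none)"
}

# Demo on the constructed log.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_TRACE" > "$demo_log"
report "$demo_log"
rm -f "$demo_log"
```

Pair the trace with a packet capture on a second host, as the thread suggests: a binary that connects out shows up in both, and a disagreement between them is itself worth investigating.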
I'm amazed that nobody has commented on how this is coming from the FBI's National Infrastructure Protection Center (NIPC), which has repeatedly proven itself to be utterly clueless when it comes to the Internet it is charged with protecting.
The NIPC's director, Michael Vatis, seems bent on using every single hiccup on the Net to prove how Essential and Important (TM) the NIPC is. When the Melissa virus hit, NIPC was running around screaming about the end of the world. After that the NIPC was warning about the evil "Y2K viruses" that never really existed (oops!). (The NIPC alert I linked to is a scream; it basically says that there are lots of Nasty Viruses out there, and that, if someone could write a Nasty Virus, they could probably write a Y2K virus, so you should panic immediately.) Now, since Melissa and Y2K failed to destroy civilization, the NIPC is beating the drum over the DoS issue, calling a bunch of script kiddies who inconvenience some people "cyber terrorists".
The common thread here is that the Net is a nasty, brutish place, and only the big tough NIPC can protect us.I'm not sure why they keep doing this, unless Vatis is such a publicity hound that he will take any excuse to "alert" people of "threats", even if those alerts do more damage than help by panicking people into distrusting the reliability of the Net. His fearmongering has become so blatant and counterproductive that he's become a favorite target of ridicule for Rob Rosenberger, the crusader for common sense regarding computer viruses.
Sure, it's bad that these big sites are suffering DoS. But it's not "terrorism", and slinging around that word only proves how cushy daily life for most people in America truly is. It's hard to imagine anyone rationally being able to compare congestion at Yahoo! to blowing up a federal building. Maybe if Vatis stopped to think for a moment before lunging to get his agency in front of the cameras of the press, he'd realize this too.
-- Jason A. Lefkowitz
Read my blog.
"Contact your local FBI department."
like, since when does Europe or whatever have an FBI?
Coca-Cola, sometimes War.
Yahoo is a small fry attack. The problem is that this could affect something more critical like an on-line brokerage. What if you need to get on and dump your RJ Reynolds stock because a jury ruling is causing the stock to tank down 75 percent? What if Ameritrade is down because of a DoS attack? You'd be pissed if you lost 80 grand because you couldn't get on to dump your shares.
Will we get the MPAA to help the FBI to destroy the life of the guy in China that is shutting Yahoo down? Seriously, if I have servers in China, S.E. Asia, Australia, and Brazil all running trin00, and the master control is in Zaire...what the hell is the FBI going to do about it? Get angry?
I have a Pentium 75 with Red Hat 6.1 installed. All my Linux box is used for is my hubby's web surfing. It does this nicely. It is attached to a cable modem so it is a pretty good target for this DDoS client, except the machine is a PoS.
I won't run a binary only patch. For one thing I have not got the hang of installing programs under Linux. Even uncompressing a file is beyond me now. I installed Red Hat with the assistance of a friend. (The install program was easy enough, but I had no idea how to partition the hard drive properly.) I don't want to pester my friend any more about it. Can anyone point me to good resources to learn to do simple stuff in Linux? Does anyone have alternative open source software that can be used to uncover these clients? My Linux box does sound like it is very busy sometimes when we are not using it.
I haven't heard of any today...
ipchains is a known tool to log ICMP requests or any other kind of request; also with tcpdump you can see everything that's going on in your network. The tools to scan are already there...only lamers cannot use them.
Last I checked you are allowed to think bad things about the FBI/GVMT. If you think the FBI is Evil then just say it, you don't need a disclaimer. This isn't China...
uuuh.. I DON'T LIKE THE FACT THAT THERE ARE DECRYPT CALLS IN THAT APP... FULL DSM @ http://members.xoom.com/bi0drain/find.asm
Well, I fought off the pangs of paranoia and doubt and su'ed and ran this thing. Scanning running processes... Scanning /tmp... Scanning /... OOPS.. load JUMPS, mem AND swap usage jumps from 15% and 0% to 100% and 100%. X halts: mouse doesn't move, xmms pauses. I try to telnet in from another machine for about 6 minutes, NOTHING. I finally go back, and it's killed X along with rc5des and itself.
Sounds like a denial of service attack itself. geez. Now I feel dirty, excuse me while I go buy a new hard drive. eww.
-- adraken
I've been running PortSentry on my system for a little while now and I've already had 33 people try to scan me. My attitude is that PortSentry will scare off Script Kiddies and the less experienced (cr/h)ackers from my system (since it will be real obvious that something is up when right after a scan they can no longer connect to my server).
Basically it is akin to the use of a car alarm. If you have a car alarm, a thief can still steal your car. But if you have the alarm, they won't bother with the time and risk of trying to mess with it. So they move on to the next car.
I did have one person who was really insistent on trying to hack in one time. Fortunately he was an idiot. I received repeated scans from the same block of IP addresses (he was dialing up to his provider). The scans were trying to look for the same vulnerability each time, so he made a very obvious pattern when scanning. Using ARIN's handy whois database I figured out what provider hosted those IPs and then sent their sysadmins a note. I gave them a log of times he scanned me and sure enough he went away not long after that.
If somebody does a casual scan, I just ignore them. If I get repeated scans from a subnet then I watch a little more closely and if possible get the guy shut down. I've run casual scans on people just to see what was running, and I think that's kosher, but if you continue to do it, or take it beyond that, you get what you deserve.
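The triage the poster describes (ignore a one-off scan, watch a block of addresses that keeps coming back for the same service, then take the log to the provider) is easy to automate over the alert log. The following is an added example, not code from the thread or from PortSentry: it groups alerts by source /24, keeps only networks that produce several alerts inside a time window, and reports the hosts seen and the port they probe most, which is the evidence you would hand to an abuse desk. The log lines are constructed (RFC 5737 documentation addresses) and only loosely modelled on PortSentry's "attackalert" syslog messages; the exact format is an assumption.

```python
"""Correlate port-scan alerts by source network to separate casual scans from persistent ones.

Added example, not from the thread or from PortSentry: the log lines below are
constructed and only loosely modelled on PortSentry's "attackalert" syslog messages.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample (RFC 5737 documentation addresses). One /24 keeps coming back
# for the same port, which is the pattern the post describes; one host is a one-off.
SAMPLE_LOG = """\
Feb 10 01:02:11 gw portsentry[311]: attackalert: Connect from host: 198.51.100.17 to TCP port: 23
Feb 10 01:02:12 gw portsentry[311]: attackalert: Connect from host: 198.51.100.17 to TCP port: 111
Feb 10 03:40:02 gw portsentry[311]: attackalert: Connect from host: 198.51.100.42 to TCP port: 111
Feb 10 09:15:30 gw portsentry[311]: attackalert: Connect from host: 198.51.100.99 to TCP port: 111
Feb 10 14:00:00 gw portsentry[311]: attackalert: Connect from host: 203.0.113.5 to TCP port: 80
Feb 11 22:10:45 gw portsentry[311]: attackalert: Connect from host: 198.51.100.23 to TCP port: 111
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+portsentry\[\d+\]:\s+attackalert:"
    r"\s+Connect from host:\s+(?P<src>[\d.]+)\s+to\s+(?P<proto>TCP|UDP)\s+port:\s+(?P<port>\d+)"
)


def parse_alerts(text, year=2000):
    """Return (timestamp, source address, protocol, port) tuples; syslog lines omit the year."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        alerts.append((ts, ipaddress.ip_address(m.group("src")), m.group("proto"), int(m.group("port"))))
    return alerts


def _max_in_window(times, window):
    """Largest number of sorted timestamps that fall inside any span of length `window`."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def repeat_offenders(alerts, prefix_len=24, min_events=3, window=timedelta(days=2)):
    """Group alerts by source /prefix_len (a dial-up pool hands out neighbouring
    addresses, so single-host counts miss the pattern) and keep the networks with
    at least min_events alerts inside `window`. Each entry lists the hosts seen,
    the most-probed port and how dominant it is."""
    by_net = defaultdict(list)
    for ts, src, proto, port in alerts:
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        by_net[net].append((ts, src, proto, port))
    report = {}
    for net, events in by_net.items():
        events.sort(key=lambda e: e[0])
        if _max_in_window([e[0] for e in events], window) < min_events:
            continue
        top_port, top_n = Counter(e[3] for e in events).most_common(1)[0]
        report[str(net)] = {
            "count": len(events),
            "hosts": sorted({str(e[1]) for e in events}),
            "top_port": top_port,
            "top_port_share": round(top_n / len(events), 2),
            "first": events[0][0].isoformat(),
            "last": events[-1][0].isoformat(),
        }
    return report


if __name__ == "__main__":
    for net, info in repeat_offenders(parse_alerts(SAMPLE_LOG)).items():
        print(net, info)
```

The thresholds (three alerts inside two days, /24 grouping) are the knobs to tune for your own log volume; the "first"/"last" timestamps and host list are what the provider's abuse contact needs to match against their dial-up records.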
I got this link today out of my SANS newsletter. Dave, Marcus Ranum, and others developed their own scanners *and* provide C source code. Also, he has several reports on trin00, TFN, and Stacheldraht as well as pertinent links on the subject. http://www.staff.washington.edu/dittrich
What he says is controversial only to those who would bother to reply to such inane, stupid viewpoints to begin with. Please do not give him forum.
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Esp. your government. The government is not there to serve you. They are there to continue and expand their jobs.
why so you can see stuff like this?
it seriously looks like it does what it says...
eclose__3elf()
13b58: 9d e3 bf 90 save %sp, -112, %sp
13b5c: d0 06 20 08 ld [%i0 + 8], %o0
13b60: 80 a2 20 00 cmp %o0, 0
13b64: 22 80 00 05 be,a 0x13b78
13b68: d0 06 20 04 ld [%i0 + 4], %o0
13b6c: 40 00 72 0c call elf_end
13b70: 01 00 00 00 nop
13b74: d0 06 20 04 ld [%i0 + 4], %o0
13b78: 80 a2 20 00 cmp %o0, 0
13b7c: 26 80 00 05 bl,a 0x13b90
13b80: 90 10 3f ff mov -1, %o0
13b84: 40 00 72 09 call close
13b88: 01 00 00 00 nop
13b8c: 90 10 3f ff mov -1, %o0
13b90: d0 26 20 04 st %o0, [%i0 + 4]
13b94: c0 26 20 08 st %g0, [%i0 + 8]
13b98: 81 c7 e0 08 ret
13b9c: 81 e8 00 00 restore
Actually make that
144.35.152.212 that I am currently monitoring.
Slashdot social engineering at its finest
We do have something called the freedom of information act. Unless the information falls into certain specifically designated sensitive categories, it must be released on request. Why not file one with the FBI to obtain the source for these utilities?
I don't know if I am comfortable with blindly installing binaries from the government or anyone else for that matter.
More race stuff in one place,
than any one place on the net.
After it started scanning the /. directories it bombed out with a message that it had allocated too much memory ( I've got 192+swap for 256k). I'm sorta suspect of a simple scanner needing more than this...
One warning - it gobbles memory fast. If you run it, run it during a very idle time.
There's a gorilla from Manilla who's a fella that stinks of vanilla and has salmonella.
...to forward this to Reuters. :)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I tried it out. The first machine with shell ulimits it puked on; now I'm running it on another machine that has now, I just killed it, it just exceeded 206MB of memory usage. What are they trying to do, crash my god damn machines!? What the fuck! If they can't release the source at least release decent binaries.
30833 root 15 0 206M 176M 208 0 D 15.1 70.5 0:45 find_ddos
aphro@aphroland.org
NIPC Alert 00-034 and re-issue of National Infrastructure Protection Center Information System Alert NIPC Alert 99-029 originally issued 12/6/99; Unclassified
Beginning on 7 February 2000, a number of high-profile Denial of Service (DOS) attacks temporarily disabled significant electronic commerce Internet web sites. These cyber attacks targeted companies' sites like Yahoo.com, Amazon.com, CNN.com, Buy.com, Ebay.com, Stamps.com, Exodus.com, E-trade.com, and Zdnet.com; reported victims have apparently recovered from the attacks within a few hours. Public reporting cites coordinated, Distributed Denial of Service (DDOS) attacks originating from multiple points on the Internet. The FBI is now investigating a number of these attacks; in view of these events the NIPC is re-issuing its original alert describing the DDOS exploit. Additional information can also be found on the NIPC web page at www.nipc.gov and at the Carnegie Mellon Computer Emergency Response Team Coordination Center (CERT/CC) web page at www.cert.org.
Beginning in the fall of 1999, the FBI/NIPC became aware of several instances where intruders installed DDOS tools on various computer systems to create large host networks capable of launching significant coordinated packet flooding denial of service attacks. Installation was accomplished primarily through compromises exploiting known Sun RPC vulnerabilities. These multiple denial of service tools include Trin00, Tribe Flood Network (or TFN), TFN2k, and Stacheldraht, and were reported on different civilian, university and U.S. Government systems. The FBI continues investigation of many of these incidents, and was and is highly concerned about the scale and significance of these incidents, for the following reasons:
A) Many of the targets are universities or other sites with high bandwidth Internet connections, representing a possibly significant threat to Internet traffic.
B) The known cases involve real and substantial financial loss.
C) The activity ties back to significant numbers and locations of domestic and overseas Internet Protocol (IP) addresses.
D) The technical vulnerabilities used to install these denial of service tools are widespread, well-known and readily accessible on most networked systems throughout the Internet.
E) The tools appear to be undergoing active development, testing and deployment on the Internet.
F) The activity often stops once system owners start filtering for Trinoo/TFN and related activity.
Possible motives for this malicious activity range from exploit demonstration, to exploration or reconnaissance, to preparation for widespread denial of service attacks. NIPC was concerned that these tools could have been prepared for employment during the Y2K period, and remains concerned this activity could continue targeting other significant commercial, government or national sites.
NIPC requests that all computer network owners and organizations rapidly examine their systems for evidence of these distributed denial of service tools, in order to be able to quickly implement corrective measures (specific technical instructions are available from CERT/CC, SANS, NIPC, or other sources). These checks should be done both to check and clear systems of Trinoo/TFN and related threats, and to support law enforcement efforts investigating these exploits. Recipients are asked to report significant or suspected criminal activity to their local FBI office, NIPC or ANSIR Coordinator, computer emergency response support, and other law enforcement agencies, as appropriate. The NIPC web site is located at www.nipc.gov.
More race stuff in one place,
than any one place on the net.
"someone's taken down the 'net!"
it used to happen all the time
back in the day when it was new
and didn't run on Wall Street's dime
there was no panic way back then
when a packet would get lost
but now each one is good as gold
and every downtime has a cost
suits came and tried taking over
and the hackers said, "hey, we're not fools,
stop what you're doing to our 'net!"
and they broke out their hacking tools
the 'net is quite a complex thing
so there are ways to take it on
to abuse the bugs and the backdoors
which open up when knocked upon
clueless experts on the tube
while at the suits the hackers laugh,
"it was so simple for our group
to cut your backbone right in half!"
some suits think that they're immune
their net's protection is quite strong
but if you think that you'll be safe...
you might find out that you're all wrong!
CluelessLinuxLuser: Sure! Who better to know whats good for me then the FBI!
CluelessLinuxLuser: Hey, can i get the source?
FED:no
CluelessLinuxLuser: Can you tell me a little more about how it works?
FED: no
CluelessLinuxLuser: Umm...I don't know if this is such a good idea then
FED: TRUST US! Its good for you AND the children, you don't hate children...do you?
CluelessLinuxLuser: NO, NO! Don't worry, I will run your spook binary on my networked PC as root.
(FED thinks to him self) ::HAHA, MS has their sheep, now we have ours! ::
It has been slow as fuck since all the DoS stuff has started in case anyone hasn't noticed..
Yeah, all that FBI software sending back the results of its HDD scans and IP logging to FBI HQ is really slowing things down.
Respectful request to mod up please?
Eve Fairbanks says I drive a hybrid!LOL
Since the FreeBSD 4.0-RELEASE candidate sources have been recently released, this government binary could be the first program to try out in a jail().
jail is a slick new feature in 4.0, that encapsulates the process "in its own private hell". Look somewhere else for a more technical discussion.
-=tonyt=-
It is eminently clear to me what is happening. The technology 'experts' have finally succeeded in creating far-reaching dependencies on the machines of hell that they have conjured. And now, these "techies" are using computers as their personal drones and foot soldiers to inflate their egos and promote their anarchist agendas. Make no mistake; these are the same spindly pale-faced freaks that you used to shove in lockers. Now, they are hell-bent on revenge because nature has dealt them a painfully small hand. This is a conspiracy; and it is vast. Not only far reaching because of the amount of people involved, but also because of how long it has been happening. Decades ago the seeds were planted with the beginning of what became the Y2K fiasco. They purposefully created fear in order to strip us of our money and our pride. Is there anything that can be done to stop these heathens? Yes, and the points below are a great outline as to how and where to begin overthrowing the nerdopoly we find ourselves serving under and slaves to.
1) Dispose of your personal computer. AOL chat and your personal greeting card software have not contributed anything to your life.
2) If there is a report about "hackers" on the television, turn it off. All of the media is now a collective puppet to these ingrates and atheists that they are reporting on, and have refused to expose the truth about the real danger that these 'people' pose to our society. They exist only to expose our children to pornography, our minds to confusion, and our wallets to theft.
3) Demand that your local library and schools remove computers. These places should be a second home where we are provided with assurances that our American and Christian ideals are protected, not a social petri dish or a home for anarchist and anti-democratic sentiments.
There are certainly other measures that we can take to protect ourselves from these wholly evil creatures of technology and lust, but I think these are important first steps. Thank Our Lord that we still have the American government and tried-and-true capitalism looking out for us.
Yes, I was kidding.
.sig last updated Jan. 14, 2000
ldd ./find_ddos reveals: "not a dynamic executable". Hmmmm.... I'm guessing they linked with glibc, which, since they didn't release source code, means they violated the LGPL. For those who are unaware, the LGPL allows anyone to dynamically link for any reason, but forbids static linking (which is what they did).
Engineering and the Ultimate
for kicks, I downloaded the second program listed in the article posting (the one from staff.washington.edu that comes as source) and compiled it on a 2.2.12smp box. I had to comment out the LIBS line to get it to compile, and I don't know enough about Linux libraries to know whether that was a good idea or not. It seems to do what it says when run as root, and it didn't find anything on my machine or one of the others in my area. FWIW.
I use Macs for work, Linux for education, and Windows for cardplaying.
1) Unknown crackers launch DoS against biggest commercial websites. No one takes credit. Matter of fact, no one that I know of has posted a trace on these jokers.
2) NSA has been yelling about this sort of thing for months.
3) The current administration just happens to be trying to fund its current Internet security initiative.
4) The FBI just happens to have something that they "just wrote" in order to deal with precisely this kind of attack, one we haven't seen before on this scale. It's closed source. It wants to run as root.
Yeah, right.
Where are spaf and the boys when you need them? I'd like to see them take the Fibbie's code apart byte by byte and make sure they're not up to something themselves.
Gods help us if they are.
(I know, call me paranoid, fsck my karma to hell, but bigod no steenking revenooer is getting in MY box quite so easily....hmph.)
--
"We are the FBI, we have no sense of humor that we know of." -- Tommy Lee Jones ("K"), "Men In Black"
Citizen, did you know you can also get these great binary-only tools from your friendly neighbourhood Federal Bureau of Investigations?
* FBI Privacy Guard. Ultrafast state-of-the-art Xor 255 or Vigenere stream cipher modes.
* FBI SSH daemon. New! Improved access protocols.
* FBI C-compiler. Advanced optimization techniques.
* FBI sendmail. Extended and enhanced functionality.
* FBI Buffer Overflow Library (libFBIbuf). If you're a programmer, this is a must have.
* FBI Exciting Easter Egg. Our gift to you: wonder what it does? Run it and see for yourself!
And more! Call 1-800-SPOOK.
Naturally, all software has to be run with root permissions in a machine with network access enabled.
It topped out at 291M Bytes of ram used on my system, and took a little over 1 hour to run. It also didn't do any network traffic.
Well, I too am in the category of "does not trust binaries from the FBI." It doesn't matter what the intent is of the FBI programmers. I tend to think that the guys who coded it were probably on the up-and-up.
:)
That said, I still think the leading candidate for the attacks is the NSA....
...which, if you think about it, increases the likelihood that the FBI code is exactly what they represent. While I might believe that the DDoS attacks might have been NSA, I consider it considerably less likely that the NSA and FBI would cooperate.
_Deirdre
Do you have any idea how much stuff sysadmins ignore in a given week or month? It's quite a bit of foolishness that nobody ever knows that we saw. And often the logs are kept sparser than they could be, because we would really rather not remember what your favorite e-commerce sex shoppe is.
It's enough to get several people reprimanded/fired and a few criminal cases filed in your average year. Uptight, play strictly by the rules admins can make mini 1984's out of any company. Most of us don't want to. Be glad that this behavior seems rooted in the culture of sysadmins. The FBI is a very different story.
DB
Your box gets cracked and they don't touch your stuff (as you predict). They do, however use your box to launch a DDoS against whitehouse.gov or even worse from your perspective crack boxes further on that launch a DDoS. A few days later, the secret service is knocking on your door and taking your hardware away and you end up spending thousands in legal fees.
Do you still think, no harm, no foul?
DB
why do you always mod slashdot-terminal up? he posts inane bullshit, usually none of it makes any sense. YET SOMEONE ALWAYS MODS HIM UP. why?
I think you guys are close but still a little off the mark. Riddle me this batman
Who are the best "Hacking" minds on the planet?
Who would know how and how much DoS to pull off?
Who could cover their tracks so well? Who just created a new company called @stake?
Posting AC, for obvious reasons, these guys would find me and . . .
--
--
#define private public
...how you really feel
it's all part of the masterplan. soon the mindless consumer drones will bow to us like the little slaves that they are. MUAHAHAHA!
Thank you
More race stuff in one place,
than any one place on the net.
I believe that the desired level of paranoia is in between the fbi-please-trample-my-rights and the twitching-holding-a-gun-in-the-corner level of paranoia.
Trusting too much can obviously cause problems. People take advantage of you, governments gain control, too much control. On the other hand, being paranoid can consume quite a bit of energy and be counter-productive.
That being said, I remember studying the US revolution in school and thinking that the colonists were sometimes excessively paranoid, however I could never fault the result. Anyway, I hope that no one here would blindly trust the fbi, without even considering that they may not be looking out for your best interests.
Remember kids:
rational fear == good
irrational fear == bad
I have not checked the sources, but if the source code is there, can these people who are using these DDoSs just look to see what it is checking for, and modify their program accordingly?
This conversation took place prior to the update pointing to Dave Dittrich's site. It appears the source code is public domain, so perhaps one of the knowledgeable people here can start a source tree on SourceForge for this tool.
Richard Bottoms
Is that the reason why most popular free shell servers are down since the start of these attacks? Including Shellyeah.org, nether.net, nyx and so on?
The DOS attack is destructive with no productive benefit. It's a pointless and criminal way of saying "Hey, lookee here!" about a bunch of compromised hosts running the masters and daemons.
So I guess the grey-hat response to this black-hat action would be to write more interesting things to put on "owned" systems. Just imagine if, instead of taking down yahoo, your local script kiddie could send the seti@home score of his favorite alias through the roof in just hours. That way, he's still providing the service (calling attention to security holes) without the stupid brute-force collateral damage to Yahoo et al.
I'm kidding about seti@home. But seriously: isn't there something more productive you could do with a distributed network of "owned" systems? Something that would appeal to the script kiddie mentality without fucking things up too badly? Taggers can graduate to real graffiti artworks; where's the upward path for the script kiddie?
I suspect that the answer would have something to do with w4rez or MP3's. (Run Napster instead of trin00 on all the compromised hosts). I'm not endorsing copyright violation here, just saying that it would be a lot better than just crashing shit.
Preferential Voting: easy as 1-2-3
...easily defeated with hacked standard services that are activated only if receiving some obscure encrypted message. Say a hacked finger that will start up some other daemon when you "finger A$RWEPE"? Or smth to this effect? How do you remotely detect those? A careful check of the system files may be the answer, but I for one have about 20 Linux boxes in the lab - all of them reconfigured by their users a bit. - I am not going over each one for sure. They were reasonably secured (everything possible down and telnet replaced with ssh), but who knows what could have happened...
<^>_<(ô ô)>_<^>
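The "careful check of the system files" the post above suggests comes down to a baseline of content digests and permission bits taken while the box was known-good, and a later comparison against it, since a trojaned daemon that only wakes up on a magic message looks idle to a network probe. The following is an added example, not code from the thread, from find_ddos or from Dittrich's scanner: it builds a constructed directory tree with invented file names, baselines it, tampers with it the way a compromise would (same-size replacement of a binary, an extra file, a permission change, a deleted config) and reports the differences. In real use the baseline is taken at install time and kept off the host, and the comparison script itself runs from trusted media.

```python
"""Baseline-and-compare integrity check for system files (added example).

Not the thread's or any tool's code: snapshot() records sha256/size/mode for every
regular file under a root, compare() diffs two snapshots, demo() runs the whole
cycle on a constructed tree with invented paths.
"""
import hashlib
import json
import os
import stat
import tempfile


def file_digest(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Record digest, size and permission bits of every regular file under root.
    Symlinks are not followed, so a link swapped in for a binary shows up as a change."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            baseline[os.path.relpath(full, root)] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
            }
    return baseline


def compare(baseline, current):
    """Diff two snapshots: new files, missing files, and which attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in ("sha256", "size", "mode") if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def _write(path, data, mode):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo():
    """Build a constructed tree, baseline it, tamper with it, and return the report.
    Paths and contents are invented stand-ins, not real system files."""
    with tempfile.TemporaryDirectory() as root:
        fingerd = os.path.join(root, "usr", "sbin", "fingerd")
        ls = os.path.join(root, "bin", "ls")
        inetd_conf = os.path.join(root, "etc", "inetd.conf")
        _write(fingerd, b"#!/bin/sh\nexec /usr/libexec/real-fingerd\n", 0o755)
        _write(ls, b"\x7fELF ls stub", 0o755)
        _write(inetd_conf, b"finger stream tcp nowait nobody /usr/sbin/fingerd fingerd\n", 0o644)

        # A real deployment writes the baseline to read-only or offline storage;
        # the JSON round-trip here stands in for that save/load step.
        baseline = json.loads(json.dumps(snapshot(root)))

        # Tamper: same-length replacement of fingerd (size alone would not catch it),
        # an extra file, a setuid bit flipped on ls, and inetd.conf deleted.
        with open(fingerd, "rb") as f:
            data = f.read()
        _write(fingerd, data[:-1] + b"#", 0o755)
        _write(os.path.join(root, "bin", ".extra"), b"new", 0o755)
        os.chmod(ls, 0o4755)
        os.remove(inetd_conf)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For twenty lab boxes the practical shape is one baseline per machine taken right after install, stored where the machine cannot rewrite it, and a cron job that runs compare() and mails anything non-empty; the same-size replacement in the demo is the reason the check keys on digests rather than on size and timestamp.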
how do i install this thing on my linuxppc beowulf cluster ?
(note: the beowulf cluster in this comment is purely fictional )
p.s.: the reason why it segfaults on most machines, is that it needs 666 megabytes of RAM.
you eeeediots!!!
I have run this on one of my boxes. The only complaints I get are related to SSLeay. Can someone explain to me what this means?
BFD: /usr/src/SSLeay-0.9.0b/test/riptest: invalid string offset 768 >= 512 for section `'
BFD: /usr/src/SSLeay-0.9.0b/test/riptest: invalid string offset 1024 >= 512 for section `'
BFD: /usr/src/SSLeay-0.9.0b/test/riptest: invalid string offset 768 >= 512 for section `'
BFD: /usr/src/SSLeay-0.9.0b/test/riptest: invalid string offset 768 >= 512 for section `'
BFD: /usr/src/SSLeay-0.9.0b/test/riptest: invalid string offset 1024 >= 512 for section `'
BFD: /usr/src/SSLeay-0.9.0b/test/riptest: invalid string offset 5632 >= 512 for section `'
load "linux",8,1
..means you use Linux! :-)
Reading the comments about the DDoS detector indicates what a paranoid bunch of people we Slashdotters appear to be! Most of us won't touch an FBI binary with a bargepole, and those of us that do seem to be testing what it does on some spare machine before we release it on our real systems.
In my current area of Linux interest, the field of DVD, DeCSS and css-auth, it has been suggested that Linux users may be happy with binary only drivers to get round our legal problems - these comments show that appears to be utter cr*p. Unless we have at least the opportunity to see the source code, we won't let such things anywhere near our systems.
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
uNF uNF uNF
I ran the fbi prog and sigQUITted it after less than a minute. It dumped a core file that would put netscape to shame.
-rw------- 1 root root 58589184 Feb 10 17:07 core
I'm currently stracing it, and if I find anything interesting, I'll post it here.
#include <signal.h> \ #include <stdlib.h> \ int main(void){signal(ABRT,SIGIGN);while(1){abort(-1); }return(0);}
OFTC: By the community, for the community
Unlike CERN, the FBI can kick down doors and stop a DDoS by arresting its perpetrators and confiscating their computers. The best way to do this is to catch the perps in the act. The best way to do this is to identify and monitor a DDoS the moment it begins. To do this, there must be detection software in place, and that detection software must notify the FBI instantly.
Now, if the source code to the application is readily available, it will document not only the means of discovery but also the means of FBI notification. The perpetrators of the DDoS could use this knowledge to revise their DDoS. In all likelihood they could not get around the means of discovery. However, they could easily subvert the means of notification. All they have to do is launch a simultaneous attack against the FBI's machine--jamming it with bad packets, or overloading its mail server, or simply flooding it with false positives. If the fifty or so real DDoS-origin addresses are buried under a hundred thousand bogus addresses, the perps have created such an effective smoke screen that they will almost certainly get away yet again.
Will a binary-only tool prevent this? No. But by using good obfuscation techniques they could delay decompilation for so long that the tool actually has a chance to work.
Probably the best thing the FBI could do if they wanted to nail these jerks would be to find a couple of high-profile potential targets, give them the source code to a tool under an NDA, and give the site the opportunity to inspect, approve of, compile and install the tool themselves.
--
This is not my sandwich.
Aren't there any detection tools for Windows or MS-DOS?
you can? you think if I broke into your machine and initiated a DoS attack, I wouldn't take the time to remove myself from your logs?
in 1992 my machine at NYU was broken into and used as a stepping stone to break into some machines in Germany. *I* was the one who had to deal with the university coming down and unplugging my stuff and trying to kick me out of housing, and I'm the one with my name in some FBI file somewhere; in my situation, it was quite clear from the logs on my machine that it was being used by someone else to attack systems.
I assure you that you don't want to deal with a situation like this, and if you're young and stupid (or perhaps just stupid) and you don't secure your machines at least enough so that Joe Skriptkiddie can't immediately root you up, you run a very considerable risk of getting owned and used like I was.
The FBI programme brought down my system and it is currently fscking. At last check it was using over 80M of RAM. In a few minutes I'll see the strace log to see if it tells me anything. I do not recommend any one else runs this programme.
End alert.
#include <signal.h> \ #include <stdlib.h> \ int main(void){signal(ABRT,SIGIGN);while(1){abort(-1); }return(0);}
OFTC: By the community, for the community
The real danger is that these punks (or punk; coordinated attacks could be one guppy with a pile o' passwords and a little time on their hands) are forcing the PTB to take action. With or without government conspiracy the PTB will march forth with constricting and stultifying regulations that will hinder and shackle the rest of us, and not being able to get online or search Yahoo will make Joe newbie their ally in doing so. Sayyyy... when did that Mitnick feller get sprung ;-)
Our fight is not against flesh and blood, but against the rulers, against the authorities, the spiritual forces of evil
I wrote a bit of a note to the NIPC suggesting that find_ddos be open-sourced, and pointing out some of the advantages which would accrue, including portability, expansion, and increased trust. I also asked that the license under which it is distributed be clarified, so that I could know if I can legally mirror it. Here's the answer I got back:
"The NIPC has determined that it is important not to release the source code publicly. We do, however, have measures in place to help ensure that the executable on our website is not compromised. We will forward your comments to the appropriate personnel for consideration in this matter. Thank you for contacting us."
How's that for null program?
I believe in paranoia... I think it's a good thing. However, I do not think the FBI is stupid enough to trojan something like this. It would be found, and they know that...
I ran it on my DSL connected firewall box, as root... I also trussed and sotrussed it and monitored for network traffic. It looks to me like it's doing exactly what it claims to do. I don't claim to be an expert, but it's good enough for me.
Come on, people... if you honestly think the Feds are stupid enough to try and trojan this you need to take off the tinfoil hats and get out in the sun a little more. And if you don't think it's worth your time to ensure security of your machine you really should think a little harder. It goes way beyond just a recursive rm or two... if your box is compromised it allows someone to then use your box to stage other attacks, to spam people from your system, etc. etc. etc. And if you think you're secure just because you're obscure you are, quite simply, a fool.
I believe that just about any system can be owned given the time and resources and attention of the right people. The same goes with locks on your front doors. It won't keep the dedicated criminals at bay, but it filters out 99% of the riff raff and lets you focus on detection of the other 1%. I run a firewall on my system not because I think I'm a stud or anything, but to try and keep out the truly lame as well as to try and prevent someone from using my resources to bring down YOUR machine or spam YOUR email account or otherwise be nasty to all my internet neighbors.
I won't tell you to run the FBI binaries because I also believe they should have released source... but I will tell you to CHECK your damned systems to make sure you're not compromised and stay vigilant. If you're running a host on the internet you have a responsibility to all the other people on the internet to try and keep your box clean. If you don't want to keep your box clean, go back to AOL and reformat and reinstall windows every 3 months.
The internet was built on the theory of COOPERATION... remember? It's the same thing you all whine about day after day after day... "oh, but why is the internet going to hell... it's all these AOL lusers" everyone says. But I've got news for you, it's not the AOL lusers, it's the lusers who don't take the initiative and personal responsibility to keep their own systems clean and allow the shitheads out there to run rampant.
-- Gary F.
Here is a situation in which you might wish to report the transgression to the FBI:
I'm a user on a network of 12000 computers. I run this program, and discover that 150 have DDoS programs running. I manage to contact 100 of these users, who remove their computers from the network (I have a lot of free time, don't I?). However, 50 of the rest are unknown to me. I've contacted the network administrator, but they are uninterested in doing anything about the issue. They feel that the increased traffic will not affect our network, which is circuit-switched OC3.
At this point, I'm concerned because I cannot get the last 50 DDoS computers off the network. So, I give in and contact the FBI. I give them the IPs, and the network admin contact number. This is why.
The other reason is if you find something that might point to the originating culprit. That way justice can be served. A final reason is so that the charges against the hooligans can be increased because the FBI now has a record of another 150 computers afflicted and 'damaged' and 'trespassed' upon.
I find the last reason most convincing.
-B
test
test
where?!?
Why would one want to bugger a serial port? Unless your equipment is minuscule, it's going to lack a certain amount of... I/O, if you know what I mean. I mean, if you want to hump your box, that's what fufme.com is for!
My system ground to a standstill. I couldn't even check out the running processes. I have 96MB ram/130MB swap on a K6-400.
/tmp... /...
I ran it on my desktop because I was a little wary of running it on my server without knowing anything about it. My mouse all but stopped. I moved it northeast about a centimeter and the pointer was still moving, a tiny bit at a time, with a huge interval, 5 minutes later. My HD light didn't stop. I gave up waiting and came back later to find the following output:
checking
checking
killed
Strange. Needless to say I deleted the software and didn't bother running it on my server, which is less endowed than my desktop. That binary is way too large to do nothing but simple checks.
Then I remembered, "hey, this is the US Government, they can't do anything right!"
Never attribute to malevolence that which can be achieved through incompetence...
Sheesh.
No it's not, and the comment is kinda silly.
"Multiple Source Denial of Service"
(MS-DOS) has been around for a while. I read about it last year, and thought about it before.
The guy who wrote the detector has documented it pretty well, much better than I could.
What is kinda scary is that it could really be Script Kiddies behind it.
The Code is not half as evil as it could be.
"Think of it as evolution in action."
Ten reasons why we track down and arrest crackers:
--
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
Nice work with IDA, only prob is..
Most people won't know crap from others.
Probably better off summarising it all as pseudo-code.
I was under the impression that trin00 was installed by compromising (mostly) Solaris boxen with buffer overruns. Consequently, almost no one is running it intentionally. Someone here is a bit ignorant, either the moderator or me. Hope it's not me :)
Know how to secure their boxes
Know what services are running and what they do
Thoroughly check out any binaries before they unleash them
And how does running an (evidently) buggy mystery binary from the FBI help here? Imagine that instead of releasing this piece of crap they released a comprehensive guide to Linux security with steps that Admins could take to secure their systems against this DDoS and links to useful resources to maintain security (CERT etc.)
Now, as a complete newbie with LinuxPPC running on an orphaned UMAX Mac-Clone, I have done my best to educate myself. I've read "Running Linux" from cover to cover despite some Wintelocentric parts. I've spent countless hours reading Man and Info pages and scouring LDP etc. for such info as I can get. I still switch to Mac OS to go online because I know enough to know that I don't yet know what has been installed on my Linux system or how to configure it for secure operation. I do intend to learn, but I have a gripe: I almost get the feeling that there was a secret "obfuscated documentation" contest, or that there is a movement to preserve a kind of artificial expertise by keeping docs obscure. My personal favorite is the seemingly detailed Man page (or O'Reilly book) that cannot be understood without first resorting to a long chain of other docs (doc dependencies?). This FBI bin, and the thinking behind it, seems like a step in exactly the wrong direction, but the distros could do a lot more. I would love to read the security manual but my distro didn't come with one.
Well, it kind of turned into a rant, but I'm sure I am not alone in this.
is looking for MP3 files and reporting back to momma
;-)
Few of us seriously consider running software from the FBI without source, unless it's to test it. Similarly, we know not to trust programs from MS, Real, ..., or cookies from DoubleClick. But what about hardware? Do you know what that router is really doing? Or what about your switch?
How can we apply the same standards to hardware as we do for software?
The basic problem is that protocol stacks derived from BSD commit substantial resources on the receipt of a SYN packet. That makes them vulnerable to TCP SYN packets with forged source IP addresses. The proper solution is to allocate only a small control block at the LISTEN -> SYN_RCVD transition, and allocate the full resources for a TCP connection only at the SYN_RCVD -> ESTAB transition. In a SYN flood, the connection never gets beyond SYN_RCVD, so this confines the attack to using up these small control blocks.
The lookup used during SYN_RCVD should be hashed, so it doesn't slow down as the number of connections in that state increases, and the allowed number of connections in SYN_RCVD should be made very large (maybe as big as 100,000) in a large server. This allows for a huge SYN flooding overload without impacting real connections much.
There's a commercial firewall from Israel that does something like this, but it really should be part of the protocol stack.
Don't reply to ICMP packets sent to broadcast addresses. This is an out-and-out bug, known for over a decade, and should have been fixed everywhere by now. Vendors that haven't fixed it yet should be subjected to public embarrassment, if not litigation.
This is the tough one - being attacked by a large number of completely valid requests. One answer is to impose fairness by source IP address within the server, so that each source IP address gets equal responsiveness. This fix won't stop the problem, but it will slow it down substantially. It's going to take some new development, but the concept is conceptually similar to fair queuing, which I invented long ago. Most of the same issues apply within a server as apply in a congested router.
Implement all this, and the problem will go from being headline news to a minor nuisance. Linux network hackers, get going.
I'm not currently doing protocol implementations, but I'd be glad to talk to anybody working actively on the problem. I did substantial work on TCP/IP in its early days, before going on to other things, so I do know what I'm talking about here.
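The connection-state accounting described in the comment above, as an added example that is not the commenter's code and not taken from any real TCP stack: a toy simulation of a stack that commits a full connection block on SYN, beside one that keeps only a small, hashed, bounded SYN_RCVD record until the ACK completes the handshake, plus the per-source-IP round-robin proposed for floods of valid requests. The cost figures, memory budget and addresses (documentation ranges) are constructed for the illustration.

```python
from collections import OrderedDict, deque

# Constructed cost figures in arbitrary units (not measured from any real stack):
FULL_CONN_COST = 1024   # a full connection block with send/receive buffers
SYN_RCVD_COST = 32      # a minimal half-open record: 4-tuple, ISN, timestamp


class NaiveStack:
    """The behaviour the comment criticises: full resources committed on SYN,
    so forged SYNs that never finish the handshake exhaust the budget."""

    def __init__(self, memory_budget):
        self.budget = memory_budget
        self.half_open = {}      # (src_ip, src_port) -> full connection block
        self.established = {}

    def on_syn(self, src):
        if self.budget < FULL_CONN_COST:
            return False         # out of memory: legitimate SYNs are dropped too
        self.budget -= FULL_CONN_COST
        self.half_open[src] = {"state": "SYN_RCVD", "buffers": bytearray(FULL_CONN_COST)}
        return True

    def on_ack(self, src):
        conn = self.half_open.pop(src, None)
        if conn is None:
            return False
        conn["state"] = "ESTABLISHED"
        self.established[src] = conn
        return True


class MinimalStack:
    """Small control block at LISTEN -> SYN_RCVD, full allocation only at
    SYN_RCVD -> ESTABLISHED, hashed lookup, bounded SYN_RCVD table."""

    def __init__(self, memory_budget, max_syn_rcvd):
        self.budget = memory_budget
        self.max_syn_rcvd = max_syn_rcvd
        # A dict lookup is hashed, so it does not slow down as the table grows;
        # insertion order lets us evict the oldest entry, standing in for a timeout.
        self.half_open = OrderedDict()
        self.established = {}

    def on_syn(self, src):
        if len(self.half_open) >= self.max_syn_rcvd:
            self.half_open.popitem(last=False)   # drop the oldest half-open entry
            self.budget += SYN_RCVD_COST
        if self.budget < SYN_RCVD_COST:
            return False
        self.budget -= SYN_RCVD_COST
        self.half_open[src] = {"state": "SYN_RCVD"}
        return True

    def on_ack(self, src):
        if src not in self.half_open or self.budget + SYN_RCVD_COST < FULL_CONN_COST:
            return False
        del self.half_open[src]
        self.budget += SYN_RCVD_COST - FULL_CONN_COST   # release the small block, pay for the full one
        self.established[src] = {"state": "ESTABLISHED", "buffers": bytearray(FULL_CONN_COST)}
        return True


def syn_flood_then_legit(stack, flood_size):
    """Send flood_size SYNs from forged sources that never ACK, then one real
    handshake. Returns True if the real client reaches ESTABLISHED."""
    for i in range(flood_size):
        stack.on_syn((f"203.0.113.{i % 256}", 1024 + i))   # forged sources (TEST-NET-3)
    legit = ("198.51.100.7", 40000)                         # constructed real client
    return stack.on_syn(legit) and stack.on_ack(legit)


def fair_service_order(requests, limit):
    """Round-robin across source IPs so one chatty source cannot starve the rest.
    requests: list of (src_ip, request_id) in arrival order.
    Returns the ids of the first `limit` requests served."""
    queues = OrderedDict()
    for src, rid in requests:
        queues.setdefault(src, deque()).append(rid)
    served = []
    while queues and len(served) < limit:
        for src in list(queues):
            served.append(queues[src].popleft())
            if not queues[src]:
                del queues[src]
            if len(served) == limit:
                break
    return served
```

Linux takes a related route today: `net.ipv4.tcp_syncookies` lets the kernel keep no state at all for half-open connections once the backlog fills, `net.ipv4.tcp_max_syn_backlog` bounds the SYN_RCVD table, and `net.ipv4.icmp_echo_ignore_broadcasts=1` is the fix for the broadcast-ICMP point.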
Certain sites are unhackable and boast to be... such as www.dethstar.net
HACKERS: IF YOU ARE READING THIS, SEND A DOS ATTACK TO LINUXONE!! COME ON, WHY THE FUCK NOT!
Sorry to disappoint you all, conspiracy theorists, but this binary is kosher, despite what you may wish to the contrary. How about next time, instead of just slathering on the FUD to each post, try doing a little investigation, and you might just keep from sounding like another crazed anti-government wacko. That's what I did, and lo and behold, it doesn't phone home, beam the contents of your hard drive to a secret bunker on the moon, or anything else. Of course, I could just be a minion of the Ministry of Truth myself... in fact, I am! And we're after you, Wilson! But don't take my word for it - trace out the system calls and you'll see that you have nothing to worry about. Try it:
./find_ddos -p -y
strace -e trace=network
No system calls for networking are made. I bypassed the full hard drive scan for the sake of time, but I've done that too and you have nothing to fear. So either use the tool or don't - really, I don't care - but please refrain from polluting the message boards with more anti-government FUD. As if there wasn't enough already.
--
I think there is a world market for maybe five personal web logs.
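The syscall-tracing check the comment above describes, turned into an added example (not the commenter's code, and the trace below is constructed, not real find_ddos output): a small parser for a saved `strace -f -o` log that lists every socket-related call and separates local AF_UNIX traffic (glibc talks to nscd over a Unix socket during name lookups) from AF_INET/AF_INET6 activity, which is what "phoning home" would look like. The sample log deliberately contains one outbound TCP connection so the check has something to flag; the binary name and addresses are placeholders.

```python
import re

# Constructed strace-style log (the shape of `strace -f -o trace.log ./binary`
# output). NOT real find_ddos output; it contains one outbound TCP connection
# on purpose so the audit has something to report.
SAMPLE_TRACE = """\
1234 execve("./some_binary", ["./some_binary", "-p", "-y"], [/* 20 vars */]) = 0
1234 open("/proc/1/cmdline", O_RDONLY) = 3
1234 read(3, "init\\0", 4096) = 5
1234 close(3) = 0
1234 socket(AF_UNIX, SOCK_STREAM, 0) = 4
1234 connect(4, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
1234 close(4) = 0
1234 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
1234 connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
1234 sendto(5, "hello", 5, 0, NULL, 0) = 5
1234 exit_group(0) = ?
"""

# "<pid> name(args) = ret"; the pid prefix is optional (absent without -f/-o).
LINE_RE = re.compile(r"^(?:(?P<pid>\d+)\s+)?(?P<name>[a-z_0-9]+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)")
ENDPOINT_RE = re.compile(r'sin_port=htons\((\d+)\).*?inet_addr\("([^"]+)"\)')

NETWORK_SYSCALLS = {
    "socket", "socketpair", "connect", "bind", "listen", "accept", "accept4",
    "sendto", "sendmsg", "recvfrom", "recvmsg", "getpeername", "getsockname",
    "setsockopt", "getsockopt", "shutdown",
}
REMOTE_FAMILIES = {"AF_INET", "AF_INET6"}


def parse_trace(text):
    """Return one dict per parseable line: pid, name, args, ret."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append(m.groupdict())
    return calls


def call_family(call, fd_family):
    """Address family of a socket call: from sa_family= in the args, from the
    first argument of socket(), or from the fd -> family table otherwise."""
    m = re.search(r"sa_family=(AF_\w+)", call["args"])
    if m:
        return m.group(1)
    first = call["args"].split(",")[0].strip()
    if first.startswith("AF_"):
        return first
    if first.isdigit():
        return fd_family.get((call["pid"], int(first)))
    return None


def audit_trace(text):
    """Summarise socket activity in a trace. 'clean' is True only when no call
    touched an AF_INET/AF_INET6 socket."""
    fd_family = {}                      # (pid, fd) -> family, filled from socket() returns
    network_calls, remote_calls, endpoints = [], [], set()
    for call in parse_trace(text):
        if call["name"] not in NETWORK_SYSCALLS:
            continue
        network_calls.append(call["name"])
        family = call_family(call, fd_family)
        if call["name"] == "socket" and call["ret"].isdigit():
            fd_family[(call["pid"], int(call["ret"]))] = family
        if family in REMOTE_FAMILIES:
            remote_calls.append(call["name"])
            m = ENDPOINT_RE.search(call["args"])
            if m:
                endpoints.add(f"{m.group(2)}:{m.group(1)}")
    return {
        "network_calls": network_calls,
        "remote_calls": remote_calls,
        "endpoints": sorted(endpoints),
        "clean": not remote_calls,
    }


if __name__ == "__main__":
    print(audit_trace(SAMPLE_TRACE))
```

Tracing the process tree with `-f` matters: a helper forked by the binary would otherwise never appear in the log, and a verdict of "no network calls" would be based on the parent alone.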
ld: cannot open -lsocket: No such file or directory
It's been five years since I failed my programming course. I've never been the primary admin for a Un*x box before this job. I can keep the thing running, but my lack of knowledge of what our Linux box is doing at any given time is troublesome when there's a security scare going on. As far as I know, it's a fairly typical Red Hat distro, but our ISP guys set it up. What do I need to do to get it to compile?
I'd much prefer a Windows app that can monitor the network from one location (either our NT server or my portable). In that vein I've downloaded "Nuke Nabber" which has an option for "Syslogd" - which seems to be some sort of communications standard for Un*x boxen. How do I enable it, or more importantly, how do I check to make sure it's running?
Basically, the problem is that the Internet is one big dark alley - most people can't see what's going on around them in the "virtual world". If someone can help me set up some tools to turn the street lights on in my local neighbourhood, I'd be most grateful.
(Actually, it'd be cool if anti-virus packages were expanded to cover ports and assorted network attacks...)
Yeah, like I'd download and install a binary-only "network scanner" from the _FBI_.
I want to delete my account but Slashdot doesn't allow it.
Easy dude, just put 127.0.0.1 ad.doubleclick.net and others in your hosts file. Insta-spam filter.
Think about it. By the time John Q. Investor gets the news about MO / MSFT / whatever, the real players on Wall Street have already heard the news five minutes ago, and dumped a bazillion shares already: selling their long positions, selling short, buying put options.
The "efficient market" works pretty fast and brutal in such circumstances. The poor e*trade customers will get the "after the news" price by the time they get to a trading screen.
Of course, psychologically, they get nervous if they can't trade. But economically, they don't have a chance of winning the "dump on bad news" game to begin with.
Even if they appear to be doing good.
Better we should put a web site and share the info with each other. We don't need a LEA in this until it is time to get subpoenas, and this can be done at a local level.
Where is the Constitutional grant of power to the Feds which allows the FBI to exist?
lew
"The Constitution, the WHOLE Constitution, and nothing but the CONSTITUTION."
All the real daytraders use direct modem connections to specialized daytrader brokerage houses anyways.
To take such a flippant attitude about securing your own system, and then to claim that "hey I didn't know" would work as a defense against those Reno and Company (or big corporate lawyers), well, your post shows that you are now, beyond doubt, a brainless fuckwit. Ever heard of a legal term called "depraved indifference"? With your attitude, you better get to know that one, and "culpable negligence" as well. They will be slamming into you in civil and criminal court someday.
And I will cheer them on - because I work for one of the affected companies, and that hit cost us revenues - which could affect my raise, my salary, my stock, my options, and the stability of my job. So Joe Citizen (in spite of your inability to see past the end of your little high-school ego) was affected, and that's why Joe Citizen should care: from me whose salary could be affected, to the stores where I shop and spend that salary, to the taxes I pay to help those less fortunate, etc. No man is an island kid, learn it.
HAND or FOAD, your choice.
Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo! http://goo.gl/J9bkO
There's a lot of cool advantages to using source code that get promoted... Easier to hunt down trojans and other back doors... easier to improve... easier to fix...
Easier to port.....
Let's think about this for a moment... The Internet is a patchwork of operating systems... Some SGI, some Linux, some Solaris... NT here, OS/2 there... oh, there's a 3B2 tucked in the corner...
You could release half a million binaries and still miss a few...
Porting to some isn't necessarily going to be an easy task... Getting it to work under NT for example may be a bit of an effort... under DOS may be futile... But say SCO Unix or SunOS may need only a recompile....
The best bet to getting this running on as many systems as possible is to release code....
So why make binary only?
We may know better than to trust security by obscurity but the FBI still believes in it.
It'll be like pulling teeth to convince them to open source it.
I think the best selling point is this... Sysadmins will not put up with secrets being kept from them.
The crackers will eventually figure out how it works and if it can be thwarted they will do it. Leaving us with a useless binary we can not change.
So you'll release an upgrade? Not on my box...
Once cracked twice shy.. You won't get a second chance.. if they can not fix the code on the fly then WHEN it gets bypassed your code will be tossed out the window never to be seen again...
You have some time... release the code so we can adapt before the crackers...
I don't actually exist.
Maybe the author didn't take /proc or /dev into account, or /proc was different on the kernel he was using relative to 2.2.14 (which I assume most people are using.) I haven't run the program on my system, and I don't plan to. :)
If there are command line options to control what dirs are scanned, then maybe someone should try limiting it to that. Maybe the program reads whole files into memory before checking them, so big files take massive amounts of RAM.
For some people who have IDE disk drives but haven't used hdparm to tweak them, they will almost certainly find that the system is _much_ more responsive while doing massive I/O if they set multi-count (-m) as high as possible, and use -c 1 -u 1 -d 1. On my P200MMX w/ Quantum Fireball CR, quake remains playable while updatedb is running
If someone is running it now, use strace -o logfile -p pid to take a peek at what it's doing. See if it reads in the whole file or what.
#define X(x,y) x##y
Peter Cordes ; e-mail: X(peter@cordes ,
this all rather entertaining. These people should be given a medal for exemplifying problems that needed solving. The first part of the problem is a bunch of Windows users on their spiffy new cable modems without following directions and leaving file sharing on and not installing a firewall of some sort. To aid the script kiddies' attacks most people with really high bandwidth connections don't take the proper precautions security wise and leave themselves very open to trojans that the kiddies can use for DoS attacks. The second problem is the fact that these supposedly high power high profile websites don't have adequate security and/or fault-tolerant systems so a backup could be brought online if an attack was taking place.
I'm a loner Dottie, a Rebel.
I hope you aren't all clamoring to install software distributed by the government to help you track and protect yourself from net intrusions. That's like handing your local police the keys to your house and car.
.... why not? Think People.
Sheesh, get a clue! We already have this huge machine to feed with our tax dollars, "law enforcement". What better new machine to start to feed "Net Security". Just think before you jump on some bandwagon you can't get off till it's rollin about 70mph. I have a real problem with the source of these 'attacks'. No one has claimed responsibility, this is odd. Maybe I'm not informed well enough, but no one is claiming it
rm -rf ms/*
Fine. No one trusts the US' FBI. So where can I find some decent ICE (intrusion countermeasure electronics) that's as easy to deploy as an anti-virus package? I don't mind turning my company's network into a data fortress as long as someone provides some reliable, trustworthy, off-the-shelf tools.
*dunk (sound of knuckle rapping lightly on forehead)*
Wake up Dude - We did nothing of the sort.
If the FBI hands out source code to Ice Pick, I'll think about a download. Other than that, they must think people are stupid to try and get them to bite for a binaries only install of software to monitor the suckers that believe them. If the software was of any value, they sure as hell wouldn't give it to a bunch of reverse engineering advocates, represented by defendants named in courts on both coasts.
I'd say be glad that there is at least some official bureau who is actually doing something and isn't too arrogant to ask us for help. Dunno but IMHO they got it quite right with the choice of platforms too. A Linux binary? Cool. I know of governments who would release such tools for DOS and who would also wonder why no-one is using it & laughing their heads off instead.
As for the so-called backdoor; if those people complaining were really concerned they should be aware that a nice firewall & some 1st level of clueness can fix these problems. I haven't tried the program myself (yet) but I never saw any complaints about the program needing to be suid or something in here. I would not be surprised if most of the people complaining didn't even bother to check out what program they are talking about which is, IMVHO, like showing bits of cluelessness.
Time to Service Pack the living daylights out of your WinBoxes.
Do I really have to? It is my home machine. I only use it for accounting. It is also behind a Linux firewall that I do keep up to date. I do NOT use it for email, so I do feel safe. Although I do use it to browse the web a little, but I use Netscape 4.7.
I'd email you but you don't have your address posted.
I assume you're not running an unpatched '97 build of Linux.
Actually, I do. My laptop, which I only connect to my LAN when I download files from it, is an old Slackware distro that I installed with diskettes. The last update on it was to get my kernel to 2.0.35. But it follows the same as the Windows box: behind a firewall, don't browse the web or read email from it, yada yada yada.
Steven Rostedt
-- Nevermind
Give me a break! Available only in binary form. If I can't see the source and compile it myself I sure as hell am not going to run it. Like I trust the government/FBI. Yea, thanks anyway... Hehehe Mr. oBSD
(free reg. req'd) Evidence Suggests Web Attacks Were Work of More Than One Group By MATT RICHTEL WITH JOEL BRINKLEY FROM FRIDAY'S TIMES As attacks against prominent Web sites appeared to be tapering off, law enforcement and computer security experts said evidence now suggested that the digital assaults had been the work of more than one person or group.
RELATED ARTICLE: Web Attacks Have Government Revisiting Laws and Security
I don't know if any of you have experimented with this, this is what happened to me.
I ran find_ddos on RedHat 6.1. It began to run, gave me an "agreement" to sign, and then proceeded to innocently "scan" my system for ddos signatures.
After about two minutes, my telnet session was dropped, so I opened another terminal and logged in, only to find the process for "find_ddos" was no longer running. What was running "in.identd" about 100 times.
I didn't think much of this because it was a test box and we have many users running different experiments all the time, so I left it.
I came back today and it was still acting in an unusual fashion, so I decided to restart the system. After issuing a "shutdown -r now", the shutdown process began and I logged out and started a ping from my workstation to let me know when the system was back online, only it never went offline.
In fact, I can't seem to shut the system down at all remotely, I actually had to power cycle the system to stop it. Now I'm worried that this thing put its claws into an init file or something and is running in stealth mode for some devious gov purpose.
Again, any feedback on your experience with this code would be appreciated.
second society
I don't know what experiences other people have had with this thing, but in very short order it was using 100 megs of memory on a Linux machine with only 96 megs of physical RAM and it didn't seem to be anywhere close to finished. I had to kill it before it killed the machine.
My already limited confidence in the competence of the NIPC has been struck another blow. Maybe they haven't released the source because they don't want anyone to confirm what an utter piece of shit this thing is, or do a much better job than they can do for free instead of millions of dollars of taxpayer money.
You can do other things while that's running...
If the FBI wants to be taken seriously, why not release the source code and let us compile it with eyes wide open?
Between Intel's IDing of the PIII and MicroSoft's Win98 crap about disclosing info, I'll be damned if I'll give the FBI a potential backdoor into my system.
Not paranoid, just remembering my history.
http://www.antionline.com/cgi-bin/News?type=antionline&date=02-07-2000&story=DOS.news Check this out... sounds like 1. Antionline has gone Bitch on Us and plays for Team Fed. 2. There appears to be animosity between the two sites as far as who is the "Definitive" news source about hackers...
...of being honest, I don't think I'll just assume that the FBI is being friendly, and really cares if my computer is on or not.
Devilled Eggs - A disturbing little creation of mine.