FBI Releases Updated DDoS Detection Tools

Alex Prestin writes, "In an effort to control the recent distributed Denial of Service attacks which everyone's heard about, the FBI has released Linux and Solaris tools to detect the presence (or absence) of the various DDoS daemons. They're available in binary form only (for now). You can get them here." Quote from the page: "Recipients are asked to report significant or suspected criminal activity to their local FBI office." Update: 02/10 07:37 by H :Here's some more information:The author of the DDoS analyses (at staff.washington.edu/dittrich) has released a network scanner to scan for active agents on your network. It includes source, and is available here. PLEASE use it responsibly.

anyone tried these?

[Lord+Omlette]

And more importantly, since they're binary only, does anyone trust them?
--
Peace,
Lord Omlette
AOL IM: jeanlucpikachu

Re:anyone tried these?

[noom]

I was asking myself the same thing... Do I really want to run a binary distributed by the FBI? I'm not much of a conspiracy theorist, but it's still a little strange to consider the FBI a "trusted source."

Re:anyone tried these?

[Saint+Mitchell]

I can't say I blame you. I wish they would release the source. I'd like to know more about the DoS that it looks for.

Re:anyone tried these?

[Anomalous+Canard]

I'd like to know more about the DoS that it looks for.

There was an extensive analysis of trinoo DoS networks on Bugtraq last month. You'll learn a lot more from Security Focus" that you will from the binary or its source.

Here are some and Trinoo links.

But, dosn't anyone realize that having the source makes it easier for the trinoo coders to see how they are being detected and then modify the clients?
Anomalous: inconsistent with or deviating from what is usual, normal, or expected

Re:anyone tried these?

[Phil+Karn]

Not only does the FBI not release the source, but the binary must be run as root!

I sent them email suggesting that they open the source, and saying that I will avoid it and recommend that others do the same until they do open it.

Phil

Re:anyone tried these?

[gorilla]

I don't think it makes it much easier than having a binary which does the detection. Run binary, run program. See if program triggers binary. Recode program and try again.

Re:anyone tried these?

[LRJ]

I wouldn't touch a binary only application provided by the FBI with a 10 foot cattle prod.

My gut feeling is to agree with the comment posted in the head of this /. thread - the timing and anonomity of all this just seems too fishy to me.

Re:anyone tried these?

[smart2000]

But, dosn't anyone realize that having the source makes it easier for the trinoo coders to see how they are being detected and then modify the clients?

It's painfully obvious to see what they are looking for. Just analyze the executable. They took no efforts to hide the "fingerprints". This attack isn't being done by skilled best-of-breed hackers. It's being done by script-kiddies. Having source wouldn't help them.

Re:anyone tried these?

[Kaa]

I had the initial thought that the Feds might plant a trojan horse in the detector, but then I realized that would actually do them more harm than good.

You are assuming an unusual amount of intelligence for a government agency.

Your points are somewhat valid except for the first one (anybody around here trusts the FBI? Anyone? Anybody?), but again you assume that the Feds have no more important hidden goals that you know nothing about.

I would still not run it and would not recommend to people to run it. Besides, it is not that hard to check, e.g., standard trin00 ports with other tools.

Kaa

Re:anyone tried these?

[slashdot-terminal]

You are assuming an unusual amount of intelligence for a government agency.

You know that not everyone who works for the government is an idiot.

Your points are somewhat valid except for the first one (anybody around here trusts the FBI? Anyone? Anybody?), but again you assume that the Feds have no more important hidden goals that you know nothing about.

I trust them more than I trust the god damned bastards who run the local PD where I live. Believe the level of shall we say improper conduct is a lot greater at the local level.

I would still not run it and would not recommend to people to run it. Besides, it is not that hard to check, e.g., standard trin00 ports with other tools.

Well I state similar things and get flamed I guess you are luckier.

Re:anyone tried these?

[Saint+Mitchell]

Thanks for the links...
What blows my mind now is how many systems would have had to have been compromised to pull this off. I'm supprised that Linux boxes on the @ home network weren't a big target. They have more bandwidth available to launch an attack and there are a lot of them.

Re:anyone tried these?

[billybob+jr]

"I trust them more than I trust the god damned bastards who run the local PD where I live. Believe the level of shall we say improper conduct is a lot greater at the local level."

It makes perfect sense, the more power you have, the less corrupt you are.

Re:anyone tried these?

[slashdot-terminal]

It makes perfect sense, the more power you have, the less corrupt you are.

Let's just say I haven't seen examples of the FBI beating up people, buddying up with people, taking bribes, working for their own personal agenda, violating civil rights, etc.

Re:anyone tried these?

[Wah]

Did you see that Ruby Ridge/Waco double feature last week?

Re:anyone tried these?

[slashdot-terminal]

Yeah but how many average people decide to stockpile guns and spout anti-government propaganda. Of course in any area when you tell people they such they are not going to be on your good side from the get go.

Re:anyone tried these?

[Wah]

Read your first sentence again, then read the first two amendments from here. BTW, how old are you? You've been very vocal today, and after reading quite a bit, I'm guessing 14.

Re:anyone tried these?

[QuoteMstr]

14? That's too conservative --- I've seen stoned high school sophomores write better than that.

Tracing DOS atacks

[Simson#]

This only shows that the IP protcoll is to vounerble to abuse. In the short term such tools can bee of help but in the long run new secure protocols are needed that can prevent such abuse seen recently

MCSE Certified
Simson#
has completed the coursework
necessary to be recognized as
a Minesweeper Consultant and

Re:Tracing DOS atacks

[sampowers]

Yes, but then again, what protocols are a) free, and not propriatary, such as ipx or appletalk, and b) secure in the long run?
Imo, ip is the best we have and will have for a long time. It's secure enough to keep people from easily doing this kind of thing (With the distributed DoS's) but open enough to allow things like this to happen.

It's kinda cool that this can be done. However, like some others have said, who the hell cares if yahoo goes down for an hour?
Massive bandwidth was spent to down yahoo. And after that, it was basically spent. I suppose i'm rambling now. But any protocol that's too closed to not allow people to do really neat things is just working in the wrong direction... [/ramble]

Re:Tracing DOS atacks

[Wah]

However, like some others have said, who the hell cares if yahoo goes down for an hour?

No shit, I realize that terrorism is a bad thing. But i don't run in terror when I can't load /. (i just curse and get back to work). As much as I depend on the Internet to keep me informed and entertained, it's a nice break sometimes to turn the whole thing off and only see the world that my five senses, um, sense.

I don't see a reason to panic or even get all fluffed up. These attacks can't stay hidden forever, nor can they do it forever without getting caught.

Personally I think this very much legitimizes the old (cr/h)acker defense "We're doing it to show you how bad your security is." That seems like exactly what is happening, on a massive scale, it's about time, IMHO.

Re:Tracing DOS atacks

[Coward,+Anonymous]

Personally I think this very much legitimizes the old (cr/h)acker defense "We're doing it to show you how bad your security is." That seems like exactly what is happening, on a massive scale, it's about time, IMHO.

Does your window provide adequate security against a rock? Would it be okay for me to show you just how little security your clothing provides against a knife blade? Does your car frame have sufficient security against a sledgehammer? Should the victims of Son of Sam be greatful for demonstrating just how vulnerable they are to high velocity projectiles?

Are any of these defenses legitimate? If you were on a jury and the defendant claimed that he killed someone to demonstrate that people can be killed, would you find him innocent?

What have the DoS'ers proved? That crime can be comitted? Great, but I knew that already. I can shut down a mall with nothing more than a fork (repeatedly jam the fork into someone's face until they are dead, the mall will be closed for the day) and I can probably shut down an individual store by doing no more than pulling my pants down and taking a dump in the middle of the store; even if all the customers don't leave, the employees won't be able to help the customers because they'll spend all their time arguing over who cleans it up.

If you fill up a company's pipe with data, legitimate traffic can't get through. We knew this already, we don't need it demonstrated anymore than we need it demonstrated that streets are vulnerable to dynamite.

Re:Tracing DOS atacks

[Wah]

Yea, I guess you're right *everyone* already knew this stuff.

No, wait a second, actually most people don't know a damn thing about any of this. Maybe that's why it's on the news, and it's big news. You'd think something so obvious wouldn't be such big news, but that's because you take for granted that it is so obvious.

I'm not defending their actions, I'm saying that the cost (so far) is outweighed by the benefit.

Does your window provide adequate security against a rock? Would it be okay for me to show you just how little security your clothing provides against a knife blade? Does your car frame have sufficient security against a sledgehammer? Should the victims of Son of Sam be greatful for demonstrating just how vulnerable they are to high velocity projectiles?

That's funny. I type in Yahoo dot com and a page comes up. Yet, my window is still broken, my chest is still bleeding, my car is still dented, and murder victims are still dead. This was a Denial of Service attack. Roughly akin to getting a busy signal when you try and call a business, wait, not roughly, exactly.

Personally I'm all for a little bit of inconvenience to increase public knowledge about the Internet. What I don't like is people associating these type of acts with violent crime, that's when you get enough FUD involved to convice people to give up thier online rights, freedom, and privacy, in exchange for the illusion of protection that the government will promise.

Re:Tracing DOS atacks

[Coward,+Anonymous]

That's funny. I type in Yahoo dot com and a page comes up. Yet, my window is still broken

It wasn't a crime against you, it was a crime against yahoo. If I break your window, it doesn't affect anyone else. Your window is broken and it will cost you money. The attack against Yahoo cost Yahoo money, primarily in lost revenue. If I broke a window at Yahoo's office, it would never affect you, but it is still illegal and there is no legitimate argument for it.

Personally I'm all for a little bit of inconvenience to increase public knowledge about the Internet

Would you be so generous if you were the victim? Would you happily say goodbye to your car if it could educate people to the threat of car theft? I mean, you're going to buy a car to replace the one that was lost, so it's not like you're actually out a car, you're just out a bunch of money.

You weren't the victim, Yahoo was.

Re:Tracing DOS atacks

[RickHunter]

I agree with this, but I think most of these crackers don't even think about this. From what I know, they're doing this to prove how good they are with computers.

-RickHunter
--"We are gray. We stand between the candle and the star."
--Gray council, Babylon 5.

Re:Tracing DOS atacks

[Wah]

Would you happily say goodbye to your car if it could educate people to the threat of car theft? I mean, you're going to buy a car to replace the one that was lost, so it's not like you're actually out a car, you're just out a bunch of money.

Yes, *if* the vast majority of people on the planet didn't know a car could be stolen. Actually that's a funny example since I don't own a car (by choice, my feet and my bike work great).

Yahoo can take the hit, mainly because they have this ridiculous valuation based on the potential on the Internet. Well, guess what, the Net also raised the potential power of every person on it, who understands how it works. For these companies, in a brand new industry in a brand new medium doing something that has never been done before, to get hit with a few hours of downtime does a great deal to show people that this is not your father's cyberspace. People (I'm talking about "regular" folks now) haven't realized how much different things are, by forcing them to take a harder look, it helps *everyone* realize that computer security is not a joke, and should be taken every bit as seriously as the need to lock your car. If you don't want to get it stolen, that is. Or used in a DoS attack against your local highway.

Re:Tracing DOS atacks

[dlb]

Yahoo can take the hit, mainly because they have this ridiculous valuation based on the potential on the Internet

So does that mean I can dynamite the highway? Gee, the state or DOT are loaded, they can take the hit.

It doesnt matter if Yahoo lost $1 or $1 billion, due to DoS, they still lost revenue. Victimizing another organization, no matter how big it is, for 'education' of the masses is a poor excuse to be malicous.

~dlb

Re:Tracing DOS atacks

[swb]

Yea, I guess you're right *everyone* already knew this stuff.

No, wait a second, actually most people don't know a damn thing about any of this. Maybe that's why it's on the news, and it's big news. You'd think something so obvious wouldn't be such big news, but that's because you take for granted that it is so obvious.

I suspect that most everyone knows exactly what it's like when stuff doesn't work, especially computers. Somehow I don't think they need this demonstrated to them.

I'm not defending their actions, I'm saying that the cost (so far) is outweighed by the benefit.

The cost to you. The cost to other people might be much greater.

Personally I'm all for a little bit of inconvenience to increase public knowledge about the Internet.

The type of high-test geek networking knowledge about the Internet that these DoS attacks teaches is pretty much lost on Jane Q. Public. She knows all she wants to know about the Internet -- she can shop, send email and check the weather. All she's learning about the Internet is that the same group of social malcontents she ignored in high school are spending way too much time on it.

What I don't like is people associating these type of acts with violent crime, that's when you get enough FUD involved to convice people to give up thier online rights, freedom, and privacy, in exchange for the illusion of protection that the government will promise.

It's true, these aren't violent crimes any more than calling in a bomb threat to empty a shopping mall is a violent crime. It probably ranks up there with prank phone calls in terms of severity. But it does get pretty tiresome hearing the same sanctimonious line of BS about freedom, privacy and online rights everytime a pack of delinquents pulls some stunt. The DoS kiddies are NOT freedom fighters protecting some oppressed class from a Nazi jackboot, and punishing their vandalism does not signal the end of human rights as we know them.

Re:Tracing DOS atacks

[Wah]

The type of high-test geek networking knowledge about the Internet that these DoS attacks teaches is pretty much lost on Jane Q. Public.

True, but it pressures every admin out there to make sure their network is secure, which is a good thing. It also raises a general awareness and encourages all users to get their updates, and helps to cut down on the number of machines available to the vandals.

But it does get pretty tiresome hearing the same sanctimonious line of BS about freedom, privacy and online rights everytime a pack of delinquents pulls some stunt.

That comes from an overreaction from a misinformed public. The more awareness is raised and the more information that is spread about the problem helps to minimize the Fear, Uncertainty, and Doubt that might lead people to support overly-restrictive legislation. Just another oppurtunity to educate.

Re:Tracing DOS atacks

[Glothar]

How about I see how secure you are against this kind of attack.

I am tired of people who think that they are the elite of the internet, and therefore know what is best.

Wake Up.

The average user should never have to understand the working of the internet. If they would, why would we have admins?

Truly intelligent people design systems that don't require all of its users to understand how it is done.

If you really want to help with the vulnerability of IP, then find a way of fixing it, not simply showing the vulnerability. There is already someone (obviously) smarter than you who knows about the vulnerability.

Conspiracy Theory,,,

[DeepDarkSky]

In one of the comments about the DoS attack on Yahoo, et al., someone raised the possibility of a government conspiracy of staging such an attack to further its case for greater power to keep such attacks in check.

This story raises some more questions, then, for why is the FBI out with this tool, so conveniently, so quickly, after the attacks?

just wondering.

Re:Conspiracy Theory,,,

[DeepDarkSky]

hmmm...still, it doesn't mean that they hadn't been planning this for a while.

Nothing for Windows Servers!

[georgeha]

Why is that?

Are they waiting for Microsoft to write something, is NT invulnerable to this, or are they implicitly stating that NT servers aren't significant enough Web servers to deal with first, and Linux and Solaris are so important they must be dealt with first?

If Ballmer-tongue were here, he could explain it.

True, but I'll wait for Tordalf to return.

George

Re:Nothing for Windows Servers!

[ucblockhead]

What scares the crap out of me is the thought that there is a hugely growing number of Windows boxes being run by people who know little or nothing about even the basics of security that are permanently attached to the net. I can easily imagine some sort of worm program that exploited some piece of poor security in Win95/98 to install itself on tens of thousands of machines. If done correctly, using some sort of chaining scheme, the actual creator would not have to actually touch the vast majority of these systems, making him almost impossible to find. Just send some trigger sequence to one machine, which signals the two it infected, which signals the four it infected, etc, etc.

Re:Nothing for Windows Servers!

[aridhol]

A piece of poor security? In Windows?

Are you implying that there is good security there somewhere?

Re:Nothing for Windows Servers!

[Sloppy]

Presumably, the specific attack that's been in the headlines for the last few days, just runs on Linux and Solaris. Or just some shared implementation of RPC that is common on those two platforms? (And may be used on other platforms too?)

More information needs to come out.

Anyway, I usually think "NFS" when people mention RPC, and since most Dozers use SMB to share files instead of NFS, I suspect that the specific attack that has been in the news, hasn't been ported to Windows yet.

Heh, kinda funny talking about "porting" shit like this to other OSes. It reminds me of a virus that my office caught that would sometimes crash the computers, due to a bug. The joke going around the office was that we needed our virus upgraded or patched to remove the bug.

---

Re:Nothing for Windows Servers!

[coulbc]

After all the M$ bashing that's been going on for about the last, oh 5 years or so, I find it incredibly hard to believe that NT boxes are not the cause of this INCIDENT. At home I use NT,98,Linux,BSD. I use NT at work . Why? because that's what they pay me to run. I don't give a RATS ASS what OS my customer uses, As long as I have a job. My point is all systems are vulnerable to something. I have a feeling that if M$ products were creating the havoc, Everyone would be screaming twice as loud. My plan is to continue patching, reading the appropriate Security info and talking to my peers. Do I worry about NT,9x being attacked? Every day! Do I worry about the other OS's? Not as much. But I will continue to be vigilant anyway. M$ has it's problems, however I make good money thanks to BILL. My phone is not ringing off the hook to support Linux yet.

Re:Nothing for Windows Servers!

[Fishstick]

I thought what I read was that there was a common MO of exploiting a well-known RPC vulnerability to gain access to a system (and then plant trin00 ot TFN), but that the DDOS client itself does not rely on this RPC issue to function.

But it is puzzling why there is no NT version (that scans the host). Maybe they haven't found any instances of NT being used in these recent attacks, and so they don't know what to look for?

The source for the network scanner looks like it just emulates trin00 and TFN masters and reports any client responses. Presumably, this would work regardless on the platform the client runs on as long as it sends a "PONG" or whatever, you know your network has been compromised somewhere and then you're supposed to just call in the Fed's and they'll show up in black GMC's outside your door and unplug all your machines and take them back to the office to examine them. Thanks.

Re:Nothing for Windows Servers!

[Velox]

haha

dork

I'm always worried when the FBI asks for help...

[raibeart]

So... I have the ultimate revenge. Load DoS software on the computer of the person you don't like. Then rat them out to the Feds.

Mr. FBI Agent: Sure you didn't install that software yourself...

There's good, there's bad...

[Christopher+B.+Brown]

It may be coming in proprietary form, but at least they're releasing it with MD5 checksums, which:

• Suggests that they support that MD5 is hard to "spoof,"
• Means that some verification of correctness is possible.

I'd be more impressed if they offered a 1-800 number where you could call in to verify the MD5 checksum.

Better still would be to encourage people to call their local FBI office to get that number, which makes it Rather Harder to Spoof...

Worrisome

[drig]

I just don't trust running binary only programs from the US government. This program scans your whole directory tree, looking for signs of the offending program. But, since we don't have the source, we don't know what else it's looking for, or who it's contacting. It also must run be run with root permissions. Personally, I find this a much bigger threat than not being able to day-trade for a few hours.

Re:Worrisome

[retep]

It doesn't have to run with root permissions, it will run just fine without although it will give a error message asking if you really want to run it with no permissions.

strace shows that it is doing what it says it does, scanning everything. As for what it's really looking for... Who knows?

Re:Worrisome

[Nathaniel]

Requiring root permissions makes sense because it includes the option of scanning running processes, and saving core dumps of them.

Expecting people to download a binary and run it as root, on the other hand, doesn't show much understanding of the culture.

Re:Worrisome

[pyric]

Does anyone have a private network they could use to test this thing?
If everyone is so paranoid, just run this on one box and TCPDump on another box. Then go put TFN on a machine and see if their little program tries to send anything funny.

Re:Worrisome

[XenoWolf]

well, I'm checking what this thing does on a VMWare virtual machine. Curiously, it seems to just sit there. I'm stracing it, and it's hanging on a read. Course, i'm not running it as root on the VM, either. Wonder if it's trying to bind itself to a port or something. Nevertheless, I see no odd network traffic, nor do I see any other activity, other than large consumption of memory, kinda like a certain office application suite on a certain platform.

Re:Worrisome

[MarkKomus]

"Expecting people to download a binary and run it as root, on the other hand, doesn't show much understanding of the culture."

Hacker culture no, but corporate culture it does. If you are maintaining a large group of computers and your boss comes down and tells you to run this program, you better run it if you want to keep your job. Don't forget its mainly corporations that have the large bandwidth needed for a DoS attack of this size.

Re:Worrisome

[Tower]

>its mainly corporations that have the large bandwidth needed for a DoS attack of this size.

or 1 linux box on each cable modem segment around the country. That'll bring it down pretty quickly... or ISDN connected boxes. Distributed Compcracking at it's finest...

The same way - if I shoot you with a snurf gun, you shake it off - if a thousand people repeat fire their snurf guns at you, you'd be alot less effective at whatever you were trying to do...

I'm always worried when the FBI asks for help...

[raibeart]

So... I have the ultimate revenge. Load DoS software on the computer of the person you don't like. Then rat them out to the Feds.
<BR>
<BR>Mr. FBI Agent: Sure you didn't install that software yourself...

Binary only is a boneheaded mistake

[Nathaniel]

Releasing only a binary version of the detection tools is a boneheaded move. The tools will not be installed on nearly as many machines as simply because the source is not available.

There are already people clamoring over conspricy theories. Now they will suggest that the detection tools might contribute to the problem.

Re:Binary only is a boneheaded mistake

[discore]

I would have to agree completely. There isn't a chance in hell I'd run that bin on _any_ of my servers.

Maybe the FBI thinks we trust them or something.

Re:Binary only is a boneheaded mistake

[mochaone]

There's no source code ?!? There's no way in hell I'm using a binary from the FBI. Do they think we're fools? They're probably the ones who are shutting these sites down in the first place. Nice try, Louis and Janet.

Re:Binary only is a boneheaded mistake

[Booker]

No way I'll run it. I was going to email them, explaining why, but there's no email address to be found.

Are there other tools available to detect these programs?
----

Re:Binary only is a boneheaded mistake

[hadron]

If you don't trust the police, there is something very wrong with your country.

Re:Binary only is a boneheaded mistake

[Syberghost]

Email them at NIPC@fbi.gov.

Re:Binary only is a boneheaded mistake

[Life+Blood]

Ok, if the NSA was behing the massive denial of service attacks a few days ago, they would not tell anyone. Why? Because the NSA can keep a secret but the CIA and FBI can't. The NSA and the rest of the intelligence community knows the CIA and the FBI can't. Thats why the DIA never talks to the CIA if they can help it. The NSA would not trust the FBI like this.

Why only binaries? Because the government is the ultimate proprietary organization and because they don't want to tip their hand on what they know.

Re:Binary only is a boneheaded mistake

[dillon_rinker]

I judge by your URL that you're from the UK. I'll skip the usual anti-monarchist comments :) and jump right to agreeing with you. Your statement is a true statement. The premise is true. The conclusion is true. Any questions?

Re:Binary only is a boneheaded mistake

[Jeffrey+Baker]

225 years ago, your country tought my country not to trust the police.

-jwb

Re:Binary only is a boneheaded mistake

[LRJ]

Then the NSA can still be responsible since it's still a secret who is behind it.

Re:Binary only is a boneheaded mistake

[Fishstick]

OUCH! :-)

Kind of the whole point of checks-and-balances then, isn't it?

"Apart from a few good friends, we don't take anything on Faith."

Hey, that would make a really good .sig if I could remember where I heard it. (Geddy Lee?)

Re:Binary only is a boneheaded mistake

[Life+Blood]

No, the idea is that if the DoS attacks were a government conspiracy, then why is the FBI seriously trying to stop them? If the NSA did do it, the FBI would never have gotten involved because their director would have gotten a note saying "Butt out. -NSA"

I find it much more likely that some cyberterrorists had been planning those attacks for months for some reason unknown outside of themselves.

Re:Binary only is a boneheaded mistake

[Fishstick]

I'm not sure I follow. The relative screwed-up-ness of my govt. vs someone else's wasn't really the issue in my post. I was thinking more about how any form of government (democratically elected or colonial oversight) will abuse its power if given the chance. The Brittish demonstrated that to Colonial Americans in spades. A resonable amount of distrust is healthy. If a Brit says he implicity trusts his law enforcement agency to provide binary-only executables for him to run on his network, something is screwed up as well.

Re:Binary only is a boneheaded mistake

[hadron]

It is OK to reserve the right not to trust the police. However, the moment you do start to distrust the police, you should make efforts to ensure that they aren't the police.

People who are believed to be corrupt should not be allowed to continue in their position : either they should be cleared or removed.

No thanks

[Khan]

I'm sure as HELL not going to trust any binaries from the government. If they want to release the source of said tools, then I'll look at it. Otherwise, I'm not going to just install something that in itself might be a governmentt "sactioned" trojan. Do they truly think we're that stupid?

This bugs me..

[sampowers]

Okay, Let's say i'm an admin of a free unix shell service. I have about 10,000 users (shellyeah.org has this many). I use their tools to find that about 150 of my users are running these ddosd's. Why should I report it to them? I'd simply terminate their access and the daemons. (And maybe report them to their ISP's, tell their mommies, etc).

Bottom line, why would i want the FBI to take care of it when i can take care of it myself? I could watch the daemons for about a week and try to figure out who else is on the ddos network, and report it to those sysadmins. The 'net isn't FBI ground, no matter what they try to force on the public.

Re:This bugs me..

[GoofyBoy]

>why would i want the FBI to take care of it when i can take care of it myself?

I suppose you don't have to report them, unless you are really into the strict law and justice thingy.

But why wouldn't you? The FBI will smack these guys down hard which in the long run makes life easier for you as a sysadmin. Its away of getting goverment (read: your tax dollars) to help you.

Re:This bugs me..

Perhaps the FBI realizes that internet security is bigger business than catching bank robbers who only bag $5,000 a pop. Imagine the FBI sacking a script kiddie and making a million dollar case out of it. Cases like that are perfect for showcasing on CNN headline news and generating more public fear and bigger budgets. Its a win situation for the FBI, while some random doofus cracker gets slapped on the wrist while being a circus animal for 15 minutes.

Wanna do something about DOS crackers? Terminate their account. Tell mom and dad what damage they cause, or if they are employed, have friends . . . you get the idea. The FBI is just a big budget slow moving bureaucracy that costs everyone time and money, not to mention the extra trouble.

Re:This bugs me..

[v00d00dave]

Congratualtions ! Seams, if you just slashdotted shellyeah.org !? Cant tellnet in anymore ... and ultrashell.net is also down! (Or are the HACKED right now by those DAMN flooders ;-)

Re:This bugs me..

[nevets]

Actually I wouldn't think that those who are running the DOS apps know that they are. More likely, someone broke into their machines and installed it for them. The FBI would want the log files of those machines to help find the culprits that actually broke in. Of course if the cracker was good, he/she would have removed all traces of their mischief.

Steven Rostedt

Re:This bugs me..

[slashdot-me]

Maybe the fbi (or you) can setup a sniffer and try to find the source of the COMMAND packets. You know, the ones that tell the daemon to dos www.blah.com. Of course the source address would be spoofed, but then you can write a detector for the command packets. And then a detector for the command-command packets, etc.

Ryan Salsbury

Re:This bugs me..

[edibleplastic]

Thank you. This needed to be posted.

Re:This bugs me..

[RAruler]

If the cracker is smart enough to remove the traces of the intrusions, they probably aren't gonna be running your run-of-the-mill backorifice clone, rather a script/program of their own. As it wouldn't have much in common with the known ones, these tools would be useless. A good sysadmin knows whats going on with his box.

Re:This bugs me..

[fprefect]

Let's make a loose analogy...

Someone breaks into your house, maybe even destroys some of your possessions. You manage to scare them off (you got a big dog or a handy baseball bat), but wouldn't you also report them to the police?

Sure, you don't have to report them. You could just better locks or a big gun, but don't blame someone else for turning to the authorities.

even yet still more government sell-out

[gnarphlager]

Hmmm. Since when has the FBI been a software vendor? Honestly, I don't recall too many products in the past (can anyone provide better info?). Which doesn't mean they couldn't or haven't, but I like to check the track record, yanno?

Re:Well I for one won't comply with this.

[sgml4kids]

But aren't you interested to see if someone
else has hacked into your computer?

I was shagrined to find two new root accounts
added to my computer this weekend. Luckily,
they didn't run pwconv so they weren't able
to use them.

Poorly written code

[jonabbey]

Well, I am running the tool, and folks should know that it looks as though it is written to keep allocating memory as long as it can.. my system has 128megs of RAM and 256megs of swap, and the find_ddos program has totally exhausted my swap space.

Whatever it's doing, it's doing a lot of it. Be careful not to run it on production systems unless you can stand a bit of a DoS yourself while it runs.

Re:Poorly written code

[jonabbey]

Yup, very poorly written, as a matter of fact. The program eventually terminated with a memory allocation failure, despite having occasionally reduced its memory loading while running.

The README indicates that they had to take special precautions to avoid having the thing scan itself or its output while operating.. I wonder if they messed that up somehow so it caught in an infinite loop trying to scan its own image in /proc, or something. The logging it performed while running was very minimal.

A for effort, now let's see something that works.

Re:Poorly written code

[Bryan+Andersen]

It's gotten up to 265MBytes of memory and is swapping like crazy. I still have over 330M swap free. I wonder if it is properly freeing memory. Most systems I know of would have run out of memory long ago.

Re:Poorly written code

[readams]

I noticed the same problem, except I have 256 Megs of RAM and 256 Megs of swap. I went about 32 megs into swap before the program finally terminated. It makes me so sad. My poor little box hasn't swapped anything in a long time.

Re:Poorly written code

[Rakarra]

Well, I am running the tool, and folks should know that it looks as though it is written to keep allocating memory as long as it can.. my system has 128megs of RAM and 256megs of swap, and the find_ddos program has totally exhausted my swap space.

How very odd. I had almost the exact opposite experience. It ran for awhile, reported all was well, and didn't use more than several megabytes of memory.

Other Toys From the Feds

[isolation]

I wonder if they have anything else that you can download and play with.

I dont trust this at all either unless they relase the source. If there is no back door then at least there trying.

23 is odd

Could DMCA supporters be behind DoS Attacks?

[Bruce+Perens]

OK, this is paranoid but I need to get it off of my chest.

Others have postulated that government is behind DoS attacks as a publicity strategy to drum up sentiment for pervasive internet monitoring. Rather than government, I wonder if it could be the supporters of the Digital Millenium Copyright Act, such as members of the Software Publishers Association and the Motion Picture and Recording industries They're painting the DVD defendants as "hackers" (which they use incorrectly to mean "computer criminal"). Here's something more to stir up hysteria about "hackers".

Sure, it could be a blackmail stunt as some people say. But the perpetrators are bound to be caught if that's the case, because they will have to persist in DoS attacks for the protection racket to work, and the persistence will get them caught.

Thus, I think it might more likely be a ploy to discredit.

Thanks

Bruce

Re:Could DMCA supporters be behind DoS Attacks?

[Wah]

I still am leaning toward the government. When Reno comes on and says "We are doing everything is our power to find out who is doing this and working to get the funds to better police the Internet" it seems to me they have the most to benefit from this, i.e. getting exactly what they've been asking Congress for. No one else stands to gain as much from massive FUD about the Internet.

Re:Could DMCA supporters be behind DoS Attacks?

[Anomalous+Canard]

Bruce, I respect you, but this level of paranoia is discomforting. (I even looked to see if there was a . after your name.)

There have been some analyses of Tribe and Trinoo DoS networks posted on Bugtraq in November and December of last year. The people who have been setting this up have been working on it for over a year.

The difficulty with determining where the attack comes from is because of the several levels of indirection going on. In a trinoo network there is a master (a compromised machine hosting a daemon) which controls a number of slaves (also compromised machines). By sending a specially built ICMP reply message (i.e. a ping reply -- most firewalls don't filter these) to the master, it begins the DoS attack. The master sends a special ICMP packet to the slaves who then all forge packets sent to innocent systems with the victim's IP address.

From the victim's point of view, you see packets coming at you from all over. You have to find the slaves that sent the forged packets. Then you have to find the masters that sent the ICMP command to the slaves. Then you have to find the machine that sent the packet that started the attack. Now that machine is probably compromised as well, so you have to find who broke into that one. . .

Anomalous: inconsistent with or deviating from what is usual, normal, or expected

Re:Could DMCA supporters be behind DoS Attacks?

[rangek]

Bruce, I respect you, but this level of paranoia is discomforting. (I even looked to see if there was a . after your name.)

That cracks me up. I swear to God I also checked for the dot after his name after I read that. When there was no dot, I said, "Hmm... that's interesting..." Then I read this post and almost died laughing.

Re:Could DMCA supporters be behind DoS Attacks?

[pyric]

Personally, I seriously doubt this one.
Remember, these are the same people who thought CSS would protect DVDs. I don't think they are technically competent enough to perform a DDoS. (Yes, I don't think they could do it even with the script-kiddie programs)

Re:Could DMCA supporters be behind DoS Attacks?

[Bruce+Perens]

OK, they've been working for a year but we still don't know who they are. Dirty tricks do happen. I'm one of those folks who thinks that some viruses are written by the virus-scanner manufacturers, too.

So, do I have it right that we need to have every router on the net disable source routing so that this packet forgery doesn't occurr?

Bruce

Re:Could DMCA supporters be behind DoS Attacks?

[Indomitus]

There's been a ton of discussion on the NANOG mailing list about these attacks and it seems to be the general consensus that these attacks didn't use source spoofing. It was just a huge amount of traffic from many different places around the net. The way most of these attacks work is the perp(s) crack a system to use as the home base of the attack and run scripts on that machine to find other machines to crack and park the dDoS daemons on. This way they just have tons of machines throwing traffic at the victim and since it all looks like real traffic (ie: it's not spoofed), it all gets through until they start blocking specific addresses at the edge of the network.

This is not to say that disabling source spoofing on every router in the world wouldn't be a great great thing but it wouldn't have helped in these cases.

Re:Could DMCA supporters be behind DoS Attacks?

[eggnet]

Maybe I'm confused, but I thought disableing source routing was standard practice in ISPs and on the backbones. We certainly do it at the ISP I work for.

I think one of the major DoS problems is that some or many routers on the net do not filter their outbound traffic (traffic destined for the net at large). In my opinion, a responsible ISP should not allow outgoing packets with source IP addresses other than the set it is assigned/using. Exceptions can be made on a case by case basis.

Re:Well I for one won't comply with this.

[slashdot-terminal]

But aren't you interested to see if someone
else has hacked into your computer?

Well since I don't have any access to one of those nifty permanent internet connections that usually go to slobs and rich businessmen I don't think I have much of a problem to wory about that. I would love for someone to actually hack my box and such. I enabled md5 to the password system and now have passwords up to 128 characters in lenght.

I was shagrined to find two new root accounts
added to my computer this weekend. Luckily,
they didn't run pwconv so they weren't able
to use them.

Until I get a nice T-1 I doubt that I will have any wory about this kind of thing.

ISPs should monitor for attacks...not the fbi

[crl]

Wouldn't it be nice if ISPs clued in and used some sort of intrusion detection software on their internet links? It's not that hard to install snort on a linux box and have it just watch for nasty things to roam by... and then cut the lusers off when they do something wrong ;)

Sometimes the USGOV really fails to surprise

[thedave]

It seems blazingly inept that the FBI would offer a binary of a tool expected to run as root, that does something cloak-and-dagger to the linux community.

They have seriously forgotten how skeptical this audience is.

It really amazes me. Really it does.

Modified clients

[jesser]

The technical vulnerabilities used to install these denial of service tools are widespread, well-known and readily accessible on most networked systems throughout the Internet.

The tools appear to be undergoing active development, testing and deployment on the Internet.

Don't these statements suggest that it would be easy to work around these problems? In fact, I would expect that the person who carried out those recent attacks was using modified versions of these DDoS daemons in order to avoid detection.

For example, if I were doing it, I would put a large composite number in the daemon. It would only accept a connection after recieving 40 connection attempts, with each group of 10 having a port number representing part of some large prime number, and the product of these two prime numbers equalled the large composite number coded into the program.

--

Re:Well I for one won't comply with this.

[slashdot-terminal]

You'd be surprised at the sheer randomness of attacks. One time someone discovered my Linux box (running Slackware 2.2 at the time) on a university dialup line, and since it was running the relay-rapable Sendmail of the time, they
used it as an open relay. My bandwidth slowed to a crawl and a LOT of people got mad at me for spamming them.

Exactly how pray tell do people actually figure that a machine is newly connected to the net and how long had your machine been there.

When did the FBI take CERT's place?

[cananian]

I'm disturbed. CERT has always taken the lead in these sorts of investigation. When did the FBI take its place?

The early involvement of the FBI implies a rush to presume both criminal intent and jurisdiction. Which might well be the case in this instance, but I don't like the precedent set. Not at all.

Re:When did the FBI take CERT's place?

[phutureboy]

I wish I had moderator status right now so I could moderate your post up.

<OPINION type="humble">

The last thing we need is a bunch of US government agencies trying to 'manage' the Internet.

This is where it starts, people. You let one three-letter acronym in the door *for whatever reason* and pretty soon they'll be crawling all over the place, making your life hell and charging you a tax to boot. Government agencies will do anything to try to justify their own existence.

FBI go home. Let CERT issue the advisories, and let the free market form its own solution to this.

</OPINION>

Re:When did the FBI take CERT's place?

[348]

Yeah! I agree!

Mostly because "CERTs have retsin" and this whole thing is pretty stinky.

Re:When did the FBI take CERT's place?

[fprefect]

CERT provides advisories. Their "investigation" is usually technical in nature: dissecting worms or virii, documenting vulnerabilities, educating admins on security.

FBI is an enforcement agency. Their "investigation" focuses on possible crimes. Just because they investigate doesn't mean they can or will bring charges -- of course, this is a pretty blatant case.

Let's make a comparison: someone intentionally blocks a major thoroughfare in your town, maybe to the commercial (or redlight) districts. The radio stations tell you where the problem areas are and how to avoid them, but the police arrest those responsible and enforce the laws.

Steps for Detection

[Maul]

The FBI has also compiled a list of signs to tell if your box has been compromised by script kiddies. Using their advanced technical knowledge, they've come up with some of the following things.

You know you've been owned when:

1. You start up X, and instead of your normal background image, you see a sign that says "Got Root?"

2. You're index.html file has mysteriously been altered to contain phrases such as "1 0wn j00," "7h1s b0x0r h4z b33n 0wn3d!" and "n474113 p0r7m4n (fill in derogitory remark here)."

3. Packet bombardment has concentrated around port 1337.

4. You're using Red Hat.

Hmnn. Perhaps my lame attempt to be funny has failed...

"You ever have that feeling where you're not sure if you're dreaming or awake?"

Binary only? BWAHAHAHAHAHAH!

[mortonda]

Oh man that just made my day. I'm supposed to run a binary only security tool written by the FBI?
ROFL!

Actually, this may work, but not in the intended way... all the script kiddies run it themselves to see if it works - the program reports back to the FBI - BAM! got 'em.

heheh, I like it.

What gets detected?

[angst_ridden_hipster]

Presumably, the FBI has identified the specific DoS programs that were used in the Yahoo and subsequent attacks. But how hard is it to change the signature and/or name of the program?

Since we don't know what they're looking for, we don't know that they're doing it right. And unless we run as root, we can't look at what piece of code is using what port. AND, since we don't have the source available and don't know exactly what it's doing, we're certainly not running the code as root.

So it kind of seems like a "oh shit -- let's look like we have a solution!" ploy to reassure Wall Street. It doesn't seem like a viable approach to really address the problem.

Some ideas have been advanced here on /. as well as other areas as to how to control this kind of problem. I think that getting responsible sysadmins and ISPs (or convincing irresponsible syasadmins and ISPs to try harder) is really the first step.

Just my humble and ignorant opinions...

Re:Well I for one won't comply with this.

[slashdot-terminal]

For anyone who's interested in actually doing this blantly illegal activity I have a test machine set up in a computer lab. DoS away at:
144.35.152.144

Re:Well I for one won't comply with this.

[ucblockhead]

"ping"

Has anybody tried decompiling it yet?

[GMontag]

I am sure some of our overseas friends could take this apart and see ALL of what it does.

Re:Has anybody tried decompiling it yet?

Im glad you asked that.

They claim in the README its written in C.
its not. its written in c++ (but why lie about it!)

section .gnu.linkonce.t._._19__pointer_type_info
_._19__pointer_type_info()

compiled with a gnu compiler (yay)

and i hope that the fact that i see these:

15 00 00 00 sethi %hi(pthread_mutex_trylock), %o2

is only because they compiled gcc with --enable-threads so they have thread-safe exceptions....

Though my disassembler (Solaris dis) cant demangle the c++ function names,
HOWEVER the code does not look evil at a glance.

Copyright in US Fed government works

[KMSelf]

What's particulary painful is that this is a clear case in which source distribution would be a major plus. If this code is a work of the US Federal Government, then it is not protected by copyright under 17 USC 105.

Interestingly, this means that the GNU GPL is powerless to protect the work -- something which is public domain cannot be sheltered by copyright -- but it should be eminantly possible to reverse engineer and enhance the program. Modifications themselve should be covered under copyright law, and might be governed by the GPL or another license.

I would be far happier seeing full source to any such tools before installing them on my own systems.

IANAL. This is not legal advice.

What part of "Gestalt" don't you understand?

Re:Copyright in US Fed government works

[jesser]

...this code is a work of the US Federal Government, then it is not protected by copyright under 17 USC 105....

Interestingly, this means that the GNU GPL is powerless to protect the work...

Are there any strong arguments against modifying copyright law to allow the United States government to release information under copyright, but only under the GPL or a GPL-style license?

--

Re:Copyright in US Fed government works

[KMSelf]

I'm missing your meaning here.

I believe the original rationale for disallowing copyright in federal government works was to prevent the government from, say, passing a new law, but not providing legal right for anyone to publish the law. Think through the various wrinkles on that one. There are a number of avenues for abuse.

Note that the prohibition applies only to the US Federal government. State governments may, if allowed under their own statutes, hold copyright in their own work. Other national goverments may also, if allowed under their own statutes, claim copyright in their own works. I believe there have been cases in which each of these mechanisms have been used, most recent on the international scope involving Australia and encryption policy, IIRC.

Note also that the US government can hold copyright if it has been assigned the copyright by the former rights holder.

Not sure what all the legal arguments are, but the case for allowing US Gov't claims to copyright for GPLd works of its own authorship are weak. In many cases, the government is in somewhat the same position as academics who created the BSD and X licenses -- reuse, either under free or proprietary terms, is to be encouraged.

Once code has been authored (or modified) and released under the GPL by another party, the problem should be moot.

What part of "Gestalt" don't you understand?

You never know..

[dlb]

This week's DDoS attacks could very well have been the FBI beta testing their new app.

This puzzles me

[Ozwald]

I'm not sure why (or how) they are doing this.

First, wouldn't such a daemon have to be proxing a lot of ports to be affective or is it just a packet sniffer?

If there is a DoS attack, would it only log IP (which maybe bogus) addresses after your system has be comprimized or can it actually prevent such attacks?

Wouldn't a properly configured firewall be more effective using things like connection to connection limits and log files/grep/wc?

Besides the security issues of installing closed-source FBI software on mission critical servers, is there any advantage to using such software or is it only to help FBI nab script-kiddies not necessarily in the US?

Also, is it possible that guys like Amazon.com and Yahoo have nothing more than poorly configured firewalls?

Ozwald

Re:This puzzles me

[edhall]

Also, is it possible that guys like Amazon.com and Yahoo have nothing more than poorly configured firewalls?

With a DDoS attack a firewall becomes just another box to get choked on traffic. And even if it is able to filter out the attack, it can't do anything to unclog routers upstream.

When Amazon, Yahoo!, and so on say that there is no guaranteed way to prevent such attacks, they're not just trying to cover their asses. All they can do is have the routers upstream of an attack configured to filter it out-- which generally means blocking some legitimate traffic along that route as well. The latter is why they are limited in the precautions they can take beforehand.

-Ed

Distributed attack against FBI

[jesser]

Thursday, February 11, 2000
Computer hackers bring down FBI website

Computer hackers used a large distributed attack against the FBI website (http://www.fbi.org) yesterday for two hours between 2 PM and 5 PM, Eastern U.S. time.

FBI officials said that most of the compromised computers requested two specific files, suggesting that the hackers might have been attempting to exploit a file-system bug that might have led to additional slowdown.

Many of the computers used in the attack sent messages causing the webpage requests to appear to come from different types of browsers, making them difficult to block.

Top FBI spook Drawoc Suomynona finally figured out how to block the attacker. "Most of the requests sent the 'referring page' as the page for a recent slashdot article. We just blocked all requests with that referrer, and the FBI server quickly became unclogged."

Slashdot (http://www.slashdot.org) is a well-known geek news site. Slashdot editor Rob Malda declined to comment, but was heard mumbling "It's crackers, not hackers, goddamnit."

Suomynona added, "We still have not found the source of these distributed attacks against websites, but we will step up our efforts to find them."

--

Re:Distributed attack against FBI

[Mouse]

Truly creative piece of satire -- it expresses the impotence of the FBI matter such as these.

I can say one thing, though, this man has just earned himself an FBI file and some good, ole fashioned Echelon monitoring.

Not installing binary-only software from the FBI!

[mjuarez]

Who knows what else, aside from detecting DDoS does it do? Give us the source, then we'll install it and check our machines.

I have a couple of Linux boxes, but wouldn't dream of ever installing software from the FBI on it, unless I can peruse and check the source.

In the meanwhile, and as someone else already said, who the hell cares if big-name sites go down? My site's running ok! :)

Binary only is silly

[fridgepimp]

This move is boneheaded not only because it furthers conspiracy theorists musings, but because it actually limits the technical scope of the solution.

Of the 6-8 Linux file/web servers we run, none of them run on Intel boxes. A couple are running on apple hardware (LinuxPPC) and a number are running on mips...

no matter how much I want to, I can't do anything with these.

Re:Well I for one won't comply with this.

[nevets]

Port scans. There are tools that people use to continuously probe for machines that run various operating systems. Especially if you are a student and don't have a strong firewall. Crackers will break into the network and scan for users with various operating systems. If they find one that they know how to break, they'll do so. It's a lot like leaving your car in a dark parking lot without having a good security system. Thieves can break in within a matter of seconds. The same is true with crackers.

Some crackers are just script kiddies trying out there new/old tools/toys. Others are professionals that are testing their skills. Either way, its good to be prepared if you are on the net. Win 95 has poor connections (no daemons and such) and probably will not have a problem. But if you use NT, you better be careful. The default settings of RedHat are not very secure, and should be turned off. Did you select "Everything" on your install?

The best thing to do with a Linux distribution, is to install without any services. Then go back and only install the ones you use. At least you will know what you do and don't have.

Steven Rostedt

Diassembly anyone?

[RenQuanta]

If someone has spare time on their hands, maybe they could disassmble the bugger. Or, they could run this binaries on a sacrificial box in an isolated 10.0.0.0 network, with sniffers running everywhere to see if this thing tries to phone home...

Re:Diassembly anyone?

[drix]

There's no need; I just 'strace'd the entire thing and it's kosher. It does scan every file on your hard drive, which is kind of annoying, but fair enough they tell you that's what it does in the docs. Of course, I've only used the Linux version, so YMMV on BSD and Solaris, and if you're a real conspiracy theorist then you've got to assume that I downloaded a tainted version as I have not MD5'd it :)

--

Re:Diassembly anyone?

[Roundeye]

and/or it detects it's running under strace (or truss, as a local admin trussed it with the same results)...

:-)

Re:Diassembly anyone?

[drix]

Mm interesting.. how would you code that anyways?

--

Strings in find_ddos

[David+Frankenstein]

I suppose the argument for not releasing the source is to make it harder for the bad guys to change signatures to avoid being detected. Like we can't type "strings -a". Some of the strings it's looking for are interesting...

Besides obvious stuff like "Tribal Flood", others are:

blowfish_decipher
blowfish_encipher
des_crypt

and even

security_through_obscurity

With messages like "Encryption string found" it *appears* (no know for sure 'till source is released) that any old encrypted stuff is tagged as suspect!

Re:Strings in find_ddos

[vyesue]

for god's sake, can you read the fucking README? go to the site linked in the original port, and read the fucking manual.

some of these ddos tools encrypt information like IPs; the keys are in the binaries. find_ddos decrypts the encrypted information.

being paranoid about installing some binary the fbi gives you is one thing, but being woefully underinformed and shooting off your mouth is intolerable as far as I'm concerned.

Re:Strings in find_ddos

[toolj23]

I had access to a machine that was comprimised. After getting everything under control I searched through what logs were left and found a few scrips and tools. Got a few IP addresses too. Got a nice .bash_history log.

/tmp --

had a bad version of /bin/login and also a few bind tools and scanning tools.

"/usr/sbin/. /" --
(. space space)
this had a few other scanning progs in it. had programs called "digger" -- "d" -- "n" -- "b" -- "s" -- "pscan" along with a few scanning logs.

"/usr/sbin/. /. /" --
this had a program called "snoof" in it.

"/usr/sbin/. /. /. scan" --
this had a bunch of UTILS. including a README for the hydratools.

"hydratools release 0.8.8
created by phreeon.
maintained by fiba.
shoutouts to hit, je[t], and smokee.
released on thursday, march 4, 1999.

release notes:

**this is a private release. do not distribute it to anyone outside of
hydra.** "

It also contained quit a few scanning and exploiting programs.

A lot of the programs also have source along with it.

To address the Blowfish comment...

There were multiple copies of blowfish.c and blowfish.h around the system. So obviously they have a reason to scan for them.

Linux and Solaris

[crow]

So they only have tools for detecting the multi-source denial of service program for Linux and Solaris? This would suggest to me that the current round of attacks are all based on compromised hosts running those OSs. This is the first technical information on this attack that I've run into. Everything else I've seen seems to be targeted to the non-geek crowd.

Re:Linux and Solaris

[rangek]

his is the first technical information on this attack that I've run into. Everything else I've seen seems to be targeted to the non-geek crowd.

Check out some of these links for a more "technical" report.

Re:Linux and Solaris

[PapaZit]

Most of the DDoS tools that I've seen work best from Solaris or Linux. I've never seen a Stacheldraht attack from anything but a solaris box -- though it's supposed to run under Linux, IIRC. Linux, in turn, is the favorite personal OS of script kiddies and packet monkeys.

(And please, turn your flamethrower off. I know that there are plently of legit linux users. I'm one of 'em.)

Re:Well I for one won't comply with this.

[SEWilco]

So have you configured your box to tell you when you're being scanned? You'll be surprised how often it happens. Next, check your system to see if you've already been broken into. Please.

...true tales of the FBI...

[FreeBSDrew]

"Yes, Commissioner? I think I've found the source of these malicious DoS attacks... have you ever heard of Rob Malda?"

"Yes, the infamous Commander of Tacos! We know all about him... he and his evil gang, the Slashdotters, have terrorized web-sites throughout the land with their awesome distributed DoS capabilities. A link goes up on the main page -- and boom! The site is impossible to contact within as little as five minutes! Why, with that kind of power, and his evil mutant slave Hemos, he's -"

"Sir?"

"Yes, what is it?"

"Hemos is a human, sir."

"I'll be damned if I'm tricked into believing that again, mister! As I was saying, with that kind of power, (and an evil mutant slave *AHEM*), this Commander of Tacos is unstoppable!"

"Yes, sir, I once thought that myself. But he has a weakness -- his code."

"What?!"

"You heard my correctly sir. That Slash code. It's available freely to all now, right there on Slashdot. You can pass it on to the crack [smoking] analysts at the NSA, and --

"And we'll know just how he does it, and how to stop him! By gar, Drew, you're right! How an I ever pay you back?"

"Just buy CDs from Walnut Creek and support FreeBSD, sir. FreeBSD is the OS of true Americans. Slashdot and its evil ways are the product of the godless socialist Fins and their 'Linux'."

"Damned straight! I'll get right on it! [trailing off] Jensen! Preorder 500 copies of FreeBSD 4.0 from Walnut Creek, stat!"

[drew hangs up] "*Sigh* Yet another mystery solved by the powers of a BSD 4.4 lite OS.

be sure to tune in next week, when Drew has Linus deported for serial buggery!

Re:...true tales of the FBI...

[Jahf]

ROFLMAO

Someone mark the parent to this up for Humor ...

(yeah, and mark this one down for being off-topic if you insist)

This could be a "win-win" if the FBI would

[alumshubby]

...just read a few of these replies with an open mind. Hell, if they understand that their software *could* be decompiled eventually anyway, what would it hurt to make the source available to the community? They'd get a lot more goodwill, possibly some cooperation, and maybe even some constructive criticism. It could be learning and bridge-building at the same time.

is the source included?

[xDroid]

I WILL NOT download and install any binaries on my system!
I will only install programs I compile from the source.

Think about it, what if the DDoS daemon sniffer has a trojan?
What if the FBI is behind the DDoS attacks?
It would be a perfect reason to distribute a hacker sniffer.

[disclaimer]
I don't think that the FBI is intentionally running a DDoS attack.
And I don't think the FBI has malicious trojans in their software.
[end disclaimer]

But, it's something to think about.

Re:is the source included?

[jeillah]

What's the problem? I ran it and everything is fine. In fact I feel fine. Matter of fact I feel pretty damn good. Matter of fact I feel like getting a haircut and a shave. Think I'll wear a suit to work tommorrow. Gotta remember not to drive over 55 on the way home tonight...

Email them - Nicely! - and ask for source

[Booker]

I found an email address - NIPC@fbi.gov

Email them _nicely_ and explain why you won't use the program without the source. Leave out the conspiracy theories, for obvious reasons...

Suggestion: Use "Please provide find_ddos source code" as the subject - about 100 messages with the same subject, all asking nicely, should get their attention. :)

Oh yeah - ask nicely.

Did I mention that you should ask _nicely_?
----

Re:Email them - Nicely! - and ask for source

[Phil+Wherry]

FYI, here's the response I received:

The NIPC has determined that it is important not to release the source code publicly. We do, however, have measures in place to help ensure that the executable on our website is not compromised.

Thank you for contacting us.

NIPC Watch and Warning Unit


Phil Wherry wrote:

Good afternoon! I note with interest that you're providing tools to detect distributed denial-of-service attack daemons. I applaud your efforts to stem the recent tide of d-o-s attacks.

As a matter of sound security practice, however, it's considered unwise to run code downloaded from the Internet without appropriate precautions. Given that the code you're distributing requires root-level access to one's system, inspection and compilation of the source code strikes me as the appropriate level of due diligence.

So, to sum up: I'd like to run the find_ddos tool to reassure myself of the health of the systems I manage. But this won't be practical until and unless the source code for the utility is released. I think I'm not alone in wanting this level of assurance; please consider releasing the source!

Phil Wherry
psw@wherry.com

Tact.

[Sakhmet]

Conspiracy theories aside, the FBI, and the American Government in general need to become better versed in tact.

You don't serve bacon to a Jewish guest, you don't serve wine to a Muslim Guest, and you don't give binaries to the Open-Source community.

My opinion, use it as you wish.

Sakhmet.

"The surest way to corrupt a youth is to instruct him to hold in higher esteem those who think alike than those who think differently."

Re:Trusting the police...

[MaggieL]

...is something we learned *NOT* to do back when our country *was* your country.

Re:Well I for one won't comply with this.

[ucblockhead]

Win 95 has poor connections (no daemons and such) and probably will not have a problem.

Maybe...Maybe not. True, there's no sendmail. But it certainly does have some open ports, so you have to trust in Redmond that there aren't any holes in, say, SMB. And it is a lot harder to figure out how to turn that sort of thing off under Windows.

But I think the bigger vulnerability is all of those things (Can you say "ActiveX"?) that make it possible for someone to run arbitrary code on a machine. Once there, you can open any damn port you want. One can imagine such a trojan horse spitting out an ip somewhere as its first action. Then it silently waits for a command.

A halfway-decent start...

[Captain+Sarcastic]

OK, people, let's hold off a second on the knee-jerk "It's a conspiracy!" response that seems to be automatic to anything done by the FBI.

The FBI is providing a program to detect DDoS attacks. It's lame, it's probably not that effective, the source code is unavailable, and they are overlooking the general level of trust that Slashdotters have for the FBI.

So go ahead and accuse the FBI of suspicious timing, and feel free to cast aspersions on their motives, and by all means consider them responsible for any and every possible disaster going back to the Garden of Eden debacle.

And when you're done, let me know what YOU'VE done to deal with this. At least they're trying to do something...

Warning: Conspiracy Theory

[GOD_ALMIGHTY]

Between some of the stories on Slashdot, comments and a discussion at my local UG last night the following conspiracy theory has bubbled up.

<conspiracy>
Janet and the FBI want a 40% increase in their budget mainly for fighting Cybercrime.

Soon afterwards massive DoS attacks hit the major consumer sites. No government or foriegn (non US) sites are hit. The attacks take place during offtimes for most sites; Etrade before the market opens, Ebay during dinnertime.

The attacks are of the scariest type, not much protection for the victim, shows a vast number of systems connected to the net are easily compromised.

Two days later the FBI has a 'solution' to the help alleviate the problem, available to all.
</conspiracy>
Whether or not you trust the FBI or the Federal Gov., this attack has been very convienent for the FBI and Federal law enforcement. I directly helps their position in Congress and in the public eye.

Most of the time we have seen script kiddies attack government sites and high profile sites in the Internet 'community' as opposed to just hitting big commercial sites. This may be a new strain of the script kiddie 'virus' or it could be your favourite spooks (maybe the FBI is coordinating with the NSA, sorry, more conspiracy) advancing their collective agenda.

Remember: the price of freedom is eternal vigilence.
(the price of getting a quick post on /. is bad spelling)

Just some food for thought (or mental masturbation, your choice)

Its a DoS itself!

[Shishak]

I ran this on one of my main linux boxes and it at 100MB RAM in a couple seconds and kept on going til it maxxed out swap and crashed. I think the Feds feel left out in the DoS game and want to show they can crash computers all by themselves.

"Now, I hope and pray that I will, but, today I am still just a bill"

Go figure...

[gotroot801]

Logging output to: LOG
Scanning running processes...
Scanning "/tmp"...
Scanning "/"...

Message from syslogd@localhost at Thu Feb 10 14:22:26 2000 ...
localhost kernel: : rw=1, want=530244, limit=530113
Segmentation fault

Re:Well I for one won't comply with this.

[ucblockhead]

Cable modem users are probably even better because they are continually connected, and their IPs don't change.

Re:Well I for one won't comply with this.

[LRJ]

and not for Winblows?

So trace it!

[devphil]

we don't know what else it's looking for, or who it's contacting.

Anyone concerned about security should already know how to use tracing tools to see what a program is doing. All the good Unixes come with some kind of native execution tracing tool (called trace or truss or whatever) as well as network tools to monitor connections. Plus you have all of the various third-party tools available as well.

If you think it's looking for specific files other than the DoS programs, trace it on a test machine. If you think it's contacting the FBI and uploading your pr0n collection, put the NIC into promiscuous mode and watch for packets. The program is no different from any of the others.

Personally, I suspect that the programs are okay, if only because the FBI knows that the programs will be under this kind of scrutiny. They're not stupid.

Re:Well I for one won't comply with this.

[Oirad]

Well since I don't have any access to one of those nifty permanent internet connections that usually go to slobs and rich businessmen

Well, I would hardly think I'm a slob or rich businessman. I'm a college student paying $35/mo for my cable modem. And no, mommy and daddy aren't paying for anything, either. I'm paying for school, putting myself in debt and working 20 hours/week, which is extending my time in school by at least a year, probably two. So please, keep your generalizations to yourself.

I smell backdoor.....

[diphead]

"Here everyone, this will make your site less vulnerable to all of those hackers. Why are we doing this? Um uh... we just want to make the world a better place, yeah that's right"

Re:I smell backdoor.....

[Steve+B]

They're available in binary form only

Let me ask the FBI a purely philosophical question: Just how stupid do you think I am?
/.

Ahh, could this be the "Mac Attack" bug?

[MrScience]

There was an article less than two months ago about a Mac OS9 Flood Attack capability. John Copeland had discovered that macintosh computers could be used, against the owner's knowledge, to create a massively distributed DoS atatck quite easily.

Has anyone analyzed the packets to determine if they match the requisite 1500 byte ICMP Echo-Request packets? The quote below seems to indicate that, if this is indeed what is going on, it cuold be prevented quite easily.

The Internet Service Providers (ISPs) must take action to drop long ICMP packets in the backbone networks (any packet longer than 1499 bytes, at least). -- John Copeland


You should never, never doubt what nobody is sure about.

ROFL! This really does deserve a +5

[GMontag]

This story would be even funnier if it was not so believable!

Re:ROFL! This really does deserve a +5

[Ian+Schmidt]

No, it's funny BECAUSE it's believable. I actually believed it the first time I read it. I was even thinking "wow, those bastards made the referrer point to Slashdot!".

Funny, funny stuff. If Slashdot went to 6 that post surely would deserve it :)

Binaries only?

[jcr]

Well, it would seem that the FBI still doesn't know a fucking thing about data security.

"Oh, Sure, Ms. Reno. I'm going to take a program without source code from the agency that bugged Martin Luther King, and run it on my machine just because you said so."

Fuck you. Get a goddamned warrant if you want to know what's on my machine.

-jcr

Re:Binaries only?

[technos]

bugged Martin Luther King Well, at least King was a private citizen. They snuck bugs into Detroit Mayor Coleman Young's office, pretending to be the janitor. They then proceeded to listen to him for a decade, without ever charging him of a crime. Can you say 'First black mayor of a major US city?'

In the FBI's defense, Mr. Young was engaged in mild corruption, general governmental misuse, AND he owned every nude strip club in Wayne county at a time when it wasn't legal to run those sorts of establishments.

You Morons

[howardjp]

Quit bitching about the source being available! If you were half decent programmers, you'd sick a debugger on it and see what in the hell it was doing!

$ strings find_ddos (Solaris version)

[pimp]

A brief sampling...

blowfish_decipher
k00lip
shameless_self_promotion
show_shit
commence_smurf
des_encrypt
aes_encrypt
security_through_obscurity
1 - Change IP antispoof-level (evade rfc2267 filtering)
9 - TARGA3 flood (IP stack penetration), usage: -i victim%s..
sitf: executing %s instead of %s
sitf: hiding content of file (%s)
sitf: hiding directory (%s)
sitf: hiding file/process (%s)
sitf: hiding promisc flag on interface
sitf: setting uid(%d) to uid(0)

Overseas avoids the legal bill problem.

[GMontag]

Here, if the Government calls a cat a dog, it legally becomes a dog.

There are plenty of cases where perfectly legal activity is met by the feds with enormous legal bills (search for Bill Cheek).

Anyway, any analysis would be interesting. Also, some threads farther down this post, suggest that just running this FBI crap will eat up all of your memory anyway, thus generating a self inflicted DoS attack.

Not me!

[Ungrounded+Lightning]

There is no WAY I'm going to install an FBI-supplied object-only daemon that runs as root.

Given that they claim to have just written this thing, there is absolutely no excuse for not releasing it as source.

Such a program could view any file and report anything it finds to an external source of its own chosing. It could install trapdoors. It could expose private crypto keys. It could monitor traffic on internal nets - or even attack external sites. It could monitor email. I could go on.

But stop a distributed DoS attack? Does this thing sink its hooks into the kernel? (Would you install it if it did?) Or does it just scan all the disks and tables for "bad" source or object code or file/program names, in the hope the perpetrator (or his sysadmin) installs it on his own machine.

This might be worth reverse-engineering. But there's no WAY anybody concerned about his system's security will execute this puppy.

feds need clue stick beating

[heh2k]

not only is it closed source, for some bizarre reason, but they only compiled it for x86 linux! it does no good on the at least tens of thousands of non x86 linux boxes (and bsd). these feds really have no idea what they're doing.

Re:Well I for one won't comply with this.

[X-Type]

Yes, and a DDoS client from a cable would be more useful.

checksum

[aozilla]

Well, even though they are binary files, at least there is a checksum file. I'm sure any hackers who break into the FBI computer and replace the files won't think to replace the checksum file too.

Need Solaris personto check this out with truss...

[Daeslin]

If someone running Solaris 7.0 (aka SunOS 5.7) or greater could run these with truss -f and sotruss, we can see all system calls and shared library calls which would go a long ways to determining if these appear suspicious or not. Post the results and we'll see what's up.

Anyone see any probs with that?

FBI NIPC scrambling for spotlight again

[jalefkowit]

I'm amazed that nobody has commented on how this is coming from the FBI's National Infrastructure Protection Center (NIPC), which has repeatedly proven itself to be utterly clueless when it comes to the Internet it is charged with protecting.

The NIPC's director, Michael Vatis, seems bent on using every single hiccup on the Net to prove how Essential and Important (TM) the NIPC is. When the Melissa virus hit, NIPC was running around screaming about the end of the world. After that the NIPC was warning about the evil "Y2K viruses" that never really existed (oops!). (The NIPC alert I linked to is a scream; it basically says that there are lots of Nasty Viruses out there, and that, if someone could write a Nasty Virus, they could probably write a Y2K virus, so you should panic immediately.) Now, since Melissa and Y2K failed to destroy civilization, the NIPC is beating the drum over the DoS issue, calling a bunch of script kiddies who inconvenience some people "cyber terrorists".

The common thread here is that the Net is a nasty, brutish place, and only the big tough NIPC can protect us.

I'm not sure why they keep doing this, unless Vatis is such a publicity hound that he will take any excuse to "alert" people of "threats", even if those alerts do more damage than help by panicking people into distrusting the reliability of the Net. His fearmongering has become so blatant and counterproductive that he's become a favorite target of ridicule for Rob Rosenberger, the crusader for common sense regarding computer viruses.

Sure, it's bad that these big sites are suffering DoS. But it's not "terrorism", and slinging around that word only proves how cushy daily life for most people in America truly is. It's hard to imagine anyone rationally being able to compare congestion at Yahoo! to blowing up a federal building. Maybe if Vatis stopped to think for a moment before lunging to get his agency in front of the cameras of the press, he'd realize this too.

-- Jason A. Lefkowitz

Re:FBI NIPC scrambling for spotlight again

[mrBoB]

A-f***ing-men brother.

Re:FBI NIPC scrambling for spotlight again

[Black+Parrot]

> I'm not sure why they keep doing this, unless Vatis is such a publicity hound...

They're getting ready for an IPO?

--

They make it sound like a US-only problem...

[seti]

"Contact your local FBI department."

like, since when does Europe or whatever have an FBI?

Re:They make it sound like a US-only problem...

[GrimJim]

It's clear that the message here is targeted at a US population. I've seen news reports elsewhere which mention that it's not uncommon for such DoS attacks to involve compromised servers (unbeknownst to the legitimate operators of the site) outside the target country, and I'm sure the FBI is aware of this.

Someone at the FBI is a smart cookie in responding decisively and publicly. I think it's a move to start up a division within the FBI that is dedicated to cybercrime and expand from there. This DoS attack might be ammunition in a future argument in favor of key escrow or somesuch. I noted that Patrick Naughton was nabbed in an FBI sting operation. Don't be surprised if the FBI continues to maintain a high profile when it comes to staking out law enforcement turf on cybercrime.

Re:Well I for one won't comply with this.

[X-Type]

Because you can do DDoS attacks using win32 machines.

what if it's not a US based attack?

[blixco]

Will we get the MPAA to help the FBI to destroy the life of the guy in China that is shutting Yahoo down? Seriously, if I have servers in china, s.e. asia, australia, and brasil all running trin00, and the master control is in Zaire...what the hell is the FBI going to do about it? Get angry?

Is the current wave of attacks still ongoing?

[HarryCaul]

I haven't heard of any today...

Thought crime?

[JohnKatz]

"[disclaimer] I don't think that the FBI is intentionally running a DDoS attack. And I don't think the FBI has malicious trojans in their software. [end disclaimer]"

Last I checked you are alowed to think bad things about the FBI/GVMT. If you think the FBI is Evil then just say it, you don't need a disclaimer. This isnt China...

Re:Thought crime?

[JohnKatz]

heh, The FBI only has the FBI's best interests in mind.

Re:Well I for one won't comply with this.

[ucblockhead]

Though you wouldn't want cable modems on the same subnet!
<P>

find_ddos is an attack in itself!!!

[adraken]

Well, I fought off the pangs of paranoia and doubt and su'ed and ran this thing. Scanning running processes... Scanning /tmp... Scanning /... OOPS.. load JUMPS, mem AND swap usage jumps from 15% and 0% to 100% and 100%. X halts: mouse doesn't move, xmms pauses. I try to telnet in from another machine for about 6 minutes, NOTHING. I finally go back, and it's killed X along with rc5des and itself.

Sounds like a denial of service attack itself. geez. Now I feel dirty, excuse me while I go buy a new harddrive. eww.

Go to Dave Dittrich's page! Do it now!

[Sanjuro]

I got this link today out of my SANS newsletter. Dave, Marcus Ranum, and others developed their own scanners *and* provide C source code. Also, he has several reports on trin00, TFN, and stacheldrahtas well as pertinent links on the subject. http://www.staff.washington.edu/dittrich

PLEASE DO NOT REPLY TO THIS PERSON'S COMMENTS.

[Wakko+Warner]

I know I'm breaking my own rule here, but from now on I will no longer reply to him either. He's just posting shit like this to get the bonus karma from heavily-replied-to comments.

What he says is controversial only to those who would bother to reply to such inane, stupid viewpoints to begin with. Please do not give him forum.

- A.P.
--

"One World, one Web, one Program" - Microsoft promotional ad

Re:PLEASE DO NOT REPLY TO THIS PERSON'S COMMENTS.

[slashdot-terminal]

I know I'm breaking my own rule here, but from now on I will no longer reply to him either. He's just posting shit like this to get the bonus karma from heavily-replied-to comments.

Well thanks for the slame Wakko I sure that a "mature" person like you can just silence dissidents and pretend they aren't here.

I am not deliberately interested in gaining karma however I am interested in figuring out why I should care when I and the vast majority of Americans cannot see why anyone should care about issues that are mainly concerned with the security of machines that has historically cost several thousand dollars and had even more expensive per month costs to achieve them.

Essentially what people do when they do little scare tactics is that they try to subdue the isolation of their plight. I had a reasonable idea (from many periodicals and reference books about computer security) that internet security was pretty much fixed for most uses.

What he says is controversial only to those who would bother to reply to such inane, stupid viewpoints to begin with. Please do not give him forum.

Now, now, now little man do you realise that I care little for what happens. I can just as easily just get another account on slashdot change my wording slightly and then succeede. It's that simple. Bingo. Do you know that I have been on slashdot's database in my third account reincarnation. I have had people flame those 2 other accounts before and I just bounced back. I know I am unpopular and quite frankly I see this as a plus. I want to probe the world before I get out in it.

Largely security concerns are not valid if I just have say crap on my machine. Tell me what the problems are if you have nothing but OS system components and a net connection? What possible problems could actualyl happen say someone could actually crack your box? I have backups and such and I don't really care if some ass manages to format the partition. With all the modern hardware out there and the speed and ease of installation there is little reason to care.

Re:Well I for one won't comply with this.

[nevets]

My version of Win 95 hasn't been updated since 1997. I did not have SMB active, or any other service, except for what AOL installed. I also don't have Active X. All in all, I was thinking to back when I first installed Win 95. So my thoughts about it being "secure" by network ignorance may no longer be valid.

Today I have Road Runner and a Linux firewall, and I have finally installed SMB to interact with my other Linux boxes using Samba. Even at my work, our Win 95 machines are pretty much network "dumb" and except for a few who share their "C:\" drive (users being network "dumb" in this case) most are not able to be spoken to.

Steven Rostedt

Updated IP

[slashdot-terminal]

Actually make that
144.35.152.212 that I am currently monitoring.

FOIA and FBI Source Code

We do have something called the freedom of information act. Unless the information falls into certain specifically designated sensitive categories, it must be released on request. Why not file one with the FBI to obtain the source for these utilities?

Binaries

[348]

I don't know if I am comfortable with blindly installing binaries from the government or anyone else for that matter.

Re:Please don't install binaries from anyone...

[ArdentFool]

I think that there must be something more to all of this, that bureau has got to know that NO ONE with any sense at all will be installing their "tools" -- i believe that it is just another part of the overall ploy -- can you see the headlines and openings on the news programs: "FBI Distributes Toolset for Foiling the DoS Attacks!" -- it will play well in the media and get Joe and Jane BeerCan to support dumping more $$$ to their risky eavesdropping and violation schemes...

I tried it but....

[CTalkobt]

After it started scanning the /. directories it bombed out with a message that it had allocated too much memory ( I've got 192+swap for 256k). I'm sorta suspect of a simple scanner needing more than this...

One warning - it gobbles memory fast. If you run it, run it during a very idle time.

Re:I tried it but....

[CTalkobt]

Uh, duh. Make that 256megs, not 256k.

:-)

I dare you...

[jd]

...to forward this to Reuters. :)

Re:I dare you...

[dlb]

..Just make sure you fix the date first.

Re:I dare you...

[fluffhead]

And fix the URL. It's fbi.gov not fbi.org. Just picking them nits....

#include "disclaim.h"
"All the best people in life seem to like LINUX." - Steve Wozniak

This is the alert

[348]

This is the alert posted jointly from DOJ, the FBI and NIPC

NIPC Alert 00-034 and re-issue of National Infrastructure Protection Center Information System Alert NIPC Alert 99-029 originally issued 12/6/99; Unclassified
Beginning on 7 February 2000, a number of high-profile Denial of Service (DOS) attacks temporarily disabled significant electronic commerce Internet web sites. These cyber attacks targeted companies sites like Yahoo.com, Amazon.com, CNN.com, Buy.com, Ebay.com, Stamps.com, Exodus.com, E-trade.com, and Zdnet.com; reported victims have apparently recovered from the attacks within a few hours. Public reporting cites coordinated, Distributed Denial of Service (DDOS) attacks originating from multiple points on the Internet. The FBI is now investigating a number of these attacks; in view of these events the NIPC is re-issuing its original alert describing the DDOS exploit. Additional information can also be found on the NIPC web page at www.nipc.gov and at the Carnegie Mellon Computer Emergency Response Team Coordination Center (CERT/CC) web page at www.cert.org.
Beginning in the fall of 1999, the FBI/NIPC became aware of several instances where intruders installed DDOS tools on various computer systems to create large host networks capable of launching significant coordinated packet flooding denial of service attacks. Installation was accomplished primarily through compromises exploiting known Sun RPC vulnerabilities. These multiple denial of service tools include Trin00, Tribe Flood Network (or TFN, TFN2k, and Stacheldraht,) and were reported on different civilian, university and U.S. Government systems. The FBI continues investigation of many of these incidents, and was and is highly concerned about the scale and significance of these incidents, for the following reasons:
A.) Many of the targets are universities or other sites with high bandwidth Internet connections, representing a possibly significant threat to Internet traffic.
B.) The known cases involve real and substantial financial loss.
C) The activity ties back to significant numbers and locations of domestic and overseas Internet Protocol (IP) addresses.
D) The technical vulnerabilities used to install these denial of service tools are widespread, well-known and readily accessible on most networked systems throughout the Internet.
E) The tools appear to be undergoing active development, testing and deployment on the Internet.
F) The activity often stops once system owners start filtering for Trinoo/TFN and related activity.
Possible motives for this malicious activity range from exploit demonstration, to exploration or reconnaissance, to preparation for widespread denial of service attacks. NIPC was concerned that these tools could have been prepared for employment during the Y2K period, and remains concerned this activity could continue targeting other significant commercial, government or national sites.
NIPC requests that all computer network owners and organizations rapidly examine their systems for evidence of these distributed denial of service tools, in order to be able to quickly implement corrective measures (specific technical instructions are available from CERT/CC, SANS, NIPC, or other sources). These checks should be done to both check and clear systems of Trinoo/TFN, and related threats, and to support law enforcement efforts investigating these exploits. Recipients are asked to report significant or suspected criminal activity to their local FBI office NIPC or ANSIR Coordinator, computer emergency response support and other law enforcement agencies, as appropriate. The NIPC web site is located at www.nipc.gov.

Re:Not gonna work anyway.

[GargoyleMT]

Are you perhaps referring to Ken Thompson's "Reflection on Trust"? For all those who know nothing about it, the url is here. Well worth a read.

Makes one wonder exactly where to stop distrusting once you've become paranoida about security.

Gee, I must be bored...

[jjeffries]

"someone's taken down the 'net!"
it used to happen all the time
back in the day when it was new
and didn't run on Wall Street's dime

there was no panic way back then
when a packet would get lost
but now each one is good as gold
and every downtime has a cost

suits came and tried taking over
and the hackers said, "hey, we're not fools,
stop what you're doing to our 'net!"
and they broke out their hacking tools

the 'net is quite a complex thing
so there are ways to take it on
to abuse the bugs and the backdoors
which open up when knocked upon

clueless experts on the tube
while at the suits the hackers laugh,
"it was so simple for our group
to cut your backbone right in half!"

some suits think that they're immune
their net's protection is quite strong
but if you think that you'll be safe...
you might find out that you're all wrong!

You can trust the spooks

[JohnKatz]

FED: Here, down load this binary and run it as ROOT

CluelessLinuxLuser: Sure! Who better to know whats good for me then the FBI!

CluelessLinuxLuser: Hey, can i get the source?

FED:no

CluelessLinuxLuser: Can you tell me a little more about how it works?

FED: no

CluelessLinuxLuser: Umm...I don't know if this is such a good idea then

FED: TRUST US! Its good for you AND the children, you don't hate children...do you?

CluelessLinuxLuser: NO, NO! Don't worry, I will run your spook binary on my networked PC as root.

(FED thinks to him self) ::HAHA, MS has their sheep, now we have ours! ::

Please read this one, good info.

[GMontag]

Respectful request to mod up please?

Perfect Trial for FreeBSD4.0-RC

[tonyt]

Since the FreeBSD4.0-RELEASE candidate sources have been recently released, this government binary could be the first program to try out in a jail().

jail is a slick new feature in 4.0, that encapsulates the process "in it's own private hell". look somewhere else for a more technical discussion.

Re:Well I for one won't comply with this.

[slashdot-terminal]

So have you configured your box to tell you when you're being scanned? You'll be surprised how often it happens. Next, check your system to see if you've already been broken into. Please.

I don't really need to. Essentially when I get the chance for some real power I will anything and everything that currently will allow for itself to be networked. I have seen too many cases where anal sysadmins just didn't want to let people do anything because they were idiots and wanted to stop people from using a small ammount of vast system resources.

The mere fact that you have theories that suggest that people should not run various servers is indicative of that fact that they want total and compelte control over every facet of our lives.

If I were quite wealthy I would just run a system where I would allow free use of resources for almost anything. As such I would just put a little disclaimer that whatever people do is non of my business and that I take no legal responsibility. Plain and simple.

A vast geek-wing conspiracy

[SkulkCU]

It is eminently clear to me what is happening. The technology 'experts' have finally succeeded in creating far-reaching dependencies on the machines of hell that they have conjured. And now, these "techies" are using computers as their personal drones and foot soldiers to inflate their egos and promote their anarchist agendas. Make no mistake; these are the same spindly pale-faced freaks that you used to shove in lockers. Now, they are hell-bent on revenge because nature has dealt them a painfully small hand. This is a conspiracy; and it is vast. Not only far reaching because of the amount of people involved, but also because of how long it has been happening. Decades ago the seeds were planted with the beginning of what became the Y2K fiasco. They purposefully created fear in order to strip us of our money and our pride. Is there anything that can be done to stop these heathens? Yes, and the points below are a great outline as to how and where to begin overthrowing the nerdopoly we find ourselves serving under and slaves to.

1) Dispose of your personal computer. AOL chat and your personal greeting card software have not contributed anything to your life.

2) If there is a report about "hackers" on the television, turn it off. All of the media is now a collective puppet to these ingrates and atheists that they are reporting on, and have refused to expose the truth about the real danger that these 'people' pose to our society. They exist only to expose our children to pornography, our minds to confusion, and our wallets to theft.

3) Demand that your local library and schools remove computers. These places should be a second home where we are provided with assurances that our American and Christian ideals are protected, not a social petri dish or a home for anarchist and anti-democratic sentiments.

There are certainly other measures that we can take to protect ourselves from these wholly evil creatures of technology and lust, but I think these are important first steps. Thank Our Lord that we have still have the American government and tried-and-true capitalism looking out for us.

Yes, I was kidding.

Violation of LGPL

[johnnyb]

ldd ./find_ddos reveals: not a dynamic executable Hmmmm.... I'm guessing they linked with glibc, which, since they didn't release source code, means they violated the LGPL. For those who are unaware, the LGPL allows anyone to dynamically link for any reason, but forbids static linking (which is what they did).

2nd program (w/ source) seems OK...

[imac.usr]

for kicks, I downloaded the second program listed in the article posting (the one from staff.washington.edu that comes as source) and compiled it on a 2.2.12smp box. I had to comment out the LIBS line to get it to compile, and I don't know enough about Linux libraries to know whether that was a good idea or not. It seems to do what it says when run as root, and it didn't find anything on my machine or one of the others in my area. FWIW.

Me either (was: Re:Not me!)

[warpeightbot]

OK, let's add'em up.

1) Unknown crackers launch DoS against biggest commercial websites. No one takes credit. Matter of fact, no one that I know of has posted a trace on these jokers.

2) NSA has been yelling about this sort of thing for months.

3) The current administration just happens to be trying to fund its current Internet security initiative.

4) The FBI just happens to have something that they "just wrote" in order to deal with precisely this kind of attack, one we haven't seen before on this scale. It's closed source. It wants to run as root.

Yeah, right.

Where are spaf and the boys when you need them? I'd like to see them take the Fibbie's code apart byte by byte and make sure they're not up to something themselves.

Gods help us if they are.

(I know, call me paranoid, fsck my karma to hell, but bigod no steenking revenooer is getting in MY box quite so easily....hmph.)

--
"We are the FBI, we have no sense of humor that we know of." -- Tommy Lee Jones ("K"), "Men In Black"

Topped out at 291MBytes

[Bryan+Andersen]

It topped out at 291M Bytes of ram used on my system, and took a little over 1 hour to run. It also didn't do any network traffic.

Re:Topped out at 291MBytes

[tatsu69]

Mine topped out at over 550 MBytes of memory. Luckily I have a 1G swap and 256 RAM.

Hmmm....

[deeny]

Well, I too am in the category of "does not trust binaries from the FBI." It doesn't matter what the intent is of the FBI programmers. I tend to think that the guys who coded it were probably on the up-and-up.

That said, I still think the leading candidate for the attacks is the NSA....

...which, if you think about it, increases the likelihood that the FBI code is exactly what they represent. While I might believe that the DDoS attacks might have been NSA, I consider it considerably less likely that the NSA and FBI would cooperate. :)

_Deirdre

Who are the cops

[dbrutus]

Do you have any idea how much stuff sysadmins ignore in a given week or month? It's quite a bit of foolishness that nobody ever knows that we saw. And often the logs are kept sparser than they could because we would really rather not remember what your favorite e-commerce sex shoppe is.

It's enough to get several people reprimanded/fired and a few criminal cases filed in your average year. Uptight, play strictly by the rules admins can make mini 1984's out of any company. Most of us don't want to. Be glad that this behavior seems rooted in the culture of sysadmins. The FBI is a very different story.

DB

Re:Who are the cops

[IntlHarvester]

Hah, yes. Occassionally there's a segement on the news-- Did you know that your company can read your E-Mail! Even if you delete it! And, believe it or not, it's totally legal! (Fortunately for them, their e-mail content is profoundly boring and contains about 10,000 copies of the same stupid jokes.) One just has to chuckle at the folks who take the phrase "personal computer" a little too seriously.
--

Take a minute and think a bit

[dbrutus]

Your box gets cracked and they don't touch your stuff (as you predict). They do, however use your box to launch a DDoS against whitehouse.gov or even worse from your perspective crack boxes further on that launch a DDoS. A few days later, the secret service is knocking on your door and taking your hardware away and you end up spending thousands in legal fees.

Do you still think, no harm, no foul?

DB

Re:Take a minute and think a bit

[slashdot-terminal]

Your box gets cracked and they don't touch your stuff (as you predict). They do, however use your box to launch a DDoS against whitehouse.gov or even worse from your perspective crack boxes further on that launch a DDoS. A few
days later, the secret service is knocking on your door and taking your hardware away and you end up spending thousands in legal fees.

But you can clearly indicate that someone connected and that it wasn't you. Furthermore you could very easily say that you had a little disclaimer that indicated that you in fact were not liable for anything that went wrong. This can absolve you.

Do you still think, no harm, no foul?

Oh there is foul but that's what targeted hits are for.

Re:Need Solaris personto check this out with truss

[bobsquatch]

Two comments:

• Checking the Solaris executable shouldn't give you any confidence in the Linux executable.
• man strace

--

Moderators

[348]

This should be marked up.

Thank you

A thought on trust and the FBI

[billybob+jr]

I believe that the desired level of parnoia is in between the fbi-please-trample-my-rights and the twitching-holding-a-gun-in-the-corner level of paranoia.

Trusting too much can obviously cause problems. People take advantage of you, governments gain control, too much control. On the other hand, being paranoid can consume quite a bit of energy and be counter-productive.

That being said, I remember studying the US revolution in school and thinking that the colonists were sometimes excessively paranoid, however I could never fault the result. Anyway, I hope that no one here would blindly trust the fbi, without even considering that they may not be looking out for your best interests.

Remember kids:
rational fear == good
irrational fear == bad

Source code

[stingray]

I have not checked the sources, but If the source code is there, can these people who are using these DDoSs just look to see what it is checking for, and modify there program accordingly?

FBI & /.

[rlb]

I contacted the Hayward office of the FBI and spoke with a plesant young man who had never heard of Slashdot. He will be passing a suggestion up the chain of command of adding the source code of find_ddos to SourceForge as well as making it available on the FBI web site.

This conversation took place prior to the update pointing to Dave Dittrich's site. It appears the source code is public domain, so perhaps one of the knowledgeable people here can start a source tree on SourceForge for this tool.

Richard Bottoms

Re:Well I for one won't comply with this.

[gordie]

Some cable modem systems use DHCP with a short lease life, or other methods to force an IP change and do not issue static IPs. Roadrunner in my area does this for example. This is not for security, but to give headaches to people trying to run an unauthorized (read warez) sites.

What's a script kiddie to do?

[homunq]

The DOS attack is destructive with no productive benefit. It's a pointless and criminal way of saying "Hey, lookee here!" about a bunch of compromised hosts running the masters and daemons.

So I guess the grey-hat response to this black-hat action would be to write more interesting things to put on "owned" systems. Just imagine if, instead of taking down yahoo, your local script kiddie could send the seti@home score of his favorite alias through the roof in just hours. That way, he's still providing the service (calling attention to security holes) without the stupid brute-force collateral damage to Yahoo et al.

I'm kidding about seti@home. But seriously: isn't there something more productive you could do with a distributed network of "owned" systems? Something that would appeal to the script kiddie mentality without fucking things up too badly? Taggers can graduate to real grafitti artworks; where's the upward path for the script kiddie?

I suspect that the answer would have something to do with w4rez or MP3's. (Run Napster instead of trin00 on all the compromised hosts). I'm not endorsing copyright violation here, just saying that it would be a lot better than just crashing shit.

Re:What's a script kiddie to do?

[Dirtside]

Actually, by endorsing Napster, you have given the RIAA's lawyers the legal right to physically sodomize your entire family. This is a little-known provision of the DMCA...

Would not remote detection be..

[Axe]

...easily defeated with hacked standard services that are activated only if receiving some obscure encrypted message. Say hacked finger who will start up Some other daemon when you "finger A$RWEPE" ? Or smth to this effect? How you remotely detect those? Careful check of the system files maybe the answer but I for one have about 20 LIux boxes in the lab - all of them reconfigured by their users a bit. - I am not going over each one for sure. They were reasonably secured (Everything possible down adtelnet replaced with ssh), but who knowswhat could have happened...

Re:Well I for one won't comply with this.

[tzanger]

So have you configured your box to tell you when you're being scanned? You'll be surprised how often it happens. Next, check your system to see if you've already been broken into. Please.

Actually yes I do... I run a modified version of iplog (check freshmeat) and my system logs get simulcast to another server with no other functions save for sending email out. I imagine I could make it even more secure by sending the logs to it via a serial port (entry in my knowledgebase about this) or using a 2nd network card in the server but this suffices for now and allows me to have several servers send logs to the same log box.

Every night I have a cron which greps the shit out of the log and what's left is anything unusual. (90000+ lines in 24-hour period usually drops to about 150 lines when I'm done grepping the normal stuff out) I review that every day. I also have other cron jobs which page me if my 5min load is over 5, my disk space gets too low or if there are more than 6 people logged in.

I also am working with a friend on a modified patch to Bash (the original is on the same page as iplog) which drops the connection if it's being executed as root and the terminal is not a (v)tty. Hoping to add functionality where it also sets up a -j DROP in ipmasq and mails me on it too.

Finally, there are other security measures in place like md5summing critical parts of the system before the backup, not allowing telnet or root/empty password ssh and such and so forth.

Paranoid? Yes. But then again that's what I'm paid to be.

Its complaining about SSLeay

[spudnic]

I have run this on one of my boxes. The only complaints I get are related to SSLeay. Can someone explain to me what this means?

BFD: /usr/src/SSLeay-0.9.0b/test/riptest: invalid string offset 768 >= 512 for section `'
BFD: /usr/src/SSLeay-0.9.0b/test/riptest: invalid string offset 1024 >= 512 for section `'
BFD: /usr/src/SSLeay-0.9.0b/test/riptest: invalid string offset 768 >= 512 for section `'
BFD: /usr/src/SSLeay-0.9.0b/test/riptest: invalid string offset 768 >= 512 for section `'
BFD: /usr/src/SSLeay-0.9.0b/test/riptest: invalid string offset 1024 >= 512 for section `'
BFD: /usr/src/SSLeay-0.9.0b/test/riptest: invalid string offset 5632 >= 512 for section `'

Just because you're paranoid....

[maroberts]

..means you use Linux! :-)

Reading the comments about the DDoS detector indicates what a paranoid bunch of people us Slashdotters appear to be! Most of us won't touch an FBI binary with a bargepole and those of us that do seem to be testing what it does on some spare machine before we release it on our real systems.

In my current area of Linux interest, the field of DVD, DeCSS and css-auth, it has been suggested that Linux users may be happy with binary only drivers to get round our legal problems - these comments show that appears to be utter cr*p. Unless we have at least thge opportunity to see the source code, we won't let such things anywhere near our systems.

Interesting....

[cdlu]

I ran the fbi prog and sigQUITted it after less then a minute. It dumped a core file that would put netscape to shame.
-rw------- 1 root root 58589184 Feb 10 17:07 core

I'm currently straceing it, and if I find anything interesting, I'll post it here.
#include <signal.h> \ #include <stdlib.h> \ int main(void){signal(ABRT,SIGIGN);while(1){abort(-1); }return(0);}

why binary? one possibility

[theonetruekeebler]

As has been pointed out by at least one person on this discussion, there are some good reasons to be mistrustful of an FBI-distributed binary as root on your Unix system, considering the FBI's track record in respecting the personal privacy of the citizens it was created to protect. It is a shame that its long and consistent track record has necessitated such caution on the part of practically everyone outside the agency, because this DDoS scanner really does need to be run as a binary. Here's why:

Unlike CERN, the FBI can kick down doors and stop a DDoS by arresting its perpetrators and confiscating their computers. The best way to do this is to catch the perps in the act. The best way to do this is to identify and monitor a DDos the moment it begins. To do this, there must be detection software in place, and that detection software must notify the FBI instantly.

Now, if the source code to the application is readily available, it will document not only the means of discovery but also the means of FBI notification. The perpetrators of the DDoS could use this knowledge to revise their DDoS. In all likelihood they could not get around the means of discovery. However, they could easily subvert the means of notification. All they have to do is launch a simultaneous attack against the FBI's machine--jamming it with bad packets, or overloading its mail server, or simply flooding it with false positives. If the fifty or so real DDoS-origin addresses are buried under a hundred thousand bogus addresses, the perps have created such an effective smoke screen that they will almost certainly get away yet again.

Will a binary-only tool prevent this? No. But by using good obfuscation techniques they could delay decompilation for so long that the tool actually has a chance to work.

Probably the best thing the FBI could do if they wanted to nail these jerks would be to find a couple of high-profile potential targets, give them the source code to a tool under an NDA, and give the site the opportunity to inspect, approve of, compile and install the tool themselves.

--

Re:Well I for one won't comply with this.

[slashdot-terminal]

I don't really need to. Essentially when I get the chance for some real power I will anything and everything that currently will allow for itself to be networked. I have seen too many cases where anal sysadmins just didn't want to
let people do anything because they were idiots and wanted to stop people from using a small ammount of vast system resources. The mere fact that you have theories that suggest that people should not run various servers is
indicative of that fact that they want total and compelte control over every facet of our lives. WHoa run that last sentence by me again! That's right, this DDOS detector is really a secret government plot to gain "complete control
over every facet of our lives." So you better not run it. Terminal doesn't need to check security because he "doen't really need to." Well I think that's obvious because " Essentially when I [Terminal] get the chance for some real power
I will anything and everything that currently will allow for itself to be networked. Whatever that means, anyone else confused besides me?

*Sigh* sometimes I get a little carried away with myself.

What I mean to say is that given the chance for some real insane bandwidth I would run all of the nice ammenities like an irc server, an http server, a cvs server, sendmail, web based interface for email (aks atdot), slashdot code, mangband, regularly pull html pages (slashdot's), gimp interface, ftp, ssh, etc. This is what I mean. Any person with any administrative ability could very easily to this and still be secure. All of these things are possible except hardly anyone does them because they are lame and foolish. I think that what we really need from the world is what we had back a few years ago when there were more free services.

Free services were the backbone of emerging internet factors back in the early days. This is what I mean. Instead of being afraid of your own shadow you should really allow more freedom.

Smoking crack is bad for your lungs AND your brain

[vyesue]

you can? you think if I broke into your machine and initiated a DoS attack, I wouldn't take the time to remove myself from your logs?

in 1992 my machine at NYU was broken into and used as a stepping stone to break into some machines in Germany. *I* was the one who had to deal with the university coming down and unplugging my stuff and trying to kick me out of housing, and I'm the one with my name in some FBI file somewhere; in my situation, it was quite clear from the logs on my machine that it was being used by someone else to attack systems.

I assure you that you don't want to deal with a situation like this, and if you're young and stupid (or perhaps just stupid) and you don't secure your machines at least enough so that Joe Skriptkiddie can't immediately root you up, you run a very considerable risk of gettign owned and used like I was.

WARNING!!!

[cdlu]

The FBI programme brought down my system and it is currently fscking. At last check it was using over 80M of RAM. In a few minutes I'll see the strace log to see if it tells me anything. I do not recommend any one else runs this programme.

End alert.
#include <signal.h> \ #include <stdlib.h> \ int main(void){signal(ABRT,SIGIGN);while(1){abort(-1); }return(0);}

Re:Yahoo is insignificant, Ameritrade etc is not.

[Mr.+X]

I'm pretty sure all the online brokerages also offer 1-800 numbers where you can place trades when you are away from the Internet. I know E*TRADE does.

Conspiracy or not, doesn't matter

[Malfeasence]

The real danger is that these punks (or punk, co ordinated attacks could be one guppy with a pile o passwords and a little time on their hands) are forcing the PTB to take action. With or without government conspiracy the PTB will march forth with constricting and stiltifying regulations that will hinder and shackle the rest of us, and not being able to get online or search Yahoo will make Joe newbie their ally in doing so. Sayyyy... when did that Mitnick feller get sprung ;-)

Re:Conspiracy or not, doesn't matter

[slashdot-terminal]

The real danger is that these punks (or punk, co ordinated attacks could be one guppy with a pile o passwords and a little time on their hands) are forcing the PTB to take action. With or without government conspiracy the PTB will
march forth with constricting and stiltifying regulations that will hinder and shackle the rest of us, and not being able to get online or search Yahoo will make Joe newbie their ally in doing so. Sayyyy... when did that Mitnick feller
get sprung ;-)

What is a PTB? government?

Re:Conspiracy or not, doesn't matter

[Malfeasence]

Powers that be... sorry for the late reply had to go teach people stuffs

Re:Well I for one won't comply with this.

[vyesue]

You're really deluded.

The more services that you make available to everyone on the internet, the more likely you are to be compromised due to some bug in some software that you're running that noone knows about today, but that someone's goign to find out about and exploit tomorrow.

You can't say that anyone with any administrative ability can put up all sorts of stuff and not get rooted. that's simply not true. you would have to be very very lucky to run a machine with that kind of availability and that much code accessible to the general public and not eventually get broken into.

Re:Well I for one won't comply with this.

[slashdot-terminal]

Port scans. There are tools that people use to continuously probe for machines that run various operating systems. Especially if you are a student and don't have a strong firewall. Crackers will break into the network and scan for users
with various operating systems. If they find one that they know how to break, they'll do so. It's a lot like leaving your car in a dark parking lot without having a good security system. Thieves can break in within a matter of seconds.
The same is true with crackers.

Tell me how do these people actually live and how do they earn a living if they spend all day running port scanners?

Some crackers are just script kiddies trying out there new/old tools/toys. Others are professionals that are testing their skills. Either way, its good to be prepared if you are on the net. Win 95 has poor connections (no daemons and
such) and probably will not have a problem. But if you use NT, you better be careful. The default settings of RedHat are not very secure, and should be turned off. Did you select "Everything" on your install?

Suppose I am running a version of Red Hat or Debian that is extremely secure and everything is non exploitable (there are some distros out there that meet these requirements) what then? Is is still bad not to really care about security?

The best thing to do with a Linux distribution, is to install without any services. Then go back and only install the ones you use. At least you will know what you do and don't have.

One of my great dreams is to create a httpd server over a good modem link. Run the slash code and have a kick ass site without mucho buckos. The linux gazette in one of it's earlier issues discussed about taking a free page and then having your linux machine dynamically update a link on said page to your current IP number assigned and whamo instant slashdot clone!

NIPC on Not Opening Source

[Frater+219]

I wrote a bit of a note to the NIPC suggesting that find_ddos be open-sourced, and pointing out some of the advantages which would accrue, including portability, expansion, and increased trust. I also asked that the license under which it is distributed be clarified, so that I could know if I can legally mirror it. Here's the answer I got back:

"The NIPC has determined that it is important not to release the source code publicly. We do, however, have measures in place to help ensure that the executable on our website is not compromised. We will forward your comments to the appropriate personnel for consideration in this matter. Thank you for contacting us."

How's that for null program?

Just a little too much paranoia

[Foz]

I believe in paranoia... I think it's a good thing. However, I do not think the FBI is stupid enough to trojan something like this. It would be found, and they know that...

I ran it on my DSL connected firewall box, as root... I also trussed and sotrussed it and monitored for network traffic. It looks to me like it's doing exactly what it claims to do. I don't claim to be an expert, but it's good enough for me.

Come on, people... if you honestly think the Feds are stupid enough to try and trojan this you need to take off the tinfoil hats and get out in the sun a little more. And if you don't think it's worth your time to ensure security of your machine you really should think a little harder. It goes way beyond just a recursive rm or two... if your box is compromised it allows someone to then use your box to stage other attacks, to spam people from your system, etc. etc. etc. And if you think you're secure just because you're obscure you are, quite simply, a fool.

I believe that just about any system can be owned given the time and resources and attention of the right people. The same goes with locks on your front doors. It won't keep the dedicated criminals at bay, but it filters out 99% of the riff raff and lets you focus on detection of the other 1%. I run a firewall on my system not because I think I'm a stud or anything, but to try and keep out the truly lame as well as to try and prevent someone from using my resources to bring down YOUR machine or spam YOUR email account or otherwise be nasty to all my internet neighbors.

I won't tell you to run the FBI binaries because I also believe they should have released source... but I will tell you to CHECK your damned systems to make sure you're not compromised and stay vigilant. If you're running a host on the internet you have a responsibility to all the other people on the internet to try and keep your box clean. If you don't want to keep your box clean, go back to AOL and reformat and reinstall windows every 3 months.

The internet was built on the theory of COOPERATION... remember? It's the same thing you all whine about day after day after day... "oh, but why is the internet going to hell... it's all these AOL lusers" everyone says. But I've got news for you, it's not the AOL lusers, it's the lusers who don't take the initiative and personal responsibility to keep their own systems clean and allow the shitheads out there to run rampant.

-- Gary F.

Why report (Re: This bugs me.. )

[bjk4]

Here is a situation in which you might wish to report the transgression to the FBI:

I'm a user on a network of 12000 computers. I run this program, and discover that 150 have DDoS programs running. I manage to contact 100 of these users, who remove their computers from the network (I have a lot of free time, don't I.) However, 50 of the rest are unknown to me. I've contacted the network administrator, but they are uninterested in doing anything about the issue. They feel that the increased traffic will not affect our network, which is circuit-switched OC3.

At this point, I'm concerned because I cannot get the last 50 DDoS computers off the network. So, I give in an contact the FBI. I give them the ip's, and the network admin contact number. This is why.

The other reason is if you find something that might point to the originating culprit. That way justice can be served. A final reason is so that the charges against the hooligans can be increased because the FBI now has record of another 150 computers afflicted and 'damaged' and 'tresspassed' upon.

I find the last reason most convincing.

-B

Re:Why report (Re: This bugs me.. )

[SpaceCadet]

I can see that happening, if you've got a shitty admin. Good admins, on the other hand, listen to users, even if the user IS clueless. Why? Because it's still data. If you have to listen to ten minutes of rambling to get the useful data - that's worth it. Hell, we all read hundreds of Slashdot comments looking for the few good ones. Where's the difference?

Re:Why report (Re: This bugs me.. )

[bjk4]

This is more a case for the admin, who should patch the boxes or add a firewall.

Why should I have the network admin patch my box? I own my box. I pay for access to the network. I don't want to let the network admin anywhere near my box.

The fatal assumption many people are making about the issue is that the network admin has access to every single box on a network. This isn't the case, quite often. Even if they do, you still want to report it just so that the FBI gets a damage assessment so that the crackers get a larger fine/prison term.

The user has holes on their box and the admin gets blown off.

This can happen. The network admin is in charge of keeping an experimental network of 12 thousand computers running. This is quite a job. They (the network admin department) do not have the resources to manage every single computer. Nor can they install any kind of management software due to varying platforms, personal right and legal issues also withstanding.

Have fun!
-B

Re:Well I for one won't comply with this.

[slashdot-terminal]

The more services that you make available to everyone on the internet, the more likely you are to be compromised due to some bug in some software that you're running that noone knows about today, but that someone's goign to
find out about and exploit tomorrow.

What about Red Hat 5.2 right *looks at time on watch now!!!* or perhaps Debian 2.0? How about slackware release 3.0? I think these things are plenty old to get out all the bugs.

You can't say that anyone with any administrative ability can put up all sorts of stuff and not get rooted. that's simply not true. you would have to be very very lucky to run a machine with that kind of availability and that much code
accessible to the general public and not eventually get broken into.

What if I do something like this *sly grin*.

Any connections that originate from anywhere outside of the "approved" range and that do not originate from usage of the login program or any other apporved command and do not contain a proper exit code will drop into a restricted shell where each and every command is logged and perhaps access is not given to net enabled commands?

What?

[DragoonAK]

Why would one want to bugger a serial port? Unless your equipment is miniscule, it's going to lack a certain amount of... I/O , if you know what I mean. I mean, if you want to hump your box, that's what fufme.com is for!

Re:Well I for one won't comply with this.

[Postmaster+General]

If you actually believe that someone sits in front of their monitor, watching the port scanner do it's "thing", then you are really more naive than you sound.

This statement alone gives me the impression that you know a very limited amount about computers and software in general.

It would not be very hard to set up a port scanner to detect activity on a certain number of ports (user-defined, if needed,) and then make a utility (also not too hard to code) take appropriate action (action that may also be user-defined) automatically when any suspicious activity is detected.

Of course, the next "witty" comment you'll most likely make to this would probably be something like, "Ok, how do you know which activity is suspicious?". Simple, ever hear of pattern recognition? Write a simple algorithm that does rudimentary pattern recognition (of course, you could make it more robust and complicated, if you have the code skills to do so.)

I honestly don't know why I'm even gracing you with my responses, as you're posts have done nothing but prove to show how little you think before you post.

Re:Well I for one won't comply with this.

[Postmaster+General]

It's just this "don't care" atitude that put all the victimized sites in the situation where they were attacked.

If they did care, they would've taken the necessary measures to protect themselves against such an attack, thereby saving themselves from public embarrasment and financial loss.

Your apathetic atitude to this situation does absolutely nothing to add to this discussion at all.

What about the possibility of such things happening on WinNT or 95/98?

What about it? Same thing I said above, lack of concern over DoS attacks, or system security in general, will also affect these operating systems. There are patches available for all these operating systems. Patches that will diminish the risk of being victimized by a DoS attack. However, lack of concern will do nothing to get these people to take the necessary steps to install these patches.

Think before you post next time, and try to grow up a little too ... you really are a bit too naive to be posting here.

Re:Well I for one won't comply with this.

[Postmaster+General]

It's just this "don't care" atitude that put all the victimized sites in the situation where they were attacked.

If they did care, they would've taken the necessary measures to protect themselves against such an attack, thereby saving themselves from public embarrasment and financial loss.

Your apathetic atitude to this situation does absolutely nothing to add to this discussion at all.

What about the possibility of such things happening on WinNT or 95/98?

What about it? Same thing I said above, lack of concern over DoS attacks, or system security in general, will also affect these operating systems. There are patches available for all these operating systems. Patches that will diminish the risk of being victimized by a DoS attack. However, lack of concern will do nothing to get these people to take the necessary steps to install these patches.

Think before you post next time, and try to grow up a little too ... you really are a bit too naive to be posting here.

This software will DoS *your* box

[jfunk]

My system ground to a standstill. I couldn't even check out the running processes. I have 96MB ram/130MB swap on a K6-400.

I ran it on my desktop because I was a little wary of running it on my server without knowing anything about it. My mouse all but stopped. I moved it northeast about a centimeter and the pointer was still moving, a tiny bit at a time, with a huge interval, 5 minutes later. My HD light didn't stop. I gave up waiting and came back later to find the following output:

checking /tmp...
checking /...
killed

Strange. Needless to say I deleted the software and didn't bother running it on my server, which is less endowed than my desktop. That binary is way too large to do nothing but simple checks.

Then I remembered, "hey, this is the US Government, they can't do anything right!"

Never attribute to malevolence that which can be achieved through incompetence...

Re:Well I for one won't comply with this.

[vyesue]

a. using really old code is a way to get owned quicker. slack 3.0 probably has some ancient version of sendmail which is guaranteed rootable remotely, among other holes. your best bet is to get new everything, and keep updated regarding patches. but thats just the problem - bugs exist BEFORE patches, and eventually, someone will find a bug in somethign that youre runnign with privs, and then U R 0wn3d as they say. how long has sendmail been around? longer than slackware, and you can bet there are probably a few holes in it still that noone has been clever enough to find (or nice enough to distribute).

b. your access restriction would be a great idea, as long as you can guarantee with absolute certainty that the programs you use to authenticate "legitimate users" are 100% bug free. if they aren't, theres a possibility of getting rooted, and once that happens, all these clever logs and tripwires of yours do you exactly 0 good. how do you think people running sshd with RSAREF felt when this "secure" shell daemon turned out to be remotely exploitable?

dont trust the internet to connect to a computer that you dont want rooted. it's a losing bet in the long run.

No it not, and the comment is kinda silly.

[law]

No it's not, and the comment is kinda silly.
"Multiple Source Denial of Service"
(MS-DOS) Has been around for a while, I read about last year, and thought about it before.
The guy who wrote the detector has documented it pretty well much better then I could.
What is kinda scary is that it could realy be Script Kiddies behind it.
The Code is not half as evil as it could be.

Why we track down and arrest crackers

[B.D.Mills]

...the old (cr/h)acker defense "We're doing it to show you how bad your security is."

Ten reasons why we track down and arrest crackers:

1. To show them that they can be traced.
   
2. To give them a chance to sleep at night instead of spending all night cracking.
   
3. To show them that they're losers with no life.
   
4. To "confiscate" their toys so we can play with them for a while.
   
5. To show them what search warrants look like.
   
6. To use them as training dummies for the Dog Squad.
   
7. Because their mother complained that all that computer equipment in their bedroom was making the room impossible to clean.
   
8. To offer them employment in the NSA.
   
9. To expose them to sunlight and fresh air for once in their lives.
   
10. Because they have committed crimes and need to be brought to trial and punished.
    

--

interesting??

[mikpos]

I was under the impression that trin00 was installed by compromising (mostly) Solaris boxen with buffer overruns. Consequently, almost no one is running it intentionally. Someone here is a bit ignorant, either the moderator or me. Hope it's not me :)

Fear, Loathing and Linux

[neopenguin]

OK, let me get this right... Admins should

Know how to secure their boxes

Know what services are running and what they do

Thoroughly check out any binaries before they unleash them

And how does running an (evidently) buggy mystery binary from the FBI help here? Imagine that instead of releasing this piece of crap they released a comprehensive guide to Linux security with steps that Admins could take to secure their systems aginast this DDoS and links to useful resources to maintain security (CERT etc.)

Now, as a complete newbie with LinuxPPC running on an orphaned UMAX Mac-Clone, I have done my best to educate myself. I've read "Running Linux" from cover to cover despite some Wintelocentric parts. I've spent countless hours reading Man and Info pages and scouring LDP etc. for such info as I can get. I still switch to Mac OS to go online because I know enough to know that I don't yet know what has been installed on my Linux system or how to configure it for secure operation. I do intend to learn. but I have a gripe: I almost get the feeling that there was a secret "obfuscated documentation" contest, or that there is a movement to preserve a kind of artificial expertise by keeping docs obscure. My personal favorite is the seemingly detailed Man page (or O'Reilly book) that cannot be understood without first resorting to a long chain of other docs (doc dependencies?). This FBI bin, and the thinking behnd it, seems like a step in exactly the wrong direction, but the distros could do a lot more. I would love to read the security manual but my distro didn't come with one.

Well, It kind of turned into a rant, but I'm sure I am not alone in this.

Re:Fear, Loathing and Linux

[Lion-O]

I would love to read the security manual but my distro didn't come with one.

Online documentation perhaps?

What this is really doing

[treebeard77]

is looking for MP3 files and reporting back to momma


;-)

We all insist on open source, what about hardware?

[astrophysics]

Few of us seriously consider running software from the FBI without source, unless it's to test it. Similarly, we know not to trust programs from MS, Real, ..., or cookies from DoubleClick. But what about hardware? Do you know what that router is really doing? Or what about your switch?

How can we apply the same standards to hardware as we do for software?

How to fix the vulnerabilities (technical)

[Animats]

These vulnerabilities can be fixed. Here's how:

• SYN flooding
  The basic problem is that protocol stacks derived from BSD commit substantial resources on the receipt of a SYN packet. That makes them vulnerable to TCP SYN packets with forged source IP addresses. The proper solution is to allocate only a small control block at the LISTEN -> SYN_RCVD transition, and allocate the full resources for a TCP connection only at the SYN_RCVD -> ESTAB transition. In a SYN flood, the connection never gets beyond SYN_RCVD, so this confines the attack to using up these small control blocks.

  The lookup used during SYN_RCVD should be hashed, so it doesn't slow down as the number of connections in that state increases, and the allowed number of connections in SYN_RCVD should be made very large (maybe as big as 100,000) in a large server. This allows for a huge SYN flooding overload without impacting real connections much.

  There's a commercial firewall from Israel that does something like this, but it really should be part of the protocol stack.

• ICMP broadcast floods
  Don't reply to ICMP packets sent to broadcast addresses. This is an out-and-out bug, known for over a decade, and should have been fixed everywhere by now. Vendors that haven't fixed it yet should be subjected to public embarassment, if not litigation.

• HTTP request overload
  This is the tough one - being attacked by a large number of completely valid requests. One answer is to impose fairness by source IP address within the server, so that each source IP address gets equal responsiveness. This fix won't stop the problem, but it will slow it down substantially. It's going to take some new development, but the concept is conceptually similar to fair queuing, which I invented long ago. Most of the same issues apply within a server as apply in a congested router.

Implement all this, and the problem will go from being headline news to a minor nusance. Linux network hackers, get going.

I'm not currently doing protocol implementations, but I'd be glad to talk to anybody working actively on the problem. I did substantial work on TCP/IP in its early days, before going on to other things, so I do know what I'm talking about here.

Re:How to fix the vulnerabilities (technical)

[Animats]

Update: somebody already tried that fix to SYN flooding and put it into some versions of BSD. This issue was worked on in 1997, and there are some solutions. I'm not totally in agreement with that fix (Dave Borman's), because it doesn't retransmit SYN ACKs, and that's a protocol violation which could affect legitimate connections.

There's a patch for Linux, too, using something called a "SYN-cookie". This is a marginal idea, and I don't know if it made it into any of the standard Linux distributions. But if you're under attack, you might want to turn it on.

Re:How to fix the vulnerabilities (technical)

[Akaji+Monkey]

MacOS (8.0/8.1 at least) replies to ICMP broadcasts, as do BorderWare (a firewall product!), Telebit Netblazers, some printers, and no doubt many other minor products. It's a disgrace, but it's not going to stop anytime soon, methinks.

Re:How to fix the vulnerabilities (technical)

[Roundeye]

There's a patch for Linux, too, using something called a "SYN-cookie". This is a marginal idea, and I don't know if it made it into any of the standard Linux distributions. But if you're under attack, you might want to turn it on.

It appears to be fairly standard in the major distributions (whether or not it is enabled by default is another matter -- and a question to which I don't know the answer). I have been using SYN cookies for nearly a year now (although the few SYN floods directed at me may have had little result anyway). I tend to make my machines look as much like black holes as possible... and I'm also not Yahoo. :->

Re:How to fix the vulnerabilities (technical)

[Darwin2000]

ICMP is the attack being used. You can't stop it at attacked site. Not responding doesn't mean your not getting 5billion packets from 1000 source A networks with 200 machines on each.
Everyone is hurt by this type of attack except the person forging the packets with the targets IP as the return address.

The only way to stop this is to make sure EVERYONE"S router has do not send broadcast ICMP Ping packets turned on in all routers by default.

True syn attackes were stopped with BSDI putting out the first solution patch after getting news. To my knowledge this is a very workable and usefull solution.

SMURF type attacks are the problem taking these networks down at this point I believe. I have posted on this already.

Re:Well I for one won't comply with this.

[ErikZ]

128 charactors in length?
Geezus, what do you type in? The Illiad?

Later
Erik Z

Re:Well I for one won't comply with this.

[Cyno]

If you have to run something from the FBI to see if anyone has hacked your system, you might as well give the FBI a root account.

You trust them, don't you?

For chrissake, chill out all

[drix]

Sorry to disappoint you all, conspiracy theorists, but this binary is kosher, despite what you may wish to the contrary. How about next time, instead of just slathering on the FUD to each post, try doing a little investigation, and you might just keep from sounding like another crazed anti-government wacko. That's what I did, and lo and behold, it doesn't phone home, beam the contents of your hard drive to a secret bunker on the moon, or anything else. Of course, I could just be a minion of the Ministry of Truth myself... in fact, I am! And we're after you, Wilson! But don't take my word for it - trace out the system calls and you'll see that you have nothing to worry about. Try it:

strace -e trace=network ./find_ddos -p -y

No system calls for networking are made. I bypassed the full hard drive scan for the sake of time, but I've done that too and you have nothing to fear. So either use the tool or don't - really, I don't care - but please refrain from polluting the message boards up with more anti-government FUD. As if there wasn't enough already.

--

Re:For chrissake, chill out all

[drix]

Hah.. I called him Wilson. Even I'm not so sci-fi illiterate as to forget it's WINSTON, and I'd prefer Conrad to Crichton any day of the week :)

--

Okay, I need help.

[Kris_J]

I've downloaded the source mentioned in the update, but when I "make dds" I get...

ld: cannot open -lsocket: No such file or directory

It's been five years since I failed my programming course. I've never been the primary admin for a Un*x box before this job. I can keep the thing running, but my lack of knowledge of what our Linux box is doing at any given time is troublesome when there's a security scare going on. As far as I know, it's a fairly typical Red Hat distro, but our ISP guys set it up. What do I need to do to get it to compile?

I'd much a Windows app that can monitor the network from one location (either our NT server or my portable). In that vain I've downloaded "Nuke Nabber" which has an option for "Syslogd" - which seems to be some sort of communications standard for Un*x boxen. How do I enable it, or more importantly, how do I check to make sure it's running.

Basically, the problem is that the Internet is one big dark alley - most people can't see what's going on around them in the "virtual world". If someone can help me setup some tools to turn the street lights on in my local neighbourhood, I'd be most grateful.

(Actually, it'd be cool if anti-virus packages were expanded to cover ports and assorted network attacks...)

Re:Okay, I need help.

comment out the LIBS line in the Makefile

Re:Okay, I need help.

[Kris_J]

Thanks. That worked.

Now, syslogd... I got it to work for a moment, but I can't workout where to add the "-r" so it always interacts with the network. Does anyone know which .conf file (or whatever) I need to edit to permanantly enable remote logging from syslogd?

FBI binary network tools

[Gothmolly]

Yeah, like I'd download and install a binary-only "network scanner" from the _FBI_.

Re:We all insist on open source, what about hardwa

[Gothmolly]

Easy dude, just put 127.0.0.1 ad.doubeclick.net and others in your hosts file. Insta-spam filter.

Don't cooperate with the Gestapo

[rlglende]

Even if they appear to be doing good.

Better we should put a web site and share the info with each other. We don't need a LEA in this until it is time to get subpoenas, and this can be done at a local level.

Where is the Constitutional grant of power to the Feds which allows the FBI to exist?

lew

Re:Fake Bruce...

[GNUs-Not-Good]

Read it again. He is right. Little double negative action going on there.

Think again.

[EQ]

To take such a flippant attitude about securing your own system, and then to claim that "hey I didnt know" would work as a defense against those Reno and Company (or big corporate lawyers), well, your post shows that you are now, beyond doubt, a brainless fuckwit. Ever heard of a legal term called "depraved indifference"? With your attitude, you better get to know that one, and "culpable negligence" as well. They will be slamming into you in civil and criminal court someday.

And I will cheer them on - because I work for one of the affected companies, and that hit cost us revenues - which could affect my raise, my salary, my stock, my options, and the stability of my job. So Joe Citizen (in spite of your inability to see past the end of your little high-school ego) was affected, and thats why joe citizen should care: from me whose salary could be affected, to the stores where I shop and spend that salary, to the taxes I pay to help those less fortunate, etc. No man is an island kid, learn it.

HAND or FOAD, your choice.

The biggest problem with binnarys

[Felinoid]

Theres a lot of cool advantages to using source code that get premoted.. Easyer to hunt down trojens and other back doors... easyer to improve.. easyer to fix..

Easyer to port.....
Lets think about this for a moment... The Internet is a patchwork of operating systems.. Some SGI, some Linux, some Solarus.. NT here OS/2 there... ohh theres a 3B2 tucked in the corner...
You could release half a million binarys and still miss a few..
Porting to some isn't nessisarly going to be an easy task.. Getting it to work under NT for example may be a bit of an effort... under Dos may be futile... But say SCO Unix or SunOS may need only a recompile....

The best bet to getting this running on as many systems as posable is to releace code....
So why make binary only?
We may know better than to trust security by obscurity but the FBI still believes in it.
It'll be like pulling teath to convence then to open source it.
I think the best selling point is this... Sysadm will not put up with secrets being keep from them.
The crackers will eventually figure out how it works and if it can be thwarted they will do it. Leaving us with a useless binary we can not change.
So you'll release an upgrade? Not on my box...
Once cracked twice shy.. You won't get a second chance.. if they can not fix the code on the fly then WHEN it gets bypassed your code will be tossed out the window never to be seen again...
You have some time... release the code so we can adapt before the crackers...

Re:The biggest problem with binnarys

[Graymalkin]

Geez you have horrible spelling. No offense.

Re:The biggest problem with binnarys

[Felinoid]

No kidding [Horrific speller here]
Might you have made more of a comment than that one line?
Input is a good thing :)

Re:Well I for one won't comply with this.

[The+Man]

Indeed. Despite any other measures you may take: plugging holes, using bug-free ip implementations, etc, it eventually comes down to this:

If site A has more bandwidth than site B, site A can DoS site B.

If sites A1, A2, A3,...An together have more bandwidth than site B, they can DDoS site B.

If sites A1, A2, A3,...An forge ip headers and use sufficient methods to obfuscate their true locations, they can DDoS site B with impunity, and for a much longer period of time since once their original IPs are blocked, they can simply forge new ones.

Finally, if any of sites A1, A2, A3,...An are in countries with little or no motivation/resources to track down/extradite/prosecute the offenders, they can DDoS site B with total impunity, even without disguising themselves.

So yes, there really is no way to prevent this completely. It becomes a slugging match: whoever has more bandwidth wins. Every single time. Which, incidentally, is what makes this week's attacks so interesting - the sites being DoS'd have tremendous bandwidth.

Re:Well I for one won't comply with this.

[The+Man]

you really are a bit too naive to be posting here

Wow, too naive for Slashdot??? He must be very naive indeed.

Re:Any suggestions?

[Graymalkin]

No offense at all but a good book is Linux for Dummies published by IDG. If you prefer you can pick up Unix for Dummies which has general Unix knowlege along with Linux commands that correspond to ones for say Solaris or FreeBSD. Both books are pretty good and written with a sense of humour. They talk more about using Linux rather than admining it, there are admin books though, I would imagine IDG publishes several of them.

theory on why it's slow

[peter]

Maybe the author didn't take /proc or /dev into account, or /proc was different on the kernel he was using relative to 2.2.14 (which I assume most people are using.) I haven't run the program on my system, and I don't plan to.
If there are command line options to control what dirs are scanned, then maybe someone should try limitting it to that. Maybe the program reads whole files into memory before checking them, so big files take massive amounts of RAM.
For some people who have IDE disk drives but haven't used hdparm to tweak them, they will almost certainly find that the system is _much_ more responsive while doing massive I/O if they set multi-count (-m) as high as possible, and use -c 1 -u 1 -d 1. On my P200MMX w/ Quantum Fireball CR, quake remains playable while updatedb is running :)

If someone is running it now, use strace -o logfile -p pid to take a peek at what it's doing. See if it reads in the whole file or what.
#define X(x,y) x##y

I have found...

[Graymalkin]

this all rather entertaining. These people should be given a medal for exemplifying problems that needed solving. The first part of the problem is a bunch of Windows users on their spiffy new cable modems without following directions and leaving file sharing on and not installing a firewall of some sort. To aid the script kiddies' attacks most people with really high bandwidth connections don't take the proper precautions security wise and leave themselves very open to trojans that the kiddies can use for DoS attacks. The second problem is the fact that these supposedly high power high profile websites don't have adquate security and/or fault tolderant systems so a backup could be brought online if an attack was taking place.

Re:Well I for one won't comply with this.

[Rogain]

I'd be more worried about what ELSE those FBI binaries are doing!

Think People!

[Schlacht]

I hope you arent all clammoring to install software distibuted by the government to help you track and protect yourself from net intrusions. Thats like handing your local police the keys to your house and car.

Scheesch, get a clue! We already have this huge machine to feed with our tax dollars, "law enforcement". What better new machine to start to feed "Net Security". Just think before you jump on some bandwagon you cant get off till it's rollin about 70mph. I have a real problem with the source of these 'attacks', Noone has claimed responsibility, this is odd. Maybe Im not informed well enought, but noone is claiming it .... why not? Think People.

Re:Think People!

[Lion-O]

Noone has claimed responsibility
So? I know of quite some bomb terrorist attacks which were never claimed. Also done by the goverment? "I don't think so Tim".

Re:Well I for one won't comply with this.

[Kris_J]

I also have other cron jobs which page me if my 5min load is over 5, my disk space gets too low or if there are more than 6 people logged in.

Can someone do me something like a cron job that sends me an e-mail every time anyone logs into our (Red Hat) Linux box? Something "For Dummies"-esque. Only me and our security maintence contractors should ever log in. (BTW: we use SSH, not Telnet, if that makes any difference). TIA,

Re:Well I for one won't comply with this.

[Kris_J]

This kinda neatly illustrates that the solution needs to be implemented before the packets hit the target. Obviously making sure your hardware can't be used in a DDoS attack is just as important, if not more so, than putting in filter rules to block sus packets.

As for countries that don't care, it's easy enough to put an axe (or backhoe) through the connection of most of those.. ;)

So where is some good ICE?

[Kris_J]

Fine. No one trusts the US' FBI. So where can I find some decent ICE (intrusion countermeasure electronics) that's as easy to deploy as an anti-virus package? I don't mind turning my company's network into a data fortress as long as someone provides some reliable, trustworthy, off-the-shelf tools.

Fire Extinguisher

[JimStoner]

This is London calling...

*dunk (sound of knuckle rapping lightly on forehead)*

Wake up Dude - We did nothing of the sort.

Re:Well I for one won't comply with this.

[TomV]

I also don't have Active X

ActiveX is marketing-speak for COM. COM is the object model underlying 32-bit Windows. Everything you can see in Windows is a COM object. And the only difference between COM and ActiveX is the spelling.

My version of Win 95 hasn't been updated since 1997.

This bit's really scary. That would put you about 200 security patches behind the rest of us. I assume you're not running an unpatched '97 build of Linux. Time to Service Pack the living daylights out of your WinBoxes.

TomV

I don't seem to get it...

[Lion-O]

Instead of finding replies in which people actually appreciate the fact some official instance is actually doing something I see a lot of unsubstantiated (hope I got the grammar right )complaints instead.

I'd say be glad that there is at least some official bureau who is actually doing something and isn't to arrogant to ask us for help. Dunno but IMHO they got it quite right with the choice of platforms too. A Linux binary? Cool. I know of goverments who would release such tools for DOS and who would also wonder why no-one is using it & laughing their heads of instead.

As for the so-called backdoor; if those people complaining were really concerned they should be aware that a nice firewall & some 1st level of clueness can fix these problems. I haven't tried the program myself (yet) but I never saw any complaints about the program needing to be suid or something in here. I would not be surprised if most of the people complaining didn't even bother to check out what program they are talking about which is, IMVHO, like showing bits off cluelessness.

Do I really have to?

[nevets]

Time to Service Pack the living daylights out of your WinBoxes.

Do I really have to? It is my home machine. I only use it for accounting. It is also behind a Linux firewall that I do keep up to date. I do NOT use it for email, so I do feel safe. Although I do use it to browse the web a litte, but I use Netscape 4.7.

I'd email you but you don't have your address posted.

I assume you're not running an unpatched '97 build of Linux.

Actually, I do. My laptop, which I only connect to my LAN when I download files from it, is an old Slackware distro that I installed with diskettes. The last update on it was to get my kernel to 2.0.35. But it follows the same as the Windows box: behind a firewall, don't browse the web or read email from it, yada yada yada.

Steven Rostedt

Re:Well I for one won't comply with this.

[tzanger]

Can someone do me something like a cron job that sends me an e-mail every time anyone logs into our (Red Hat) Linux box?

The way I checked for > x users was just parsing the output of 'w' in a cron script. For your needs I would perhaps replace the login program with a wrapper which emails.

Friday morning updates at NYTimes

[treebeard77]

(free reg. req'd) Evidence Suggests Web Attacks Were Work of More Than One Group By MATT RICHTEL WITH JOEL BRINKLEY FROM FRIDAY'S TIMES As attacks against prominent Web sites appeared to be tapering off, law enforcement and computer security experts said evidence now suggested that the digital assaults had been the work of more than one person or group.
RELATED ARTICLE: Web Attacks Have Government Revisiting Laws and Security

Trojan

[jsin]

I don't know if any of you have experimented with this, this is what happened to me.

I ran find_ddos on RedHat 6.1. It began to run, gave me an "agreement" to sign, and the proceeded to innocently "scan" my system for ddos signatures.

After about two minutes, my telnet session was dropped, so I opened another terminal and logged in, only to find the process for "find_ddos" was no longer running. What was running "in.identd" about 100 times.

I didn't think much of this because it was a test box and we have many users running different experiments all the time, so I left it.

I came back today and it was still acting in an unusual fasion, so I decided to restart the system. After issuing a "shutdown -r now", the shutdown process began and I logged out and started a ping from my workstation to let me know when the system was back online, only it never went offline.

In fact, I can't seem to shut the system down at all remotely, I actually had to power cycle the system to stop it. Now I'm worried that this thing put it's claws into an init file or something and is running in stealth mode for some devious gov purpose.

Again, any feedback on you experience with this code would be appriciated.

This tool ITSELF is a DoS attack

[Baron]

I don't know what experiences other people have had with this thing, but in very short order it was using 100 megs of memory on a Linux machine with only 96 megs of physical RAM and it didn't seem to be anywhere close to finished. I had to kill it before it killed the machine.

My already limited confidence in the competence of the NIPC has been struck another blow. Maybe they haven't released the source because they don't want anyone to confirm what an utter piece of shit this thing is, or do a much better job than they can do for free instead of millions of dollars of taxpayer money.

Re:Binary Only?

[HiThere]

On the internet no one knows you're a ...

Antionline taking a swing at wired over DDoS delim

[TheMo-Man]

http://www.antionline.com/cgi-bin/News?type=antion line&date=02-07-2000&story=DOS.news Check this out... sounds like 1. Antionline has gone Bitch on Us and plays for Team Fed. 2. There appears to be animosity between the two sites as far as who is the "Definative" news source about hackers...

Despite the great history the US govt has...

[Kaht]

...of being honest, I don't think I'll just
assume that the FBI is being friendly, and
really cares if my computer if on or not.

Re:Well I for one won't comply with this.

[Kris_J]

Isn't there a central .cshrc (or something) that's run for every user when they log on? or is that only true if they call it in their local .cshrc?