FBI Releases Updated DDoS Detection Tools
Alex Prestin writes, "In an effort to control the recent distributed Denial of Service attacks which everyone's heard about, the FBI has released Linux and Solaris tools to detect the presence (or absence) of the various DDoS daemons. They're available in binary form only (for now). You can get them here." Quote from the page: "Recipients are asked to report significant or suspected criminal activity to their local FBI office." Update: 02/10 07:37 by H: Here's some more information: The author of the DDoS analyses (at staff.washington.edu/dittrich) has released a network scanner to scan for active agents on your network.
It includes source, and is available here.
PLEASE use it responsibly.
And more importantly, since they're binary only, does anyone trust them?
--
Peace,
Lord Omlette
AOL IM: jeanlucpikachu
[o]_O
- Suggests that they support that MD5 is hard to "spoof,"
- Means that some verification of correctness is possible.
I'd be more impressed if they offered a 1-800 number where you could call in to verify the MD5 checksum. Better still would be to encourage people to call their local FBI office to get that number, which makes it Rather Harder to Spoof...
If you're not part of the solution, you're part of the precipitate.
I just don't trust running binary only programs from the US government. This program scans your whole directory tree, looking for signs of the offending program. But, since we don't have the source, we don't know what else it's looking for, or who it's contacting. It also must be run with root permissions. Personally, I find this a much bigger threat than not being able to day-trade for a few hours.
Citizens Against Plate Tectonics
So... I have the ultimate revenge. Load DoS software on the computer of the person you don't like. Then rat them out to the Feds.
Mr. FBI Agent: Sure you didn't install that software yourself...
- "Yeah man, I tell ya what, man...That dang ol' Internet, man...You just go one there and point and click...Talk about
There are already people clamoring over conspiracy theories. Now they will suggest that the detection tools might contribute to the problem.
Okay, let's say I'm an admin of a free unix shell service. I have about 10,000 users (shellyeah.org has this many). I use their tools to find that about 150 of my users are running these ddosd's. Why should I report it to them? I'd simply terminate their access and the daemons. (And maybe report them to their ISP's, tell their mommies, etc).
Bottom line, why would I want the FBI to take care of it when I can take care of it myself? I could watch the daemons for about a week and try to figure out who else is on the ddos network, and report it to those sysadmins. The 'net isn't FBI ground, no matter what they try to force on the public.
What scares the crap out of me is the thought that there is a hugely growing number of Windows boxes being run by people who know little or nothing about even the basics of security that are permanently attached to the net. I can easily imagine some sort of worm program that exploited some piece of poor security in Win95/98 to install itself on tens of thousands of machines. If done correctly, using some sort of chaining scheme, the actual creator would not have to actually touch the vast majority of these systems, making him almost impossible to find. Just send some trigger sequence to one machine, which signals the two it infected, which signals the four it infected, etc, etc.
The cake is a pie
Well, I am running the tool, and folks should know that it looks as though it is written to keep allocating memory as long as it can.. my system has 128megs of RAM and 256megs of swap, and the find_ddos program has totally exhausted my swap space.
Whatever it's doing, it's doing a lot of it. Be careful not to run it on production systems unless you can stand a bit of a DoS yourself while it runs.
- jon
Ganymede, a GPL'ed metadirectory for UNIX
Others have postulated that government is behind DoS attacks as a publicity strategy to drum up sentiment for pervasive internet monitoring. Rather than government, I wonder if it could be the supporters of the Digital Millennium Copyright Act, such as members of the Software Publishers Association and the Motion Picture and Recording industries. They're painting the DVD defendants as "hackers" (which they use incorrectly to mean "computer criminal"). Here's something more to stir up hysteria about "hackers".
Sure, it could be a blackmail stunt as some people say. But the perpetrators are bound to be caught if that's the case, because they will have to persist in DoS attacks for the protection racket to work, and the persistence will get them caught.
Thus, I think it might more likely be a ploy to discredit.
Thanks
Bruce
Bruce Perens.
For anyone who's interested in actually doing this blatantly illegal activity I have a test machine set up in a computer lab. DoS away at:
144.35.152.144
Slashdot social engineering at its finest
However, like some others have said, who the hell cares if yahoo goes down for an hour?
No shit, I realize that terrorism is a bad thing. But i don't run in terror when I can't load /. (i just curse and get back to work). As much as I depend on the Internet to keep me informed and entertained, it's a nice break sometimes to turn the whole thing off and only see the world that my five senses, um, sense.
I don't see a reason to panic or even get all fluffed up. These attacks can't stay hidden forever, nor can they do it forever without getting caught.
Personally I think this very much legitimizes the old (cr/h)acker defense "We're doing it to show you how bad your security is." That seems like exactly what is happening, on a massive scale, it's about time, IMHO.
+&x
What's particularly painful is that this is a clear case in which source distribution would be a major plus. If this code is a work of the US Federal Government, then it is not protected by copyright under 17 USC 105.
Interestingly, this means that the GNU GPL is powerless to protect the work -- something which is public domain cannot be sheltered by copyright -- but it should be eminently possible to reverse engineer and enhance the program. Modifications themselves should be covered under copyright law, and might be governed by the GPL or another license.
I would be far happier seeing full source to any such tools before installing them on my own systems.
IANAL. This is not legal advice.
What part of "Gestalt" don't you understand?
What part of "gestalt" don't you understand?
I'm not sure why (or how) they are doing this.
First, wouldn't such a daemon have to be proxying a lot of ports to be effective or is it just a packet sniffer?
If there is a DoS attack, would it only log IP (which may be bogus) addresses after your system has been compromised or can it actually prevent such attacks?
Wouldn't a properly configured firewall be more effective using things like connection to connection limits and log files/grep/wc?
Besides the security issues of installing closed-source FBI software on mission critical servers, is there any advantage to using such software or is it only to help FBI nab script-kiddies not necessarily in the US?
Also, is it possible that guys like Amazon.com and Yahoo have nothing more than poorly configured firewalls?
Ozwald
Computer hackers bring down FBI website
Computer hackers used a large distributed attack against the FBI website (http://www.fbi.org) yesterday for two hours between 2 PM and 5 PM, Eastern U.S. time.
FBI officials said that most of the compromised computers requested two specific files, suggesting that the hackers might have been attempting to exploit a file-system bug that might have led to additional slowdown.
Many of the computers used in the attack sent messages causing the webpage requests to appear to come from different types of browsers, making them difficult to block.
Top FBI spook Drawoc Suomynona finally figured out how to block the attacker. "Most of the requests sent the 'referring page' as the page for a recent slashdot article. We just blocked all requests with that referrer, and the FBI server quickly became unclogged."
Slashdot (http://www.slashdot.org) is a well-known geek news site. Slashdot editor Rob Malda declined to comment, but was heard mumbling "It's crackers, not hackers, goddamnit."
Suomynona added, "We still have not found the source of these distributed attacks against websites, but we will step up our efforts to find them."
--
The shareholder is always right.
So they only have tools for detecting the multi-source denial of service program for Linux and Solaris? This would suggest to me that the current round of attacks are all based on compromised hosts running those OSs. This is the first technical information on this attack that I've run into. Everything else I've seen seems to be targeted to the non-geek crowd.
So have you configured your box to tell you when you're being scanned? You'll be surprised how often it happens. Next, check your system to see if you've already been broken into. Please.
I found an email address - NIPC@fbi.gov
:)
Email them _nicely_ and explain why you won't use the program without the source. Leave out the conspiracy theories, for obvious reasons...
Suggestion: Use "Please provide find_ddos source code" as the subject - about 100 messages with the same subject, all asking nicely, should get their attention.
Oh yeah - ask nicely.
Did I mention that you should ask _nicely_?
----
Logging output to: LOG
Scanning running processes...
Scanning "/tmp"...
Scanning "/"...
Message from syslogd@localhost at Thu Feb 10 14:22:26 2000
localhost kernel: : rw=1, want=530244, limit=530113
Segmentation fault
we don't know what else it's looking for, or who it's contacting.
Anyone concerned about security should already know how to use tracing tools to see what a program is doing. All the good Unixes come with some kind of native execution tracing tool (called trace or truss or whatever) as well as network tools to monitor connections. Plus you have all of the various third-party tools available as well.
If you think it's looking for specific files other than the DoS programs, trace it on a test machine. If you think it's contacting the FBI and uploading your pr0n collection, put the NIC into promiscuous mode and watch for packets. The program is no different from any of the others.
Personally, I suspect that the programs are okay, if only because the FBI knows that the programs will be under this kind of scrutiny. They're not stupid.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
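The "trace it on a test machine" advice above is sound, but strace output for a whole-filesystem scanner runs to tens of thousands of lines, so the useful step is to reduce it to the two questions the thread keeps asking: which files did it read, and whom did it talk to? The following Python is an added example, not code from the page or from the FBI tool; the trace lines it parses are constructed to look like `strace -f -e trace=file,network` output, and the list of sensitive path prefixes is a hypothetical starting point.

```python
import re
from collections import Counter

# Constructed sample of the kind of output `strace -f -e trace=file,network ./binary`
# produces. These lines are made up for this example; they are not real find_ddos output.
SAMPLE_TRACE = """\
[pid 4242] open("/etc/ld.so.cache", O_RDONLY) = 3
[pid 4242] stat("/tmp/.sr", {st_mode=S_IFREG|0755, st_size=1234, ...}) = 0
[pid 4242] open("/tmp/.sr", O_RDONLY) = 4
[pid 4242] open("/root/.ssh/id_rsa", O_RDONLY) = 5
[pid 4242] open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
[pid 4242] socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 6
[pid 4242] connect(6, {sin_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
[pid 4243] open("/var/log/messages", O_RDONLY) = 7
"""

# A file-system call naming a path, with its return value and any errno strace appended.
PATH_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?'
    r'(?P<call>open|openat|stat|lstat|access|readlink|execve)\('
    r'(?:AT_FDCWD,\s*)?"(?P<path>[^"]+)"'
    r'.*=\s*(?P<ret>-?\d+)(?:\s+(?P<err>E[A-Z]+))?'
)
# An IPv4 connect() with the remote port and address as strace decodes them.
CONNECT_RE = re.compile(
    r'connect\(\d+,\s*\{sin_family=AF_INET,\s*sin_port=htons\((?P<port>\d+)\),'
    r'\s*sin_addr=inet_addr\("(?P<ip>[^"]+)"\)'
)

# Paths a scanner has no business reading; hypothetical list, adjust for your site.
SENSITIVE_PREFIXES = ("/etc/shadow", "/etc/ssh", "/root/.ssh", "/home")


def summarize(trace_text):
    """Tally every path the traced program touched and every outbound connect()."""
    paths = Counter()
    denied = []
    connects = []
    for line in trace_text.splitlines():
        m = PATH_RE.match(line)
        if m:
            paths[m.group("path")] += 1
            if m.group("err"):
                denied.append((m.group("path"), m.group("err")))
            continue
        m = CONNECT_RE.search(line)
        if m:
            connects.append((m.group("ip"), int(m.group("port"))))
    return {"paths": paths, "denied": denied, "connects": connects}


def flag(summary, sensitive_prefixes=SENSITIVE_PREFIXES):
    """Pull out the two things worth a second look: sensitive files and network contact."""
    sensitive = sorted(p for p in summary["paths"] if p.startswith(sensitive_prefixes))
    return {"sensitive_paths": sensitive, "connects": list(summary["connects"])}


if __name__ == "__main__":
    report = flag(summarize(SAMPLE_TRACE))
    for path in report["sensitive_paths"]:
        print("sensitive file touched:", path)
    for ip, port in report["connects"]:
        print("outbound connection:", ip, port)
```

Run it against a real trace by feeding the file contents to `summarize()`; a failed open (the `EACCES` entry) is still recorded, since a program probing for `/etc/shadow` is interesting whether or not the read succeeded. Pair it with a packet capture on the test machine, as the post suggests, because a program can also reach the network through a child process or a library that this per-call view would not attribute clearly.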
Let me ask the FBI a purely philosophical question: Just how stupid do you think I am?
/. If the government wants us to respect the law, it should set a better example.
for god's sake, can you read the fucking README? go to the site linked in the original post, and read the fucking manual.
some of these ddos tools encrypt information like IPs; the keys are in the binaries. find_ddos decrypts the encrypted information.
being paranoid about installing some binary the fbi gives you is one thing, but being woefully underinformed and shooting off your mouth is intolerable as far as I'm concerned.
There is no WAY I'm going to install an FBI-supplied object-only daemon that runs as root.
Given that they claim to have just written this thing, there is absolutely no excuse for not releasing it as source.
Such a program could view any file and report anything it finds to an external source of its own chosing. It could install trapdoors. It could expose private crypto keys. It could monitor traffic on internal nets - or even attack external sites. It could monitor email. I could go on.
But stop a distributed DoS attack? Does this thing sink its hooks into the kernel? (Would you install it if it did?) Or does it just scan all the disks and tables for "bad" source or object code or file/program names, in the hope the perpetrator (or his sysadmin) installs it on his own machine.
This might be worth reverse-engineering. But there's no WAY anybody concerned about his system's security will execute this puppy.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I'm amazed that nobody has commented on how this is coming from the FBI's National Infrastructure Protection Center (NIPC), which has repeatedly proven itself to be utterly clueless when it comes to the Internet it is charged with protecting.
The NIPC's director, Michael Vatis, seems bent on using every single hiccup on the Net to prove how Essential and Important (TM) the NIPC is. When the Melissa virus hit, NIPC was running around screaming about the end of the world. After that the NIPC was warning about the evil "Y2K viruses" that never really existed (oops!). (The NIPC alert I linked to is a scream; it basically says that there are lots of Nasty Viruses out there, and that, if someone could write a Nasty Virus, they could probably write a Y2K virus, so you should panic immediately.) Now, since Melissa and Y2K failed to destroy civilization, the NIPC is beating the drum over the DoS issue, calling a bunch of script kiddies who inconvenience some people "cyber terrorists".
The common thread here is that the Net is a nasty, brutish place, and only the big tough NIPC can protect us. I'm not sure why they keep doing this, unless Vatis is such a publicity hound that he will take any excuse to "alert" people of "threats", even if those alerts do more damage than help by panicking people into distrusting the reliability of the Net. His fearmongering has become so blatant and counterproductive that he's become a favorite target of ridicule for Rob Rosenberger, the crusader for common sense regarding computer viruses.
Sure, it's bad that these big sites are suffering DoS. But it's not "terrorism", and slinging around that word only proves how cushy daily life for most people in America truly is. It's hard to imagine anyone rationally being able to compare congestion at Yahoo! to blowing up a federal building. Maybe if Vatis stopped to think for a moment before lunging to get his agency in front of the cameras of the press, he'd realize this too.
-- Jason A. Lefkowitz
Read my blog.
Well, I fought off the pangs of paranoia and doubt and su'ed and ran this thing. Scanning running processes... Scanning /tmp... Scanning /... OOPS.. load JUMPS, mem AND swap usage jumps from 15% and 0% to 100% and 100%. X halts: mouse doesn't move, xmms pauses. I try to telnet in from another machine for about 6 minutes, NOTHING. I finally go back, and it's killed X along with rc5des and itself.
Sounds like a denial of service attack itself. geez. Now I feel dirty, excuse me while I go buy a new harddrive. eww.
-- adraken
What he says is controversial only to those who would bother to reply to such inane, stupid viewpoints to begin with. Please do not give him forum.
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Personally I think this very much legitimizes the old (cr/h)acker defense "We're doing it to show you how bad your security is." That seems like exactly what is happening, on a massive scale, it's about time, IMHO.
Does your window provide adequate security against a rock? Would it be okay for me to show you just how little security your clothing provides against a knife blade? Does your car frame have sufficient security against a sledgehammer? Should the victims of Son of Sam be grateful for demonstrating just how vulnerable they are to high velocity projectiles?
Are any of these defenses legitimate? If you were on a jury and the defendant claimed that he killed someone to demonstrate that people can be killed, would you find him innocent?
What have the DoS'ers proved? That crime can be committed? Great, but I knew that already. I can shut down a mall with nothing more than a fork (repeatedly jam the fork into someone's face until they are dead, the mall will be closed for the day) and I can probably shut down an individual store by doing no more than pulling my pants down and taking a dump in the middle of the store; even if all the customers don't leave, the employees won't be able to help the customers because they'll spend all their time arguing over who cleans it up.
If you fill up a company's pipe with data, legitimate traffic can't get through. We knew this already, we don't need it demonstrated anymore than we need it demonstrated that streets are vulnerable to dynamite.
We do have something called the freedom of information act. Unless the information falls into certain specifically designated sensitive categories, it must be released on request. Why not file one with the FBI to obtain the source for these utilities?
I don't know if I am comfortable with blindly installing binaries from the government or anyone else for that matter.
More race stuff in one place,
than any one place on the net.
...to forward this to Reuters. :)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
bugged Martin Luther King
Well, at least King was a private citizen. They snuck bugs into Detroit Mayor Coleman Young's office, pretending to be the janitor. They then proceeded to listen to him for a decade, without ever charging him with a crime. Can you say 'First black mayor of a major US city?'
In the FBI's defense, Mr. Young was engaged in mild corruption, general governmental misuse, AND he owned every nude strip club in Wayne county at a time when it wasn't legal to run those sorts of establishments.
.sig: Now legally binding!
NIPC Alert 00-034 and re-issue of National Infrastructure Protection Center Information System Alert NIPC Alert 99-029 originally issued 12/6/99; Unclassified
Beginning on 7 February 2000, a number of high-profile Denial of Service (DOS) attacks temporarily disabled significant electronic commerce Internet web sites. These cyber attacks targeted companies' sites like Yahoo.com, Amazon.com, CNN.com, Buy.com, Ebay.com, Stamps.com, Exodus.com, E-trade.com, and Zdnet.com; reported victims have apparently recovered from the attacks within a few hours. Public reporting cites coordinated, Distributed Denial of Service (DDOS) attacks originating from multiple points on the Internet. The FBI is now investigating a number of these attacks; in view of these events the NIPC is re-issuing its original alert describing the DDOS exploit. Additional information can also be found on the NIPC web page at www.nipc.gov and at the Carnegie Mellon Computer Emergency Response Team Coordination Center (CERT/CC) web page at www.cert.org.
Beginning in the fall of 1999, the FBI/NIPC became aware of several instances where intruders installed DDOS tools on various computer systems to create large host networks capable of launching significant coordinated packet flooding denial of service attacks. Installation was accomplished primarily through compromises exploiting known Sun RPC vulnerabilities. These multiple denial of service tools include Trin00, Tribe Flood Network (or TFN), TFN2k, and Stacheldraht, and were reported on different civilian, university and U.S. Government systems. The FBI continues investigation of many of these incidents, and was and is highly concerned about the scale and significance of these incidents, for the following reasons:
A) Many of the targets are universities or other sites with high bandwidth Internet connections, representing a possibly significant threat to Internet traffic.
B) The known cases involve real and substantial financial loss.
C) The activity ties back to significant numbers and locations of domestic and overseas Internet Protocol (IP) addresses.
D) The technical vulnerabilities used to install these denial of service tools are widespread, well-known and readily accessible on most networked systems throughout the Internet.
E) The tools appear to be undergoing active development, testing and deployment on the Internet.
F) The activity often stops once system owners start filtering for Trinoo/TFN and related activity.
Possible motives for this malicious activity range from exploit demonstration, to exploration or reconnaissance, to preparation for widespread denial of service attacks. NIPC was concerned that these tools could have been prepared for employment during the Y2K period, and remains concerned this activity could continue targeting other significant commercial, government or national sites.
NIPC requests that all computer network owners and organizations rapidly examine their systems for evidence of these distributed denial of service tools, in order to be able to quickly implement corrective measures (specific technical instructions are available from CERT/CC, SANS, NIPC, or other sources). These checks should be done to both check and clear systems of Trinoo/TFN, and related threats, and to support law enforcement efforts investigating these exploits. Recipients are asked to report significant or suspected criminal activity to their local FBI office NIPC or ANSIR Coordinator, computer emergency response support and other law enforcement agencies, as appropriate. The NIPC web site is located at www.nipc.gov.
More race stuff in one place,
than any one place on the net.
"someone's taken down the 'net!"
it used to happen all the time
back in the day when it was new
and didn't run on Wall Street's dime
there was no panic way back then
when a packet would get lost
but now each one is good as gold
and every downtime has a cost
suits came and tried taking over
and the hackers said, "hey, we're not fools,
stop what you're doing to our 'net!"
and they broke out their hacking tools
the 'net is quite a complex thing
so there are ways to take it on
to abuse the bugs and the backdoors
which open up when knocked upon
clueless experts on the tube
while at the suits the hackers laugh,
"it was so simple for our group
to cut your backbone right in half!"
some suits think that they're immune
their net's protection is quite strong
but if you think that you'll be safe...
you might find out that you're all wrong!
Yea, I guess you're right *everyone* already knew this stuff.
No, wait a second, actually most people don't know a damn thing about any of this. Maybe that's why it's on the news, and it's big news. You'd think something so obvious wouldn't be such big news, but that's because you take for granted that it is so obvious.
I'm not defending their actions, I'm saying that the cost (so far) is outweighed by the benefit.
Does your window provide adequate security against a rock? Would it be okay for me to show you just how little security your clothing provides against a knife blade? Does your car frame have sufficient security against a sledgehammer? Should the victims of Son of Sam be grateful for demonstrating just how vulnerable they are to high velocity projectiles?
That's funny. I type in Yahoo dot com and a page comes up. Yet, my window is still broken, my chest is still bleeding, my car is still dented, and murder victims are still dead. This was a Denial of Service attack. Roughly akin to getting a busy signal when you try and call a business, wait, not roughly, exactly.
Personally I'm all for a little bit of inconvenience to increase public knowledge about the Internet. What I don't like is people associating these type of acts with violent crime, that's when you get enough FUD involved to convince people to give up their online rights, freedom, and privacy, in exchange for the illusion of protection that the government will promise.
+&x
So have you configured your box to tell you when you're being scanned? You'll be surprised how often it happens. Next, check your system to see if you've already been broken into. Please.
I don't really need to. Essentially when I get the chance for some real power I will anything and everything that currently will allow for itself to be networked. I have seen too many cases where anal sysadmins just didn't want to let people do anything because they were idiots and wanted to stop people from using a small amount of vast system resources.
The mere fact that you have theories that suggest that people should not run various servers is indicative of that fact that they want total and complete control over every facet of our lives.
If I were quite wealthy I would just run a system where I would allow free use of resources for almost anything. As such I would just put a little disclaimer that whatever people do is none of my business and that I take no legal responsibility. Plain and simple.
Slashdot social engineering at its finest
for kicks, I downloaded the second program listed in the article posting (the one from staff.washington.edu that comes as source) and compiled it on a 2.2.12smp box. I had to comment out the LIBS line to get it to compile, and I don't know enough about Linux libraries to know whether that was a good idea or not. It seems to do what it says when run as root, and it didn't find anything on my machine or one of the others in my area. FWIW.
I use Macs for work, Linux for education, and Windows for cardplaying.
1) Unknown crackers launch DoS against biggest commercial websites. No one takes credit. Matter of fact, no one that I know of has posted a trace on these jokers.
2) NSA has been yelling about this sort of thing for months.
3) The current administration just happens to be trying to fund its current Internet security initiative.
4) The FBI just happens to have something that they "just wrote" in order to deal with precisely this kind of attack, one we haven't seen before on this scale. It's closed source. It wants to run as root.
Yeah, right.
Where are spaf and the boys when you need them? I'd like to see them take the Fibbie's code apart byte by byte and make sure they're not up to something themselves.
Gods help us if they are.
(I know, call me paranoid, fsck my karma to hell, but bigod no steenking revenooer is getting in MY box quite so easily....hmph.)
--
"We are the FBI, we have no sense of humor that we know of." -- Tommy Lee Jones ("K"), "Men In Black"
It topped out at 291M Bytes of ram used on my system, and took a little over 1 hour to run. It also didn't do any network traffic.
Do you have any idea how much stuff sysadmins ignore in a given week or month? It's quite a bit of foolishness that nobody ever knows that we saw. And often the logs are kept sparser than they could because we would really rather not remember what your favorite e-commerce sex shoppe is.
It's enough to get several people reprimanded/fired and a few criminal cases filed in your average year. Uptight, play strictly by the rules admins can make mini 1984's out of any company. Most of us don't want to. Be glad that this behavior seems rooted in the culture of sysadmins. The FBI is a very different story.
DB
Your box gets cracked and they don't touch your stuff (as you predict). They do, however use your box to launch a DDoS against whitehouse.gov or even worse from your perspective crack boxes further on that launch a DDoS. A few days later, the secret service is knocking on your door and taking your hardware away and you end up spending thousands in legal fees.
But you can clearly indicate that someone connected and that it wasn't you. Furthermore you could very easily say that you had a little disclaimer that indicated that you in fact were not liable for anything that went wrong. This can absolve you.
Do you still think, no harm, no foul?
Oh there is foul but that's what targeted hits are for.
Slashdot social engineering at its finest
That's funny. I type in Yahoo dot com and a page comes up. Yet, my window is still broken
It wasn't a crime against you, it was a crime against yahoo. If I break your window, it doesn't affect anyone else. Your window is broken and it will cost you money. The attack against Yahoo cost Yahoo money, primarily in lost revenue. If I broke a window at Yahoo's office, it would never affect you, but it is still illegal and there is no legitimate argument for it.
Personally I'm all for a little bit of inconvenience to increase public knowledge about the Internet
Would you be so generous if you were the victim? Would you happily say goodbye to your car if it could educate people to the threat of car theft? I mean, you're going to buy a car to replace the one that was lost, so it's not like you're actually out a car, you're just out a bunch of money.
You weren't the victim, Yahoo was.
Mostly because "CERTs have retsin" and this whole thing is pretty stinky.
More race stuff in one place,
than any one place on the net.
This conversation took place prior to the update pointing to Dave Dittrich's site. It appears the source code is public domain, so perhaps one of the knowledgeable people here can start a source tree on SourceForge for this tool.
Richard Bottoms
Would you happily say goodbye to your car if it could educate people to the threat of car theft? I mean, you're going to buy a car to replace the one that was lost, so it's not like you're actually out a car, you're just out a bunch of money.
Yes, *if* the vast majority of people on the planet didn't know a car could be stolen. Actually that's a funny example since I don't own a car (by choice, my feet and my bike work great).
Yahoo can take the hit, mainly because they have this ridiculous valuation based on the potential on the Internet. Well, guess what, the Net also raised the potential power of every person on it, who understands how it works. For these companies, in a brand new industry in a brand new medium doing something that has never been done before, to get hit with a few hours of downtime does a great deal to show people that this is not your father's cyberspace. People (I'm talking about "regular" folks now) haven't realized how much different things are, by forcing them to take a harder look, it helps *everyone* realize that computer security is not a joke, and should be taken every bit as seriously as the need to lock your car. If you don't want to get it stolen, that is. Or used in a DoS attack against your local highway.
+&x
The DOS attack is destructive with no productive benefit. It's a pointless and criminal way of saying "Hey, lookee here!" about a bunch of compromised hosts running the masters and daemons.
So I guess the grey-hat response to this black-hat action would be to write more interesting things to put on "owned" systems. Just imagine if, instead of taking down yahoo, your local script kiddie could send the seti@home score of his favorite alias through the roof in just hours. That way, he's still providing the service (calling attention to security holes) without the stupid brute-force collateral damage to Yahoo et al.
I'm kidding about seti@home. But seriously: isn't there something more productive you could do with a distributed network of "owned" systems? Something that would appeal to the script kiddie mentality without fucking things up too badly? Taggers can graduate to real graffiti artworks; where's the upward path for the script kiddie?
I suspect that the answer would have something to do with w4rez or MP3's. (Run Napster instead of trin00 on all the compromised hosts). I'm not endorsing copyright violation here, just saying that it would be a lot better than just crashing shit.
Preferential Voting: easy as 1-2-3
Actually yes I do... I run a modified version of iplog (check freshmeat) and my system logs get simulcast to another server with no other functions save for sending email out. I imagine I could make it even more secure by sending the logs to it via a serial port (entry in my knowledgebase about this) or using a 2nd network card in the server but this suffices for now and allows me to have several servers send logs to the same log box.
Every night I have a cron which greps the shit out of the log and what's left is anything unusual. (90000+ lines in 24-hour period usually drops to about 150 lines when I'm done grepping the normal stuff out) I review that every day. I also have other cron jobs which page me if my 5min load is over 5, my disk space gets too low or if there are more than 6 people logged in.
I also am working with a friend on a modified patch to Bash (the original is on the same page as iplog) which drops the connection if it's being executed as root and the terminal is not a (v)tty. Hoping to add functionality where it also sets up a -j DROP in ipmasq and mails me on it too.
Finally, there are other security measures in place like md5summing critical parts of the system before the backup, not allowing telnet or root/empty password ssh and such and so forth.
Paranoid? Yes. But then again that's what I'm paid to be.
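The nightly "grep the normal stuff out" pass described above, as an added example (my code, not the poster's cron scripts): a list of patterns for traffic known to be normal on the host is applied to a batch of log lines, and whatever survives is summarised by source address so one noisy host stands out. The iplog/sshd lines, the host name, the addresses and the patterns are all constructed for the example.

```python
import re
from collections import Counter

# Constructed iplog/syslog lines standing in for one night's log; the host,
# addresses and ports are made up for this example.
SAMPLE_LOG = """\
Feb 10 02:11:05 gw iplog[412]: TCP: port 80 connection attempt from 10.0.0.7:4121
Feb 10 02:11:09 gw iplog[412]: TCP: port 22 connection attempt from 192.168.1.20:51022
Feb 10 02:12:31 gw iplog[412]: TCP: port 80 connection attempt from 10.0.0.9:4302
Feb 10 02:13:02 gw iplog[412]: TCP: port 27665 connection attempt from 203.0.113.8:1044
Feb 10 02:13:02 gw iplog[412]: UDP: dgram to port 31335 from 203.0.113.8:1045
Feb 10 02:13:03 gw iplog[412]: TCP: port 1524 connection attempt from 203.0.113.8:1046
Feb 10 02:14:00 gw iplog[412]: ICMP: echo request from 198.51.100.3
Feb 10 02:15:40 gw iplog[412]: TCP: port 80 connection attempt from 10.0.0.7:4133
Feb 10 02:16:12 gw iplog[412]: ICMP: echo request from 198.51.100.3
Feb 10 02:17:55 gw sshd[580]: Accepted publickey for bob from 192.168.1.20
Feb 10 02:18:03 gw iplog[412]: TCP: port 22 connection attempt from 203.0.113.8:1047
"""

# The "grep -v" list: patterns for traffic known to be normal on this host.
# Keep them specific (anchored ports and source ranges) so attack traffic is
# not thrown away with the noise; "port (80|443) " will not match "port 800 ".
NORMAL_PATTERNS = [
    r"iplog\[\d+\]: TCP: port (80|443) connection attempt from 10\.0\.0\.\d+:\d+$",
    r"iplog\[\d+\]: TCP: port 22 connection attempt from 192\.168\.1\.\d+:\d+$",
    r"iplog\[\d+\]: ICMP: echo request from 198\.51\.100\.3$",   # the monitoring box
    r"sshd\[\d+\]: Accepted publickey for \w+ from 192\.168\.1\.\d+$",
]

SOURCE_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")


def residue(lines, patterns):
    """Lines that match none of the known-normal patterns."""
    compiled = [re.compile(p) for p in patterns]
    return [line for line in lines if not any(c.search(line) for c in compiled)]


def by_source(lines):
    """Count residue lines per source address."""
    counts = Counter()
    for line in lines:
        m = SOURCE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def triage(log_text, patterns):
    """Run the filter over a whole log and return what a human should read."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    left = residue(lines, patterns)
    return {"total": len(lines), "residue": left, "by_source": by_source(left)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, NORMAL_PATTERNS)
    print("%d lines in, %d left after filtering" % (report["total"], len(report["residue"])))
    for line in report["residue"]:
        print("  " + line)
    for src, n in report["by_source"].most_common():
        print("%s: %d unexplained events" % (src, n))
```

Run it against the copy of the log on the dedicated log host, not on the box that produced it: an intruder who has root on the origin can edit the local file, but not the lines that already left over the network.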
I ran the fbi prog and sigQUITted it after less than a minute. It dumped a core file that would put netscape to shame.
-rw------- 1 root root 58589184 Feb 10 17:07 core
I'm currently stracing it, and if I find anything interesting, I'll post it here.
#include <signal.h> \ #include <stdlib.h> \ int main(void){signal(SIGABRT,SIG_IGN);while(1){abort();}return(0);}
OFTC: By the community, for the community
Unlike CERT, the FBI can kick down doors and stop a DDoS by arresting its perpetrators and confiscating their computers. The best way to do this is to catch the perps in the act. The best way to do this is to identify and monitor a DDoS the moment it begins. To do this, there must be detection software in place, and that detection software must notify the FBI instantly.
Now, if the source code to the application is readily available, it will document not only the means of discovery but also the means of FBI notification. The perpetrators of the DDoS could use this knowledge to revise their DDoS. In all likelihood they could not get around the means of discovery. However, they could easily subvert the means of notification. All they have to do is launch a simultaneous attack against the FBI's machine--jamming it with bad packets, or overloading its mail server, or simply flooding it with false positives. If the fifty or so real DDoS-origin addresses are buried under a hundred thousand bogus addresses, the perps have created such an effective smoke screen that they will almost certainly get away yet again.
Will a binary-only tool prevent this? No. But by using good obfuscation techniques they could delay decompilation for so long that the tool actually has a chance to work.
Probably the best thing the FBI could do if they wanted to nail these jerks would be to find a couple of high-profile potential targets, give them the source code to a tool under an NDA, and give the site the opportunity to inspect, approve of, compile and install the tool themselves.
--
This is not my sandwich.
I don't really need to. Essentially when I get the chance for some real power I will anything and everything that currently will allow for itself to be networked. I have seen too many cases where anal sysadmins just didn't want to let people do anything because they were idiots and wanted to stop people from using a small amount of vast system resources. The mere fact that you have theories that suggest that people should not run various servers is indicative of the fact that they want total and complete control over every facet of our lives.
Whoa, run that last sentence by me again! That's right, this DDoS detector is really a secret government plot to gain "complete control over every facet of our lives." So you better not run it. Terminal doesn't need to check security because he "doesn't really need to." Well I think that's obvious because "Essentially when I [Terminal] get the chance for some real power I will anything and everything that currently will allow for itself to be networked." Whatever that means; anyone else confused besides me?
*Sigh* sometimes I get a little carried away with myself.
What I mean to say is that given the chance for some real insane bandwidth I would run all of the nice amenities like an irc server, an http server, a cvs server, sendmail, web based interface for email (aka atdot), slashdot code, mangband, regularly pull html pages (slashdot's), gimp interface, ftp, ssh, etc. This is what I mean. Any person with any administrative ability could very easily do this and still be secure. All of these things are possible except hardly anyone does them because they are lame and foolish. I think that what we really need from the world is what we had back a few years ago when there were more free services.
Free services were the backbone of emerging internet factors back in the early days. This is what I mean. Instead of being afraid of your own shadow you should really allow more freedom.
Slashdot social engineering at its finest
You can? You think if I broke into your machine and initiated a DoS attack, I wouldn't take the time to remove myself from your logs?
in 1992 my machine at NYU was broken into and used as a stepping stone to break into some machines in Germany. *I* was the one who had to deal with the university coming down and unplugging my stuff and trying to kick me out of housing, and I'm the one with my name in some FBI file somewhere; in my situation, it was quite clear from the logs on my machine that it was being used by someone else to attack systems.
I assure you that you don't want to deal with a situation like this, and if you're young and stupid (or perhaps just stupid) and you don't secure your machines at least enough so that Joe Skriptkiddie can't immediately root you up, you run a very considerable risk of getting owned and used like I was.
The FBI programme brought down my system and it is currently fscking. At last check it was using over 80M of RAM. In a few minutes I'll see the strace log to see if it tells me anything. I do not recommend anyone else run this programme.
End alert.
#include <signal.h> \ #include <stdlib.h> \ int main(void){signal(SIGABRT,SIG_IGN);while(1){abort();}return(0);}
OFTC: By the community, for the community
I'm pretty sure all the online brokerages also offer 1-800 numbers where you can place trades when you are away from the Internet. I know E*TRADE does.
You're really deluded.
The more services that you make available to everyone on the internet, the more likely you are to be compromised due to some bug in some software that you're running that no one knows about today, but that someone's going to find out about and exploit tomorrow.
You can't say that anyone with any administrative ability can put up all sorts of stuff and not get rooted. That's simply not true. You would have to be very very lucky to run a machine with that kind of availability and that much code accessible to the general public and not eventually get broken into.
Port scans. There are tools that people use to continuously probe for machines that run various operating systems. Especially if you are a student and don't have a strong firewall. Crackers will break into the network and scan for users with various operating systems. If they find one that they know how to break, they'll do so. It's a lot like leaving your car in a dark parking lot without having a good security system. Thieves can break in within a matter of seconds. The same is true with crackers.
Tell me how do these people actually live and how do they earn a living if they spend all day running port scanners?
Some crackers are just script kiddies trying out their new/old tools/toys. Others are professionals that are testing their skills. Either way, it's good to be prepared if you are on the net. Win 95 has poor connections (no daemons and such) and probably will not have a problem. But if you use NT, you better be careful. The default settings of RedHat are not very secure, and should be turned off. Did you select "Everything" on your install?
Suppose I am running a version of Red Hat or Debian that is extremely secure and everything is non-exploitable (there are some distros out there that meet these requirements). What then? Is it still bad not to really care about security?
The best thing to do with a Linux distribution, is to install without any services. Then go back and only install the ones you use. At least you will know what you do and don't have.
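One way to "know what you do and don't have" for the inetd-started services, as an added example (not from the post; the inetd.conf fragment and the allow-list are constructed): parse the file, list every enabled service that is not on the allow-list, and emit a copy with those lines commented out. The field layout follows the classic inetd.conf format; the path names and service names are made up.

```python
# Constructed /etc/inetd.conf fragment for illustration; not taken from any
# system mentioned on the page.
INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
ssh     stream  tcp     nowait  root    /usr/sbin/sshd  sshd -i
"""

# Services this box is actually meant to offer (an assumption for the example).
ALLOWED = {"ssh"}

FIELDS = ("name", "socktype", "proto", "flags", "user", "server")


def parse_inetd(text):
    """One dict per service line. Commented-out services are kept with
    enabled=False so the audit can tell 'disabled' from 'absent'."""
    services = []
    for line in text.splitlines():
        stripped = line.strip()
        enabled = not stripped.startswith("#")
        body = stripped.lstrip("#").strip()
        parts = body.split(None, len(FIELDS))
        if len(parts) < len(FIELDS) or parts[0].startswith("<"):
            continue  # header comment, blank line, or free-text comment
        svc = dict(zip(FIELDS, parts))
        svc["args"] = parts[len(FIELDS)] if len(parts) > len(FIELDS) else ""
        svc["enabled"] = enabled
        services.append(svc)
    return services


def audit(text, allowed):
    """Names of enabled services not on the allow-list, in file order."""
    return [s["name"] for s in parse_inetd(text)
            if s["enabled"] and s["name"] not in allowed]


def running_as_root(text):
    """Enabled services whose handler runs as root (the ones worth a second look)."""
    return [s["name"] for s in parse_inetd(text) if s["enabled"] and s["user"] == "root"]


def harden(text, allowed):
    """Comment out every enabled service not on the allow-list; all other lines
    pass through unchanged so the file stays recognisable to whoever edits it next."""
    unwanted = set(audit(text, allowed))
    out = []
    for line in text.splitlines():
        first = line.split(None, 1)[0] if line.strip() else ""
        if first in unwanted:
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("enabled but not allowed:", audit(INETD_CONF, ALLOWED))
    print("enabled as root:", running_as_root(INETD_CONF))
    print(harden(INETD_CONF, ALLOWED))
```

The same idea applies to standalone daemons started from the rc scripts; this only covers what inetd would spawn, and a HUP to inetd is still needed after the file changes.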
One of my great dreams is to create a httpd server over a good modem link. Run the slash code and have a kick ass site without mucho buckos. The linux gazette in one of its earlier issues discussed taking a free page and then having your linux machine dynamically update a link on said page to your current assigned IP number and whamo, instant slashdot clone!
Slashdot social engineering at its finest
I wrote a bit of a note to the NIPC suggesting that find_ddos be open-sourced, and pointing out some of the advantages which would accrue, including portability, expansion, and increased trust. I also asked that the license under which it is distributed be clarified, so that I could know if I can legally mirror it. Here's the answer I got back:
"The NIPC has determined that it is important not to release the source code publicly. We do, however, have measures in place to help ensure that the executable on our website is not compromised. We will forward your comments to the appropriate personnel for consideration in this matter. Thank you for contacting us."
How's that for null program?
I believe in paranoia... I think it's a good thing. However, I do not think the FBI is stupid enough to trojan something like this. It would be found, and they know that...
I ran it on my DSL connected firewall box, as root... I also trussed and sotrussed it and monitored for network traffic. It looks to me like it's doing exactly what it claims to do. I don't claim to be an expert, but it's good enough for me.
Come on, people... if you honestly think the Feds are stupid enough to try and trojan this you need to take off the tinfoil hats and get out in the sun a little more. And if you don't think it's worth your time to ensure security of your machine you really should think a little harder. It goes way beyond just a recursive rm or two... if your box is compromised it allows someone to then use your box to stage other attacks, to spam people from your system, etc. etc. etc. And if you think you're secure just because you're obscure you are, quite simply, a fool.
I believe that just about any system can be owned given the time and resources and attention of the right people. The same goes with locks on your front doors. It won't keep the dedicated criminals at bay, but it filters out 99% of the riff raff and lets you focus on detection of the other 1%. I run a firewall on my system not because I think I'm a stud or anything, but to try and keep out the truly lame as well as to try and prevent someone from using my resources to bring down YOUR machine or spam YOUR email account or otherwise be nasty to all my internet neighbors.
I won't tell you to run the FBI binaries because I also believe they should have released source... but I will tell you to CHECK your damned systems to make sure you're not compromised and stay vigilant. If you're running a host on the internet you have a responsibility to all the other people on the internet to try and keep your box clean. If you don't want to keep your box clean, go back to AOL and reformat and reinstall windows every 3 months.
The internet was built on the theory of COOPERATION... remember? It's the same thing you all whine about day after day after day... "oh, but why is the internet going to hell... it's all these AOL lusers" everyone says. But I've got news for you, it's not the AOL lusers, it's the lusers who don't take the initiative and personal responsibility to keep their own systems clean and allow the shitheads out there to run rampant.
-- Gary F.
Here is a situation in which you might wish to report the transgression to the FBI:
I'm a user on a network of 12000 computers. I run this program, and discover that 150 have DDoS programs running. I manage to contact 100 of these users, who remove their computers from the network (I have a lot of free time, don't I.) However, 50 of the rest are unknown to me. I've contacted the network administrator, but they are uninterested in doing anything about the issue. They feel that the increased traffic will not affect our network, which is circuit-switched OC3.
At this point, I'm concerned because I cannot get the last 50 DDoS computers off the network. So, I give in and contact the FBI. I give them the IPs, and the network admin contact number. This is why.
The other reason is if you find something that might point to the originating culprit. That way justice can be served. A final reason is so that the charges against the hooligans can be increased because the FBI now has record of another 150 computers afflicted and 'damaged' and 'trespassed' upon.
I find the last reason most convincing.
-B
The more services that you make available to everyone on the internet, the more likely you are to be compromised due to some bug in some software that you're running that noone knows about today, but that someone's goign to find out about and exploit tomorrow.
What about Red Hat 5.2 right *looks at time on watch now!!!* or perhaps Debian 2.0? How about slackware release 3.0? I think these things are plenty old to get out all the bugs.
You can't say that anyone with any administrative ability can put up all sorts of stuff and not get rooted. that's simply not true. you would have to be very very lucky to run a machine with that kind of availability and that much code accessible to the general public and not eventually get broken into.
What if I do something like this *sly grin*.
Any connections that originate from anywhere outside of the "approved" range and that do not originate from usage of the login program or any other approved command and do not contain a proper exit code will drop into a restricted shell where each and every command is logged and perhaps access is not given to net enabled commands?
Slashdot social engineering at its finest
The real danger is that these punks (or punk; coordinated attacks could be one guppy with a pile o' passwords and a little time on their hands) are forcing the PTB to take action. With or without government conspiracy the PTB will ;-) march forth with constricting and stultifying regulations that will hinder and shackle the rest of us, and not being able to get online or search Yahoo will make Joe Newbie their ally in doing so. Sayyyy... when did that Mitnick feller get sprung?
What is a PTB? government?
Slashdot social engineering at its finest
Why would one want to bugger a serial port? Unless your equipment is minuscule, it's going to lack a certain amount of... I/O, if you know what I mean. I mean, if you want to hump your box, that's what fufme.com is for!
My system ground to a standstill. I couldn't even check out the running processes. I have 96MB ram/130MB swap on a K6-400.
/tmp... /...
I ran it on my desktop because I was a little wary of running it on my server without knowing anything about it. My mouse all but stopped. I moved it northeast about a centimeter and the pointer was still moving, a tiny bit at a time, with a huge interval, 5 minutes later. My HD light didn't stop. I gave up waiting and came back later to find the following output:
checking
checking
killed
Strange. Needless to say I deleted the software and didn't bother running it on my server, which is less endowed than my desktop. That binary is way too large to do nothing but simple checks.
Then I remembered, "hey, this is the US Government, they can't do anything right!"
Never attribute to malevolence that which can be achieved through incompetence...
a. using really old code is a way to get owned quicker. slack 3.0 probably has some ancient version of sendmail which is guaranteed rootable remotely, among other holes. your best bet is to get new everything, and keep updated regarding patches. but that's just the problem - bugs exist BEFORE patches, and eventually, someone will find a bug in something that you're running with privs, and then U R 0wn3d as they say. how long has sendmail been around? longer than slackware, and you can bet there are probably a few holes in it still that no one has been clever enough to find (or nice enough to distribute).
b. your access restriction would be a great idea, as long as you can guarantee with absolute certainty that the programs you use to authenticate "legitimate users" are 100% bug free. if they aren't, there's a possibility of getting rooted, and once that happens, all these clever logs and tripwires of yours do you exactly 0 good. how do you think people running sshd with RSAREF felt when this "secure" shell daemon turned out to be remotely exploitable?
dont trust the internet to connect to a computer that you dont want rooted. it's a losing bet in the long run.
The basic problem is that protocol stacks derived from BSD commit substantial resources on the receipt of a SYN packet. That makes them vulnerable to TCP SYN packets with forged source IP addresses. The proper solution is to allocate only a small control block at the LISTEN -> SYN_RCVD transition, and allocate the full resources for a TCP connection only at the SYN_RCVD -> ESTAB transition. In a SYN flood, the connection never gets beyond SYN_RCVD, so this confines the attack to using up these small control blocks.
The lookup used during SYN_RCVD should be hashed, so it doesn't slow down as the number of connections in that state increases, and the allowed number of connections in SYN_RCVD should be made very large (maybe as big as 100,000) in a large server. This allows for a huge SYN flooding overload without impacting real connections much.
There's a commercial firewall from Israel that does something like this, but it really should be part of the protocol stack.
Don't reply to ICMP packets sent to broadcast addresses. This is an out-and-out bug, known for over a decade, and should have been fixed everywhere by now. Vendors that haven't fixed it yet should be subjected to public embarrassment, if not litigation.
This is the tough one - being attacked by a large number of completely valid requests. One answer is to impose fairness by source IP address within the server, so that each source IP address gets equal responsiveness. This fix won't stop the problem, but it will slow it down substantially. It's going to take some new development, but the concept is conceptually similar to fair queuing, which I invented long ago. Most of the same issues apply within a server as apply in a congested router.
Implement all this, and the problem will go from being headline news to a minor nuisance. Linux network hackers, get going.
I'm not currently doing protocol implementations, but I'd be glad to talk to anybody working actively on the problem. I did substantial work on TCP/IP in its early days, before going on to other things, so I do know what I'm talking about here.
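A toy model of two of the server-side fixes in the post above, as an added example (my code, not the poster's and not any real protocol stack): a SYN_RCVD table of small records behind a hashed lookup, driven by forged SYNs that never complete, compared with a small backlog that evicts real clients; and per-source round-robin service compared with plain FIFO for the "valid requests" case. The record sizes, addresses, tick model and request mix are all assumptions made for the example.

```python
from collections import OrderedDict, deque

# Illustrative per-entry sizes (assumed, not measured): a full TCP control block
# with socket buffers versus the minimal SYN_RCVD record that only has to hold
# enough state to validate the returning ACK.
FULL_CB_BYTES = 2048
MINI_CB_BYTES = 64


class HalfOpenTable:
    """SYN_RCVD entries keyed by the 4-tuple. A dict gives the hashed O(1) lookup
    the post calls for; insertion order lets us evict the oldest entry when full."""

    def __init__(self, capacity, entry_bytes):
        self.capacity = capacity
        self.entry_bytes = entry_bytes
        self.entries = OrderedDict()
        self.evicted = 0
        self.peak_bytes = 0

    def on_syn(self, key):
        if key in self.entries:
            return                      # retransmitted SYN, nothing new to allocate
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)   # drop the oldest half-open entry
            self.evicted += 1
        self.entries[key] = True
        self.peak_bytes = max(self.peak_bytes, len(self.entries) * self.entry_bytes)

    def on_ack(self, key):
        """True if the handshake completes, i.e. the entry survived the flood."""
        return self.entries.pop(key, None) is not None


def simulate(table, flood_per_tick, ticks):
    """Per tick: one legitimate SYN, then flood_per_tick SYNs from forged sources
    that never ACK; the legitimate ACK arrives at the start of the next tick.
    Returns how many legitimate handshakes completed."""
    completed = 0
    pending = None
    forged = 0
    for t in range(ticks):
        if pending is not None and table.on_ack(pending):
            completed += 1
        pending = ("192.0.2.10", 40000 + t, "server", 80)
        table.on_syn(pending)
        for _ in range(flood_per_tick):
            forged += 1
            table.on_syn(("203.0.113.%d" % (forged % 256), forged, "server", 80))
    if pending is not None and table.on_ack(pending):
        completed += 1
    return completed


def serve_fifo(requests):
    """Baseline: whoever sends the most requests gets the most service."""
    return list(requests)


def serve_per_source_rr(requests):
    """Round-robin across per-source queues: each source IP gets an equal share
    of service slots, so one chatty source cannot starve the others."""
    queues = OrderedDict()
    for src, req in requests:
        queues.setdefault(src, deque()).append((src, req))
    order = []
    while queues:
        for src in list(queues):
            order.append(queues[src].popleft())
            if not queues[src]:
                del queues[src]
    return order


def first_service_position(order, src):
    """Index in the service order at which a source is first served."""
    return next(i for i, (s, _) in enumerate(order) if s == src)


# Constructed request mix: one source fires 50 valid requests ahead of two others.
REQUESTS = [("203.0.113.5", "r%d" % i) for i in range(50)] + [
    ("192.0.2.10", "index.html"),
    ("198.51.100.7", "news.html"),
]

if __name__ == "__main__":
    small = HalfOpenTable(8, FULL_CB_BYTES)
    big = HalfOpenTable(100000, MINI_CB_BYTES)
    print("8-entry backlog, full blocks:", simulate(small, 10, 100), "handshakes,",
          small.peak_bytes, "bytes peak")
    print("100000-entry table, mini blocks:", simulate(big, 10, 100), "handshakes,",
          big.peak_bytes, "bytes peak")
    print("FIFO position of 192.0.2.10:", first_service_position(serve_fifo(REQUESTS), "192.0.2.10"))
    print("RR position of 192.0.2.10:", first_service_position(serve_per_source_rr(REQUESTS), "192.0.2.10"))
```

The eviction policy is the interesting knob: with a tiny table the flood pushes the real client's entry out before its ACK arrives, while a large table of 64-byte records absorbs the same flood for less memory than eight full control blocks would cost. Per-source fairness only helps for the valid-request case when the attacker cannot spread across many source addresses, which is the limit the post itself concedes.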
There's no need; I just 'strace'd the entire thing and it's kosher. It does scan every file on your hard drive, which is kind of annoying, but fair enough they tell you that's what it does in the docs. Of course, I've only used the Linux version, so YMMV on BSD and Solaris, and if you're a real conspiracy theorist then you've got to assume that I downloaded a tainted version as I have not MD5'd it :)
--
I think there is a world market for maybe five personal web logs.
Sorry to disappoint you all, conspiracy theorists, but this binary is kosher, despite what you may wish to the contrary. How about next time, instead of just slathering on the FUD to each post, try doing a little investigation, and you might just keep from sounding like another crazed anti-government wacko. That's what I did, and lo and behold, it doesn't phone home, beam the contents of your hard drive to a secret bunker on the moon, or anything else. Of course, I could just be a minion of the Ministry of Truth myself... in fact, I am! And we're after you, Wilson! But don't take my word for it - trace out the system calls and you'll see that you have nothing to worry about. Try it:
strace -e trace=network ./find_ddos -p -y
No system calls for networking are made. I bypassed the full hard drive scan for the sake of time, but I've done that too and you have nothing to fear. So either use the tool or don't - really, I don't care - but please refrain from polluting the message boards up with more anti-government FUD. As if there wasn't enough already.
--
I think there is a world market for maybe five personal web logs.
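The strace check the two posts above describe, as an added example (my code, not either poster's; the trace text is constructed rather than captured from find_ddos): parse the output of strace -f -e trace=network and flag connect/sendto/sendmsg calls whose peer is a routable address. Loopback and AF_UNIX peers (a local resolver, the syslog socket) are kept out of the "phones home" verdict, and the [pid N] prefix that -f adds is handled. The syscall lines, addresses and pids are made up.

```python
import re
import ipaddress

# Constructed output of "strace -f -e trace=network" for a program that only
# talks to the local syslog socket. Not real find_ddos output.
CLEAN_TRACE = """\
socket(PF_UNIX, SOCK_DGRAM, 0)          = 3
connect(3, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
+++ exited with 0 +++
"""

# Constructed output for a program that reports to an outside host over HTTP
# and also talks to a local DNS resolver (which should not count against it).
PHONE_HOME_TRACE = """\
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[pid  4242] connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("203.0.113.44")}, 16) = 0
[pid  4242] sendto(4, "POST /report HTTP/1.0\\r\\n", 23, 0, NULL, 0) = 23
socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 5
sendto(5, "\\1\\2", 2, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 16) = 2
+++ exited with 0 +++
"""

# "name(args..." with an optional "[pid N] " prefix from strace -f. Lines such as
# "+++ exited" and "<... connect resumed>" do not match and are skipped; the
# unfinished half of a split call still carries the name and the sockaddr.
SYSCALL_RE = re.compile(r'^(?:\[pid\s+\d+\]\s+)?(\w+)\((.*)$')
ADDR_RE = re.compile(r'sin_addr=inet_addr\("([\d.]+)"\)')
PORT_RE = re.compile(r'sin_port=htons\((\d+)\)')
PATH_RE = re.compile(r'sun_path="([^"]*)"')

OUTBOUND = {"connect", "sendto", "sendmsg"}


def parse_network_calls(trace):
    """One dict per syscall line: name plus whatever peer details are present."""
    calls = []
    for line in trace.splitlines():
        m = SYSCALL_RE.match(line)
        if not m:
            continue
        name, args = m.groups()
        addr = ADDR_RE.search(args)
        port = PORT_RE.search(args)
        path = PATH_RE.search(args)
        calls.append({
            "syscall": name,
            "addr": addr.group(1) if addr else None,
            "port": int(port.group(1)) if port else None,
            "path": path.group(1) if path else None,
        })
    return calls


def external_destinations(calls):
    """Outbound calls whose peer is a routable IPv4 address (not loopback,
    not the unspecified address, not a unix-domain path)."""
    hits = []
    for c in calls:
        if c["syscall"] not in OUTBOUND or c["addr"] is None:
            continue
        ip = ipaddress.ip_address(c["addr"])
        if ip.is_loopback or ip.is_unspecified:
            continue
        hits.append((c["syscall"], c["addr"], c["port"]))
    return hits


def phones_home(trace):
    return bool(external_destinations(parse_network_calls(trace)))


if __name__ == "__main__":
    for label, trace in (("clean", CLEAN_TRACE), ("suspicious", PHONE_HOME_TRACE)):
        print(label, "->", external_destinations(parse_network_calls(trace)))
```

Two caveats a practitioner would add to the poster's verdict: strace shows only the code path that actually ran, so a run with the full scan bypassed says nothing about what the scan path does, and without -f any helper the binary execs is invisible. A binary can also behave differently when it notices it is being traced, which is one more reason source would settle the question where a trace cannot.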
ld: cannot open -lsocket: No such file or directory
It's been five years since I failed my programming course. I've never been the primary admin for a Un*x box before this job. I can keep the thing running, but my lack of knowledge of what our Linux box is doing at any given time is troublesome when there's a security scare going on. As far as I know, it's a fairly typical Red Hat distro, but our ISP guys set it up. What do I need to do to get it to compile?
I'd much prefer a Windows app that can monitor the network from one location (either our NT server or my portable). In that vein I've downloaded "Nuke Nabber" which has an option for "Syslogd" - which seems to be some sort of communications standard for Un*x boxen. How do I enable it, or more importantly, how do I check to make sure it's running?
Basically, the problem is that the Internet is one big dark alley - most people can't see what's going on around them in the "virtual world". If someone can help me setup some tools to turn the street lights on in my local neighbourhood, I'd be most grateful.
(Actually, it'd be cool if anti-virus packages were expanded to cover ports and assorted network attacks...)
Geez you have horrible spelling. No offense.
I'm a loner Dottie, a Rebel.
No offense at all but a good book is Linux for Dummies published by IDG. If you prefer you can pick up Unix for Dummies which has general Unix knowledge along with Linux commands that correspond to ones for say Solaris or FreeBSD. Both books are pretty good and written with a sense of humour. They talk more about using Linux rather than admining it; there are admin books though, I would imagine IDG publishes several of them.
I'm a loner Dottie, a Rebel.
This is all rather entertaining. These people should be given a medal for exemplifying problems that needed solving. The first part of the problem is a bunch of Windows users on their spiffy new cable modems not following directions, leaving file sharing on and not installing a firewall of some sort. To aid the script kiddies' attacks, most people with really high bandwidth connections don't take the proper precautions security-wise and leave themselves very open to trojans that the kiddies can use for DoS attacks. The second problem is the fact that these supposedly high power high profile websites don't have adequate security and/or fault tolerant systems so a backup could be brought online if an attack was taking place.
I'm a loner Dottie, a Rebel.
The type of high-test geek networking knowledge about the Internet that these DoS attacks teaches is pretty much lost on Jane Q. Public.
True, but it pressures every admin out there to make sure their network is secure, which is a good thing. It also raises a general awareness and encourages all users to get their updates, and helps to cut down on the number of machines available to the vandals.
But it does get pretty tiresome hearing the same sanctimonious line of BS about freedom, privacy and online rights every time a pack of delinquents pulls some stunt.
That comes from an overreaction from a misinformed public. The more awareness is raised and the more information that is spread about the problem, the more it helps to minimize the Fear, Uncertainty, and Doubt that might lead people to support overly-restrictive legislation. Just another opportunity to educate.
+&x
As for countries that don't care, it's easy enough to put an axe (or backhoe) through the connection of most of those.. ;)
Fine. No one trusts the US' FBI. So where can I find some decent ICE (intrusion countermeasure electronics) that's as easy to deploy as an anti-virus package? I don't mind turning my company's network into a data fortress as long as someone provides some reliable, trustworthy, off-the-shelf tools.
"Cause there's 40 different shades of black, so many fortresses and ways to attack, so why you complainin'?"
The way I checked for > x users was just parsing the output of 'w' in a cron script. For your needs I would perhaps replace the login program with a wrapper which emails.
Isn't there a central .cshrc (or something) that's run for every user when they log on? or is that only true if they call it in their local .cshrc?
Mm interesting.. how would you code that anyways?
--
I think there is a world market for maybe five personal web logs.
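An added example (my code, not either poster's) of the "parse the output of w" check asked about above, wired to the paging thresholds from the earlier post (5-minute load over 5, more than 6 people logged in, disk getting low), plus a flag for any root session that is not on a console tty, which is the condition the earlier Bash patch idea was meant to catch. The w output is constructed in Linux procps layout; the 10% disk threshold and the assumption that console vtys are named tty* while network sessions are pts/* are mine.

```python
import re

# Constructed `w` output; not captured from any box on the page.
W_OUTPUT = """\
 02:15:40 up 3 days,  4:11,  8 users,  load average: 6.41, 5.37, 2.02
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
alice    tty1     -                 Wed22    3:10m  0.20s  0.05s -bash
bob      pts/0    192.168.1.20      02:01    0.00s  0.10s  0.01s w
root     pts/1    203.0.113.8       02:09    0.00s  0.05s  0.05s -bash
carol    pts/2    192.168.1.33      02:10    5.00s  0.10s  0.02s vi notes
dave     pts/3    192.168.1.34      02:11    1.00s  0.10s  0.02s -bash
erin     pts/4    192.168.1.35      02:12    1.00s  0.10s  0.02s -bash
frank    pts/5    192.168.1.36      02:12    1.00s  0.10s  0.02s -bash
grace    pts/6    192.168.1.37      02:13    1.00s  0.10s  0.02s -bash
"""

HEADER_RE = re.compile(r'(\d+) users?,\s+load average: ([\d.]+), ([\d.]+), ([\d.]+)')


def parse_w(output):
    """User count and load averages from the header line, one dict per session."""
    lines = output.splitlines()
    m = HEADER_RE.search(lines[0])
    if not m:
        raise ValueError("unrecognised w header: %r" % lines[0])
    users = int(m.group(1))
    load = tuple(float(x) for x in m.group(2, 3, 4))
    sessions = []
    for line in lines[2:]:                      # skip header and column titles
        parts = line.split(None, 7)
        if len(parts) < 3:
            continue
        sessions.append({"user": parts[0], "tty": parts[1], "from": parts[2]})
    return {"users": users, "load": load, "sessions": sessions}


def check(state, disk_free_pct, max_users=6, max_load5=5.0, min_disk_pct=10):
    """Thresholds from the post: 5-minute load over 5, more than 6 users, disk
    low (the 10% figure is an assumption). Also flag root on a non-console tty."""
    alerts = []
    load5 = state["load"][1]
    if load5 > max_load5:
        alerts.append("5-minute load %.2f exceeds %.1f" % (load5, max_load5))
    if disk_free_pct < min_disk_pct:
        alerts.append("only %d%% disk free" % disk_free_pct)
    if state["users"] > max_users:
        alerts.append("%d users logged in (limit %d)" % (state["users"], max_users))
    for s in state["sessions"]:
        if s["user"] == "root" and not s["tty"].startswith("tty"):
            alerts.append("root session on %s from %s is not on a console vty"
                          % (s["tty"], s["from"]))
    return alerts


def page_body(alerts, host="gw"):
    """Text a cron job would hand to mail/pager; empty when nothing fired."""
    if not alerts:
        return ""
    return "\n".join(["%s: %d alert(s)" % (host, len(alerts))] + [" - " + a for a in alerts])


if __name__ == "__main__":
    # In cron this would be: state = parse_w(subprocess.check_output(["w"]).decode())
    print(page_body(check(parse_w(W_OUTPUT), disk_free_pct=42)))
```

The root-on-pts rule is the cheap detective version of the Bash patch: it will not stop the session, but it tells you within one cron interval that root is logged in over the network, which on a box where root only ever works at the console is exactly the thing worth being paged about.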