Slashdot Mirror
FBI Releases Updated DDoS Detection Tools
Alex Prestin writes, "In an effort to control the recent distributed Denial of Service attacks which everyone's heard about, the FBI has released Linux and Solaris tools to detect the presence (or absence) of the various DDoS daemons. They're available in binary form only (for now). You can get them here." Quote from the page: "Recipients are asked to report significant or suspected criminal activity to their local FBI office." Update: 02/10 07:37 by H :Here's some more information:The author of the DDoS analyses (at staff.washington.edu/dittrich) has released a network scanner to scan for active agents on your network.
It includes source, and is available here.
PLEASE use it responsibly.
There are already people clamoring over conspricy theories. Now they will suggest that the detection tools might contribute to the problem.
Okay, Let's say i'm an admin of a free unix shell service. I have about 10,000 users (shellyeah.org has this many). I use their tools to find that about 150 of my users are running these ddosd's. Why should I report it to them? I'd simply terminate their access and the daemons. (And maybe report them to their ISP's, tell their mommies, etc).
Bottom line, why would i want the FBI to take care of it when i can take care of it myself? I could watch the daemons for about a week and try to figure out who else is on the ddos network, and report it to those sysadmins. The 'net isn't FBI ground, no matter what they try to force on the public.
What's particulary painful is that this is a clear case in which source distribution would be a major plus. If this code is a work of the US Federal Government, then it is not protected by copyright under 17 USC 105.
Interestingly, this means that the GNU GPL is powerless to protect the work -- something which is public domain cannot be sheltered by copyright -- but it should be eminantly possible to reverse engineer and enhance the program. Modifications themselve should be covered under copyright law, and might be governed by the GPL or another license.
I would be far happier seeing full source to any such tools before installing them on my own systems.
IANAL. This is not legal advice.
What part of "Gestalt" don't you understand?
What part of "gestalt" don't you understand?
Computer hackers bring down FBI website
Computer hackers used a large distributed attack against the FBI website (http://www.fbi.org) yesterday for two hours between 2 PM and 5 PM, Eastern U.S. time.
FBI officials said that most of the compromised computers requested two specific files, suggesting that the hackers might have been attempting to exploit a file-system bug that might have led to additional slowdown.
Many of the computers used in the attack sent messages causing the webpage requests to appear to come from different types of browsers, making them difficult to block.
Top FBI spook Drawoc Suomynona finally figured out how to block the attacker. "Most of the requests sent the 'referring page' as the page for a recent slashdot article. We just blocked all requests with that referrer, and the FBI server quickly became unclogged."
Slashdot (http://www.slashdot.org) is a well-known geek news site. Slashdot editor Rob Malda declined to comment, but was heard mumbling "It's crackers, not hackers, goddamnit."
Suomynona added, "We still have not found the source of these distributed attacks against websites, but we will step up our efforts to find them."
--
The shareholder is always right.
his is the first technical information on this attack that I've run into. Everything else I've seen seems to be targeted to the non-geek crowd.
Check out some of these links for a more "technical" report.
I'm amazed that nobody has commented on how this is coming from the FBI's National Infrastructure Protection Center (NIPC), which has repeatedly proven itself to be utterly clueless when it comes to the Internet it is charged with protecting.
The NIPC's director, Michael Vatis, seems bent on using every single hiccup on the Net to prove how Essential and Important (TM) the NIPC is. When the Melissa virus hit, NIPC was running around screaming about the end of the world. After that the NIPC was warning about the evil "Y2K viruses" that never really existed (oops!). (The NIPC alert I linked to is a scream; it basically says that there are lots of Nasty Viruses out there, and that, if someone could write a Nasty Virus, they could probably write a Y2K virus, so you should panic immediately.) Now, since Melissa and Y2K failed to destroy civilization, the NIPC is beating the drum over the DoS issue, calling a bunch of script kiddies who inconvenience some people "cyber terrorists".
The common thread here is that the Net is a nasty, brutish place, and only the big tough NIPC can protect us.I'm not sure why they keep doing this, unless Vatis is such a publicity hound that he will take any excuse to "alert" people of "threats", even if those alerts do more damage than help by panicking people into distrusting the reliability of the Net. His fearmongering has become so blatant and counterproductive that he's become a favorite target of ridicule for Rob Rosenberger, the crusader for common sense regarding computer viruses.
Sure, it's bad that these big sites are suffering DoS. But it's not "terrorism", and slinging around that word only proves how cushy daily life for most people in America truly is. It's hard to imagine anyone rationally being able to compare congestion at Yahoo! to blowing up a federal building. Maybe if Vatis stopped to think for a moment before lunging to get his agency in front of the cameras of the press, he'd realize this too.
-- Jason A. Lefkowitz
Read my blog.
Personally I think this very much legitimizes the old (cr/h)acker defense "We're doing it to show you how bad your security is." That seems like exactly what is happening, on a massive scale, it's about time, IMHO.
Does your window provide adequate security against a rock? Would it be okay for me to show you just how little security your clothing provides against a knife blade? Does your car frame have sufficient security against a sledgehammer? Should the victims of Son of Sam be greatful for demonstrating just how vulnerable they are to high velocity projectiles?
Are any of these defenses legitimate? If you were on a jury and the defendant claimed that he killed someone to demonstrate that people can be killed, would you find him innocent?
What have the DoS'ers proved? That crime can be comitted? Great, but I knew that already. I can shut down a mall with nothing more than a fork (repeatedly jam the fork into someone's face until they are dead, the mall will be closed for the day) and I can probably shut down an individual store by doing no more than pulling my pants down and taking a dump in the middle of the store; even if all the customers don't leave, the employees won't be able to help the customers because they'll spend all their time arguing over who cleans it up.
If you fill up a company's pipe with data, legitimate traffic can't get through. We knew this already, we don't need it demonstrated anymore than we need it demonstrated that streets are vulnerable to dynamite.
"someone's taken down the 'net!"
it used to happen all the time
back in the day when it was new
and didn't run on Wall Street's dime
there was no panic way back then
when a packet would get lost
but now each one is good as gold
and every downtime has a cost
suits came and tried taking over
and the hackers said, "hey, we're not fools,
stop what you're doing to our 'net!"
and they broke out their hacking tools
the 'net is quite a complex thing
so there are ways to take it on
to abuse the bugs and the backdoors
which open up when knocked upon
clueless experts on the tube
while at the suits the hackers laugh,
"it was so simple for our group
to cut your backbone right in half!"
some suits think that they're immune
their net's protection is quite strong
but if you think that you'll be safe...
you might find out that you're all wrong!
1) Unknown crackers launch DoS against biggest commercial websites. No one takes credit. Matter of fact, no one that I know of has posted a trace on these jokers.
2) NSA has been yelling about this sort of thing for months.
3) The current administration just happens to be trying to fund its current Internet security initiative.
4) The FBI just happens to have something that they "just wrote" in order to deal with precisely this kind of attack, one we haven't seen before on this scale. It's closed source. It wants to run as root.
Yeah, right.
Where are spaf and the boys when you need them? I'd like to see them take the Fibbie's code apart byte by byte and make sure they're not up to something themselves.
Gods help us if they are.
(I know, call me paranoid, fsck my karma to hell, but bigod no steenking revenooer is getting in MY box quite so easily....hmph.)
--
"We are the FBI, we have no sense of humor that we know of." -- Tommy Lee Jones ("K"), "Men In Black"
Did you see that Ruby Ridge/Waco double feature last week?
+&x
I believe in paranoia... I think it's a good thing. However, I do not think the FBI is stupid enough to trojan something like this. It would be found, and they know that...
I ran it on my DSL connected firewall box, as root... I also trussed and sotrussed it and monitored for network traffic. It looks to me like it's doing exactly what it claims to do. I don't claim to be an expert, but it's good enough for me.
Come on, people... if you honestly think the Feds are stupid enough to try and trojan this you need to take off the tinfoil hats and get out in the sun a little more. And if you don't think it's worth your time to ensure security of your machine you really should think a little harder. It goes way beyond just a recursive rm or two... if your box is compromised it allows someone to then use your box to stage other attacks, to spam people from your system, etc. etc. etc. And if you think you're secure just because you're obscure you are, quite simply, a fool.
I believe that just about any system can be owned given the time and resources and attention of the right people. The same goes with locks on your front doors. It won't keep the dedicated criminals at bay, but it filters out 99% of the riff raff and lets you focus on detection of the other 1%. I run a firewall on my system not because I think I'm a stud or anything, but to try and keep out the truly lame as well as to try and prevent someone from using my resources to bring down YOUR machine or spam YOUR email account or otherwise be nasty to all my internet neighbors.
I won't tell you to run the FBI binaries because I also believe they should have released source... but I will tell you to CHECK your damned systems to make sure you're not compromised and stay vigilant. If you're running a host on the internet you have a responsibility to all the other people on the internet to try and keep your box clean. If you don't want to keep your box clean, go back to AOL and reformat and reinstall windows every 3 months.
The internet was built on the theory of COOPERATION... remember? It's the same thing you all whine about day after day after day... "oh, but why is the internet going to hell... it's all these AOL lusers" everyone says. But I've got news for you, it's not the AOL lusers, it's the lusers who don't take the initiative and personal responsibility to keep their own systems clean and allow the shitheads out there to run rampant.
-- Gary F.
The basic problem is that protocol stacks derived from BSD commit substantial resources on the receipt of a SYN packet. That makes them vulnerable to TCP SYN packets with forged source IP addresses. The proper solution is to allocate only a small control block at the LISTEN -> SYN_RCVD transition, and allocate the full resources for a TCP connection only at the SYN_RCVD -> ESTAB transition. In a SYN flood, the connection never gets beyond SYN_RCVD, so this confines the attack to using up these small control blocks.
The lookup used during SYN_RCVD should be hashed, so it doesn't slow down as the number of connections in that state increases, and the allowed number of connections in SYN_RCVD should be made very large (maybe as big as 100,000) in a large server. This allows for a huge SYN flooding overload without impacting real connections much.
There's a commercial firewall from Israel that does something like this, but it really should be part of the protocol stack.
Don't reply to ICMP packets sent to broadcast addresses. This is an out-and-out bug, known for over a decade, and should have been fixed everywhere by now. Vendors that haven't fixed it yet should be subjected to public embarassment, if not litigation.
This is the tough one - being attacked by a large number of completely valid requests. One answer is to impose fairness by source IP address within the server, so that each source IP address gets equal responsiveness. This fix won't stop the problem, but it will slow it down substantially. It's going to take some new development, but the concept is conceptually similar to fair queuing, which I invented long ago. Most of the same issues apply within a server as apply in a congested router.
Implement all this, and the problem will go from being headline news to a minor nusance. Linux network hackers, get going.
I'm not currently doing protocol implementations, but I'd be glad to talk to anybody working actively on the problem. I did substantial work on TCP/IP in its early days, before going on to other things, so I do know what I'm talking about here.