Ask Security Guru Dave Dittrich About DDoS Attacks
Yes, this is the University of Washington Dave Dittrich behind the software the FBI is trying to get you to use to help find the people doing the massive DoS attacks that have made headlines all over the place. Learn more about Dave and check out the info about the current brouhaha on his home page, then ask away. We'll send the 10 - 15 highest-moderated questions to Dave Friday evening, and post his answers as soon as he can get them to us in between answering questions from mainstream media types who, as you can imagine, are all over him right now.
To what extent do you believe that the huge amount of media exposure given to these attacks has provided the perpetrators of these offences with both justification and encouragement for their actions? Do you believe that the attacks would have continued were it not for the fact that so much media attention was given to the original attacks upon Yahoo? If media attention is likely to lead to further attacks by either the original perpetrator/s or others, should the media adopt a policy of silence (as, for example, they might have in the wake of the Littleton incident [back in the real world]) or does such information want to be free? What is the value of such attacks, and of the subsequent media attention they garner, as a wake-up call to those who are still unaware of the potential pitfalls of the Internet and e-commerce? --George.
Disregard this post - this is not from VA Linux. This is called FALSE ADVERTISING AND LIBEL.
Yeah, I'm that guy.
I am at Carnegie Mellon University and I have a Linux box that runs two eggdrop bots for a couple of IRC channels. (For those who don't know what they do - they just keep a channel's operators in proper order).
A week or two before Yahoo!, CNN, and other big name companies were hit with this denial of service attack, some people (the same ones??) decided to try and take over one of the channels one of my machine's eggdrop bots runs. The attack lasted approximately 6 hours from beginning until end. When all was said and done, the network usage at Carnegie Mellon was 100% saturated and I received an e-mail in the morning that I had tried to crack a computer in the department of energy services (wherever that is).
Now, the box is usually not under too much of a load, but does have several purposes - it is an FTP server, and a file server (I play my MP3s from it).
All throughout the attack, my box actually held up against the attack! I was able to keep playing my MP3s, I was also able to continue (at a very slow pace however) my FTP transfers.
What I want to know is if MY box (and Carnegie Mellon in general) could stand up to the DDoS attack, why shouldn't Yahoo! and CNN and other huge companies have enough network infrastructure to waylay such an attack? Was it just that my box was hit on a very low scale? Or are corporate networks just not up to snuff?
You should never take life too seriously - You'll never get out of it alive.
Dave, we've seen several reports implicating Solaris and Linux specifically in the DoS attacks, and the tools provided by you and the FBI are aimed at Linux and Linux-like operating systems. Are these OSs representative of the actual clients which are being co-opted as zombies to launch the DoS attacks, or are they merely typical upstream or intermediate systems with sufficiently rich toolsets to allow monitoring and filtering of traffic?
Information I'd heard from someone who'd experienced an attack was that clients were in fact most typically Windows machines -- which makes sense as they are very common and very easily compromised. The compromising code was described as a windows or Java virus time bomb, pre-set to launch against a specified site at a specified time -- somewhat different from the "master" and "slave" scenario described in the trinoo papers. Several copies of the virus have been retained. How does this fit with your experience?
What part of "Gestalt" don't you understand?
Is vulnerability to DDoS-type attacks due to a flaw in the design of TCP or IP, or is the design of a network that's inherently resistant to such attacks an unsolved problem? Is it possible to imagine a fix that would address this, or a protocol that wouldn't be vulnerable even when many machines are compromised?
--
Xenu loves you!
OK, it has been obvious for years that TCP/IP is vulnerable to DoS attacks of all kinds. My question is who do you think has the best chance of fixing the DoS issues, hardware people such as Cisco (router makers) or ethernet chipset makers, or software people like kernel and network driver developers, or is it more of an issue of everyone will just have to work together to take TCP/IP to the next level? ...or is it just an issue of network admins need to learn how to apply existing technologies effectively to keep the skript kiddies under control?
I can think of several ways in which these may be illegal.
First of all, simply taking down a web site costs a company a huge amount. These web sites are the places where these companies conduct commerce. If they are not online they are losing money.
Second, I can see this as being a form of racketeering. I'm not sure how the law is written, but I can see them being hit under the RICO laws that were meant to hit the mob. They are using an interstate attack to stop a legit biz.
Third, stock fraud. Imagine that the people who did this took a short position on stock in Yahoo, then slammed the server; the stock goes down and they make a fortune. It does not take a big movement of the market to make (or lose) a lot of money for a lot of people. And this is definitely insider trading.
I'm sure the FBI and the DOJ will find a few others too. I hope they nail whomever did this one to the wall.
While you've done an excellent job analyzing the various DDoS tools, one thing I think we all realize about DoS tools is that, as time passes, we *are* going to lose the ability to detect whether a packet is fully legitimate or if it contains a covertly channeled service denial command.
What's more insidious is that I don't think we're going to even be able to determine the nature of an attack in progress. Given enough compromised clients, it's more than conceivable that enough pseudo-browsers surfing at a humanistic rate could take down highly database-driven sites, not to even mention overload the maximum number of streams a multimedia site can supply. Such an attack would only reflect itself as the attack of the Window Shopping Hordes (http://slashdot.org/comments.pl?sid=00/02/08/1338245&cid=60)--people who search for everything but buy...nothing at all.
If we won't always be able to detect the initiation of these attacks, and we won't always be able to detect the commencement of these attacks, would it be fair to say that the only moderately reliable fingerprint of a looming attack is the single packet or set of packets that compromised the OS into loading the attack daemon in the first place?
If so, how can we use such fingerprints to our advantage? Should arbitrary core routers initiate tracer logs and NOC notification when large scale OS compromise fingerprints are detected?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
That requires holding massive amounts of memory to hold all the information about which packets are going where, how many, etc.
Nope, Sig. You need stateful analysis when you cross the single packet barrier--for example, when the presence of an outgoing SYN creates a temporary tunnel through the firewall for an incoming ACK of a given Port/ISN+1.
It's just a comparison of the 32 bit Source Address with the 32 bit Network Address of the physical interface. That kinda thing doesn't even require Store And Forward...it's one or two AND ops. Where you start getting problems is when you have a layer or two of peered networks...but how many universities route packets for each other?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
How viable would spoof protection at the backbone level be? In other words, after a certain date, all downstream links are categorized as either able to peer for other network blocks, or simply not. Admins who can't be bothered to spoof-protect their networks would get IP source ranges outside their IANA assigned IP block dropped at their first upstream provider; sites which need to maintain peering relationships thus have their direct motivation (their backup networks will cease to function) to specifically lock down their peer forwarding to only those IP ranges they're actually peered with.
Yes, you obviously get problems as peering scenarios get traveling-salesman levels of complexity, but most sites (to my knowledge) don't exceed more than a few levels of peering--we should take advantage of this fact to enforce a top down elimination of infinite source spoofability? And, if so, would the precedent that this creates help or hinder the growth and freedom of the Internet?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
A switch functions by only analyzing the raw ethernet (or mac) address.
Not necessarily, anymore. L3 Switching and even L4 Switching is quite hot nowadays. Matching bits and ANDing them--that's what switches do, and that's what IP Interface checking does. L3 and L4 switches essentially match more bits in their quest to do better and more accurate QoS. I'm not absolutely sure if Cisco's switches will do the IP range checking, but I wouldn't be surprised if they did it in hardware. Sig, it's a cheap operation.
> A router works at a higher level, and CAN do
> stateful analysis... but for speed you really
> shouldn't - that's what the firewall is for.
> Firewalling the backbones would be... umm..
> very bad.
For cryin' out loud, this has NOTHING to do with State. Either I'm sending out a packet on a bogus source, or I'm not. This contrasts *heavily* against "Firewall receives an ACK packet--is it spoofed, or is it a response to a pre-existing SYN? Better check the state..."
I'm not talking about firewalling the backbones, only the entry points. And what the hell do you think Yahoo screamed at their ISPs to do when lots of traffic was coming down the pipe that had nothing to do with the Web? "KILL EVERYTHING BUT PORT 80!"
That's not firewalling the backbones. That's managing the access points.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
I'm currently looking for a job and I am very interested in the security side of System Administration. My question: Could you give a SysAdmin wanna-be some helpful advice, ideas, suggestions, etc. concerning career path? In my particular case, I don't have a CS or MIS degree (Liberal Arts actually) and about a year and a half of experience as an operator. I'm a Linux user and read O'Reilly books aplenty. Any advice would be greatly appreciated.
----------------
"Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
Not only that, but some of us can't run it even if we wanted to (and without source, I wouldn't want to anyway). Where's my Linux/Sparc executable? What about one for my DGUX/m88k machine? The internet is not just Linux/x86 and Solaris.
"The invisible and the non-existent look very much alike." -- Delos B. McKown
I'm no IPv6 expert, but as I understand it, space is reserved for this information in an IPv6 packet, but it's not mandatory to fill it, it's only recommended. Maybe someone who knows more about IPv6 can confirm this?
This question might be seen as a troll, but it is not.
Why do you want to help the FBI, Dave?
The FBI is an apparatus for the Big Brother, the same Big Brother which has taken away so many of our basic rights, and the same Big Brother which has done a lot to limit our rights online!
Why are you helping the FBI, Dave?
What do you think about setting up an ongoing distributed scanning effort, to identify compromisable machines, and to get the owners to lock them down?
I would like your opinion both on whether this is doable and whether it would likely prove useful.
Thanks,
Ben
Why should businesses and individuals trust the government?
As a business, why should it try to help the FBI? I've seen and heard about "busts" which leave a company high and dry. As a business, I wouldn't want something like what happened to Steve Jackson Games happen to me. If you want the support of both businesses and individuals.. what are you doing to assure them that you won't use heavy-handed tactics like stealing their computers or data? More institutions would come forward with their logfiles and information if they knew the FBI could be a) trusted with that information (there has been rumor that agencies like the NSA give out trade-secrets to shut down competing industry) and b) would not conduct an investigation of a scale or type which would interfere with normal business operations. I don't want to hear about how "illegal" such operations are.. I want to know who's accountable when such abuses are made, what procedures are in place to deal with such a contingency, and how effective these measures are.
If you want to help national security - drop the pretenses and be honest with us.
Doesn't have be a "Yahoo! competitor" -- it can be some lamer day trader with a short position on his ETrade account.
You write:
But is that really true? If every router refused to pass packets that clearly lie about their origin, IP spoofing would be a lot harder to do.
If we could conclusively determine that the attack originated from within, say, Iraq, we would ask Baghdad to prosecute and we'd give them the tools to do so. If they refused, or denied, we could conceivably label that harboring a terrorist, and take retaliatory/defensive action.
Of course, I have a very hard time imagining the Clinton Administration taking any kind of for-real action against terrorists. Remember his Great Crusade Against Terrorism in 1998? The one that coincided with impeachment, and dropped off radar in February 1999?
Is collateral damage a concern? I mean, if a site like Yahoo! is hit with a gigabit of data per second, won't that take up a lot of the bandwidth between the DoS clients and the target?
Or are these sites so close to the Internet backbone that the additional traffic is localized?
I know you're not a shrink or a sociologist, but I'm still very interested in your opinion: What is it about these smurf attacks that the people find so fascinating, or horrible? Do they really pose that serious a threat to network security? Why do the media find it fascinating?
BTW, the DDoS scanner is a nice hack. Thanks for releasing the source!
In Quake, bots can be used to aim and fire weapons, and they're deadly efficient. How do you tell the difference between an exceptional human and a standard aiming bot?
With the schemes that pay you to surf, they try to make sure that someone is actually at the computer being exposed to the ads. They do this by monitoring mouse and keyboard activity. They claim to be able to detect bots, but I recall a quote from one CompSci professor who said that he'd fail any of his students that couldn't produce an undetectable bot.
In the real world, you can tell that a traffic jam is artificial when you see the truck parked across the road, but how do you detect a DDoS attack with a low probability of false positives (or false negatives)?
What solutions, suggestions and advice can you offer people designing network systems and technologies to defend against DoS attacks? On what level should this be handled (IP, Application)? How can writers of new protocols (like ip6), servers (like Apache) and operating systems (like BSD or Linux) deal with this?
What do you have to say to the idea that this could be a DoS attack launched by computers infected with a Robert T. Morris-style worm? Would it be possible to launch something like this and have it and its probes remain undetected until a date where it will launch a synchronized DoS?
I saw this evening on CNN that the FBI has enlisted the help of none other than Antionline, in its search for the perpetrators of the DoS attacks. What is your opinion, regarding this decision? How does this reflect upon the FBI's ability to investigate cybercrimes?
The tools for detection, and your explanations of the clients are great, but could the community get a chance to see some of the logfiles of the floods? You want this fixed real fast, post a few of those and let the brainpower of all the whitehat hackers loose on the problem.
It is nearly a mantra among us that there is no security through obscurity. It would seem that with a sufficient number of us too lazy or too ignorant to secure our own machines that there is possibly no security through openness either. Do you think that the open research model that Mixter, Farmer and others have always advanced as a reason for releasing their tools is still justified?
I think one of the biggest issues will be identifying Denial of Service as an attack. I have a legitimate load testing utility that simulates actual browser traffic. Say I run it against someone else's site. They'll see that a lot of traffic's coming from me, and eventually figure out it's bogus and take appropriate measures. But distribute this, and it'll look like actual traffic. Get enough friends doing it, and we take 'em down with what appears to be perfectly normal browsing.
The analogy to the "real" world is roads and bridges. During normal hours, they run well. During rush hour, they clog up and perform poorly. And during a demonstration (like recent examples in Seattle and Miami), they clog up and perform poorly. You can consider the recent anti-WTO situation up in Seattle to have been a DoS attack on downtown. But you wouldn't consider gridlock at 5:30PM in Los Angeles to be a DoS attack.
To solve these problems, you have to know what's causing it. If it's just normal traffic and the infrastructure is insufficient, it gets ignored until people get fed up enough to vote more tax money into building wider roads or better public transportation (again, analogous to buying more servers or a fatter pipe). If it's demonstrators, you either address their concerns or you send in the National Guard to beat the crap out of them (depending on the political climate).
In this world, it's easier to differentiate the two situations. If a bunch of cars are jammed together at rush hour, you know it's a traffic problem. If it's crowds of people singing songs and holding signs, you know it's a demonstration. And if it's a possible sick-out at Northwest Airlines, you're not sure if it's a DoS or not, so you get a warrant to read their home email and find out.
With computer protocols, though, usage and abuse can look identical. Even wild surges in activity can be from legitimate usage. How do you foresee systems being put in place that can differentiate between actual usage and DoS? Doesn't this almost inevitably lead to some non-forge-able, traceable, unique identifier? And doesn't this translate to the demise of privacy on the web?
Eloi, Eloi, lema sabachtani?
www.fogbound.net
Given that this attack could be originated by someone in Europe or Asia, what sense is there in the FBI getting so involved? How will they handle the matter if it turns out that the cracker is in Libya, or Iran or Iraq? What if he's in China? What good does it do to try to track the cracker down, when a more productive effort would be to increase security awareness, and get people to configure their equipment properly?
Hey Rob, Thanks for that tarball!
"Going to war without France is like going deer hunting without your accordion." - Jed Babbin
People who don't know how to drive should stay off the road. Most people feel that way.
The Internet is being marketed like eye candy and everyone, I repeat EVERYONE, wants everyone to get on the "NET". These newbies and MCSE dime-a-dozen sysadmins are setting up the whole net for a big crash. There is NO WAY to protect the stupid and lazy from crackers. Every day there is more fresh meat for the crackers to exploit. Secure 3 systems and 20 more hit the net for the first time. I have scanned my subnet on RR and I have found people with their systems wide OPEN; I could have printed on their printers, for Christ's sake.
This issue is about locking down systems connected to the net. That is where the whole problem started. The best admin can't be expected to keep up with all exploits on all of his systems all the time, but he should have these Internet-facing systems LOCKED DOWN and a good firewalling/auditing plan in place to help him out.
If we can't get admins with big pipes and big iron to keep the lid on their systems, how in the world do you think Joe PIII 750 with a DSL is going to fare?
A persistent Internet connection is not a toy. People should have to take a class before they are given such a powerful weapon. People have had to take driving tests for years and everyone is better off for it. I wager that I could cause more damage with my computer than with any type of motor vehicle any day; of course nobody would get killed, but we seem to have even put a price tag on that as well.
I was going to make an observation along these lines, only with respect to network hardware manufacturers (Nortel, Cisco, Lucent et al.). Their end-user connectivity products (as opposed to backbone products) should not be forwarding spoofable-origin packets to the Internet BY DEFAULT. This would not be unduly burdensome to implement in software or hardware, although of course getting upgrades out to everybody is still an issue. Unfortunately, it seems the old distinctions of bridge vs. router vs. switch vs. gateway have all but disappeared these days in the rush to hook everything to the net....
#include "disclaim.h"
"All the best people in life seem to like LINUX." - Steve Wozniak
Most network-savvy folks know that IPv4 was never designed for the hostile environment that the Internet has become.
For the Slashdot community: Is now the time to start pushing IPv6 to the World At Large, since IPv4 now has two large weaknesses (spoofing and small address space)? And what would you say to convince them, or to unconvince Slashdot readers?
As you respond to this question, could you please reply in a fashion such that on-looking journalists can quote you to the general public?
Perhaps you're not exactly the perfect person to answer this question, but it seems to me that many companies claim outlandishly large costs of "damage" running in the millions and hundreds of millions, when these things occur. In your opinion, are these claims justified, or are they just scare tactics?
(I know sites like eBay and Amazon, for example, do a lot of business, but really, millions of dollars lost? If I really wanted to buy the book, I could wait three hours till the site was back up, and they wouldn't lose any money. Where do these numbers come from?)
I believe there's some law about real-life protesting... you're allowed to stand in front of a building and protest, as long as you don't prevent customers from getting into the building. I assume that it's not a huge stretch to extend that law to the 'net.
- Understand the problem well enough
- Spot good solutions if they come along
Slashdot generally seems to feel that the government doesn't have a clue about tech issues, but the NSA has had its moments of brilliance in the past. DDoS attacks ARE a problem. I could imagine that they could serve as terrorist/psychological attacks in time of war. Because the computers that are doing the actual DoS attacks could be within the country being attacked, the attacks would be nearly impossible to stop at the borders.
TCP already includes `niceness' tests checking that TCP flows back off correctly rather than flooding the network, at the pain of being blacklisted. Could similar traffic analysis tools stop DDoS? How might this work, or if not, why not?
Why should I as the average net citizen and as a citizen of the United States care that sites are being taken down[?]
Because it cost the targets a lot of money. And they'll have to make that up. So their prices will go up to make it back. Which means their competitors don't have to cut prices as hard. And Joe Random Consumer ends up footing the bill.
And that's YOU, friend.
And meanwhile, the law enforcement people will spend a lot more money hunting down and prosecuting the perpetrators. Paid for by YOUR tax money. And so your taxes go up, or your other services go down. Bucks out of your pocket again, or inconvenience because your road wasn't fixed or whatever.
And sysadmins at ISPs and thousands of sites all over the internet will spend a bunch of time thrashing around over the issue. They don't work for free. Cost of internet service goes up - or doesn't go down as fast. That gets folded into the price of everything the ISP's customers sell, and into your internet bill. Meanwhile you don't get other fixes as fast.
I could go on.
But there's a silver lining:
The digital anarchy will start patching this set of holes. This kind of DoS attack will get harder, and an unmodified version may become impossible. The net will be more robust.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Do we classify the engineers of these DOS attacks as Script Kiddies or Cyber Terrorists? And does the fact that they have only attacked big, commercial sites make them criminal losers or heroic vigilantes protesting the commercialization of the 'net?
Further, _if_ it is a protest, does it make it any less wrong? Let us assume for a second that a group calling themselves the "Anti-Open Source Brigade" started shutting down Slashdot regularly, out of the sincere political conviction that Open Source was really a terrible evil? Forget that their logic may be flawed; these are a group of committed, idealistic young men who knock Slashdot off-line quite successfully for hundreds of hours during a two month period. And not just Slashdot: Freshmeat goes down, and all of the Andover sites, and Redhat, and every important Open Source proponent site on the 'net? Is it okay because their motives were pure?
Lastly: if this were MS going down, how many cries of jubilation would we be hearing on Slashdot? And would it make us hypocrites?
Short-term, your tools help act as "virus-checker" type solutions. In terms of long-term solutions for DoS+spoofing attacks, the main one I've seen proposed is to convince all ISPs to filter their outbound traffic to prevent outbound spoofing of packets claiming to come from other networks.
Given that IP spoofing is a fundamental flaw in IPv4, does this rise of spoofing-abetted DoS attacks increase the potential value of moving networks to IPv6 (with its per-packet authentication headers)? What solution would be best from your point of view?
--LP
On point three, you don't seem to get it. You can't put fake info in their IPv6 packets without detection (and discard) being possible at each router in the network thanks to the authentication header (which acts like a digital signature.) IP spoofing can't be detected at the packet level unless you can make sufficient assumptions about the ever-changing network and program them into each of your routers.
And back to point two, tracking compromised systems is a huge benefit since it A) speeds up the time to shut down/notify offending sites *much* more rapidly, even if they were hacked, and B) makes things much riskier for the hackers attempting to carry out such attacks.
--LinuxParanoid
With all the WAY inaccurate information in the previous article about the recent DoS attacks (and in the news) and such I'm glad to see /. is going to someone who has some good info and is involved in the whole deal. YAY /. for maybe even raising the bar for the media elsewhere.
Mega dittos. To use a phrase I don't often admit to.
As part of the wild life and as a lover of the wilderness, I'm so glad to see a post here without the anarchist-paranoid party line. Without the general public's support, both direct and indirect (through firms they patronize as well as through policies adopted by the government), there would probably have been no Internet and certainly there would have been no world wide web.
If people with good to excellent understanding ignore these net reliability issues, then people of little to no understanding will deal with them. Perhaps ending privacy and anonymity as we know it.
Personally I suspect that securing 10,000 networks belonging to corporations, universities, and others with big fat pipes would go a LONG ways to denying the average script kiddie any base for these DDoS attacks.
We're entirely unworried about someone breaking into your machines and trojanning the code you're distributing. That's what md5 checksums are for, and that's why everyone uses them.
What we're concerned with is the fact that you want us to run precompiled code. We don't know what this code does, because you won't release the source to it. We don't trust your assurances that it does what you advertise, and we're not about to potentially compromise our machines by installing government software on them.
What are you hiding? Surely you know that if someone really wants to get around your scanner, they'll take the time to disassemble it and figure out how they're being scanned. The average person responsible for doing actual work, however, doesn't have that type of time at his disposal; Joe Sysadmin is going to laugh at your attempts to get him to run untrusted software.
Considering that the targets of these attacks have been large corporations and such I ask this.
Why should I as the average net citizen and as a citizen of the United States care that sites are being taken down? And since the FBI is involved, does this mean this is a serious matter?
Slashdot social engineering at its finest
But I have perfectly functioning DSL, so I sold my modem and can't dial up anymore. What would I do then?
For how much? A couple of bucks? I am sorry, if you can afford DSL I don't think you're hurting, and if you can access E-trade I would especially say you're not hurting at all.
I have access to only a 2400bps modem at home; does that mean that it is a crime if I don't have a local number for a BBS to E-trade? When you get some technology you become dependent on it. When you chose to live 50 miles from work and relied on your car and it dies, do you feel cheated?
I say you made the choice now live with it.
Couldn't this whole problem be obviated by having ISPs modify their routers not to allow packets out that don't have a legal source address? If you're FlashTechComNet, and your entire network is under the address (say) 127.0.x.x, then if you just make your routers drop outgoing packets that have source addresses not in that netmask, doesn't that prevent this kind of thing? Obviously you can still try and flood someone, but you're going to have to be using IPs from that subnet, which makes you much easier to catch.
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
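As an added example that is not part of any post here, the following Python models the egress (anti-spoofing) filter proposed in this thread: a customer link may only originate packets whose source falls in its assigned block, a link declared as carrying transit for a peer may also originate that peer's block, and the check is a single mask-and-compare per packet with no connection state. All prefixes, link names and packets are constructed sample values.

```python
"""Stateless source-address filter for a provider edge link (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


def cidr_to_net_mask(cidr: str) -> tuple[int, int]:
    """Turn 'a.b.c.d/n' into (network, netmask) as 32-bit integers."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return int(net.network_address), int(net.netmask)


def in_prefix(addr: int, network: int, mask: int) -> bool:
    """One AND and one compare: the operation a switch can do in hardware."""
    return (addr & mask) == network


@dataclass
class EdgeLink:
    """A downstream link and the source prefixes it is permitted to originate."""
    name: str
    allowed: list[tuple[int, int]] = field(default_factory=list)

    @classmethod
    def from_cidrs(cls, name: str, *cidrs: str) -> EdgeLink:
        return cls(name, [cidr_to_net_mask(c) for c in cidrs])

    def permits(self, src: str) -> bool:
        addr = int(ipaddress.IPv4Address(src))
        return any(in_prefix(addr, n, m) for n, m in self.allowed)


def egress_verdict(link: EdgeLink, src: str) -> str:
    """'forward' if the link may legitimately use this source, else 'drop'."""
    return "forward" if link.permits(src) else "drop"


def filter_packets(link: EdgeLink, packets: list[tuple[str, str]]) -> dict:
    """Apply the filter to (src, dst) pairs; return a count and the dropped sources."""
    forwarded, dropped = 0, []
    for src, _dst in packets:
        if egress_verdict(link, src) == "forward":
            forwarded += 1
        else:
            dropped.append(src)
    return {"forwarded": forwarded, "dropped": dropped}


# Constructed topology (RFC 5737 documentation ranges): customer-A holds only
# 192.0.2.0/24; customer-B holds 203.0.113.0/25 and is declared as backup
# transit for a peer's 198.51.100.0/24, so it is in the "may peer for other
# blocks" category and its filter is wider.
CUSTOMER_A = EdgeLink.from_cidrs("customer-A", "192.0.2.0/24")
CUSTOMER_B = EdgeLink.from_cidrs("customer-B", "203.0.113.0/25", "198.51.100.0/24")

# Constructed sample of outbound packets seen on customer-A's link during a flood.
TARGET = "203.0.113.200"
SAMPLE_A = [
    ("192.0.2.44", TARGET),     # genuine source, forwarded
    ("203.0.113.7", TARGET),    # forged source outside the block, dropped
    ("198.51.100.9", TARGET),   # peer's block, but A is not declared as its transit: dropped
    ("192.0.2.250", TARGET),    # forged but inside the block: forwarded, yet now traceable to A
]

if __name__ == "__main__":
    print(CUSTOMER_A.name, filter_packets(CUSTOMER_A, SAMPLE_A))
    for src in ("198.51.100.9", "192.0.2.44"):
        print(CUSTOMER_B.name, src, egress_verdict(CUSTOMER_B, src))
```

The last sample packet shows the limit the thread itself points out: a filter at the first upstream cannot tell a forged source inside the customer's own block from a real one, it only narrows where the flood can come from.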
Are these attacks really illegal? Are companies really losing money? I see this as a form of protest (possibly) and if you were going to buy a CD from Amazon and it was down...you could always come back later or go somewhere else. So what type of individual(s) do you think are responsible...perhaps a profile?
Isn't the intersection of the sets:
- Clueless enough to allow massive DoS out of their network.
- Yet likely to install this detector.
pretty darn small?
Shut up, be happy. The conveniences you demanded are now mandatory. -- Jello Biafra
- ISP companies, campus security, and companies that have connected all their machines to the internet tend not to have a good understanding of security.
- Those that don't have a good understanding take a dim view of their customers that do.
- It seems like the average security expert is a former "criminal hacker type" (mediaspace: a perception of reality defined by the media)
What is our best hope for getting out of the dark ages of computer security anytime soon?
It strikes me as insanely easy to propagate this type of flood attack using a virus with this little dealie as part of the payload. If the virus kept track of the IP addresses of the machines it tried to infect it could be quite deadly. (Send command to ping target IP to all possibly infected IP addresses using forged information, then ping target IP.) The worst part is that the system could get recursive. (Machine X knows that it tried to infect machine Y. Machine Y knows that it tried to infect machine X. Commands bounce back and forth between them. Ouch.) And tracing that one back would be close to impossible...
There seems to be several solutions floating around, mostly smart routers that track valid traffic and MAC addresses.
Would changing to IPv6 help eliminate these types of attacks? From what I read of the specs on IPv6, all the data needed to track a packet from destination right down to the MAC address is included in the packet.
Thanks.
"History doesn't repeat itself, but it does rhyme." Mark Twain
With the increasing popularity of broadband, always-on connections and the increasing distribution of networking software, it seems like "Joe DSL" faces a greater risk of having his system compromised than before. How much can the average user be expected to learn about securing their system? Do you foresee developments, either in software, education or in other services that might help private computer users or small time administrators protect themselves better?