Slashdot Mirror
DDoS Attacks Traced to UCSB, Stanford
michael.creasy writes, "BBC Online reports that the DDoS attacks have been traced to California." The article says there is no evidence that employees or students at Stanford or the University of California at Santa Barbara [UCSB] were connected with the attacks - they were just "zombie" sites - but that the FBI is now zeroing in on California and Oregon as the region from which the attacks most likely originated.
One thing I haven't seen in any news stories or most of the commentaries posted is what specific hosts and operating systems are being compromised. There was the withdrawn story to Computer Currents yesterday which claimed only Linux and Solaris were involved. I find this hard to believe. I've heard anectdotal evidence that Windows machines are the most frequently compromised hosts, via viruses.
If the truth is lurking somewhere in earshot, could it please make itself heard?
What part of "Gestalt" don't you understand?
What part of "gestalt" don't you understand?
The idea of an RBL type system is something I've thought of independently. It seems attractive. Like the UDP and real RBL, it could be a loose affiliation, decentralized, and advisory in nature. No need to bring the government in -- little that it could likely do anyway.
Realistically, what would be required is for a given network gateway to monitor its peer and child connections. Portscanning might not be necessary, depending on the signatures of an attack. A particular peer/child which exhibited behavior indicative of compromised host(s) could be blocked off, with appropriate messages sent to administrative contacts.
At the ISP level, this would include monitoring both individual dialup/fixed IP hosts, and connections to other IP aggregators. A sufficient level of filtering/blocking would act like a circuit breaker -- portions of the net might be slowed or cut off, but global abuses of the sort experienced in the past few weeks would be avoided.
What part of "Gestalt" don't you understand?
What part of "gestalt" don't you understand?
Even if they will find someone, no one will believe them that they got the right people (=> bad publicity for FBI), and no one who would want to repeat this attack would be stopped by that. They can't lock in the cell the knowledge about bugs and DoS tools -- it's already everywhere, and if it wasn't, it could be easily found again, so why waste the money, time and effort on finding some (bad) people if it can be spent by making things invulnerable to them?
Contrary to the popular belief, there indeed is no God.
Why would it be really silly to decrypt it first? Decrpyting it allows it to be distributed to anyone on any media that you choose. It allows it to be used in players that don't respect Region Enconding. Lastly, it allows you to compress it into another format with near perfect results.
Because no other existing media can store this amount of information without either being extremely expensive (hard drives) or slow (tapes), and?
With an encrypted DVD, your limited to making byte for byte copies to another DVD that only play in MPAA blessed DVD players.
For the purpose of piracy it makes no sense because buyers have the same DVDCCA-blessed players -- and copying data for playing on other devices by legal owner of the copy is legitimate use under existing copyright law -- as legitimate as playing it.
Contrary to the popular belief, there indeed is no God.
a) The attackers aren't 100% stupid,
b) That it'd be 100% stupid to launch an attack from a computer you're associated with, on paper,
c) Therefore, the attackers aren't likely to be in Oregon or California.
Where does that leave us? Well, 99.999% of the planet. Though I think we can rule out the oceans. (Not completely, as Navy ships have Internet access, and nobody's entirely certain what dolphins have been up to, given that the US won't sign any environmental acts to protect their food and migratory routes.)
Who are the list of suspects, oh Great and Wonderful Sherlock Holmes, Solver of a Thousand Cases, and Drinker of a Thousand More?
Well, Watson, this leaves the whole of China, Russia, Serbia, Chechnya, Greece, Iraq, Iran, France, Germany, Denmark, Cuba, virtually the entire European Union, every University on the planet, every dissatisfied citizen of the US, every bored cracker on the planet, the Luddite movement, the Internet 2 consortium, the DVD consortium, the RIAA, the MPAA, Microsoft, every company developing anti-DDOS tools, any newspaper in need of better circulation, the US Government (including the FBI), and a pack of crazed ferrits.
My goodness, Mr Holmes! How are the authorities going to work out who did it?
Elementary, my dear Watson! They're going to keep arresting people, without bail or charge, until the attacks stop. And then, so as to not look bad, they'll charge all the innocent people with something else, such as wasting police time and occupying cells without a permit.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
It's the FBI's job to hunt these guys down (maybe, do they have jurisdiction if the attack is launched from another country?) But the media has fixated on the cops and robbers aspect of this story.
If we don't solve the underlying problem this will just keep happening and we'll all be dependent on the FBI to come and save our e-commerce asses.
If you build your house on a cliff made of silt, it is your fault if it slides into the ocean.
DDoS attacks are just one kind of the "forces of nature" you get on the Internet.
Maybe an individual is ultimately responsible for this attack but catching him won't make anyone significantly safer.
EOF
Since no OS (even OpenBSD, as good as they are) is completely impervious to attack, your liability-based solution means everyone on the net has to buy hefty insurance, and the trial lawyers take 1/3 of the cash for every damage award. Sorry, it's the wrong approach.
And what about the Linux newbie with a DSL line and a static IP address? He downloads a distro and pushes the buttons, but the default is an insecure system. Who's liable? The distributor? (You can try to exempt the distributor and say that the newbie is responsible, but no jury's going to buy that -- and the law has to treat Microsoft and Linux vendors equally).
OK, Red Hat can afford it. But Debian has to disband. You've just killed them. The developers can work very hard to be sure they're secure, but can they bet their life savings on it?
There is one thing that should be mandated, possibly by agreement but if that fails, by law. If you operate an ISP and you and your customers are assigned a given segment of IP space, it's trivial to configure your routers so that packets that lie about where they came from (giving a source IP address not in your IP space) can't escape to the rest of the net. It's negligence not to do this. You can make the filtering even tighter, by filtering packets coming from customers (except where there are peering agreements or other arrangements) so they can't spoof the other customers. This kind of filtering is probably going to have to be a legal requirement (or a contractual requirement imposed by the backbone folks on their customers).
actually, you might want to take a closer look at the injunction. EVEN if the only purpose of DeCSS was to watch movies under Linux (this is a paraphrase of part of the injunction) it is still illegal becasue it circumvents barriers to access, which is illegal under the DMCA.
pity, ain't it?
Lea
I work at UC Santa Barbara. For are you little orangutans out there saying the FBI is wasting its time trolling around here at UCSB, well go read the news a little more carefully. The intruder did a sloppy job and didn't clean up on his way out; therefore there may be information worth investigating.
Kevin's qouted in the CNN article:
"Schmidt said the intruder was 'sloppy' in his work and failed to destroy all the logs monitoring activity on the server. "There wasn't a great effort to hide their presence.."
Scroll down to the part that says "Method of attack at UCSB."
It was really odd to see cameras and suits out and about though.
Really, and what can DeCSS do that is illegal?
Finkployd
I've seen DVDs copied. It would be really silly to decrypt it first. That would be like reading a text file off the screen, writing it to a piece of paper, then firing up vi and writing it to a new file on a floppy. It would be a little easier to copy it.
Why not ban pens? Who cared what they were made for, they can be used to copy books for sale on the black market.
The judge and MPAA people are wrong, just as you are.
Finkployd
Finkployd
Lastly, just because there are other ways to thwart their copy protection doesn't mean that one method should be legal.
Then why aren't my VCR, tape player, and CD burner considered illegal? There is nothing illegal about breaking copy protection for your own use. That has been proven time and again in fair use trials. Who's to say I can't make a perfect copy of my own disk if I know how. The illegal thing would be to sell them, and THAT should be punished.
If we banned every item and program that COULD be used for some illegal purpose, we would have NOTHING.
Finkployd
Talk about a complete lack of research-- these guys just made up something that sounded good. According to Kirk McKusick, current copyright holder of the BSD Daemon, the term 'daemon' comes directly from the mythological creatures of the same name responsible for taking care of mundane tasks.
For more detail, see Webster's dictionary, in this case we are looking at variant 2, "an attendant power or spirit". Whether daemons are evil as in "demon" variant 1 depends on whether they are working or not. Some days sendmail definately qualifies as the latter.
Eat more fiber.
(Ask a stupid question...)
Glückwünsche, haben Sie Slashdot ermordet, indem Sie zum korporativen Druck beugten und Subskriptionen einlei
Hmmmm....yes. Portscanning. Then place the results on a PUBLIC, NON-ENCRYPTED, high-profile Web site that port monkeys and script kiddies visit a lot (Slashdot sounds good :) and then allow the 1337 D00DZ HAVE AT EM!!!
:)
Yeah, let's do it!
My journal has hot
The article states, "A university spokesman confirmed that a flood of hacker messages had been sent to CNN's site via one of the servers at the campus."
To the hackers, wherever you are, whoever you are:
Please stop sending 'hacker messages' -- do it for the children.
Why would china want to exspose all of its shells by DoSing a couple of 'dot-com' companies for a few hours? If they were really interested in info-war, I'm sure they'd keep it secret, untill they could actualy use the advantage
[ c h a d o k e r e ]
ReadThe ReflectionEngine, a cyberpunk style n
so does that point the finger back at the gov't again? No sorry, what was I thinking, a government agency lying for political gain, I must be on crack again. Thank god for the CIA!
(google's got the Valentines feeling, how sweet)
+&x
USAToday (dead tree) had quotes from our hero JohnV as well as quotes from /. and some AOL chatrooms. Looks like we're in good company....
+&x
No DDoS attacks are not a kind of force of nature. A force of nature is something that happens on it's own, not something that is initiated by a person.
By the logic you used in the parent to this thread, it would be your fault if somebody was to shoot you dead, because "you could have been wearing a bullet proof vest."
Even though there are problems with the net, act of senseless stupidity are not to be excused because they can be done.
As someone else who was "there" when all this started, I can state the major problem with your theory: the NSF stopped funding the backbone. Sure you'd have the occasional techy running some kind of site across his isdn line or modem, but you would definitely not see the kind of bandwidth that exists today without all the ecommerce to fund it.
Moderator points come in sets of five, not magic moderation rings with an infinite number of wishes. (Unlike the ability of trolls to post.)
Some moderators try to use them mainly for moderating interesting stuff UP, rather than moderating trolls down. If they burn them all on the latter, they don't get to call your attention to important stuff.
Later comments are seen by fewer moderators, and thus less likely to be dinged.
Moderation is done by readers of the already-posted items - not by a hypothetical staff approving or disapproving of postings before they're made. So items following-up an item already moderated down are less likely to be looked at and disapproved, even if the moderator is willing to waste his points on the Nth followup on an off-topic thread.
And moderators can't moderate responses to articles where they've already posted a response. (I, for instance, currently have three moderator points left, and am blowing my ability to use them anywhere in this article by posting this reply.)
So don't look for consistency in moderation. Be greatful you get any benefit from it at all.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Strong authentication all along the data path is what we really need. That won't stop the attacks but it will help point the finger of blame and that can be an excellent incentive to strengthen an organizations security practices.
But strong authentication comes from strong crypto. And strong crypto in the US has been crippled by the US Government's export controls, which remove most of the financial reward for work on it by US programmers. (They can't export their products, so such products can't become a world standard, so they can't become a US standard, so they can't be sold. So the programmers find something else to do, where they CAN make some money.)
And who are the biggest lobbiests against removing those export controls?
The FBI and the NSA.
And why did they want the controls to remain?
So they can read everybody's wiretapped communications (NSA, FBI) and confiscated or copied disks (FBI, NSA).
And maybe so they can install their OWN intrusionware, so they can read it when the traffic hasn't been in the US (NSA, FBI drug warriors) or without having to sieze the computers and tip off those observed (FBI, NSA).
And maybe so they can plant things, disrupt targeted organizations' operations, or play damaging and often fatal "dirty tricks" on those they don't like (as both the FBI and the spook agencies are known to have done in every decade since their inception).
So now their interference with crypto has come home to roost - by leaving the US information infrastructure open to attack, until a large scale attack is under weigh.
Don't they both have charters that say they're supposed to work toward preventing that sort of thing?
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Granted what they pulled off was quite impressive, is it really "hacking" in the true sense of the word?
Loath as I am to give psychopaths any reenforcement...
The trinoo/TFN/stacheldraht tools do show there's some talent under a couple of the black hats.
Some coboys ARE cattle rustlers. Some sailors ARE pirates. And some hackers ARE crackers and/or vandals.
Talent and psychopathy aren't well correlated, so there are a small number of people who have both. About one in a hundred is a psychopath, and that applies to hackers as well as every other group. Some fraction of psychopaths don't learn enlightened self-interest, and so remain amoral and prone to doing great damage to others to obtain minor, short-term benefits to themselves.
Of course, once the tools {and their install tools} are written, it doesn't take brains to install and use them. Just access to the tools and a lack of morals.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
**you** are responsble for what your computer does
Can't handle that? Then get your machine off of the net. This is no different than your kid or one of his friends finding your gun, unsecured laying loose in a drawer, and using it to blow someone away.
It might be argued that having a bulldozer with a lock that can be picked with a hairpin makes you partly to blame when somebody steals it and uses it to knock down a department store. But if you accept that argument...
Who is at fault for the loose security on the bulldozer when all the bulldozers come from each of the handfull of bulldozer factories with such locks, all identical? Must every customer install his own lock? Must every customer become a better locksmith than the experts working at the factories? Shouldn't there at least be something in the manual telling the customers that they need to change the lock?
And who is at fault for the loose security on the bulldozer when the government bans locks that can't be picked with a hairpin?
Let's stick to putting the blame where it belongs: on the criminal.
And let's stick to solving the problem at its sources, which include the government's ban on strong cryptography.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I'd expect that China would hold off on actual use of its intrusionware until it could use it as part of a coordinated effort.
Shooting at someone makes them tend to put on body armor. Making a series of attacks with intrusionware puts a lot of experts to work rendering that particular style of intrusionware unworkable - and making future intrusionware more difficult to write.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Even more disgusting was hearing the TV news quoting antionline as to where the crackers are located .... :-( I guess some people are making money from this
I don't think that they're looking for the actual packet monkeys in California/Oregon, but evidence that will lead them to the real location. By analyzing the logs of the machines used in the attacks they can help narrow down the location of the perps.
However, I doubt they'll have much luck. As has been said, while the machines that were compromised no doubt hold clues to the origin of the attacks, the people involved probably did a good job of covering their tracks. I somehow doubt they just telnetted in from their houses and executed the attacks. Nevertheless, closing in on a point where we know there's been a break-in is simply the best way to start.
I do blame the media for propagating the idea that the perps are in the California/Oregon area, though. This case has shoown just how difficult it is to describe the real way the Internet works to the average person on the street.
How 'bout if the GOVERNMENT goes around port-scanning the machines in the net for exploitable holes, and then requires that those people take their machines off the net until they've got the holes fixed up?
(I know, I know, it would piss off a lot of people, who would complain about government interference - it would be an odd sort of backlash though: "The government wouldn't let me keep my system insecure!")
Maybe you could do something like the RBL system, where you have people cooperatively portscanning the net, reporting machines that they find "open", then trying to get the owners to fix them up (providing advice where necessary), but RBLing them if they don't cooperate?
A News.com article says that the FBI is now looking for a German programmer named, "Mixter" who allegedly wrote the programs that were used in the DoS attacks.
He vehemently denies any involvement with these incidents and does not condone people using his tools for such nefarious purposes. The article goes on to say, "Their[people who write these kind of tools] work is controversial, however, because the programs they write can fall into the wrong hands when posted on the Web." This brings up an interesting point. Since these tools have been written everybody needs to assume that they are already in the wrong hands, and anyone responsible for the security of their networks should be pounding themselves with DoS attempts using these tools, so that they can learn how to protect themselves.
Sig goes here
I've seen DVDs copied. It would be really silly to decrypt it first. That would be like reading a text file off the screen, writing it to a piece of paper, then firing up vi and writing it to a new file on a floppy. It would be a little easier to copy it.
Why would it be really silly to decrypt it first? Decrpyting it allows it to be distributed to anyone on any media that you choose. It allows it to be used in players that don't respect Region Enconding. Lastly, it allows you to compress it into another format with near perfect results. With an encrypted DVD, your limited to making byte for byte copies to another DVD that only play in MPAA blessed DVD players.
Sig goes here
You could just play into a video capture card
But the video would have to be digital to analog converted and than analog to digital converted. This would result in a substantial loss in quality. The movie industry is only concerned about perfect digital copies of their work being freely available.
Sig goes here
Is this a joke??????
Were you being facetious????
How many times does our government have to prove they can't be trusted? Where have you been?
Ignore Alien Orders
It's hard to overload a major site with T3 or more bandwidth coming in just by sending junk packets that don't do anything. Web sites generally have equal bandwidth going in and out, but send far more than they receive. So there's lots of excess inbound capacity. Dropping an inbound packet is a cheap operation.
The problem with SYN floods is that the server resources used are all out of proportion to the message sent. One TCP SYN message with a random IP address chews up a few K of server RAM for tens of seconds, maybe a minute. In some servers, each TCP SYN uses a slot in the pending-connection queue for the socket at which they're aimed, and worse, some servers have only a few such slots. Those servers can be locked up with a very modest attack bandwidth.
There are a few other problems, such as machines dumb enough to reply to ICMP broadcast packets and, even dumber, those that will allow an outsider to get the UDP junk message generator service (which nobody needs turned on) talking to the UDP echo service (which isn't very useful either). But those are out-and-out bugs, for which fixes are known.
Once you plug all the holes which allow small amounts of one-way attack data to use large amounts of server resources, the problem should become manageable.
All this assumes that the number of attacking zombies is in the thousands, not the hundreds of thousands. I agree that if someone takes over enough machines, and aims them all at the same target, it creates more difficult problems. But that's a lot of zombies to run without somebody figuring out who's behind the attack.
John Nagle
Menlo Park, CA
Once you stop SYN flood attacks, and have the fixes in for stupid bugs like the "Ping of death" and IP broadcast packet expansion, everything else that can happen has a reachable IP address associated with it. Those attacks are traceable back at least one level, and you can make them ineffective by imposing some kind of quota system or block based on source IP address at various levels of the server. Web servers like Apache might need to be smartened up a bit so they don't choke when a huge number of requests come in from the same IP address (and that mechanism needs to know about major proxy servers like AOL), but that's not too tough.
The key points to understand are this:
John Nagle / Menlo Park, CA
My understanding is that the FBI's Charter has changed in the last ~5 years, so that they are no longer prohibited from conducting international operations. At the same time, the CIA's Charter was changed, so that they are no longer prohibited from conducting domestic operations.
Although Mongoose raised the point jokingly, it is not such an outlandish idea that NSA may have been involved in this as a fundraising effort. Anyone remember a little incident in Waco, Texas a few years ago...? You know, ATF, FBI, Army National Guard (Delta Force?). There have been, IMHO, credible claims that ATF's beef with Koresh started as a fundraiser. BTW - what in the HELL does the Bureau of Alcohol, Tobacco, and Firearms need OV-10 Broncos for!?
Anyway, while I am all for the concept of 'LAW ENFORCEMENT' (as lbergstr said), I think it is important to ask what law was broken here, who should be enforcing that law, and what methods should they use? Frankly, I would be less concerned about NSA fundraising activities than media stunts aimed at increasing NSA/FBI/CIA's power to intrude into our lives.
I predict Bill Clinton will propose to increase federal law enforcement agencies' power to crack down on 'Cyber-Terrorism' after next week's meeting. Then again, he may simply issue another "classified" executive order...
Question Authority
If appearance and essence were the same thing, there would be no need for science -- Dr. Michio Kaku
Stanford is one of the top CS schools around, they oughta know better. On the other hand, they also probably have one of the best connections. As for UCSB, they were in one of the very first ARPAnet tests back in the 60s, so they should know what they're doing with this stuff, too.
WARNING: there is a trojan on your