Slashdot Mirror
DDoS Attacks Traced to UCSB, Stanford
michael.creasy writes, "BBC Online reports that the DDoS attacks have been traced to California." The article says there is no evidence that employees or students at Stanford or the University of California at Santa Barbara [UCSB] were connected with the attacks - they were just "zombie" sites - but that the FBI is now zeroing in on California and Oregon as the region from which the attacks most likely originated.
a) The attackers aren't 100% stupid,
b) That it'd be 100% stupid to launch an attack from a computer you're associated with, on paper,
c) Therefore, the attackers aren't likely to be in Oregon or California.
Where does that leave us? Well, 99.999% of the planet. Though I think we can rule out the oceans. (Not completely, as Navy ships have Internet access, and nobody's entirely certain what dolphins have been up to, given that the US won't sign any environmental acts to protect their food and migratory routes.)
Who are the list of suspects, oh Great and Wonderful Sherlock Holmes, Solver of a Thousand Cases, and Drinker of a Thousand More?
Well, Watson, this leaves the whole of China, Russia, Serbia, Chechnya, Greece, Iraq, Iran, France, Germany, Denmark, Cuba, virtually the entire European Union, every University on the planet, every dissatisfied citizen of the US, every bored cracker on the planet, the Luddite movement, the Internet 2 consortium, the DVD consortium, the RIAA, the MPAA, Microsoft, every company developing anti-DDOS tools, any newspaper in need of better circulation, the US Government (including the FBI), and a pack of crazed ferrits.
My goodness, Mr Holmes! How are the authorities going to work out who did it?
Elementary, my dear Watson! They're going to keep arresting people, without bail or charge, until the attacks stop. And then, so as to not look bad, they'll charge all the innocent people with something else, such as wasting police time and occupying cells without a permit.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I work at UC Santa Barbara. For are you little orangutans out there saying the FBI is wasting its time trolling around here at UCSB, well go read the news a little more carefully. The intruder did a sloppy job and didn't clean up on his way out; therefore there may be information worth investigating.
Kevin's qouted in the CNN article:
"Schmidt said the intruder was 'sloppy' in his work and failed to destroy all the logs monitoring activity on the server. "There wasn't a great effort to hide their presence.."
Scroll down to the part that says "Method of attack at UCSB."
It was really odd to see cameras and suits out and about though.
Talk about a complete lack of research-- these guys just made up something that sounded good. According to Kirk McKusick, current copyright holder of the BSD Daemon, the term 'daemon' comes directly from the mythological creatures of the same name responsible for taking care of mundane tasks.
For more detail, see Webster's dictionary, in this case we are looking at variant 2, "an attendant power or spirit". Whether daemons are evil as in "demon" variant 1 depends on whether they are working or not. Some days sendmail definately qualifies as the latter.
It's hard to overload a major site with T3 or more bandwidth coming in just by sending junk packets that don't do anything. Web sites generally have equal bandwidth going in and out, but send far more than they receive. So there's lots of excess inbound capacity. Dropping an inbound packet is a cheap operation.
The problem with SYN floods is that the server resources used are all out of proportion to the message sent. One TCP SYN message with a random IP address chews up a few K of server RAM for tens of seconds, maybe a minute. In some servers, each TCP SYN uses a slot in the pending-connection queue for the socket at which they're aimed, and worse, some servers have only a few such slots. Those servers can be locked up with a very modest attack bandwidth.
There are a few other problems, such as machines dumb enough to reply to ICMP broadcast packets and, even dumber, those that will allow an outsider to get the UDP junk message generator service (which nobody needs turned on) talking to the UDP echo service (which isn't very useful either). But those are out-and-out bugs, for which fixes are known.
Once you plug all the holes which allow small amounts of one-way attack data to use large amounts of server resources, the problem should become manageable.
All this assumes that the number of attacking zombies is in the thousands, not the hundreds of thousands. I agree that if someone takes over enough machines, and aims them all at the same target, it creates more difficult problems. But that's a lot of zombies to run without somebody figuring out who's behind the attack.
John Nagle
Menlo Park, CA
Once you stop SYN flood attacks, and have the fixes in for stupid bugs like the "Ping of death" and IP broadcast packet expansion, everything else that can happen has a reachable IP address associated with it. Those attacks are traceable back at least one level, and you can make them ineffective by imposing some kind of quota system or block based on source IP address at various levels of the server. Web servers like Apache might need to be smartened up a bit so they don't choke when a huge number of requests come in from the same IP address (and that mechanism needs to know about major proxy servers like AOL), but that's not too tough.
The key points to understand are this:
John Nagle / Menlo Park, CA