Mixter Speaks About the Latest DDoS
ochinko writes, "This is an interview with the German programmer who wrote TFN and TFN2K. Basically he says that it's quite easy to launch such attacks but extremely difficult, if not impossible, for the initiators to be tracked." Suck.com has a pretty good article on the attacks, as well. Maybe I should take credit for the DDoS attacks and become an international superstar.
There is more than a hint of ego in this guy's work (if indeed it was him); by putting it in a public forum (albeit for good reasons) he knew that people were going to abuse his creation.
Maybe he should have let the relevant people know about the problem before putting the code in the public domain.
In many ways I suspect he wanted an attack to vindicate himself, show off his skills whilst remaining on the side of the light and generally bask in the publicity...
Working for the (other) man
Does anyone but me see the goal behind these attacks? Think of the names... CNN (owned by Time/Warner), Etoys (obvious), Yahoo (corporatism ruined a once great story) etc.. all the targets are huge corporations that believed they were more powerful than the "hackers" and believe themselves above morality. Perhaps this will catch their attention... Maybe things like the Fox flash page, frivolous lawsuits, etc. will be diminished. Or not ;) I'm not saying this kind of behavior should be encouraged, or if it is even acceptable... it IS very poor advocacy. I'm just saying, I think I know where these guys are coming from... I'm practically there myself. In fact, I think a lot of us are.
I don't want to paint Mixter in the same light as the script kiddies who launched the attack. However, it is ludicrous to compare his DoS programs with the likes of, what I would call, "true" security professionals (e.g. cDc, l0pht, Solar Designer, etc.). What he did was make a bigger, better, and badder-ass gun for the script kiddies. The monkeys could have flooded major sites before Mixter made his presence felt. Mixter merely made it easier for the monkeys, both to execute and to get away with.
No rational and reasonably intelligent person would have denied the possibility of this "security problem". The vulnerability to flooding isn't a security flaw per se that could just be patched if the victims were a little more aware. Unlike l0pht (et al.), he isn't putting pressure on the manufacturers and vendors by releasing his code.
That being said, Mixter didn't do these attacks. He isn't evil, and I have a certain amount of respect for him. I do have problem, though, with portraying his creation of these DoS programs as being intrinsically good, nevermind his motives.
Ok, I know who did it. It was my cousin's sister's broker's dealer's aunt's friend who told me that they knew a guy who happened to have the next ASN up from this girl who once exchanged email with a cypherpunk who was loosely referred to in Cryptonomicon, which was secretly a true story about this guy who towed my car for me.... um, where was I?
;-)
Oh yeah, Hemos did it.
This is from the suck.com article:
But the people who truly deserve the blame for the public's hours-long inability to swap "Steam Engine" jackknives on eBay are the short-sighted, tight-fisted monkeys who managed to build a multi-billion dollar industry on an insecure networking system, something so fragile that it can be brought to its knees by anyone willing to bother. The fact that a target as big and fat as Yahoo is fundamentally vulnerable to something as simple as a DoS attack is a clear invitation to go right ahead and shut them down.
Whoa, that's pretty intense there. They also go on to say that since vandalism is inevitable, it's up to the people who will be vandalized to protect themselves. I agree to a good extent.
My question is this: How can you properly protect against many DoS attacks? Once so many requests come in from one IP, you block that IP? I can see problems there, such as if many customers through one ISP go through a cachebox. The way I see it, stopping this is just as hard as stopping the slashdot effect. What types of protections are there concerning router-level protection?
thanks..
PS - I know that packets coming from our ISP cannot be spoofed due to our routers, so if my box (soul.apk.net) caught wind of the problem, nothing would be allowed out anyway. However, I don't think it's always our job to do the security for outgoing traffic.
- Mike Roberto
-- roberto@apk.net
--- AOL IM: MicroBerto
Berto
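The two ideas in Mike's post, routers that refuse to let spoofed source addresses out of the ISP's network and a per-IP request threshold that misfires behind a shared cache box, as an added example that is not part of the original thread. The prefixes and packet records are constructed sample data; the ISP-side rule is the standard egress (BCP38-style) source-address check.

```python
"""Added example: egress anti-spoofing check plus a naive per-source-IP
counter, showing why blocking "one IP" can hit a whole cache box.
All prefixes and packets below are constructed sample data."""
import ipaddress
from collections import Counter

# Constructed: address blocks assumed to be assigned to the ISP's customers.
ASSIGNED_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def egress_permitted(src_ip: str) -> bool:
    """Egress rule: a packet may leave the ISP only if its source address
    lies inside a prefix the ISP actually assigns. Anything else is spoofed
    or misrouted and is dropped at the border."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ASSIGNED_PREFIXES)


def filter_egress(packets):
    """Split outgoing packets into (forwarded, dropped_as_spoofed)."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if egress_permitted(pkt["src"]) else dropped).append(pkt)
    return forwarded, dropped


def sources_over_threshold(packets, threshold):
    """Naive per-source-IP limiter: returns the addresses that sent more
    than `threshold` packets. Every client behind one cache/proxy box
    shares a single source address, so they are all counted as one sender
    and would all be blocked together (the false positive Mike describes)."""
    counts = Counter(p["src"] for p in packets)
    return {ip for ip, n in counts.items() if n > threshold}


# Constructed sample: 3 packets from a shared cache box, 1 from a home
# user, 1 carrying a source address the ISP does not own (spoofed).
SAMPLE = [
    {"src": "192.0.2.10", "dst": "203.0.113.5"},    # shared cache box
    {"src": "192.0.2.10", "dst": "203.0.113.5"},
    {"src": "192.0.2.10", "dst": "203.0.113.5"},
    {"src": "198.51.100.7", "dst": "203.0.113.5"},  # single home user
    {"src": "203.0.113.99", "dst": "203.0.113.5"},  # spoofed source
]

if __name__ == "__main__":
    fwd, drp = filter_egress(SAMPLE)
    print("forwarded:", len(fwd), "dropped as spoofed:", len(drp))
    print("over threshold 2:", sources_over_threshold(fwd, 2))
```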
There are basically two problems: a huge number of machines vulnerable to off-the-shelf attacks, and the difficulty of detecting packet storms with phony source addresses. Both of these are fixable, but not trivially.
One way to address the first problem is to have a certain percentage of machines set up by default to detect and immediately report break-in attempts. This will detect large-scale attacks, and will trace them back one level. Not all machines need to have this, just 1% or so. If, say, most Linux machines did this, the problem would get much smaller. If most Microsoft machines did it, the problem would go away. We'll probably see this happen over the next year or two.
I can think of a few ways to address the second problem, some of which I've already discussed. With a little help in some routers, some interesting things become possible. Suppose there was an ICMP control message you could send to a router which said "turn on Record Route on IP packets sent to me for the next N seconds." Given that primitive, you could build a backwards traceroute.
The fact of the matter is that there is nothing the cDc (et al.) does that can't be created independently by other hackers. Imagine a world in which none of these exploits are disclosed, and also that 99% of sites on the internet run NT4.0. Without disclosure and general public knowledge of these exploits, MS would never act to patch it--it costs a great deal of money. Some may argue that it is not necessary to actually create a trivial exploit that script kiddies can exploit. While this may have some merit (I even agree somewhat with this approach; it depends largely on the circumstances and the vendor), it has been shown with MS (and a few others), time and time again, that they'll simply dismiss a vulnerability as "theoretical", or even "impossible", unless you make it known that you're going to create an exploit for it--and have demonstrated your abilities to make it a reality before.
What we have today with open disclosure, is a system where operating systems, vendors, and sysadmins become somewhat seasoned and hardened to attack because of this kind of disclosure.
Somewhat more debatably: Although script kiddies may be a pain in the ass, and their motives are selfish and childish, they do (collectively) ironically serve a function of sorts. Without script kiddies, it would be much easier to shrug off the importance of these flaws; it would potentially allow for a terrorist group, foreign government, or even a group of criminals to do serious economic damage in a wide-spread, highly coordinated, and professional attack. Remember that the independent acts of a million script kiddies all doing their own thing is likely not nearly as dangerous as the coordinated efforts of a professional organization (not to mention that the professional organization could do it by surprise, virtually overnight).
That being said, to clear up any confusion, I don't believe the internet is, at this point at least, terribly significant to our ACTUAL economy (GDP...as opposed to the imaginary one the press and politicians love to talk about). Even the actions of terrorists are not going to have all that great an impact (in my "other" scenario)--just that they'd have a greater impact were it not for disclosure. (Although, with corporate networks today being connected to the internet in various fashions, there is potential of significant information loss through the internet.)
February 14, 2000
By DAVID P. HAMILTON and JIM CARLTON
Staff Reporters of THE WALL STREET JOURNAL
Computer sleuths and federal investigators continued to narrow their search for the culprits behind last week's hacker attacks against Yahoo! Inc. and other Web sites, obtaining evidence from several computers used in the attacks that points to at least two potential suspects.
While the investigation appears to be making progress, law-enforcement officials say they haven't yet come up with hard suspects. However, evidence obtained from analysis of network traffic, computer-security logs and monitoring of Internet-hacker channels known as Internet Relay Chat, or IRC, has let investigators focus on the activities of two known hackers. So far, the two have been identified only by their online pseudonyms.
The hacker raids, which overloaded major e-commerce sites with packets of meaningless data in so-called denial-of-service attacks, didn't threaten any data stored on those Internet servers. Many in the security community initially derided the attacks as unsophisticated, saying they could be conducted with tools widely available on the Internet.
Now, however, it appears that at least one of the attackers may have been far more skilled than the apparent copycats that followed, said David Brumley, a system-software developer in Stanford University's information-technology department who has taken an active role in the hunt for the perpetrators. The hacker, who is believed to be responsible for the attack on Yahoo -- the first of last week's large-scale assaults -- mounted a particularly complex operation using highly customized tools, Mr. Brumley said.
Mr. Brumley said this hacker's online pseudonym is known, but he wouldn't reveal it to avoid jeopardizing the investigation. He added that this hacker appears to have dropped out of regular IRC chats in the last few days. The hacker is thought to reside in the U.S., he said.
A second, apparently less-skilled hacker believed to live in Canada was being watched as a possible copycat, said Michael Lyle, chief technical officer of Internet-security firm Recourse Technologies Inc. (www.recourse.com). The hacker, known by the online pseudonym "mafiaboy," allegedly was recorded in an IRC chat soliciting orders to shut down the Cable News Network and E*Trade Group Inc. sites, Mr. Lyle said.
Stanford's Mr. Brumley confirmed that a hacker using the mafiaboy pseudonym was a focus of the investigation. However, he said, some in the hacker community don't believe the person behind the name was involved in the attacks. Indeed, mafiaboy is said to have later retracted the claims and a law-enforcement official said that authorities, while scrutinizing his actions, aren't sure he is responsible.
Mr. Lyle and other security experts at Recourse, of Palo Alto, Calif., said they have viewed snippets of dialogue and have verified more of it from other hackers, and plan to give the information to the Federal Bureau of Investigation. "We think there were several hackers who launched the attacks in copycat fashion," Mr. Lyle said.
Interest also has grown in a hacker identified as "Mixter." In a series of e-mail exchanges with The Wall Street Journal, online-news provider ZDNet and other media, Mixter has described himself as a 20-year-old German programmer living in the area of Hanover, Germany.
Mixter is credited with having authored the Tribe Flood Network software, or TFN, one of the interrelated attack tools believed to have been used in the attacks. A similar software is "trinoo." A third, called stacheldraht -- German for barbed wire -- is based on TFN but uses trinoo features. Mixter is credited only with TFN.
In e-mail interviews, Mixter said -- in fluent English -- that he had no direct connection to the attacks and criticized the use of his software to paralyze online companies. He said TFN was written solely to demonstrate Internet-system weaknesses.
Mixter first appeared on the Internet hacker scene around July 1998, posting less-well-known software programs he had authored on security-related Web sites, according to Dave Dittrich, a University of Washington computer-security expert who has analyzed some of Mixter's software.
Mixter has voluminous postings at a site called Packet Storm, a division of Kroll-O'Gara Information Security Group in Palo Alto. Last month, a paper Mixter wrote on Internet security won a $10,000 prize in a Packet Storm competition. Mixter's most recent addition to the site is a lengthy treatise on how to deal with attacks such as last week's.
A law-enforcement official said the FBI is trying to talk to Mixter through German authorities, but that Mixter isn't a leading suspect at this point.
The FBI has run into problems retracing the source of the attacks because some sites used weren't keeping complete logs of computer traffic, according to a person involved in the case. "Some of the sites didn't capture all of the traffic" because their record-keeping software isn't set up to record that level of detail, a law-enforcement official said.
With help from computer experts at the affected Web sites, the FBI is still analyzing what information they have gleaned from those logs. In addition, according to someone involved in the case, dozens of agents from field offices -- including San Francisco, Los Angeles, Atlanta and Boston -- are conducting interviews with sources who monitor hacking activity.
"There hasn't been a huge number of people taking credit," said a law enforcement official, but the FBI is looking at them all.
The first major breaks in the case came late last week, when investigators learned that computers at several California universities, including Stanford, the University of California at Santa Barbara and the University of California at Los Angeles, were involved in the attacks. Several university officials said their computers were infiltrated prior to the attacks and used to fire the barrage of data packets that temporarily knocked out several sites, including Yahoo, Amazon.com Inc., eBay Inc., E*Trade and CNN, a unit of Time Warner Inc.
At UC Santa Barbara a network programmer noted "abnormalities" in the university's network traffic when he logged in Tuesday night. After further checks, the programmer discovered the following morning that one computer on the network had been broken into and used to attack the CNN Web site, according to Robert Sugar, the university's acting director of information technology.
Upon that discovery, the programmer alerted both CNN officials and the FBI, Mr. Sugar said. Campus officials said the hacker who broke into that computer left many traces, and said the FBI already has obtained reams of data as a result.
Mr. Sugar declined to describe the computer except to say it was an older desktop machine, a description consistent with a computer workstation. Security experts long have warned that older computers used for less-sensitive work at universities, where high-bandwidth Internet connections are common, are particularly vulnerable to such intrusions.
A hacker also apparently manipulated a Stanford network router -- a computer specially designed to direct Internet traffic -- as part of an attack that overloaded the Web site of eBay, San Jose, Calif. That kind of attack, known as a "smurf" attack after the first software tool designed specifically to conduct it, didn't entail an electronic break-in at Stanford's computers, Mr. Brumley said. Instead, the hacker subverted a router "broadcast" feature used to direct an entire cluster of computers to blast packets at eBay.
Meanwhile, other sleuths continued to probe the extent of the Internet's vulnerability to attacks. Network Associates Inc., a security company in Santa Clara, Calif., said a voluntary-screening program detected three cases of denial-of-service software installed on host servers: one in a university computer in Berlin, another at a university in Iowa and one in a nonuniversity computer in Long Beach, Calif. None of these detections necessarily indicate these computers were employed in last week's attacks, the company said.
As investigators continued their work, the computer industry struggled to reach common ground on security issues in order to present a united front at a White House meeting scheduled for tomorrow.
The dilemma for the computer industry, public-policy advocates say, is how to develop and agree upon standards that the government can support and protect without disrupting the open nature of the Internet. But given the different perspectives of government and industry, that won't be easy. Kim Alexander, head of the nonprofit California Voters Foundation, is one of the few people conversant in both the political and technological worlds. "It's like they speak two different languages," she says.
Many companies hit by last week's attacks continued to lie low. But some appear likely to take a more active stand against government intervention. AT&T Corp. dealt with attacks in the past week against some of its customers but remains opposed to government intervention to protect networks.
"It is important for the government [to take] a role in something that is illegal and affects commerce. Past that point, we clearly believe in self-regulation in this industry," said Rose Klimovich, AT&T's director of global intellectual-property-network services.
Some hackers, meanwhile, continued to toy with security experts over the weekend. Late Saturday or early Sunday morning, a hacker with the handle "Coolio" defaced the rsa.com Web site, which is owned by Internet-security firm RSA Data Security Inc., a unit of RSA Security Inc. of Bedford, Mass. The defaced site bore a picture of two men pictured on RSA's official Web site with the letter "L" branded on their foreheads, and carried the message: "The most trusted name in e-commerce has been owned" by Coolio.
Scott Schnell, a marketing vice president at RSA, said the company doesn't use the rsa.com site, which normally redirects Web surfers to RSA's main page at rsasecurity.com. He said the hacker hijacked the rsa.com Internet address and redirected it to the defaced page. Mr. Schnell said RSA was working with its Internet provider to resolve the situation.
David Cloud and Douglas A. Blackmon contributed to this story.
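The router "broadcast" feature the article describes in the eBay incident, echo requests sent to a subnet's broadcast address so every host on it replies to the forged source, is what a campus network operator would want to spot in its own traffic logs. The following is an added example, not code from the article or from anyone in the thread; the subnets and log lines are constructed sample data.

```python
"""Added example: flag the "smurf" pattern the article describes, ICMP
echo requests aimed at a directed-broadcast address. The forged source
address of such a request is the host that will receive the amplified
replies, i.e. the likely victim. Subnets and log lines are constructed."""
import ipaddress
from collections import defaultdict

# Constructed: subnets a campus router would be responsible for.
LOCAL_SUBNETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed sample log: "proto icmp_type src dst", one record per packet.
SAMPLE_LOG = """\
icmp 8 203.0.113.5 192.0.2.255
icmp 8 203.0.113.5 192.0.2.255
icmp 8 203.0.113.5 198.51.100.127
icmp 8 192.0.2.20 192.0.2.30
icmp 0 192.0.2.30 192.0.2.20
tcp - 192.0.2.20 203.0.113.5
"""


def is_directed_broadcast(dst: str) -> bool:
    """True if dst is the broadcast address of one of our own subnets."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in LOCAL_SUBNETS)


def parse(line: str) -> dict:
    proto, icmp_type, src, dst = line.split()
    return {"proto": proto, "type": icmp_type, "src": src, "dst": dst}


def smurf_candidates(log_text: str) -> dict:
    """Return {claimed_source: request_count} for ICMP echo requests
    (type 8) whose destination is a directed-broadcast address. Normal
    host-to-host pings and echo replies are ignored."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["proto"] == "icmp" and rec["type"] == "8" \
                and is_directed_broadcast(rec["dst"]):
            hits[rec["src"]] += 1
    return dict(hits)


def amplification_bound(dst: str) -> int:
    """Worst-case replies one broadcast request can trigger: the number of
    usable host addresses on the targeted subnet (0 if not a broadcast)."""
    addr = ipaddress.ip_address(dst)
    for net in LOCAL_SUBNETS:
        if addr == net.broadcast_address:
            return net.num_addresses - 2
    return 0
```

The router-side fix implied by the article is to stop forwarding packets addressed to a subnet's broadcast address, which removes the amplifier entirely.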
This PC happens to run windows (Yes. I know. I'm inherently evil and feeding the great satan. Just flame me and moderate me down for admitting it and get on with your lives.)
I installed a firewall (Zonelabs), mostly because it was free, and also because I decided that if I wasn't part of the problem yet, it was only a matter of time.
Results: I was getting probed at an average of once every 20 minutes from a variety of locations. Urk! (Please note, my ip starts with a 24, which tends to indicate an @home or roadrunner cable modem service)
Side note: If you want to test your machine, go to Steve Gibson's ShieldsUP!. It's a bit slow at the moment (and posting this ain't gonna make it faster). Personally I wish I had known about this site before this insanity started.
-----
No Zen is good zen