Slashdot Mirror


Crackers Preparing Massive DDoS?

Tairan writes: "Crackers are using two exploits to ready another distributed Denial of Service attack. MSNBC.com is reporting there are at least 560 computers infected. CERT claims it 'poses a significant threat to Internet sites and the Internet infrastructure.'"

13 of 175 comments

  1. Re:We'll Never Know by Chuq Roast · Score: 4
    Well, CERT doesn't seem to be taking this lightly in any case. I've seen a few posts about there being only 560 compromised hosts and how that isn't enough to perform a decent DDoS on anything but a tin can and strings. Uh, not quite: that's 560 hosts in one incident that has been reported. There have been around a hundred incidents reported, and while I'm sure that 560 hosts weren't compromised in each incident, I would bet you that the number is a lot greater than one for more than a few of them.

    CERT seems to be following up on most every lead they can and contacting everyone they believe to have been compromised and urging them to take measures to protect their systems and networks where possible. I am personally aware of a few hosts (which have since been secured as well as possible) which I do not control, but which were involved in a separate incident involving another rather large volume of hosts that CERT followed up on.

    So it would seem to me that the folks at CERT, at the very least, are just being careful. As the old saying goes, an ounce of prevention is worth a pound of cure -- and it's no different with computer security.

  2. Re:Mommy...where do root kits come from? by ryanr · Score: 4
  3. Well, this explains why Al Gore wants to sell :) by weston · Score: 5

    After all, what good is the internet going to be after this?

  4. We'll Never Know by n3rd · Score: 5

    There really isn't much to say about this article except for good old rampant Slashdot speculation.

    So some people found some trojans that could be used for DDoS attacks on a few hundred machines. Does this mean a DDoS is "brewing" or ready to be launched? Hardly.

    In order to know if something was coming, we would actually have to talk to whomever put those trojans on the machines to see what their motivation is, and when they plan to use them. Unfortunately, this will more than likely never happen.

    For all we know, this could just be some script kiddie's personal cache of trojans to take over IRC channels, not DDoS a large site such as Yahoo! or Ebay. Heck, maybe it's the BOFH Users Group out for revenge on companies that have had enough of their antics and fired them. Who knows?

    So, is a new, massive DDoS brewing? Unless one of the people who planted these trojans tells us, or a DDoS actually happens, we'll never know.

  5. Victim Report by the_quark · Score: 5
    Ok, they got me. My main personal mailserver/web server/MP3 server got compromised. I upgraded the system (which had 390 days of uptime, woo-hoo!) in late August to Redhat 6.2. Due to the high quality of crack I've been smoking, I FORGOT to turn off rpc in inetd.conf. Whoops! I noticed this last week and fixed it, but I'd already been gotten by the rpc.statd. Interestingly, what tipped me off was the fact that the DDOS software essentially caused a denial of service against ME. I have a DSL connection, and the DOS software flooded my network so badly I started investigating why my network performance was so slow.

    I have to rant a little bit, here - Redhat, is it SO HARD to make the default install be BASICALLY SECURE? Don't turn RPC on by default, for God's sake! The first thing I have to remember to do is to remove the really obvious security holes as soon as I install!

    One nice thing about this DDOS activity - now, the script kiddies want my network bandwidth. Used to be they didn't know what to do when they got in. The same system was compromised three years ago while I was on vacation, and the script kiddies involved did an "rm -rf /" as root. Ouch. This time was pretty easy to clean up from, by comparison.

    But, whomever pointed out that the connections of the hosts are important - absolutely. I'm sure my puny 384kbps upstream didn't cause whoever the victim was any real trouble.

    Tips for people who may be having the same experience:

    First, I was tipped off by the very large numbers of collisions on my hub, and the massive traffic. I'd installed a bunch of new hardware and software, and, at first, thought something was broken. Additionally, I was running mrtg against my router, and the traffic saturation broke SNMP connections, so cron kept complaining.

    Once I figured out the host the traffic was coming from, I started looking around. First of all, a command representing itself as "lpsched" was running with a very low PID (like 120) and had a child process representing itself as in.telne (I believe these were actually the same program). When I killed them, the traffic ended. After some research, I realized that the attackers had installed a trojan in /usr/sbin/init (which was then changing its program name as represented in ps after execution). /usr/sbin/init was being executed by /etc/rc.d/rc.sysinit, at the end of the file (placed here very nicely with a check to make sure /etc/rc.d/rc.sysinit existed).

    Interestingly, they did NOT install a rootkit - I used SHA1 hashing and some custom scripts I wrote to compare the compromised host with a clean install of RedHat 6.2. All they did was modify /etc/rc.d/rc.sysinit and install the Trojan (they may also have edited log files at the time of intrusion). rpc.statd did spew a "I'm executing this obvious buffer overflow attack" in /var/log/messages; "grep rpc.statd /var/log/*" should give you some idea if you have a problem. In the rpc buffer overflow, they echoed to /tmp/m:

    9088 stream tcp nowait root /bin/sh -i

    and then, executed "/usr/sbin/inetd /tmp/m", essentially giving themselves a root shell on port 9088. What they did from there I have no record of, but, obviously, they installed the Trojan and moved onto the next one.

    Good luck, out there...
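A defender's version of the checks in this report, as an added example (not the poster's scripts): it flags an inetd entry that serves a shell, a /usr/sbin/init hook in rc.sysinit, rpc.statd syslog lines carrying overflow debris, and SHA-1 differences against a clean install. The thresholds and all sample inputs are constructed assumptions.

```python
"""Indicator checks for the compromise described in the post above: an inetd
entry binding a root shell, a /usr/sbin/init hook in rc.sysinit, overflow
debris in rpc.statd syslog lines, and a SHA-1 diff against a clean install.
All sample inputs are constructed for illustration."""
import hashlib
import os
import re

SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}

def rogue_shell_ports(inetd_conf):
    """Ports whose inetd server program is a shell ('9088 ... /bin/sh -i')."""
    ports = []
    for line in inetd_conf.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].isdigit() and os.path.basename(f[5]) in SHELLS:
            ports.append(int(f[0]))
    return ports

def rc_sysinit_hooks(rc_sysinit):
    """Lines in rc.sysinit that run /usr/sbin/init. The real init is /sbin/init and
    rc.sysinit never launches it, so any such line is the trojan hook."""
    return [l.strip() for l in rc_sysinit.splitlines() if "/usr/sbin/init" in l]

def statd_overflow_hits(messages):
    """rpc.statd syslog lines carrying non-printable bytes or an abnormally long
    payload; an overflow attempt leaves that kind of line (heuristic thresholds)."""
    return [l for l in messages.splitlines()
            if "rpc.statd" in l and (len(l) > 200 or re.search(r"[^\x20-\x7e]", l))]

def changed_files(clean, suspect):
    """Paths whose SHA-1 differs from the clean install, or that the clean install
    lacks (the dropped trojan). Both arguments map path -> file bytes."""
    sha1 = lambda b: hashlib.sha1(b).hexdigest()
    return sorted(p for p in suspect if p not in clean or sha1(clean[p]) != sha1(suspect[p]))

# Constructed samples mirroring the post's findings.
SAMPLE_INETD = ("ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a\n"
                "9088 stream tcp nowait root /bin/sh -i\n")
SAMPLE_RC = "# end of rc.sysinit\nif [ -f /etc/rc.d/rc.sysinit ]; then /usr/sbin/init; fi\n"
SAMPLE_LOG = ("Sep  1 03:11:58 gw rpc.statd[462]: starting\n"
              "Sep  1 03:12:01 gw rpc.statd[462]: SM_MON request for " + "\x90" * 40 + "\n")

if __name__ == "__main__":
    print("shell ports:", rogue_shell_ports(SAMPLE_INETD))
    print("rc.sysinit hooks:", rc_sysinit_hooks(SAMPLE_RC))
    print("statd hits:", len(statd_overflow_hits(SAMPLE_LOG)))
```

On a real host, feed the functions the contents of /etc/inetd.conf, /etc/rc.d/rc.sysinit and /var/log/messages, and build the clean-install hash map from known-good media rather than from the suspect box.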

  6. Re:Only 560 by iCEBaLM · Score: 4

    Would 560 computers with cable modems (capped at 128 Kb/sec upstream) be enough for a DDoS? Probably not.

    Let's take a bigger look at this...
    (128Kb/s == 16KB/s) * 560 == 8960KB/s or 8 megabytes/s

    That will take out a T3 or an OC-1 pretty handily.

    560 dialup machines with 56k modems would be enough to flood a few dialup connections, or perhaps a cable modem or DSL line.

    Again, a closer look (56k's only get 33.6Kb/s up):
    (33.6Kb/s == 4KB/s) * 560 == 2240KB/s or 2 megabytes/s.

    Enough to take out 10x T1's.

    Don't dismiss the power of 560 machines so easily.

    -- iCEBaLM

  7. Re:Wow, you are brilliant! by Woody77 · Score: 5

    I agree with him, for a simple reason.

    I started with a commodore, using the command-prompt, and moved up to a PC with a prompt, and that's how I learned computers, in elementary school. Probably not uncommon for the people on this site.

    Now, my little brother never used anything other than 95. Loves computers, mainly games, but couldn't use a command-prompt to save his life, and can't even set up Master/Slaves correctly on an IDE chain. Called me to try and help over the phone...

    He's a smart kid, too.

    He's a senior in high school, and can get into any school in the nation, from his test-scores and grades.

    So why can't he figure out why the new game he installed whacked windows? Why can't he install a new HD? Because all he's ever used is point-click. He's never actually learned how things work.

    One of my professors once made a statement about "experts", one I've also heard from a few now-retired computing columnists.

    Essentially: A real expert does not know how to do 100 neat things (tweaks) with a piece of software (or other product). Instead, they understand fundamentally how it works. From that, they know how to do the same 100 "neat things", but they also know why those "neat things" do what they do.

    Sorry, enough ranting on "kids these days...."

  8. A real Stacheldraht DDoS network discovered by wzc · Score: 5

    For those of you who don't believe in DDoS attacks or just don't want to believe in them, please check out http://wzc.dhs.org/home/news/index.html and the news post dated 6th September 2000. This is a linux server which I run... it has been DDoSed many times this summer, each time, taking out the ISP on which it is hosted. I managed to log all the networks involved using tcpdump and other such tools. The reason for it being dossed? It runs an eggdrop on IRC hence the hackers DDoS the server to make the bot ping timeout, and take over the channel.... how sad.... So ppl, these attacks are for real.... we better suss them out... this is exactly what I did.... With help from one of my mates, I managed to determine the protocol used by the packetting agents (the agents which actually cause the garbage traffic) and wrote a little C program which makes them packet; if you care to visit wzc.dhs.org's news section, you will see that the server was set up to perform a scan of all the networks which I had logged (the scan was done by sending control packets to each potentially infected host on each network telling it to packet my server for exactly 1 second... if the host packetted my server, I knew it was hacked and running a packetting agent). The list has now been submitted to cyberabuse.org and CERT have also been notified about them (which is, I assume how this posting got onto here in the first place). I don't claim to be "Mr Expert" of DDoS attacks, but I did the scan due to my general anger against the hackers which were orchestrating these attacks against my server during this summer. If anyone would like to know more about how the protocol works, or would even like a copy of the C program which causes these packetting agents to packet, then contact me via the email on wzc.dhs.org's news page..... maybe I should post it publicly so everyone can do their own DDoS attacks, and then... the admin of the compromised hosts might fix their hacked systems. 
Thank you for listening. ----- Mark Hedges (admin of http://wzc.dhs.org)

  9. Re:Sys Admin ignorance is the main reason by halbritt · Score: 4

    Well, I had a user at one of my sites today get DDoS'd off the Internet. As a matter of fact, we were receiving so much traffic my firewall at that site choked. I got a couple of packet traces. Basically it was a bunch of tcp syn packets going to random port numbers. I started nmapping the source addresses to determine if they were real or spoofed (spoofed source addresses typically consist of a lot of invalid addresses that don't actually exist on the Internet). It turns out that 80% of the source addresses in question responded to ping. After nmapping a few of them I came to realize that they were all Linux boxes. Here's the results of one:

    turmoil# nmap -sS -O 216.17.xxx.xxx

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Interesting ports on xxx.dsl.frii.net (216.17.xxx.xxx):
    (The 1506 ports scanned but not shown below are in state: closed)
    Port State Service
    21/tcp open ftp
    23/tcp open telnet
    25/tcp open smtp
    53/tcp open domain
    79/tcp open finger
    80/tcp open http
    110/tcp open pop-3
    111/tcp open sunrpc
    113/tcp open auth
    143/tcp open imap2
    511/tcp open passgo
    514/tcp open shell
    515/tcp open printer
    1023/tcp open unknown
    1024/tcp open kdm
    3306/tcp open mysql

    TCP Sequence Prediction: Class=random positive increments
    Difficulty=1200108 (Good luck!)
    Remote operating system guess: Linux 2.1.122 - 2.2.14

    Nmap run completed -- 1 IP address (1 host up) scanned in 54 seconds

    Now, I don't know how you would assess the skills of this particular administrator, but as for me, I would say that he is completely and totally ignorant and most likely stupid to boot. What kind of kneebiter actually puts a box like this in the wild? Ok, here's a little contrast. I'm running a counterstrike server on a generic install of Redhat 6.2. Here's the results of an nmap:

    turmoil# nmap -sS -O 206.173.xxx.xxx

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Interesting ports on ahl (206.173.xxx.xxx):
    (The 1522 ports scanned but not shown below are in state: closed)
    Port State Service
    22/tcp open ssh

    TCP Sequence Prediction: Class=random positive increments
    Difficulty=2103891 (Good luck!)
    Remote operating system guess: Linux 2.1.122 - 2.2.14

    Nmap run completed -- 1 IP address (1 host up) scanned in 22 seconds


    That's it. Imagine that, a secure Linux box. What a novel concept. The key difference between *nix administrators and NT administrators is that *nix is designed to be remotely accessible thereby making it more subject to remote attacks. It is also possible to secure *nix. NT on the other hand is traditionally not as remotely accessible, which I think prevents it from being more of a platform for this sort of behaviour. However, if there's a security weakness, it's usually in there for a good long while and on top of that, it's difficult as hell to secure.
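The trace triage this comment describes, as an added example that is not the poster's own tooling: it counts SYNs per source, measures how many destination ports each source hit (the random-port pattern), and marks obviously unroutable sources as likely spoofed so that only plausible hosts get the ping/nmap follow-up. The tcpdump-style lines, the bogon list and all addresses are constructed assumptions.

```python
"""Triage of a SYN-flood packet trace like the one described above: SYNs per
source, distinct destination ports per source (random ports => flood), and a
split between obviously unroutable sources (likely spoofed) and ones worth
following up. Trace lines are constructed in the classic tcpdump text format."""
import ipaddress
import re
from collections import defaultdict

TCP = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)")

# Ranges that never appear as real Internet sources; a partial list, by assumption.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def is_bogon(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGONS)

def syn_profile(trace, min_syns=3):
    """Map source -> (syn_count, distinct_dest_ports, bogon) for sources that sent
    at least min_syns SYN segments."""
    syns, ports = defaultdict(int), defaultdict(set)
    for line in trace.splitlines():
        m = TCP.match(line)
        if not m or not m.group(5).startswith("S"):   # keep only SYN segments
            continue
        syns[m.group(1)] += 1
        ports[m.group(1)].add(int(m.group(4)))
    return {s: (n, len(ports[s]), is_bogon(s)) for s, n in syns.items() if n >= min_syns}

def follow_up(profile):
    """Routable sources that sprayed several ports: candidates to confirm with ping
    and nmap, as the poster did, before contacting their administrators."""
    return sorted(s for s, (n, nports, bogon) in profile.items() if not bogon and nports >= 3)

def build_trace(src, n, start_port=4000):
    """Constructed trace lines: n SYNs from src to the victim on consecutive ports."""
    return "\n".join(f"03:12:{i % 60:02d}.000000 {src}.{1024 + i} > 192.0.2.10.{start_port + i}: "
                     f"S {100 + i}:{100 + i}(0) win 512" for i in range(n))

# 203.0.113.0/24 is a documentation range standing in for a public address here.
SAMPLE = "\n".join([build_trace("203.0.113.9", 8),    # real-looking source
                    build_trace("10.77.1.4", 8),       # spoofed, private range
                    "03:12:30.000000 203.0.113.50.1234 > 192.0.2.10.80: . ack 1 win 512"])

if __name__ == "__main__":
    for src, (n, nports, bogon) in syn_profile(SAMPLE).items():
        print(f"{src}: {n} SYNs across {nports} ports, {'bogon' if bogon else 'routable'}")
    print("follow up:", follow_up(syn_profile(SAMPLE)))
```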

  10. Must be time for another round of Funding... by Robert Hayden · Score: 5
    Remember a few months back when the DDOS attacks happened? Just before that, the FBI and CIA and a whole bunch of other TLA departments sent out huge warnings about "cyber-terrorists". Then *POOF* out of nowhere come these DDOS attacks. However, they aren't aimed at any important infrastructure (like the root name servers, for example!!!), but instead at a few well-known and public e-commerce sites.

    OH NO! See, the evil cyber-terrorists have attacked and the TLAs must get their funding to stop it.

    Suddenly....*POOF* the attacks _END_. No "bad guys {tm}" were caught, but the problem goes away.

    Ooops, here come the FUD and scare tactics again! Time to eliminate some more civil rights to protect us from "cyber-terrorists" and make sure those TLAs charged with fighting this dragon are properly funded!

    Maybe this time the feds will attack something on the net that really is meaningful instead of ebay and yahoo. Otherwise, I just ain't buying it.

  11. Revive the demo scene by YoJ · Score: 5

    I think the solution to script-kiddy wankerism is a revival of the demo scene. Everyone uses GUIs now, so it's harder to program to the metal to make cool demos that cut the edge of technology. That's what these dumb kids should be doing, actually improving their skills and learning something, rather than being destructive and 31337. I'm gonna wager that many Slashdotters know at least a couple kids that are probably warez dudes or 31337-haxors at night. Be a force for good in their lives; show them how they can create with a computer as well as cause problems.

  12. MSNBC Headline: "Hackers amass new zombie army"!! by Smack · Score: 4

    Can you believe that? Those evil hackers have figured out how to raise the dead and have them fight for them as a zombie army. Man, this is almost as bad as copying DVD's.

  13. Where can we report compromised computers? by stab · Score: 5

    I've been scanning the bait logs on my machine (I run a simple tcp listener on ports 111, 23 and others to report scans), and over the last four weeks the rate of scans against the machine has gone up orders of magnitude.

    Probes to port 111 come about twice a day, from a large range of IPs. These boxes could all be compromised, and being used as part of a worm attack, but I don't have time to track down the postmaster of each of the IP addresses and mail him/her.

    Does anyone know if there's a service run by CERT or anyone to report possibly compromised hosts that turn up in our logs too?

    If not, it would be pretty useful to have ...
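A bait listener of the kind this post describes, plus a check on how far the probe rate has risen week over week, as an added example (not the poster's setup). The log line format and the sample lines are constructed assumptions.

```python
"""Bait listener: accept on the named ports, record the peer, close; then measure
the probe rate from its log. All sample log lines are constructed."""
import collections
import datetime
import socketserver
import threading

LOG = []   # one "YYYY-MM-DD HH:MM:SS port=N from=IP" line per connection

class Bait(socketserver.BaseRequestHandler):
    """Record the peer and the bait port; never answer the client."""
    def handle(self):
        now = datetime.datetime.now(datetime.timezone.utc)
        LOG.append(f"{now:%Y-%m-%d %H:%M:%S} port={self.server.server_address[1]} "
                   f"from={self.client_address[0]}")

def serve(ports, host="0.0.0.0"):
    """One background listener per bait port (111, 23, ...); ports below 1024 need root."""
    for p in ports:
        srv = socketserver.ThreadingTCPServer((host, p), Bait)
        threading.Thread(target=srv.serve_forever, daemon=True).start()

def parse(line):
    day, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split()[1:])
    return datetime.date.fromisoformat(day), int(fields["port"]), fields["from"]

def daily_counts(lines, port):
    """Probes per calendar day against one bait port."""
    return collections.Counter(day for day, p, _ in map(parse, lines) if p == port)

def weekly_ratio(lines, port, end):
    """Probes in the 7 days ending on `end` (ISO date) divided by the 7 days before;
    a jump of an order of magnitude is what the poster reports."""
    end = datetime.date.fromisoformat(end)
    counts = daily_counts(lines, port)
    recent = sum(counts[end - datetime.timedelta(d)] for d in range(7))
    before = sum(counts[end - datetime.timedelta(d)] for d in range(7, 14))
    return recent / before if before else float("inf")

def sample_log():
    """Constructed: two probes in the earlier week, twenty in the later one."""
    base = datetime.date(2000, 8, 24)
    lines = [f"{base + datetime.timedelta(d)} 02:00:00 port=111 from=10.0.0.{d}" for d in (1, 5)]
    lines += [f"{base + datetime.timedelta(7 + d % 7)} 03:00:00 port=111 from=10.0.1.{d}"
              for d in range(20)]
    return lines
```

Running `serve([111, 23])` needs root and assumes nothing legitimate listens on those ports; the analysis functions work on any file of lines in the same format.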