Slashdot Mirror


Undernet In Serious Trouble: Any Suggestions? (Updated)

An Undernet admin writes: "For the past 4 days, many of Undernet's servers have been hit with constant DDoS, massive stuff on the order of 100M/sec that doesn't look like it will clear up anytime soon. The major services with which Undernet is associated, including Uworld and the channel service bots X and W, have been removed because the ISP that hosts them cannot afford to have them online, and even with them offline, the ISP has continued to be hit with the DDoS. Several servers will be forced to delink permanently if this continues. And all of it's happening because a script kiddie in Romania has nothing better to do with his time, and with his head start, many other groups have decided to lend a hand and take out other servers while his main pummelling is going on. We're about to run out of new ideas, since we can only code in so much security so fast, and law enforcement isn't terribly effective. What does the Slashdot community say?" There's a notice on their Web site. Update: 01/08 09:49 PM by michael : The news story we linked to was ancient.

501 comments

  1. Re:script-kiddy culture is to blame by Anonymous Coward · · Score: 1

    single men (who aren't getting any sex) seem to be responsible for 99% of bad things that happen.

  2. Good grief by Anonymous Coward · · Score: 1

    Stupid, stupid, stupid. It's a shame that DDOS hax0r t00l5 are available as binaries. If the lus3rs had to configure;make;make install they'd probably never figure it out. =)))

  3. Re:Honeynet Project by Anonymous Coward · · Score: 1

    The scary part is that the HoneyPot Project (the one posted to bugtraq+slashhot) caught the same lusers that are launching these attacks. It's a small world I guess.

  4. Solution: by Wakko+Warner · · Score: 1
    Find him. Shoot him in the head.

    Problem solved.

    - A.P.

    --
    * CmdrTaco is an idiot.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    1. Re:Solution: by Cramer · · Score: 1

      Unfortunately, you'll never be able to kill enough people to stop this shit for good.

  5. Security Rulesets by Alan · · Score: 1

    The security on the main servers of anything should be tight. Unless you are running a server that allows public access (ssh and/or telnet) your firewall should only allow access via ssh from various servers (ie: your home/work ips) and nothing more!

    Something along the lines of:

    ipchains -A input -p tcp --dport 22 -s my.home.ip -j ACCEPT
    ipchains -A input -p tcp --dport 22 -s my.work.ip -j ACCEPT
    ipchains -A input -p tcp --dport 22 -j DENY


    Note I used "DENY" rather than "REJECT". Deny will simply drop the packets, making things like portscans very long, whereas reject sends back a message to the originating server, which can be actually used against you as a DOS (ie: flood the victim by getting them to saturate their bandwidth with reject messages).

    I know the code above is probably syntactically incorrect, and a tiny, TINY snippet of a good firewall, but it is however, a start. There are a lot of good ipchains/firewall config tools out there folks, use them!

    1. Re:Security Rulesets by Isomer · · Score: 1

      AFAIK All undernet servers have very anal firewalls. Several have them on the box, on the network, on the router, on their upstream, on their upstream's upstream etc. But if you're having more data shoved into your network than you have connectivity then by the time it gets to your firewall you've already lost -- there is no bandwidth left for anything else.

  6. Re:Find the people who are doing this... by Alan · · Score: 1

    Maybe leave a severed cable modem in their bed...

  7. Re:Try securing your boxen first by Alan · · Score: 1

    Don't you realize that it is impossible, impossible to completely secure any box that has a network connection to the outside? Or, for that matter, a box to which anyone is allowed physical access? It's simply not possible.

    "Absolute security is a myth" --someone whose name I don't remember

    Absolutely right, however it is possible to *mostly* secure a box. Beyond plausible deniability as you would. Ie: deny telnet access, put in decent ACLs for your admins for ssh access, remove unwanted/used services, etc. In a lot of cases even doing this will prevent your standard script-kiddies from even bothering you. If you have your ports "stealthed" and their port scans take 10 min apiece, they probably won't even bother with you.

  8. Re:Try securing your boxen first by Alan · · Score: 1

    I agree completely.... "best efforts" though. I think that if someone leaves their windows peecee unprotected and it's used somehow, that's not a "chargeable offense". You don't want to see your grandma (who just got cable) hauled off to jail :) However, if you're running a router or server, *especially* a major server like an irc-fscking-network, you should know better.

  9. Posted on slashdot... by oGMo · · Score: 1

    "For the past 4 days, many of Undernet's servers have been hit with constant DDoS..."

    [...]

    Update: 01/08 09:49 PM by michael: The news story we linked to was ancient.

    Not anymore. ;-)

    --

    Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

    1. Re:Posted on slashdot... by Isomer · · Score: 1

      They are getting DoS'd, and DoS'd very hard. Just the article that was referenced was talking about a previous attack on undernet - not the current one.

  10. Re:Okay, so... this keeps happening. Now what? by drsoran · · Score: 1

    Who uses IRC anymore? Isn't that what AIM is for?

  11. Somehow I find this amusing... by InThane · · Score: 1

    Someone posts a story to /. about Undernet being dDoS'ed, and the site gets slashdotted.

    Is it just me, or is this rather ironic?

    --
    InThane
  12. @home users maybe the unwitting springboard by croftj · · Score: 1

    I have a friend whose linux machine was broken into on Christmas eve. In the end his login and ps programs were replaced and all of the logs were deleted. A small process was running in the background hooked to an irc server and another @home machine. You could only see this process looking through the /proc directory. The ps command was hacked. Its other clue was the two network connections. Maybe this is related.

    --
    -- Many men would appreciate a woman's mind more if they could fondle it
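The symptom described in this comment (a process visible under /proc but missing from ps output) can be checked with a cross-view comparison. This is an added example, not part of the original comment: the function names and the fake /proc tree are constructed for illustration, and the check only exposes a replaced userland ps, not a kernel-level rootkit that also filters /proc.

```python
import os
import subprocess
import tempfile


def pids_from_proc(proc_root="/proc"):
    """PIDs as the kernel reports them: every all-digit directory in proc_root."""
    return {
        int(name)
        for name in os.listdir(proc_root)
        if name.isdigit() and os.path.isdir(os.path.join(proc_root, name))
    }


def pids_from_ps_output(text):
    """Parse `ps -e -o pid=` output: one right-aligned PID per line, no header."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def run_system_ps():
    """Ask the (possibly replaced) ps binary on PATH for every PID it reports."""
    return subprocess.run(
        ["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True
    ).stdout


def describe(pid, proc_root="/proc"):
    """Process name read straight from the kernel view, never from ps."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def find_hidden(proc_root="/proc", run_ps=run_system_ps):
    """Return [(pid, name)] for processes present in /proc but absent from ps.

    /proc is listed before and after ps runs and only PIDs present in both
    listings are considered, so a process that started or exited while ps
    was running is not reported as hidden.
    """
    before = pids_from_proc(proc_root)
    ps_pids = pids_from_ps_output(run_ps())
    after = pids_from_proc(proc_root)
    stable = before & after
    return [(pid, describe(pid, proc_root)) for pid in sorted(stable - ps_pids)]


def build_constructed_proc(root, procs):
    """Create a fake /proc tree (constructed sample data) for offline runs."""
    for pid, comm in procs.items():
        os.makedirs(os.path.join(root, str(pid)))
        with open(os.path.join(root, str(pid), "comm"), "w") as fh:
            fh.write(comm + "\n")
    os.makedirs(os.path.join(root, "self"))           # non-PID directory
    open(os.path.join(root, "cpuinfo"), "w").close()  # non-directory entry


def constructed_trojaned_ps():
    """Constructed output of a replaced ps that leaves PID 1337 out."""
    return "    1\n  412\n"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_constructed_proc(root, {1: "init", 412: "sshd", 1337: "bot"})
        for pid, name in find_hidden(root, run_ps=constructed_trojaned_ps):
            print(f"hidden from ps: pid={pid} comm={name}")
    # On a live Linux host, call find_hidden() with no arguments instead.
```

On a host that may be compromised, run the check with an interpreter and libraries from known-good media, since any local binary may have been replaced.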
  13. ...and you're clueless! by db · · Score: 1

    Take a look at some traceroutes.

    --
    Dave Brooks (db@amorphous.org)
    http://www.amorphous.org

    1. Re:...and you're clueless! by Roofus · · Score: 1


      Well, it could make sense. I'm guessing that if I were to bother to do a traceroute, I'd find that the web server is not located on the same network as the irc servers. In that case bombarding the web server doesn't do any damage, except maybe to the effnet admins pride...or something...

    2. Re:...and you're clueless! by nsane · · Score: 1

      except maybe to the effnet admins pride
      Bombarding undernets webserver would damage efnet admin's pride? :)
      Picky, yes. Funny, hopefully.

      --
      i have misplaced my signature.
  14. Undernet's had it coming. by Harik · · Score: 1
    Mind you, I don't think this is a good thing. DoS skriptkiddies should be put to work in something useful, like medical experimentation. Still, having had to deal with Undernet Opers before, I can see where he's coming from. They are far and away the most arrogant, self-centered assholes I've ever had the displeasure of dealing with. Of course, that seems to be the case with all the big networks. But only undernet had audacity of putting in an O flag to track if someone /whois'd and Oper... for the purpose of G-lining them.

    Perhaps if you're borrowing peoples servers and bandwidth, you shouldn't be quite such an ass to everyone around. I know when I'm house-sitting I don't go inviting trouble.

    So let's kill the little twerp involved, and not give any sympathy where it's NOT due.

    --Dan

    1. Re:Undernet's had it coming. by Harik · · Score: 1
      An O flag to see if someone whois'd an oper? I don't know where you got this idea, but you managed to get a laugh from me.
      The source is open, go check it before posting ridiculous assertions like this.

      Actually, you're wrong. The code is NOT open, it's a hack. I know it's an undernet hack because I've known undernet Os. I've watched him do precisely that, too. G-line an entire network because someone /whois'd him.

      Oh yes. And he got his O status by giving blowjobs to the admins of the server. Gotta love the good job they're doing on filtering admins.

      Mind you, efnet's just as bad. Invisible servers with PRIVMSG snooping capability. That always amused me. (Obviously, only things routed through the server they leeched off of. But, close enough to the hub...)

      How bad is IRCnet these days? Someone on my netblock pissed them off and I've never been bored enough to get around it.

      --Dan

    2. Re:Undernet's had it coming. by gid · · Score: 1

      Undernet opers have all sorts of power, they can monitor private channels without being in them, they can do a whois on you and find out all the +s channels you are on etc, but I don't see why any of this would make the Undernet more of a target for a DDoS except that people might get a bit more pissed off when they discover something like this. Deal with it, if you want privacy, look into an SSL irc alternative, it can be done. I've connected to one before, albeit through ssh tunnelling.

      ---

    3. Re:Undernet's had it coming. by Alex+Pennace · · Score: 1

      But only undernet had audacity of putting in an O flag to track if someone /whois'd and Oper... for the purpose of G-lining them.

      A quick glance of the Undernet ircd source (available at the Undernet coder committee site) doesn't show any special flags or other state being set on the client record when the client does a /whois on an oper. Could you provide a citation if I'm mistaken?

      So let's kill the little twerp involved, and not give any sympathy where it's NOT due.

      Some Undernet officials have serious issues. The #zt help channel bans you if you have the audacity to help people, for example. But even if these attacks are directed at those assholes, other groups (#978) are suffering collateral damage.

    4. Re:Undernet's had it coming. by FruitCak · · Score: 1

      Actually it wouldn't be in the code, cause that sort of thing is set in the conf file and their code distribution only includes a generic one.

      and it's not that hard to do, i know another network that has it

      --
      I'm me. I think.
    5. Re:Undernet's had it coming. by CaptJay · · Score: 1

      An O flag to see if someone whois'd an oper? I don't know where you got this idea, but you managed to get a laugh from me.

      The source is open, go check it before posting ridiculous assertions like this.

      --
      "I remember Y1K, every abacus had to get another bead"
    6. Re:Undernet's had it coming. by Zarvox · · Score: 1

      AMEN!

      --
      Zarvox
    7. Re:Undernet's had it coming. by MAN1AC · · Score: 1

      I have no knowledge of such lame code. However I do know that EFnet's hybrid had such a feature about 2 years ago. I am not sure if it still does. Check your sources first. Chances are you were in the wrong network :P MANIAC

  15. Easier to stop it in retrospect by Anthony · · Score: 1

    ISP terms of service to connect to the Internet should include ingress filtering to stop IP spoofing and a patch management plan. Running vulnerable servers is not acceptable if you are a frontline ISP with oodles of bandwidth. There is a duty of care expected of them that is not being exercised.

    --
    Slashdot: Where nerds gather to pool their ignorance
    1. Re:Easier to stop it in retrospect by Cramer · · Score: 1

      While ingress/egress filters are a good thing on paper (and I support their use to a large extent), they aren't a magic bullet.

      Small ISPs with one or even a half dozen netblocks shouldn't have any trouble with adding these kinds of filters. They do increase processing and delay for every packet coming and going, but for such a small list, it's not going to be measurable. However, for larger ISPs, that list can grow very large and become very measurable.

      But processing is not the only constraint. Those filters introduce an additional constraint when adding clients: those that bring their own address space will require the list(s) to be altered. And thus enters "human error" -- I've seen too many people lock themselves out of routers by doing things wrong (both improperly and in the wrong order.)

      Additionally, this roadblock can only stop packets that reach it. The traffic still has to travel across your link or traverse part of the ISP network to be blocked by the filters on the borders.

    2. Re:Easier to stop it in retrospect by trazom28 · · Score: 1

      I had the same result with a similar technique. A local ISP that I was a member of had *extremely* poor service that went from bad to worse. I even went so far as to conference call with the head of the ISP with a group of users, so we could explain our complaints. Everyone behaved very maturely and the head of the ISP promised changes in very short order. 3 months later - same issues. I started sending followup emails and ccing to various television stations. Amazingly, things started to happen. Never underestimate the power of the media. It's a bit like a sci-fi movie though.. the power can be used for good.. and it can be used for evil.

      --
      {} ------ When I think of a good sig, I'll put it here
    3. Re:Easier to stop it in retrospect by _ganja_ · · Score: 1
      I think it's great that you have a resource like this however, this isn't for everyone. You state: "although it is AMAZING the number of people that absolutely refuse to do it!"

      Maybe there is a good reason why people refuse to do it? You are running a very small network, what about ISPs that have multiple stm16 lines? This long extended access-list would be a performance hit, netflow switching could help a bit but I would never implement such a list on border routers. If there was a magic bullet my friend we'd all be using it. However, to refine your point there are many ISPs that don't have the skilled staff or the strong management to think security is a risk. Then I feel they deserve to be put out of business (hint to an old employer) *cough* Colt *cough*. No decent ISP would refuse to implement security.

      Although giving access-list advice is nice, I'd be wary about pre-made configs, every network is different, you state on your page: "Finally, don't use this access list as is. Be sure to alter it for your network.". If someone had the knowledge to do this they could very easily build this access list themselves. Cut & pasting configs is never a good idea unless you fully understand them.

      Also from your web page:

      acc 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.255 255.255.255.0
      acc 101 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.0

      Maybe: "no ip directed-broadcast" on the interfaces would be easier? It's default on IOS 12 and above anyway. Remove ICMP redirects on the interfaces "no ip redirects" plus "ip verify unicast rpf" could be very useful for anti-spoof (must be running CEF + doesn't work with symmetric routing).

      I think there is one thing any Cisco admin working in an ISP should do and that is read this:

      http://www.cisco.com/public/cons/isp/documents/IOS EssentialsPDF.zip.

      and also this could be useful: http://www.cisco.com/warp/public/707/21.html

      --

      A journey of a thousand miles starts with a brutal anal raping at airport security
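A simplified model of the reverse-path check behind the `ip verify unicast rpf` command mentioned in this comment, as a counterpart to the hand-maintained access lists discussed in this thread. This is an added example, not Cisco's implementation or code from the thread: the interface names, routes (documentation prefixes, no default route) and packets are constructed, and "loose" mode is modelled simply as "some route to the source exists".

```python
import ipaddress


class Fib:
    """Tiny forwarding table with longest-prefix-match lookup."""

    def __init__(self, routes):
        # routes: iterable of (prefix, outgoing_interface); most specific first
        self.routes = sorted(
            ((ipaddress.ip_network(prefix), iface) for prefix, iface in routes),
            key=lambda route: route[0].prefixlen,
            reverse=True,
        )

    def lookup(self, addr):
        """Return (network, interface) of the most specific route, or None."""
        ip = ipaddress.ip_address(addr)
        for net, iface in self.routes:
            if ip in net:
                return net, iface
        return None


def urpf_accepts(fib, src, in_iface, mode="strict"):
    """Reverse-path check on a packet's source address.

    strict: the best route back to src must point out of the interface the
            packet arrived on.
    loose:  any route back to src is enough, whatever the interface.
    """
    hit = fib.lookup(src)
    if hit is None:
        return False          # no route back to the source: drop in both modes
    if mode == "strict":
        return hit[1] == in_iface
    if mode == "loose":
        return True
    raise ValueError(f"unknown mode: {mode}")


def dropped(fib, packets, mode):
    """Return the (src, in_iface) pairs the check would discard."""
    return [(src, iface) for src, iface in packets
            if not urpf_accepts(fib, src, iface, mode)]


# Constructed routing table: two customer ports and one upstream port.
ROUTES = [
    ("192.0.2.0/24", "cust1"),
    ("198.51.100.0/24", "cust2"),
    ("203.0.113.0/24", "upstream0"),
]

# Constructed packets as (source address, arrival interface).
PACKETS = [
    ("192.0.2.10", "cust1"),       # customer 1 using its own address
    ("203.0.113.5", "cust1"),      # customer 1 forging an outside source
    ("198.51.100.7", "cust1"),     # customer 2's address on customer 1's port:
                                   # forged, or a multihomed site whose return
                                   # path differs (asymmetric routing)
    ("10.1.2.3", "cust2"),         # source with no route at all
    ("203.0.113.5", "upstream0"),  # outside traffic arriving from upstream
]

if __name__ == "__main__":
    fib = Fib(ROUTES)
    for mode in ("strict", "loose"):
        print(mode, "drops:", dropped(fib, PACKETS, mode))
```

Strict mode removes the forged sources at the customer edge without a per-customer list to maintain, but it also discards the third packet when that packet is legitimate asymmetric traffic; loose mode only removes sources with no route.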

    4. Re:Easier to stop it in retrospect by cluge · · Score: 5
      Most responsible ISPs do that, although it is AMAZING the number of people that absolutely refuse to do it! Cisco filters are easy enough to implement. Look here for examples for those interested. Tracing down a problem sounds good, but remember big ISPs like UUnet, Sprint etc. don't like needing to turn on some sort of logging to try and trace packets; it increases load on their routers/servers (if even for a few minutes). If the source of packets is going through a hugely congested site (MAE East) the likelihood of finding someone willing to do a trace is about .005% to -100%

      quick story
      I remember getting TONS of spam from a machine at a major university. It appeared to be a machine running in the astronomy dept. I sent a nice friendly e-mail about it, as our users were getting 20 to 30 spams a minute through it and wanted to stop being told where to get Viagra (Bob Dole already told us, thank you). The official response from the sys admin was a none too polite, "Fuck you and mind your own god damn business".

      My response was to cc that with a letter asking a bunch of questions to 2 local newspapers and 1 TV station and the president of the alumni association. The open relay got closed *magically*

      What's the point to my incessant yammering, you ask? Sometimes ISPs (especially smurf sites in Japan *ahem*) need to be bullied into doing some of the most obvious, easy things. Some ISPs claim that filters cause problems, increase router load etc, etc, etc. The problem usually is that no one has brought it to their attention, or rather no one has screamed at them loudly enough.

      --
      "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
  16. Re:Counterefficient by gid · · Score: 1

    Well the whole idea is that this article is in the "Ask Slashdot" section so hopefully someone would come up with a solution to the problem. But with the internet as chaotic as it is, it's extremely hard to stop. The only viable solutions as I see it are:

    1: securing servers
    2: have all routers set up anti spoof filters so the attacks are at least easily traceable

    Immediate solutions? Find out what connections the massive traffic is coming from and track it back to its source by making lots and lots of phone calls. The other immediate solution is of course simply delink the server and unplug its ethernet, what's the point of a DDoS if there's nothing to attack? I'm not too fond of this method, because it basically means the script kiddy won.

    One thing that really annoys me about this discussion is the massive amount of "Funny" comments. That annoys the crap out of me when I see that in the "Ask Slashdot" section. These are people that really need the help. I'm on the undernet daily idling while I work. I occasionally help someone with a php/mysql/perl/linux question or whatever, and it's getting ridiculous.

    If you ask me, I think "Funny" moderations shouldn't be allowed in "Ask Slashdot". If I was a sysadmin of an isp with an OC12 that's currently pegged because of some retarded script kiddy, risking my oh so loved job because I was the one who thought it was a good idea to give back to the community and run an irc server, the last thing I would want to see are suggestions like. "Go to Romania and shoot him, I'm serious!!!!" or even worse, "No castrate him!!! HAHAH ROFL OMGOMGOMGOMG" C'mon... grow up, save those retarded comments for the next article about the latest political blunder.

    ---

  17. Re:Try securing your boxen first by greg_barton · · Score: 1

    Just because I am free spirited, unworried, or just plain lazy/dumb/maleducated doesn't mean I share responsibility when someone else breaks the law.

    You couldn't be more wrong. Leaving a box with high bandwidth access unprotected is like leaving a loaded gun out when there are kids around. If somebody shoots themself or someone else with that gun, you should be held responsible.

  18. the fish... they do stink by Psarchasm · · Score: 1

    my favorite quote of the year thus far...

    "Fortunately, he wasn't too bright because he left a lot of trails," said Bill Benefield, a system administrator with FishNet.

    well. kudos bill - you just berated an individual that tore your isp a new asshole, and made you a laughing stock.

    seriously people. script kiddies don't just fall out of the sky into massive massive pipes of unlimited bandwidth. they take advantage of lackadaisical system administrators who install "insecure by default" oses and don't keep up with patching them. they take advantage of companies that don't stick their machines behind firewalls. they take advantage of your laziness and the industry's general malaise regarding network security.

    you want retribution? well bill seems to think they will find the perp's point of origin pretty easily (he left such detailed logs) - so prosecuting the kiddie should be no problem. but if you want to be angry at someone. i suggest being angry at bill.

    --
    http://windows.scares.us
  19. Re: Ask Slashdot: Undernet In Serious Trouble. . . by abulafia · · Score: 1
    I was intentionally being a jerk. Sue me, I was up too late dealing with morons who think they know how to rebuild a network (conquering hero phenomenon). Maybe you're a BGP god.

    What I was getting at was that if you take down a link to a given AS, that router will just send traffic to a different community member. If BGP is doing what it is supposed to, that AS will know how to get to you.
    Am I wrong?

    --
    I forget what 8 was for.
  20. Re: Ask Slashdot: Undernet In Serious Trouble. . . by abulafia · · Score: 1
    Um, Bad advice, I think, for mainly business reasons.
    Dump That Route and commit an explicit breach of contract, in a lot of cases. People sue over that.

    Being a victim of "limitations of the internet" usually means you're not going to be sued, at least when it looks like a serious attack like one "not even Yahoo could handle". Clients may be pissed and make noises at sales reps, but they'll flutter around as much as you do about it instead of talking to lawyers about what they can get because some BOFH at the provider intentionally took them down or degraded routes.

    I'm not saying I like this, but it is a fact (at least in the US).* A lot of new contracts I've seen include "we'll slap you down for hosting a hacker, unless you pay us for security services", but a lot of current ones do not.

    Plus, it sounds like you may not know BGP as well as you think you do.**

    -j

    --
    *Mandatory Parenthetical Admission of Belonging to a Lawyer Ridden Culture
    **Intentional reference to superiority. So mod me down.

    --
    I forget what 8 was for.
  21. Re:Try securing your boxen first by Maserati · · Score: 1
    That'd be "due diligence". Sysadminning can't really be a profession without ethics, standards, practices and all the other trappings of a respected profession.

    If someone can get into your system with nothing more than a binary download, then you haven't exercised due diligence. If your system has reasonable precautions against known attacks, and a reasonable security setup, then you have exercised due diligence.

    It's another (iirc) common law concept, similar to the apocryphal reasonable man.

    --
    Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
  22. Re:A case for Internet Licenses. by grahamm · · Score: 1

    Maybe the exams required before obtaining an Amateur Radio licence would be a better example than tests to obtain a driving licence.

  23. Just a symptom... by dadams · · Score: 1

    Script Kiddies aren't the problem.

    Poor admins are.

    Not the IRC admins - they've got to put up with more shit than anyone. The lame admins that let script kiddiez root their boxes. Telnetd shouldn't exist - all traces of its existence should be eliminated from the civilized world. Come on, OpenSSH is free and allows for unrestricted use.

    All of the recent DDoS attacks have been from captured boxen. Eliminate capturable boxen and you eliminate the DDoS attacks.

    Perhaps we should band together, set up every machine we know of to drop packets headed for port 23. Some slashdotters must have access to big ole backbone routers. We don't let people send flammable material through the mail, why should we allow root passwords to travel as clear text?

    --
    --"In dreams begin responsibilities" - Delmore Schwartz
  24. Re:Find the people who are doing this... by AviN · · Score: 1

    I really do hope you're not serious.

    What makes you think their sole existence is to make people's lives a living hell?

    For one thing, a spammer's goal is to make money, not to make people's life a living hell (that's a side effect).

    And, the sole existence of both spammers and DoS attackers are rarely to annoy people. That's an exaggeration. The only way *you* know them as, are as spammers and DoS attackers.

    I don't like spammers and (unjustified) DoS attackers either, but I don't think they deserve any worse than to pay for the damage they cause (or put them in prison for a short period of time if they can't pay).

  25. Re:Security Rulesets -- a wee hyperbole by AviN · · Score: 1

    iptables

  26. Re:EFNet by wik · · Score: 1
    A quick search of /. stories with the keyword EFnet shows:

    A very similar article about EFNet in September

    Another article on the death of EFNet.

    There are still some decent smaller networks out there which are mostly free of these problems. Unfortunately, it only takes one bad user to make a lot of people (clients, IRCops) mad. A network that I run a server on just had a major split. However, after that, we got back a few servers with friendly admins who were upset by the previous network.

    For some reason, whenever you get a bunch of people with H*'s next to their names on an IRC network, tensions are greatly amplified. I think that some of the newer IRC services daemons are helping to ease the administrative load on individual admins by giving some power to the clients and delegating a few dedicated and trustworthy non-IRCops to help run the services/support systems. For at least two networks (unnamed, but if you really want to know, that's what email is for), this system has worked very well.

    --
    / \
    \ / ASCII ribbon campaign for peace
    x
    / \
  27. Re:What's wrong with this reaction? by GeorgeS · · Score: 1

    Ya know...maybe this kid does have a legitimate gripe with Undernet...he is going about it the wrong way but, anyone who has ever had to deal with a Undernet IRCop can tell you all about how they act like GODS on their net...same with Cservice...perhaps if they acted more like normal people and actually listened and helped out people once in awhile things like this wouldn't happen. I'd almost dare say that SOME Undernet opers and Ccervix Admins deserve this treatment for their abuse of the users on Undernet....I'll tell ya this too...if I ever find that root kit I'm not gonna be so quick to be humbled by some lame ass Cservice admin that only got his position cause he kissed all the right asses at cservice. It's called karma baby and Undernet opers and admins have A LOT of bad karma built up and now it's time to pay their bills.....can't wait to take over #ZT on a split...without Uworld they are helpless little opers with ZERO power to do anything really...they have come to depend on Uworld and the Cservice bots waaayyy too much.

    --
    "I'd rather have a bottle in front of me than have to have a frontal lobotomy."
  28. Re:Find the people who are doing this... by Lx · · Score: 1

    women generally have better things to do. if there were a female involved here, that'd be one hell of a pathetic example of the species. Women aren't known for trying to prove how big their dick is.

    -lx

  29. Re:A case for Internet Licenses. by Sangui5 · · Score: 1

    and any moron can have his shitty unsecured Linux box hosted at a lousy datacenter with a fat pipe to the Internet

    Absolutely not true. The people who run the datacenters do not appreciate it when boxen hosted on them get attacked and then used to attack others. The local network admin has made it abundantly clear that if there is *any* problem originating from boxen I administer, they are all going to be yanked at the switch (as such I run tight boxes). I get weekly emails reporting other people who got hit, reminding me that Linux is not his problem, and am I sure I don't want to switch to Solaris?

    Now, Dave is a bit nasty about it, but he has every right to be. If I fuck up and my boxes get cracked, I make a big headache for him. And if I do fuck up, he is going to give me an impossible time about reconnecting the machines. So would any other self-respecting network admin. Sure, any fool can run an insecure box, but only until they get caught (either by kiddies or an aggressive admin trying to weed out trouble before it starts).

    Eventually I wouldn't be surprised if similar policies crept up with DSL providers

  30. Re: Ask Slashdot: Undernet In Serious Trouble. . . by Sangui5 · · Score: 1

    I wholeheartedly approve of yanking the connection of problem machines. Especially if they are a problem because they were insecure

    You really can't blame a person for being attacked, but if the reason they are causing trouble is that they've been rooted, go ahead and pull them. It should be a given that if you don't want your ethernet cable pulled, you don't get cracked. I'd give the person who admins the fallen machine a really hard time about letting them go back on. Remind them in a not so gentle manner that their box needs to be secure, or else network cables have a way of becoming insecure and falling out...

  31. Re:Do we resort to revenge? by ShinGouki · · Score: 1

    instead of wasting more bandwidth, why don't we just track the kid down physically and remove his net access the good ole fashioned way.

    in short, let's find him and break his damn fingers.

    -dk

    --
    -dk
    Dream with the feathers of angels stuffed beneath your head.
  32. Re:What's wrong with this reaction? by ShinGouki · · Score: 1

    if his cause was noble (this is assuming he even has a cause), WHY would he pick such an ignoble method for getting his (as yet nonexistent) message across? you don't communicate anything with [D]DoS attacks, you simply shut stuff down.

    -dk

    --
    -dk
    Dream with the feathers of angels stuffed beneath your head.
  33. Re:Old school hacking by Cheeze · · Score: 1

    or you can:

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

    and i'll do the same, 'cept no recompiling, and no rebooting.

    --
    Why read the article when I can just make up a snap judgement?
  34. dang, why not just attack back? by Grifter · · Score: 1

    Just look up what computers are DDoSing and start attacking back. Hack them back, or hack routers that are like 1 or 2 hops from them, and have them deny forwarding data. That will stop them real quick. I swear someone should do it, I couldn't do it all by myself.

  35. IRCOPS maybe to blame? by Lord+Kano · · Score: 1

    I have joined IRC channels and said as much as "Hey all. What's up?" and been kicked. My clients always auto reconnect, then I get kickbanned for a channel greeting that didn't fit some asshole OP's definition of what is appropriate for his channel.

    If I had the time and the bandwidth I'd love to take down a few of their servers in order to steal OPS.

    I'm not defending the script kiddie who is doing this, but find out his motive if you want to avoid it in the future.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    1. Re:IRCOPS maybe to blame? by darkrot · · Score: 1

      You have a poor definition of irc ops.

      IRC operators run a server. In general, they don't deal with your channel.

      What you speak of is channel operators. Now, if you want to take down servers to gain ops in a channel, that's a great sign you need something better to do with your life. On a network like undernet/dalnet, where most channels are freely registered with some sort of services, taking down a server won't even get you a channel.

    2. Re:IRCOPS maybe to blame? by Thackeri · · Score: 1
      Whilst I agree with the idea of finding out the motives of a criminal it doesn't make what they do any less of a crime.

      Sinking to their level makes you one of them, nothing more, nothing less. If you feel that way and choose not to act in an irresponsible manner then good for you!

      I think this is one situation where the good of the many should be put before the good of the few - if it means removing IRC servers until the protocol is updated to make it less abuseable then so be it!

      --
      Better the pride that resides in a Citizen of the world, than the pride that divides when a colourful rag is unfurled
    3. Re:IRCOPS maybe to blame? by wsm2506 · · Score: 1

      Not IRCOPS, but channel ops. I agree with you totally, except I would not stoop to a DDoS to pay them back, nor do I want to be channel op. I just think we need responsible channel ops, and not some over hyped, prepubescent demi-god. Read the article on "WIRED NEWS." Would not surprise me at all if the DDoS wasn't started because some arrogant channel op kickbanned someone.

  36. Re:Could a Reciprocal DDOS work? by generic · · Score: 1

    The problem is the attacking IP addresses are probably spoofed. The only way to get to the target host is to trace the packets back through each router until you're 1 hop away from the attacking host.

    --
    Microsoft aggravates my tourettes syndrome.
  37. Telnet access is mandatory by mcc · · Score: 1
    *COUGH* *COUGH* *COUGH*

    Well, a big part of the problem is that the government has made it so difficult, through "export regulations", to distribute ANY heavy-encryption software that ssh is simply not there in almost any real installed user base.

    If the government would stop trying to hold back and start trying to encourage encryption among its citizens, and allow the world toward a natural state of widescale encryption regardless of nature of networked data, we would see a great deal less of this kind of problem.

    But no, the government is more interested in upholding its "munitions regulations" than it is in protecting the security and well-being of its own citizens, which is, y'know, technically the government's job.

    The benefit to telnet is that you can wind up at some shitty windows PC anywhere in the world, hit "telnet:" into netscape's Location box, and access your acct.

    Thus ISPs have no choice but to allow telnet, as otherwise they will frequently be denying services to their own customers. Stranded at a gas station in pensacola and need to get on irc to talk to someone? Sorry. Even the possibility-- and it is more than possible, it is very likely-- that someone is going to urgently need that telnet access at some point is generally enough to offset the allowing of ssh.

    Until CONSUMER INSTALLS of windows containing ssh BY DEFAULT become ubiquitous, isps will not drop their telnet access. Period. As of now, a few linux distributions still exist that don't contain ssh by default!

    Note: Mac OS X looks like it will have ssh bundled by default.. the public beta does, anyway...

    Anyway, i'm perplexed. I've never ever had an ISP that let you have a shell account. Why the hell was i so unlucky? ^_^

    1. Re:Telnet access is mandatory by lomion · · Score: 1

      this is not 100% true anymore, there are ways to export encryption. Plus ssh itself is not a us product. Also there is openssh which is 100% free. As for clients, you have many clients windows, mac and unix that can work. There is no reason to run ssh internal other than laziness. For clients telnet is sometimes required but you compensate for that,

      --
      this space for rent
    2. Re:Telnet access is mandatory by /dev/kev · · Score: 2

      Check out MindTerm. It's a free (GPL) pure Java implementation of an ssh client. Works wonderfully as an applet under the common browsers. So the best way to be sure you can always access your account is to install this on your webserver, then all you need is a web browser with a Java runtime. This even allows you access from things like knee-capped kiosks, where all you get is a browser.

      --
      Quidquid latine dictum sit, altum viditur.
  38. Re:Important: please read!!! by anomaly · · Score: 1

    > It also shows me that your points are biased and thus invalid.
    And you suggest that as an atheist, you are unbiased? That is preposterous. We all have some sort of bias. Apparently you are biased against the idea of a creator God.

    > "christianity" meme is MUCH more harmful to children than sex could ever be.
    Based on what evidence? It's true that much evil has been done in the name of Christianity, but that doesn't make Christianity untrue.

    > You're just the basic gay-bashing bible-thumping type, so...
    It makes it easier for you to categorize me in a box of hate, doesn't it? That way you can marginalize me - give me no thought whatsoever.

    If I hated anyone rejecting God, I mean REALLY hated them, why would I quote scripture to them?

    According to the Bible, people who reject God spend an eternity apart from Him. He gives them what they demand!

    As a result, they spend an eternity devoid of peace, comfort, and love - exactly what they demanded.

    So, if I really hated ANYONE, the LAST thing I would do is tell them that God loves them. If I was motivated out of hate, I'd want them to be separated from God.

    It's out of love for people that I tell them what God's word says.

    He does love you, and wants relationship with you.

    Why are you so angry about that?

    --
    But Herr Heisenberg, how does the electron know when I'm looking?
  39. Re:Important: please read!!! by anomaly · · Score: 1
    The reason that your 'minority group' is persecuted is that the behavior that you desire is not only distasteful, but also repulsive to most people in our society because it is destructive.

    Your assertion that sexual relations are not damaging to children is simply denial.
    The APA says "No responsible mental health organization, including the American Psychological Association, endorses pedophilia or denies its negative effects on children. Any statement that suggests otherwise is a serious distortion of the truth. The American Psychiatric Association writes: 'An adult who engages in sexual activity with a child is performing a criminal and immoral act which never can be considered normal or socially acceptable behavior.' "

    Children are not simply little adults. They are cognitively and developmentally different from adults. Sexual activity involves us in the most profound physical, intellectual, and emotional risk possible. There is little in human life which is more tender and delicate than our sexual identity, performance, and pleasure.

    To expose children to that while they are yet incapable of understanding the implications is phenomenally damaging to them. Anyone who says otherwise is indescribably wrong.

    I have read about, and in fact know, a large number of people who were sexually involved as children. The stories they tell about the damage inflicted on them by selfish adults who used them for sexual pleasure is a demonstration of the worst kind of evil. These adults struggle with worth and identity decades later. Their lives are colored by shame, inadequacy, rage, fear, and confusion.

    They are trapped in a bondage of powerlessness, betrayal, and ambivalence.

    You say that you do not involve yourself with actual children. That is a good thing. However, I submit to you that you are unlikely to be able to continue in this way. Things that we entertain in our brains become actions. These activities which you fantasize about will eventually fail to bring you the pleasure that you are currently experiencing. You know that this is true, because even today it takes far more to arouse you than it did even a year ago. This is the nature of sexual perversion.

    We take no action without previously having thoughts about it. Your fantasies will eventually become actions of one sort or another.

    Lust is always demanding, and never satisfied.

    You assert that you did not choose your sexual orientation. I will not challenge that. I don't think that science has advanced sufficiently to determine the root cause of our sexual desires. Regardless, sexual relations with someone who is not your spouse is not acceptable. Sexual activity with children is loathsome and damaging to you and to children. A good reference on the damage caused to these children is called "The Wounded Heart" and can be found here:

    Romans 1:18-24 says:
    The wrath of God is being revealed from heaven against all the godlessness and wickedness of men who suppress the truth by their wickedness, since what may be known about God is plain to them, because God has made it plain to them. For since the creation of the world God's invisible qualities--his eternal power and divine nature--have been clearly seen, being understood from what has been made, so that men are without excuse. "For although they knew God, they neither glorified him as God nor gave thanks to him, but their thinking became futile and their foolish hearts were darkened. Although they claimed to be wise, they became fools and exchanged the glory of the immortal God for images made to look like mortal man and birds and animals and reptiles. Therefore God gave them over in the sinful desires of their hearts to sexual impurity for the degrading of their bodies with one another."

    I strongly urge you to get the help that you need before it is too late.

    God loves you and wants relationship with you.

    If you would like to know how you can avoid God's wrath, please contact me at tom_cooper at bigfoot dot com

    --
    But Herr Heisenberg, how does the electron know when I'm looking?
  40. FILTERING IS THE SOLUTION by Medievalist · · Score: 1

    As covered by numerous earlier stories, DOS and DDOS attacks can be eradicated by the following simple prescription (espoused by the IETF, BTW).

    FILTER YOUR FEEDS. EVERYONE HAS TO DO IT. And that means forcibly disconnecting all the sloppy little ISPs that haven't implemented egress filters - just like we forcibly disconnect every ISP who poisons the global DNS, or steals address space from IANA-registered owners. The net is based on co-operation, and those who subvert the protocols are not co-operating!

    Don't allow machines in any net to export address-spoofed packets into the global Internet, and then DOS can be traced easily to the source with simple freeware tools.

    --Charlie
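
The egress check described in the comment above, as an added example that is not part of the original post: a border filter forwards an outbound packet only if its source address falls inside the prefixes assigned to that network (the practice the IETF documents in RFC 2827 / BCP 38), and the drop counts per customer port show where forged traffic originates. The prefixes, port names and packet records are constructed assumptions using documentation address ranges.

```python
"""Egress source-address validation at a network border (added example)."""
import ipaddress
from collections import Counter

# Assumption: address space assigned to this hypothetical ISP.
ASSIGNED_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed sample of outbound packets seen at the border:
# (customer_port, source_ip, destination_ip)
OUTBOUND_SAMPLE = [
    ("cust-a", "192.0.2.17", "203.0.113.5"),
    ("cust-a", "192.0.2.17", "203.0.113.5"),
    ("cust-b", "198.51.100.40", "203.0.113.5"),
    ("cust-b", "10.1.2.3", "203.0.113.5"),        # private source leaking out
    ("cust-c", "203.0.113.99", "203.0.113.5"),    # forged: not our address space
    ("cust-c", "198.51.100.200", "203.0.113.5"),  # outside the /25 we hold
    ("cust-c", "not-an-ip", "203.0.113.5"),       # malformed record
]


def source_is_legitimate(src, prefixes=ASSIGNED_PREFIXES):
    """True only if src parses as an IP address inside an assigned prefix."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # fail closed on anything unparseable
    return any(addr in net for net in prefixes if net.version == addr.version)


def apply_egress_filter(packets, prefixes=ASSIGNED_PREFIXES):
    """Split packets into (forwarded, dropped) by source-address validity."""
    forwarded, dropped = [], []
    for pkt in packets:
        target = forwarded if source_is_legitimate(pkt[1], prefixes) else dropped
        target.append(pkt)
    return forwarded, dropped


def drops_by_port(dropped):
    """Count dropped packets per customer port to locate the spoofing host."""
    return Counter(port for port, _src, _dst in dropped)


if __name__ == "__main__":
    fwd, drp = apply_egress_filter(OUTBOUND_SAMPLE)
    print("forwarded:", len(fwd), "dropped:", len(drp))
    for port, count in drops_by_port(drp).most_common():
        print(port, count)
```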

  41. Re:This is why I left efnet in the firstplace. by thefallen · · Score: 1
    Obviously, with 'knows how to use computers' I mean 'knows enough to be able to use script kiddie toys'. Your little sister (6), just like my little brother (10), can't, even though they can boot up games and in case of my little brother, install them (and scream for help if a quick link to desktop doesn't appear... sheesh).

    When I was 12 I coded demos in qbasic. But I'm talking today.

    --
    - Kaatunut
  42. Re:IRC is in trouble. by BilldaCat · · Score: 1
    Shut up.

    Really. I'm tired of this stereotypical slashdot whine.

    Blah, this sucks, let's do it ourselves, the only alternatives are by corporations and ALL CORPORATIONS ARE EVIL.

    God, I hate this place sometimes.

    :( Grow up.
    --
    BilldaCat
  43. Re:Try securing your boxen first by NoseyNick · · Score: 1
    Hrm. Bad analogy.

    More like if you decided to drive an unsafe car on the road. And no, you don't have that right

    Another bad analogy.

    You need to pass a test to drive a car.

    ... though I've often said people ought to pass exams before being allowed to use the internet too.

    --
    Nick Waterman, Sr Tech Director, #include <stddisclaimer>
  44. Re:come on now, seriously by teiz · · Score: 1

    It's clearly not just the IRC service that's suffering from these attacks. The companies that host the servers are probably losing a lot of money over this and IMO this makes it serious enough to send in the FBI. And if the FBI are serious about computer crime they really SHOULD look into this.

  45. Re:try a better chat protocol by Saint+Nobody · · Score: 1

    even if the chat itself has a peer-to-peer architecture, you would have to get some info from a server somewhere. You can't talk to someone if you don't know how to contact them. So you would have to ask the server:

    • What conversations can i join? (analogous to getting a listing of channels in irc.)
    • Who's in this conversation? You would need to know where to send the packets to talk to somebody.
    • You'd have to get yourself listed/unlisted as being in a conversation

    Just look at gnutella. You have to get a list of servers to talk to from somewhere, and with that, you aren't even dealing with separate conversations.

    of course, this setup has many advantages and disadvantages over irc.

    advantages:

    • The server doesn't need to hear your conversation (more privacy, yay!)
    • If the server goes down you can continue a conversation already in progress.

    disadvantages:

    • Well, given the nature of the requests, it sounds like a job for udp instead of tcp. But, udp is simple to spoof, so choosing a transport protocol is a big issue.
    • limited bandwidth clients - let's pick a situation such as a celebrity interview over this protocol, where one person at a time can ask a question. If there are enough people listening to the conversation, sending that many packets over a low-bandwidth line could be painful. (yeah, yeah, multicast, but that can be a pain in the ass for routers, especially if the protocol spreads widely enough)
    • back to the spoofing issue:
      • what if you unjoin everybody in a conversation? nobody else could join it.
      • what if you join a whole lot of bogus ip's? it's a ddos.
      • how about waiting for a conversation to die (i.e. everybody unjoins/empty channel) and then create a new one and drop all the chat packets that come to you? depending on the protocol, this could be harmless, or it could render a conversation permanently dead.[1]
    • imagine this scenario: two people get in an argument, one DOS's the other to shut him up.

    i've thought of a few different quick variations of such a protocol while writing this, and none is anywhere near as secure as irc. as crappy as it can be to have a big ol' server that handles the conversation, at least you have a trusted server.

    [1] If the server trusts that a person is joining when they tell the server, then they can easily create a dos/ddos. If the server requires confirmation from others in the conversation, then you can blackhole a conversation as mentioned above. it's messy.

    --
    #define F(x) int main(){printf(#x,10,#x);}
    F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
  46. Re:try a better chat protocol by Saint+Nobody · · Score: 1

    all that and i didn't even think of what a headache NAT could be until after i submitted the comment. oh well, that's life i guess.

    --
    #define F(x) int main(){printf(#x,10,#x);}
    F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
  47. Re:This is why I left efnet in the firstplace. by Ralph+Wiggam · · Score: 1

    I think there's a big chunk missing from the psych analysis of IRC script kiddies. The points you hit are pretty true for most of the individuals involved, but things get much worse when you get groups of people together. During the school day, these people are not in the "cool group", they don't get to sit at the good table at lunch and don't get to sit in the back seat of the school bus. They want to, but they can't. After school, they get on IRC and they'll do damn near anything to get the other 5/10/100 people on the channel to think they're cool. Then the second guy has to one up the first guy so everyone will think he's cooler. It's a nasty mob mentality and nobody even notices when things are going too far.

    -B

    BTW: I want to publicly apologize for all the mean things I did to efnet #startrek in 94 and 95.

  48. DAL-NET by matth · · Score: 1

    Go DALNet! :)

  49. Re:Romania, are you sure? by figment · · Score: 1
    >A firewall would help, some, but not solve the
    >problem (FreeBSD ipfw cost $30 486 w/8-16mb ram
    >and 500 mb harddrive,).
    No. First of all your crap based tulip card or even the 486 is even going to be remotely close to handling the amount of data going through.

    And that's assuming it's ethernet; i'll bet my lunch it's fddi, which throws the entire cost estimate out the window because now you need fddi cards. Not to mention the 486 would drop packets left and right.

    Your 486 may be doing your masquerading for your home network friggen well, but it's not going to work at mae-east (or whatever).

    while a (useable, decent) firewall won't hurt, bgp filtering is probably the way to go.

  50. Re:Talk to someone at MIT by figment · · Score: 1
    > In some places in there, they have bandwidth
    >that makes OC48 look like a dialup modem.

    No. Try again. Much of MIT's campus network is old repeated 10mbit (repeated/hubbed btw, not even switched - collisions galore). Having class B subnets doesn't help traffic much either.

    They do not have an oc-48. They don't have a terribly lot of bandwidth, hell even their vBNS link is smaller than most. Furthermore their network is largely unregulated so most of the bandwidth is mostly taken up by the fservs and such.

    These "network hubs" in academia you talk about do have a bit of bandwidth, but most of that is through abilene/vbns/i2/etc where it's inter-school (and with some gov labs) and certainly not to europe. And it's certainly not an oc-48. Commodity internet is expensive.

    And the idea of any school having an oc-48 of commodity bandwidth is preposterous, uunet's backbone is largely oc-48 (and only between hubs, everything else is lower) the idea of mit (or anything in academia) having this kind of link is just stupid.

  51. Re:godammit. by figment · · Score: 1
    hi. who said he couldn't have 'telnetted' in as a normal user, then buffer overflowed to get root?

    Though i'm pretty sure this was the one where he got in from a suid httpd (which actually is probably equally as retarded now, but...) no he did not telnet and login as root like the past 20 people are complaining about.

  52. ok, this is offtopic.... by nyquil · · Score: 1

    why do people mistype the word 'think' when they really mean 'thing'? i see it ALL the time here, and am curious why, i mean it's not even on the same side of the keyboard....

    1. Re:ok, this is offtopic.... by nyquil · · Score: 1

      alright, good point. next question: how many people who take the trouble to learn dvorak post anonymously on slashdot? (i still have tape/marker residue on my keys from when i decided to learn dvorak about 3 years ago. i gave up cuz i suck.)

    2. Re:ok, this is offtopic.... by _ganja_ · · Score: 1

      Weird, I always tend to do this the other way around or I thing I do anyway.

      --

      A journey of a thousand miles starts with a brutal anal raping at airport security

    3. Re:ok, this is offtopic.... by atrowe · · Score: 1

      Not if you're using a dvorak keyboard.

      --

      -atrowe: Card-carrying Mensa member. I have no toleranse for stupidity.

  53. Re:This is why I left efnet in the firstplace by noims · · Score: 1

    This reminds me of something I read some time back:

    The Toddler Laws Of Property

    If I like it, it's mine.

    If it's in my hand, it's mine.

    If I can take it from you, it's mine.

    If I had it a little while ago, it's mine.

    If it's mine, it must never appear to be yours in any way.

    If I'm doing or building something, all the pieces are mine.

    If it looks just like mine, it's mine.

    If I think it's mine, it's mine.

    If I . . .Oops! I'm sorry, I goofed! Instead of typing in the Toddler Property Laws, I've been typing in Bill Gates' primary Business Plan.

    --------

    Offtopic, but hey... this is /.

    Noims.

    --
    This is not the greatest sig in the world. This is just a tribute.
  54. hi guys. by krog · · Score: 1
    hi guys. you. the ones who are doing this and reading this page, and giggling.

    FUCK YOU.

    you've had your moment in the sun; now let's have our servers back, ok?

    1. Re:hi guys. by ZachB · · Score: 1

      Like any of those guys are smart enough to read Slashdot!

    2. Re:hi guys. by non-plus · · Score: 1

      What a nice sentiment. Well reasoned and insightful. I like it.

      To err is human, to really mess things up you need a computer. And we here at M$ make it easier than ever.

  55. Re:Decentralize by RovingSlug · · Score: 1

    But the point being that in the current IRC topology there are specific, designated servers. By decentralized in the sense of GNUtella, every client acts as a relay server. So, there are no specific servers, there's no pressure point to apply a DDoS. To get on the chat network, then, you need to know the addy of any other client on the chat network. Granted, I'm no network, GNUtella, nor IRC guru, so feel free to correct any of those assertions.

  56. Re:Decentralize by RovingSlug · · Score: 1

    Very good. Thank you for the clarification, elaboration, and caveats.

  57. Decentralize by RovingSlug · · Score: 1

    A possible fix: decentralize IRC in the sense of GNUtella. If there aren't any primary servers and what "toplevel" servers there are aren't static, DDoS brings down at most a small portion of the service. It's time to evolve.

    1. Re:Decentralize by NtG · · Score: 1

      IRC server connectivity is decentralized by design. Any server can connect to any other server in the network which recognises it. In fact, routing changes are often made in IRC networks by delinking servers and connecting them to other servers to increase efficiency.
      Some IRC networks have employed a network topology, a structure in which certain servers of certain specifications & locations connect to each other to create the most efficient path across the network. This introduces a centralization but you must remember that IRC networks like this mimic the actual network on which they run, the internet. On the Internet, the backbones branch off to smaller networks, like the networks of servers. There would be no advantage to each server having a connection to each other, as they would still have to take a certain path through the Internet to communicate.

    2. Re:Decentralize by NtG · · Score: 1

      The GNUtella architecture is good for its design (with minor scalability issues of course), however because on IRC each user is nominating discussion channels which they want to participate in, every conversation from every client would have to be broadcast to every client. There would be a lot of traffic flying around. The topology used by Undernet is good because it designates certain servers on fast links as hubs. The hubs are identified as less likely to be attacked and all joined together. Hanging off the hubs are the individual servers, meaning if someone takes one out, the chain is not broken for the rest of the network which functions normally. If a hub goes down there is a problem but because this is less likely, the system is more effective.

  58. Re:To all that believe the ISP's are at fault by labradore · · Score: 1

    Your argument involving the murderous youth is invalid.

    You state that some people claim that it is an ISP's fault if someone uses the ISP's weakness to attack another node. From the social perspective an ISP is a single node on the network.

    You equate the ISP with society in general in the case of the murderous youth. The society allows the youth to become murderous. A more proper comparison to that situation would be that the network infrastructure as a whole allows for a single node to become malicious. This is true and it is acceptable. To reiterate: the ISP is not the entire network it is a node; The ISP cannot be compared to an entire society but only to a member of society that has not monitored his resources and has allowed them to be used by another member with malicious intent. Therefore the ISP may be like the owner of a weapon that has left it lying in his open garage for a thief to steal and use to mug an old lady.

    It is true that the culture of a society is the sum of the attitudes and actions of all of its members just as a network is the sum of all the modes and instances of connection (including malicious) of the nodes on it.

    Societies create governments to police themselves and relinquish some rights of the members to their government. The society that is the internet (yes the internet is its own society!) is not yet mature. To mature it must form a government that is responsive to and responsible for the internet. It is not necessary that this government be separate from the entities of existing governments but I suspect that it ought to be if it is to be effective and relatively free from corruption by the non-internet societies. The internet should be policed by its own government which its members choose to form and which is probably relatively autonomous from existing "non-virtual" societies.

    What do you think?

  59. Re:Bullsh*t, what about responsibility? by Alex+Pennace · · Score: 1

    If someone walks into this open house, takes the gun you have in there and then kills someone with it, you are responsible for letting them obtain the gun.

    Firearm ownership is legal (at least in the United States, per Second Amendment). Taking things that do not belong to you isn't legal.

    Likewise when someone abuses a site you've left unchecked, the site owner is responsible. You can bet your ass that if this was being directed at a business instead of at Undernet, that they would be suing the pants off everyone whose systems got rooted, for negligence, aiding and abetting, you name it.

    Why not include the little old lady down the street? Sounds like you don't want to put in the effort to find who is really responsible, and choose to settle with fault by proxy.

    You have the right to do whatever you want with your system, but if something bad happens with them, they are ultimately your responsibility.

    So the victim of the original crime can expect to have the judicial system turned on them? Was the rape victim asking for it?

  60. Re:I KNOW WHO HE IS AND HIS INFORMATION by Alex+Pennace · · Score: 1

    THE ROMANIAN HACKER IS SYSOP aka METAL: Valcu Ghita Gheorghe aka Sysop -- 19 years old Str Brandusei nr2 sc.b ap.14 et. 3 Timisoara. cod 1900 Romania Phone: 4093462828 cellular: 4093738043 This is the HACKER CAUSING all the problems on Undernet.

    Confirmed. From wallops earlier Thursday (timestamps are EST):

    [15:20:53] -Run/Wallops- <-- Knows someone who is going to pay $2000 out of his own pocket for every day he has been attacking servers :)). Its the little things that make life worthwhile don't you think? :)

    [15:21:34] -mregit/Wallops- I hope he is going to be paying all the users who lost ops.

    [15:27:36] -Run/Wallops- No no no - people, calm down... They don't have him YET. Well, perhaps sysop- (thats his nick) wants to tell you himself what he thinks. Sysop-: msg me, then you'll get ONE free wallops :).

    This Sysop- guy is a regular on #madness, which was involved in at least two takeover attempts of #978. Happy days.

  61. Re:Old school hacking by Alex+Pennace · · Score: 1

    Comment out the code between the first set of curly braces, recompile your kernel, and your machine won't answer pings anymore ;-p

    Then your host will no longer be compliant with Internet standards, and you have not solved any DoS problem. What's the point?

  62. Re:Old school hacking by Alex+Pennace · · Score: 1

    disable the standard ping reply, and add a daemon in /etc/inetd that does the same, but with flood control. like don't answer more than 5 pings per sec

    Conventional inetd only works on UDP and TCP sockets, not the raw sockets necessary for its own ICMP support. Besides those rejected inbound pings still take up bandwidth, so you have not thwarted any DoS attack.

  63. Re:TUH by Jenova · · Score: 1

    Isn't DALnet unstable as it is already?

  64. Re:You guys are assholes! by jellicle · · Score: 1

    Yeah, those script kiddies would never have found

    www.undernet.org

    That's a tough one, real inconspicuous.

    It embarrasses me that someone moderated your post up. It isn't even funny.

  65. Re:Try securing your boxen first by Ozric · · Score: 1

    It's like Frankenstein, are you responsible for your creations? Some would say yes. Or how about kids under 18. Systems you own are like kids or monsters. You brought them into being and you must take some blame for what they do. Computers will never grow up and only do what you have told them, if you let them be unsecure and damage is caused because of it, you must share the blame. Think of it like a trade secret you must take reasonable steps to insure that your systems are not harming others just by being connected to the net. It's like letting an unlicensed operator drive your car, unless they stole the car it is your fault and you will get a fine.

  66. Re:Try securing your boxen first by Ozric · · Score: 1

    Your rights end where mine begin. If someone roots your box and attacks me. I will hold you as a party in the attack. I hope you enjoy having your computer impounded as evidence(sp). IANAL

    Out

  67. Re:Try securing your boxen first by Henry+Stern · · Score: 1

    Nope. I don't agree. If I want to run an insecure, crappy box, that's my right. Just like if I have a house, and want to leave the door swinging in the wind wide open, it's my prerogative.

    I'm not sure about the region in which you live, but here in Nova Scotia, Canada, you (your insurance) are liable if someone steals your car and destroys something. Consequently, insurance companies recommend that you disable all uninsured vehicles just in case. Being a computer scientist and not a lawyer, I have no clue whether you/your insurance would or should be liable if someone uses your hardware to destroy something but the two do sound awfully similar.

  68. Re:Not funny. Not one bit. by Large+Green+Mallard · · Score: 1

    Undernet will not remain without channel services for very long. This is not an official statement, but I am one of the co-ordinators of the group which runs X and W on undernet, and we do have a contingency plan which we are currently ramping up for activation. Do not despair, there is a light at the end of the tunnel, and it isn't the lamp of a fast approaching train :)

  69. Re:Choking? by bertboerland · · Score: 1

    > Of course, CISCO will charge an arm and a leg for that "feature"...

    in fact CAR has been around for some time and can help you here. Note however that if one weird protocol wants to talk on ICMP you will filter (or at least dampen) this protocol. The same holds true for UDP and others. Also note that against a smurf attack you can't easily protect yourself.

    see cisco's car: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_c/qcpart4/qcpolts.htm

    --
    -- for undocumented cisco commands, take a peek @ dotu
  70. Re:script-kiddy culture is to blame by dr_strang · · Score: 1

    Speaking of irony:

    Face it. IRC is the universal home of Those Who Have No Hope Of Ever Having Sex.

    and then:

    I'm just upset because my home channel, which has existed in one form or another since the previous Bush administration, has been moving around from network to network lately trying to find one that doesn't get shut down constantly by angry users, or worse yet, angry ircops who are scriptkiddies themselves.

    Now that's funny.

    Seriously, don't characterize IRC users so broadly, it's plain dumb. I use IRC less than regularly, but when I do, as an oper, I talk to many people I've become friends with. We talk about bands, administration stuff, all kinds of things. Simply because I'm not in a bar somewhere spending $3.00 for a beer to shout incoherently over the din, doesn't mean I'm some un-laid, pimply kid with a load of narsty scripts.

    dr_strang (well past voting age, thank you very much)
    fdfnet

    --
    This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
  71. Re:What's wrong with this reaction? by itachi · · Score: 1

    If there is a message behind it, wouldn't it make more sense to spam the message, deface webservers with the message, etc? DDoSes are about nobody getting any messages through... If there is a message behind this, this isn't the way to spread the word.

    itachi

  72. Re:EFNet by itachi · · Score: 1

    Yeah, but wouldn't it be nice? Don't you think we should try? I mean, netblocks don't just pop into existence on their own. RIPE, ARIN, etc. could certainly agree to enforce a policy along those lines without too much trouble.

    itachi

  73. Re:Try securing your boxen first by itachi · · Score: 1

    Mmmm, revise that thought a bit. A best effort sort of thing would be reasonable - if J. Random Sysadmin ignores 2 years worth of patches and becomes the host to a DoS, J. Random Sysadmin is partially responsible. If J. Random Sysadmin follows up on patches and closes known vulnerabilities, etc, and practices a reasonable amount of care, then chances are the boxes s/he admins will be too protected for kiddies to deal with... There's a legal term for this idea, iirc, although I don't recall what it was.

    itachi

  74. Re:A case for Internet Licenses. by itachi · · Score: 1

    A simpler solution is based on the ownership of netblocks. If ownership of netblocks was tied to good behavior, ISPs would have an incentive to make sure that they were not hosting bad behavior, and egress filtering would become much more widespread. Where egress filtering is in place, spoofing does not happen (ie - packets must be addressed with a valid address or they are blocked outbound from the ISP), and so you know what admin to call. As long as you can track the packets back to an ISP, you can track back to the machine responsible. If the ISP doesn't like getting pages at 3am about kiddie behavior, they'll mention attacks in the AUP, and kiddies will lose their accounts. There's no need to do anything further than encourage egress filters and make sure that people are aware of AUPs.

    itachi

  75. Re:EFNet by itachi · · Score: 1

    egress filtering. Sure, you can get hit from 30 or 40 netblocks, but you know that the netblocks are valid if egress filtering is in place at every AS border.

    itachi
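
The egress filtering itachi describes in the two comments above, as an added example that is not part of the thread: a border rule forwards an outbound packet only when its source address lies in the ISP's own netblocks. The ISP names, prefixes (RFC 5737 documentation ranges) and packets are constructed for illustration.

```python
"""Added example: egress (source-address) filtering at an ISP border."""
import ipaddress
from collections import Counter

# Constructed netblocks standing in for the prefixes registered to two
# hypothetical ISPs (RFC 5737 documentation ranges, not real allocations).
ISP_A_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
ISP_B_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
REGISTRY = {"ISP-A": ISP_A_PREFIXES, "ISP-B": ISP_B_PREFIXES}

VICTIM = "203.0.113.10"  # constructed destination address

# Constructed outbound packets (src, dst) leaving ISP-A from one
# compromised customer host.
OUTBOUND_FROM_ISP_A = [
    ("192.0.2.77", VICTIM),    # host's real address
    ("198.51.100.5", VICTIM),  # forged: an address belonging to ISP-B
    ("10.1.2.3", VICTIM),      # forged: private address, owned by nobody
    ("192.0.2.200", VICTIM),   # forged, but still inside ISP-A's block
]


def egress_permits(src, own_prefixes):
    """Border rule: forward only if the source is one of our addresses."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in own_prefixes)


def filter_outbound(packets, own_prefixes):
    """Split outbound packets into (forwarded, dropped) at the border."""
    forwarded, dropped = [], []
    for pkt in packets:
        target = forwarded if egress_permits(pkt[0], own_prefixes) else dropped
        target.append(pkt)
    return forwarded, dropped


def owner_of(src):
    """Map a source address to the netblock holder, or None if unknown."""
    addr = ipaddress.ip_address(src)
    for isp, nets in REGISTRY.items():
        if any(addr in net for net in nets):
            return isp
    return None


def attribute(packets):
    """What the victim can conclude: received packets per netblock holder."""
    return Counter(owner_of(src) for src, _dst in packets)


if __name__ == "__main__":
    print("no egress filter:", dict(attribute(OUTBOUND_FROM_ISP_A)))
    forwarded, dropped = filter_outbound(OUTBOUND_FROM_ISP_A, ISP_A_PREFIXES)
    print("with egress filter:", dict(attribute(forwarded)))
    print("dropped at border:", dropped)
```

The packet forged inside ISP-A's own /24 still leaves the network: the filter makes the netblock trustworthy, not the individual host address, so the trace ends at the ISP's admin rather than at the machine.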

  76. Re:Try securing your boxen first by Gen-GNU · · Score: 1
    Right...and while we're at it, sue the gun manufacturers! They produced the gun, which you left unguarded...

    The responsibility should be placed on the person committing the crime. Frankly, I don't want the government with reins tight enough to tell me how I must lock my house, where I must store Anything Which Could Be Used As A Weapon, etc.

    If a gun, or computer, is taken from me, and used for harm, then the person who took it and used it should be punished.

    Look at it another way...If someone steals your car, then hits someone with it, should you be punished because you didn't have the newest/best alarm system in it? No, the thief should be.

  77. Are you kidding?! by macdaddy · · Score: 1
    These people have no balls. They're too young! I mean come on now, how big were your balls when you were 12? I'm an exception, needing a sling to carry them while my back muscles got stronger, but still...

    --

  78. Re:Bullsh*t, what about responsibility? by ctimes2 · · Score: 1

    Fross, what the hell are you talking about? If you left the keys in your car, and someone stole your car and killed someone with it, is it still partly your fault? Don't think so. - Alex is right on the nose with his reply, I'm going to expand.
    The gun argument is not only bad, it's flamebait. Your bias against guns and your pleas for shared responsibility and fault are misguided and ill informed.
    If someone breaks into a gun store, steals a gun and ammo, and kills someone, do we hold the gun store liable? How about the glass company that installed the front window the killer climbed through? How about the lock manufacturer that made the lock that was supposed to secure the guns in the cabinet? How about the ammo company? Gun company? Gun powder company? Hell, why not hold the mineral company that mined the ore that Smith and Wesson bought to make the gun that the gun store lost in a robbery that was used to kill someone responsible? After all, if it weren't for them, the murder never would have happened! OR... OR... I know! We could hold the murderer responsible for murder.
    Good thinking Fross - Let's not have a whole world full of people who might be held responsible for committing a crime. That would be scary.

    Ctimes2

    --
    My cube. My friend. My solace. My prison.
  79. Re:Do we resort to revenge? by queef · · Score: 1

    Nah, we'd be stooping down to his level. Unfortunately, he's getting what he wanted in the first place with these attacks....attention.

    --
    -- queef
  80. Sad... by ThePixel · · Score: 1

    One simple comment. I find it quite sad that the majority of the posts have absolutely nothing to do with solving the security problem that Undernet is facing. An even worse reflection on the moderation system at slashdot is the fact that the few posts about the issue were not moderated up, and the others down.

    Ahh for some moderation points today.
    .e.
    www.perceive.net

    --
    People see the world as they are, not as it is.
  81. Re:A case for Internet Licenses. by greenrd · · Score: 1
    More realistically, it would probably help a great deal to have contractual security requirements in the standard contracts that upstream providers, in the same way that they currently have anti-spam clauses. If the little guys can't afford to employ people knowledgeable about security - big deal - they should just rent secure boxes or virtual hosts from their upstream provider instead! Sure it will raise initial costs, but it's in the companies' own interests because it makes them less likely to be bankrupted by getting rooted!

  82. Re:Explanation by Isomer · · Score: 1

    This article is from 1997 when the *same guy* did more or less the same. But it's not what's happening this time. No undernet/isp machines have been compromised, just DoS'd into oblivion.

  83. Re:Counterefficient by Isomer · · Score: 1

    Most DoS doesn't occur for 5 days straight - usually the first thing undernet does is ignore it - it'll go away eventually. Undernet's come to the realisation that this one *isn't* going away. They are systematically crippling the network by attacking anything resembling a service. If this goes on for much longer Undernet will be forced to close down. There isn't much you can do at all against a DoS. If you have *any* ideas of what *can* be done Undernet would sure LOVE to know.

  84. Re:You guys are assholes! by Isomer · · Score: 1

    The website is hosted well and truly away from the rest of the network AFAIK. It was also an 'Undernet Admin' that requested the post. Undernet can hold up to a little /. - it's about the equiv of DoS on a good day, but on a bad day things get *Real* bad.

  85. Re:Try securing your boxen first by Isomer · · Score: 1

    I think it's too harsh to make them completely accountable, but a stiff fine would certainly mean that people would at least consider security to be a worthy use of their time. Just like a speeding ticket.

  86. Re:IRC is in trouble anyway by Isomer · · Score: 1

    Very Very True. The Undernet coders are trying to move away from the IRC protocol - but it's hard. The clients all speak that protocol and they all need to be changed. Undernet isn't the only network; there are several others. Undernet don't write the IRC clients either, which would all need to be upgraded. What would happen if we decided that SMTP sucked and we wanted to change to something else?

  87. Re:Contact the meatspace authorities by Isomer · · Score: 1

    Undernet maintain a good relationship with any law enforcement organisation that will listen. Most of them see DoS as being a mosquito bite compared to other crimes they have to handle. Not only that, but tracking it back to the source with dDos tools and spoofing is near impossible. They see it as a lot of time and effort for little return. Maybe enough of these attacks on large places (AOL hosts an undernet server and were DoS'd and they're not happy about it...) will get their attention.

  88. Re:Try securing your boxen first by Isomer · · Score: 1

    Sure, after trying everything I can think of to keep undernet up in the last few days, I'm at the point where I'm ready to scream for the death penalty for DoS'ers. Leaving an unsecured box on a network is like leaving a gun in full view through an open window. If people locked their guns away that would be fine. Leave your computer unsecured if you want - but don't leave it in a position where it can be used to further the attacks. And that basically means don't connect it to any network where other people might be attacked from your box. A million hosts isn't an unachievable goal to crack with automated scripts. 1 million x 14k4 is one hell of a lot of bandwidth.

  89. Re:Bullsh*t, what about responsibility? by Isomer · · Score: 1

    It *IS* hitting businesses. One ISP is effectively 'closed' as they no longer have any bandwidth left after the DoS. The company can't do anything. You can't easily sue someone in another country where that country doesn't have any laws about what's going on.

  90. Re:A case for Internet Licenses. by ftobin · · Score: 1

    There needs to be some system of accountability and a standardized measure of competence in order to be allowed onto the Internet.

    This sort of approach does not work if you take the position that one's computer is merely an extension of one's self onto the Internet, a global community. Just because others can affect parts of your behaviour without your knowing doesn't mean you are incompetent and should not be allowed to exist within the community. You are responsible for what you do, but you shouldn't need to pre-prove yourself.

    Take for instance marketing. Marketing is about getting people to change their behaviour in some manner, with or without their knowledge. However, one wouldn't expect to enforce a sort of competency test for being exposed to marketing.

    An analogy of driving licenses does not really hold, since in a car, each person has a tremendous amount of power to destroy property and life. However, though, with computers on the internet, each single person is not that powerful; it is only collective (distributed) power that is massive (just like with marketing).

    There are solutions to this sort of problem, but your solution is not a good one.

  91. Re:Try securing your boxen first by ftobin · · Score: 1

    More like if you decided to drive an unsafe car on the road. And no, you don't have that right (at least not in North America).

    This is a bad analogy because the degree of harm an unsafe car can do is much greater than that of an unsecured house or computer system.

  92. Re:Try securing your boxen first by ftobin · · Score: 1

    You couldn't be more wrong. Leaving a box with high bandwidth access unprotected is like leaving a loaded gun out when there are kids around. If somebody shoots themself or someone else with that gun, you should be held responsible.

    Leaving a loaded gun about is not like leaving an unsecured machine about because the level of harm the gun can do is immensely greater than that of the machine.

    One box alone does not have that much power to disrupt things. That's why we have distributed denial of service attacks.

  93. Re:Try securing your boxen first by ftobin · · Score: 1

    To a corporate chairman or major investor, a few people dead on the highways due to unsafe vehicles would seem insignificant next to the death of their web site.

    Sounds like a good reason to me to not allow corporations to determine our laws.

  94. Stealth Kernel patch by AnalogBoy · · Score: 1

    Something I've found pretty useful.. The stealth kernel patch.. It's not a panacea, it certainly has its problems... but, it is a nice utility, and can be tweaked on the fly. Slows portscans down quite a bit, and prevents other nifty things from happening.. There are other ways to do this, of course, but.. Judge for yourself.

  95. Re:You guys are assholes! by MustardMan · · Score: 1

    YHBT. (Stands for you have been trolled, in case you didn't know)

    That's not really the /. Michael, just a cheap imposter.

  96. Re:IPv4 has to go! by noweb4u · · Score: 1

    Are you proposing IPv6, which is actually beginning a slow implementation? IIRC that won't help against a DDOS.

    What network protocol do you propose that would protect against Denial of service attacks? I would like to hear one that would actually stop DoS or DDOS. Anyone? Hello?

    JIC someone thinks I am talking out my ass about IPv6, I administer the 3ffe:2900:1100::/48 block on the 6BONE :-) See Here

  97. Maybe... by eric17 · · Score: 1

    it's time for some new UnderWear!

    Sorry. Back to coding.

  98. Re:Try securing your boxen first by Myrrh · · Score: 1

    True. The thing to remember is that, the more secure your box is, obviously, the harder it is for someone to get in. And script kiddies are, by definition, not the most skilled of hackers. They will go for the easiest solution, which is a wide-open box.

    I'm not saying that I don't secure my boxes. I do. But being held responsible for the actions of someone on my box despite my best efforts to prevent my box being used maliciously is, to me, a very scary proposition. It almost, almost, makes me think I'm in the wrong profession...

    But no. I love computers too much. =)

  99. Re:Try securing your boxen first by Myrrh · · Score: 1

    As to your first case, I highly doubt that you would be held liable if someone were to steal your car from an effectively locked garage and then crash it. Even if you had modified the car, the modifications were (as far as we know for the purposes of this example) perfectly legal, and most likely your insurance company knew about the modifications anyway, since technically you should tell them. What makes you think that you would be held liable if someone were to steal your car and get in an accident?

    Whether or not your car has been modified, I think, doesn't matter. Are people held responsible if their cars are stolen and then used by the car thief to commit an act of vehicular homicide? I can't think of a case where that's true. I doubt whether the vehicle being modified would make any difference. Higher fuel capacity doesn't really have a bearing on the safety of the car, as long as a proven gas tank design is used.

    I think my counterexamples also apply to your examples 2 and 3. I don't really understand why or how you could be held liable unless it could be demonstrated that the modifications you made were unsafe.

    I guess I don't think this is a very effective analogy. Can you explain this further?

  100. Re:script-kiddy culture is to blame by Myrrh · · Score: 1

    Just an observation, but, uh ... if IRC is a place that magically makes scriptkiddies' penises "extend two or three whole inches," and yet as you say the same people "Have No Hope Of Ever Having Sex," then what's the point? Kinda paradoxical, don't you think?

    Female scriptkiddies notwithstanding, of course.

  101. Stupid Question by zentropy · · Score: 1

    I don't understand the TECHNICAL aspects very well, but could multiple servers form a sort of alliance where if one is attacked, the others respond automatically to form a mutual defense or neutralize the threat with counter attacks? What about those software agents based on hive insects?

    1. Re:Stupid Question by dennisp · · Score: 1

      Regarding defense:

      The concept of a reactive firewall is fine - though you're usually better off just doing rate limiting on protocols you must have (preferably by just ignoring all packets past a certain threshold - like 1000 SYN's per second or something), and blocking everything else.

      However, the sheer amount of bandwidth involved in most of these attacks makes the firewall irrelevant.

      Regarding neutralization:

      1) illegal to "strike back"
      2) servers that are DoS attacking are probably hacked so you aren't doing the attacker any damage by attacking their hacked shell
      3) attacking back isn't going to neutralize anything; it will just distribute the bw a little better if you can do things like get an echo response back
      4) Distributed DoS attacks are just that - thousands of ip addresses sending packets to site(s); trying to neutralize 100, let alone 5000, ip addresses is impossible
      5) on many DDoS attacks the packets are spoofed, so you will have no luck tracing them unless you had the cooperation of one or more backbones during the time of attack (which is basically impossible unless it was extremely high profile)
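
The per-second threshold dennisp describes above (and the dampening side effect bertboerland notes for CAR), as an added example that is not part of the thread. It uses a fixed one-second window rather than CAR's token bucket, and the 10 Mbit/s link, packet size and traffic mix are assumptions.

```python
"""Added example: per-class packet-rate threshold vs. link saturation."""
from collections import defaultdict

LINK_BPS = 10_000_000        # assumed 10 Mbit/s uplink in front of the filter
SYN_BYTES = 40               # minimal IPv4 + TCP header, no options
LIMITS = {"tcp-syn": 1000}   # packets per second, the figure from the comment


def build_traffic(seconds, attack_pps=50_000, legit_pps=100):
    """Constructed traffic in arrival order: (time, class, size, is_legit).

    Legitimate SYNs are spread evenly through the flood.
    """
    step = attack_pps // legit_pps
    packets = []
    for s in range(seconds):
        for i in range(attack_pps):
            t = s + i / attack_pps
            if i % step == 0:
                packets.append((t, "tcp-syn", SYN_BYTES, True))
            packets.append((t, "tcp-syn", SYN_BYTES, False))
    return packets


def rate_limit(packets, limits):
    """Accept the first N packets of each class in every one-second window.

    The filter cannot tell legitimate from attack packets, so it counts
    them together; classes without a limit pass untouched.
    """
    seen = defaultdict(int)
    accepted, dropped = [], []
    for pkt in packets:
        t, cls, _size, _legit = pkt
        limit = limits.get(cls)
        key = (cls, int(t))
        if limit is not None and seen[key] >= limit:
            dropped.append(pkt)
            continue
        seen[key] += 1
        accepted.append(pkt)
    return accepted, dropped


def offered_load(packets, seconds, link_bps=LINK_BPS):
    """Fraction of link capacity used by everything that arrives.

    Measured before the filter: dropped packets have already crossed
    the link by the time the filter sees them.
    """
    bits = 8 * sum(size for _t, _cls, size, _legit in packets)
    return bits / (seconds * link_bps)


def summarize(seconds=2):
    """Run the constructed flood through the limiter and report the outcome."""
    packets = build_traffic(seconds)
    accepted, dropped = rate_limit(packets, LIMITS)
    return {
        "accepted_total": len(accepted),
        "legit_accepted": sum(1 for p in accepted if p[3]),
        "legit_dropped": sum(1 for p in dropped if p[3]),
        "attack_dropped": sum(1 for p in dropped if not p[3]),
        "link_load": offered_load(packets, seconds),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value}")
```

With these numbers the limiter protects the server from the SYN rate but passes only 2 of every 100 legitimate SYNs, and the link is offered about 160% of its capacity before any packet reaches the filter.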

  102. Re:Upstream provider by Mestizo · · Score: 1

    Even so, the Upstream provider should take a sample of those IP addresses, examine traffic destined towards those "zombies", and correlate those results to determine a single "master/ controlling" IP address.

  103. Re:A case for Internet Licenses. by fusiongyro · · Score: 1

    My best objection to this is simply that the people who would be handing out the licenses are the people we trust the least with technology - the government.

    Consider this: who is purchasing the lion's share of the internet censorship software? Morons in the government who want to lock down libraries and public schools, the two places where free flow of information is the most important.

    Who are the people backing ridiculous technology patents? Why, the people with the least understanding of the technology involved: the patent office. One-click, anyone?

    Sure, let's let the most technologically incompetent people in the country with their own line to push decide who is and who isn't worthy of being online. Goodbye everything interesting and different, hello network TV.

    Daniel

  104. Re:Do we resort to revenge? by dr00p · · Score: 1

    Why crash Romania when U can cooperate with the Romanian ISPs and track down the attacker?

  105. Re:Find the people who are doing this... by Arkaengel · · Score: 1

    I second that. Maybe not killing them, but kicking the crap out of them is definitely warranted. I *hate* people whose only way to interact with the world is to fuck things up for everybody else. I think the gene pool would be much improved by having algae like that removed from it.

  106. IPv4 has to go! by cfish · · Score: 1

    It's not just an issue with IRC servers. Just about every important server on the net has been DoS'ed one time or another. Today, you can say that all IRC servers deserve to go away, but tomorrow the same script kiddie will attack your favorite news site. We must admit that DoS is a global problem, a problem that every single one of us must take action to help solve.

    If we think about how much labor and equipment is wasted on DoS attacks, it's clear that we need to take pains to find a permanent solution.

    It's time to migrate to another networking protocol. Not just IRC protocols, but the entire internetworking protocol. We know it means pain. It costs a lot. It means old admins have to learn new tricks. But it's the only way to permanently solve the problem. (Along the way, we can solve the problem with IP address shortages, too.)

  107. Re:IRC is in trouble anyway by NtG · · Score: 1

    It is not the responsibility of IRC networks to hide a user's identity. These values are used to identify anonymous users on IRC to stop much wider abuse that would come with masking these.

    There is nothing wrong with the IRC protocol, which is no more or less susceptible to DoS attacks than any other service. If it ain't broke, there is no reason to fix it.

  108. Re:Defensive measures by NtG · · Score: 1

    Never heard of that scheme before but it is definitely a good idea. It would also be great if large ISPs were able to set up systems to exchange packet routing information on a private connection medium (ie not taking up valuable internet bandwidth).

  109. Re:EFNet by NtG · · Score: 1

    This is his ISP's (and their ISPs', etc. etc.) responsibility and as they are in Romania, I doubt they would be under much pressure to implement this.

  110. Re:Am I Missing Something here? by NtG · · Score: 1

    Blocking the incoming traffic would only avoid the server it was directed at from having to process/respond to the packets, it would not stop the link being saturated, which is the real DoS.

  111. Re:IRC is in trouble anyway by NtG · · Score: 1

    It is their responsibility? Is it also the responsibility of your ISP to mask your identity when sending email? I am sure that would be a handy feature for spammers.
    It is NOT the network's responsibility. Most implementations where the IP is hidden force channel ops to ban entire hostnames. Not to mention the fact that they are revealed in direct client connections. If you really want to mask your IP, find a socks server to connect to, but for most people a person's IP is of no value (assuming they don't just IRC, there are plenty of other ways to get it) and the current IRC protocol has lasted so many years as it is, I don't believe that DoS attacks on servers (TOTALLY unrelated to clients) should affect anything.

  112. Re:IRC is in trouble. by NtG · · Score: 1

    How is this situation any different to the web servers (and associated networks) that were DOSed last year? Is the web in trouble? The only thing this has to do with IRC is that the servers targeted are IRC servers.
    The IRC protocol(s) are being actively developed by different groups every day. Why reinvent the wheel?

  113. yup by operagost · · Score: 1

    They're usually more interested in self-destructive behavior.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  114. Re:This is why I left efnet in the firstplace. by greysoul · · Score: 1

    Naw, it was all about MUDs and usenet on the 9600 baud dialup university shell YEET! -Doug

    --
    Q. What's it take to get a story posted on /.? A. Add "Oh, and it's runs linux" to every story, relev
  115. Re:This is why I left efnet in the firstplace. by HerbieStone · · Score: 1

    Well, here we got someone with a clue. Nice post.

  116. Re:Find the people who are doing this... by aonifer · · Score: 1

    ...and kill them.

    Snip!
    Maybe this is a bit extreme... but fuck 'em.


    Before or after they're dead?

  117. Re:Eliminating DOS Attacks by Aigeanta · · Score: 1

    For some reason my GENESIS comment was posted as AC. I am the author.

    --
    a prophet on the burning shore
  118. Re: Ask Slashdot: Undernet In Serious Trouble. . . by DoXaVG · · Score: 1

    Hmmm...this works if and only if they are attacking an IP address you own. What if the endpoint for the DDoS isn't a host, but the serial interface of your router? You can't stop advertising it, you don't have a choice, the data _still_ comes across the wire and you are _still_ DoS'd. Multiple routers only helps, but doesn't solve the problem.

  119. Re:Find the people who are doing this... by dennisp · · Score: 1

    My cable modem range gets scanned daily by > 10 people. Don't assume it's one person. There are people scanning the internet all the time looking for unsecured boxes that they can attack from, hide behind, or upload 31337 warez to.

  120. Gee whiz by Chris+Brewer · · Score: 1

    The last modified date and time on their main page is a bit of script that displays the time on loading.

    Winner.
    --

    --
    Consultancy: If you're not part of the solution, there's money to be made in prolonging the problem
  121. Re:Jesus Christ! by darkrot · · Score: 1

    Obviously you have had no prior experience with attacks of such magnitude. I ran a server on DALnet for almost 4 years. The server was most recently pulled due to a sustained packet attack.

    In many situations, the upstream ISP would much rather put in a null route for your IP and have you deal with it. Not every upstream is cooperative. I've had a non-IRC DoS attack on one of my machines (because of my client on IRC) -- and Sprint flat out refused to give me any information whatsoever unless they had an order from a judge.

    On top of that, most IRC servers aren't seen as a very important service (they really aren't), and since they make the ISP hosting them no money, the ISP will simply pull the plug on the IRC server after too many packet attacks, rather than pay their network administrators overtime to work on the phone with your upstream. Since the upstream will only talk to the network administrator of the ISP, and not you, the administrator of the machine, you're out of luck.

    This is most certainly _not_ a hoax. This is a real problem. When people use bouncers to hide their real IP address, the script kiddies will attack (and take down for hours) the server which houses the offender they wish to remove (usually an irc operator on that server).

  122. Re:Try securing your boxen first by RTMFD · · Score: 1

    Yep, but in the case of the intruder in my house, I reserve the right to kill the cocksucker. Just another 2 cents.

  123. Re:Try securing your boxen first by SpamapS · · Score: 1

    Well, there can be an argument made that your house could then easily be used by criminals fleeing the police as a place to hide, or blockade themselves, but it's a weak one.

    A better idea is that a machine on the internet is like a car. It can move around (or at least project packets, like moving) at a certain speed. Well, your box at home on a DSL line is like a Corvette. It's fast, and somewhat dangerous, but nobody cares. Now, imagine 600 corvettes, all under the control of one moron... driving straight at a school.

    And, a machine sitting on a 100Mbit link with the power to move packets out at that speed... well, have you seen the videos of that M60 tank that some looney took for a joy ride around San Diego a few years back?

    --
    SpamapS -- Undernet #Linuxhelp
  124. Re: Ask Slashdot: Undernet In Serious Trouble. . . by alprazolam · · Score: 1

    after the contract is signed?
    apparently slashdot is predicting the future-"It's been -2756 seconds since your last submission!"

  125. Re:Telnet access is pretty dumb by gilign2b · · Score: 1

    For a lot of smaller ISPs, root access through telnet is the easiest way to monitor their system and to manage accounts. That's the way it is at the ISP I work, (no you can't figure out who that is by this e-mail so don't bother trying). It's easy for you to complain about how "incompetent" the server operators are when you're not the one being DDoS'ed right now. Maybe some helpful replies would be nice instead of a bunch of comments about how the server owner is a "fucking" moron. Price pmrials@olemiss.edu

  126. IRC Needs to die by bruns · · Score: 1

    IRC is a haven for script kiddies, packet monkeys, and general lamers. The less large networks exist, the better. Keeps the kiddies bouncing around looking rather than plopping down and causing havoc. Now if only EFNet would follow suit...

    Note, to all you people who are going to say this is a troll - I AM NOT AGREEING WITH WHAT THIS KIDDIE IS DOING.

    I'm not saying it's right, I am not on his side. What I am saying is that hopefully this will bring light to the fact that big networks don't work anymore.

    --
    Brielle
  127. heh by Zulu · · Score: 1

    undernet? What about openprojects or the *.linux.com domain?

  128. IRC is in trouble. by scumm · · Score: 1

    I know it's been said many times before, but I think this is just another indication that IRC, as much as I've loved it in the past, has grown stale. It was never designed for the number of users it's now forced to deal with, nor the level of abuse.
    It really saddens me to see something that I used to glean so much enjoyment from withering away because of a few script-kiddie jerks with nothing better to do than annoy people.

    Are there any major non-commercial (as in, non "Yahoo Chat" web-based style) projects underway to replace IRC, and if not, should one of us get around to starting one?


    Mike Thacker

    1. Re:IRC is in trouble. by gengee · · Score: 1

      This may be true if we still only had EFnet, Undernet and Dalnet. But we don't. There are 10's of large servers, and hundreds of smaller. People find their niche, and become loyal to certain networks.

      IRC as a whole can continue to grow - The individual networks cannot. It simply isn't fun anymore to see "/me whacks yourmom about with a big trout" scrolling by 10-lines a second.
      signature smigmature

      --
      - James
    2. Re:IRC is in trouble. by Calyth · · Score: 1

      I do not see IRC as being stale or it was IRC's fault (by being IRC) that led to this attack.
      As noted by the post, it was a DDoS attack, which the cracker took over an ISP using telnet and rooted it, then took control over more computers.
      Anyone who's read a security computer book (or even just a couple of related articles) would know that telnet is just a big freaking can of worms, and any ISP that got rooted by it should be also held responsible. I don't see there's any need to use telnet myself, even if it's needed there are better alternatives (ie SSH). Although not without its exploits, I believe it's better built against such attacks.
      I don't run a true full time server with linux, but I have blocked out such vulnerable services, at least all but local access.
      It's sad that IRC is in trouble due to a bunch of stupid sysadmins in an ISP that allow crackers to root them.

    3. Re:IRC is in trouble. by Todd+Bradley · · Score: 1
      It's not really a project to "replace IRC", but Jabber is a major non-commercial project to do distributed messaging. It does one-to-one instant messaging and many-to-many conferencing (kinda like IRC), and it's open source.

      See www.jabber.org.

    4. Re:IRC is in trouble. by MuulHead · · Score: 1

      I seem to recall a project called "Corridors" being developed as a replacement for IRC. I'm not sure what the current status of this is, or even if the project is still alive. ( IIRC, there was a post on /. regarding this. )

    5. Re:IRC is in trouble. by Grumpy_Cloud · · Score: 1

      It's not a question of "Is IRC in trouble?" more like "Is Undernet in trouble?" IRC will probably live on through Dalnet and EFNet, but it seems that Undernet will unfortunately die off because of some stupid script kiddies. My guess is that someone banned them from #neetoleetobanditohackers and they got mad and decided to take down all of Undernet.

  129. Yo Dude! Can we get you to run for prez? by Grog6 · · Score: 1

    This shit about personal responsibility just might work. Kill some assholes, everyone is more polite.
    Of course this particular asshole is from Romania, likely a bullet is all he understands.

    --
    Truth isn't Truth - Guliani
  130. Jesus Christ! by Greyfox · · Score: 1
    What the fuck is wrong with these people? If someone's pumping 100mbps of crap down your pipe for *4* days, you've got plenty of time to call your backbone provider and get them to start tracing it. MCI has a Perl script that follows packets from router to router on their network. It's a massive amount of work, but for that scale of attack, it's very feasible.

    Of course, a more immediate solution I can think of would be to cut the routers to Romania off. There can't be many of them. Two, three, something like that? If you know about what part of the world the attack came from, you can damn well turn it down until the authorities there choose to cooperate.

    I'd be more inclined to think the whole thing was a hoax. Sure a home user on dialup or cable or DSL might get smurfed and have to roll over and take it up the ass for half an hour or so until the script kiddie got tired, but when you start talking about businesses, the backbone provider's a HELL of a lot more willing to solve the problem. After all, their network is also getting slammed.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Jesus Christ! by Greyfox · · Score: 2
      Nah, I just worked for MCI Internet Provisioning for a while. Our level of service was pretty piss poor but apparently we were one of the more together providers out there. Of course, Sprint's always sucked donkey balls anyway and I used to say that before I worked for their competition, so it must be true.

      It really doesn't matter how important the service is. What you have here is terrorists from a third world country doing major damage to our infrastructure. So today it was the Undernet. What if tomorrow it's a newspaper or a dot-com business that may perhaps already be struggling? The script kiddies will become bolder as they discover that they can get a company to roll over with relatively little effort. No doubt we'll start seeing some blackmail cases; pay us $100,000 or your link will never come back up. That sort of shit. Or maybe someone out there who doesn't like AOL will just decide to take them down for good. The attacks we're seeing now are just the tip of the iceberg.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    2. Re:Jesus Christ! by Greyfox · · Score: 2

      True. What that does is show Romanian authorities that the problem is somewhat more severe than they originally thought. I guarantee you that if you shut a country out of the net, you'll find a lot of resources in that country will suddenly be turned toward finding the culprits. In theory anyway. It's worked great on Iraq and Cuba, hasn't it?

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    3. Re:Jesus Christ! by roman_mir · · Score: 2

      Even if you turn all of Romania's ISPs off, it does not stop your smart kiddie from using another country as a proxy, just make an international phone call. This gives me an IDEA. What if this is not even done by anyone in Romania? What if it is one of MS's and RIAA's elaborate schemes to stop IRC communications (everybody knows IRC is a software and digital media pirates' heaven.) Romania could be used by a BIG player as a tool for destroying IRC.

  131. Re:This is why I left efnet in the firstplace. by Geekboy(Wizard) · · Score: 1

    and I've never seen a 12-year-old who could use a computer (strange, isn't it?).

    My little sister (6) can turn on my parents' computer, take out the CD that's in the CD-ROM (properly, fingers on the edges and all that), find her favorite game, put it in the CD, and play the game (not autostart). I also know lots of 11-12 year olds (cousins) who can use computers; granted they aren't experts, but they can install and configure games and some software. I myself have been using computers since I was 3. When I was 12, I was using ResEdit to hack my Macintosh, and scooting around the internet. I remember EFNet back then. There were script kiddies back then (not nearly as many as there are today), but they could be avoided. I mostly stuck to MUDs and email; IRC was boring to me, but that is just personal preference.

  132. Re:A case for Internet Licenses. by Sorklin · · Score: 1

    Thank you folks, but the Nazi card has now been played. You can all go home.

  133. Re:Try securing your boxen first by AndroSyn · · Score: 1

    Not to mention a really dumb idea. Sure leave your door open, but don't expect anything left in the morning. Sure you *should* be able to do this, and you *should* be able to trust people. And most people can be trusted, but not everyone can.

    There should be some sort of social responsibility to keep computing equipment on the internet in a maintained, orderly fashion. If you do not want to do that, do not place it on the internet.

    How about this one, sign a contract with your ISP that you either:

    A. Agree to keep your equipment orderly, secure and maintained and that you agree to pay punitive damages (based on income) in a failure to do so that becomes exploited, unless you can prove that you acted in good faith to maintain your equipment.

    or

    B. Agree to allow the ISP to filter certain types of outgoing traffic from your equipment. (Oversized or excessive ICMP packets, TCP packets with bad flags or excessive SYN packets, basically any type of data that is not normal).

    These all seem reasonable to protect both the ISPs networks and the users.

    Aaron

  134. Re:Try securing your boxen first by FlightTest · · Score: 1

    True, but if they stole your car after you left the windows down and the keys in the ignition then you're still a moron. No, you shouldn't be held accountable for a crime committed with the vehicle. Or should you?

    Do it more than once or twice, and you will be held accountable, after a fashion. As in, it will cost you more because your theft insurance (presuming you did insure the car) will go up considerably.

    But no, you should not be held legally accountable for some shmuck stealing your car and running someone down with it, no matter if you left the thing running while you ran into the Stop-n-Go to get a six-pack. Maybe your theft insurance shouldn't pay off in that case.

    --
    Merde, il pleut encore!
  135. Find the people who are doing this... by Dirtside · · Score: 1
    ...and kill them.

    I'm serious. Some people's entire goal in life is to piss in every still-crispy bowl of corn flakes they can find; all they want to do is ruin the fun for everyone else.

    These people cannot be reasoned with, because given the opportunity, they will do it again.

    They can be imprisoned for life, sure. But we're better off if they're dead.

    Maybe this is a bit extreme... but fuck 'em.

    --
    "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
    1. Re:Find the people who are doing this... by fracus · · Score: 1

      Good Point! But let's not just kill them, can we make it really painful too???

      Castration would be a fun way to start the process or maybe that would just be enough redemption!

      --
      I am the root bridge.
    2. Re:Find the people who are doing this... by jayemdaet · · Score: 1

      Interestingly enough.. My server was just hacked into today by a Romanian IP/Hostname. They installed some weird software into /root and I caught them before anything more could be done. I deleted the software, but I found it odd that he didn't mess with my system other than to install this weird software. Then, after putting up some needed security and checking around for anything else, I read this article. Is it known how the script punk from Europe is entering into machines, or is it that he is using another method of propagating scripts?

    3. Re:Find the people who are doing this... by jayemdaet · · Score: 1

      The installation that was installed was called emech-2.8. At least in my machine.

    4. Re:Find the people who are doing this... by -brazil- · · Score: 1

      Yeah, but some go to great lengths to prove how big their tits are...

      --

      The illegal we do immediately. The unconstitutional takes a little longer.
      --Henry Kissinger

    5. Re:Find the people who are doing this... by delong · · Score: 1

      Wouldn't it be hilarious if it was this:

      http://wwwdo.tn.tudelft.nl/bbs/softpack/emech.htm

      Har, a $5000 piece of software. The warez d00dz would love ya.

      Derek

    6. Re:Find the people who are doing this... by Insanik · · Score: 1

      How do we know the person/people are all male?

    7. Re:Find the people who are doing this... by jrcamp · · Score: 1

      Or better yet, why don't we get them a nice job at the AOL 'Technical' Support.

    8. Re:Find the people who are doing this... by YetAnotherDave · · Score: 1

      I think the Geneva Convention prevents this.
      We'll have to just kill them.

    9. Re:Find the people who are doing this... by fatphil · · Score: 1

      Remind me about Lolo Ferrari's tits.

      Having said that - I've just discovered the solution to the Undernet DDoS problem - drive the tosser to commit suicide...

      FP.
      -- Real Men Don't Use Porn. -- Morality In Media Billboards

      --
      Also FatPhil on SoylentNews, id 863
    10. Re:Find the people who are doing this... by ZeroConcept · · Score: 1

      Let's submerge them in boiling oil during prime time television...we could get sponsors like...Crisco?

    11. Re:Find the people who are doing this... by Fortyseven · · Score: 1

      I often feel the same way. That the only way to get to these people is through some potentially life-altering step, if not termination. I idle on GamesNet a lot, and we've got this one guy who's got like a billion IPs and constantly tries to bring the network to its knees for fun. It's like these spam mail assholes -- there is no reasoning with them. They can't comprehend that WE DON'T WANT THEIR SHIT, but they keep doing it because 2 to 3 percent of the millions they defecate their ads to actually respond. If you ask them to stop, they'll tell you to go to hell, and that it's their right to be able to do it. The DoS kids seem to just find it hilarious or something. When diplomacy and fair play don't work, it's time to take it to the next level, otherwise these bastards will trample all over us. Christ I hate humans...

    12. Re:Find the people who are doing this... by suwain_2 · · Score: 1
      Hmm... Sounds like you could have become one more server pounding Undernet!

      Actually, maybe someone can help me out. A few weeks ago, I stopped being able to telnet into my system. This didn't bug me at all; I never do anyway. But I wanted to check something, I don't even remember what, and I was refused access. I just figured that it was yet another thing I munged while trying to fix it.

      Do you recall the filename of whatever was installed in your /root partition? I don't know why a cracker would disable telnet; it would keep them from regaining entry (unless they created some other backdoor), and it would tip people off more quickly, but, well... Does anyone know of anything like this happening?

      --
      ________________________________________________
      suwain_2 :: quality slashdot p
    13. Re:Find the people who are doing this... by Puzzlebox · · Score: 1

      It's an IRC bot.

    14. Re:Find the people who are doing this... by mrcutrer · · Score: 1

      Last time I checked the spammers were spamming as to make a lucrative amount of money. Not to fuck with people.

      Saying that they are as bad as rapists and murderers is just plain retarded. I think the fault lies with the sys admins at Under-whatever! give me a break I have had blocked sendmail sessions after 30 minutes of use, I even spoofed before hand, give me a fuckin break. Here is a clue. Hire ppl that know what the hell is going on. End Of Story.

      This kid however is doing just that, fucking with people. Should he die...NO maybe just beat the shit outta him with a mouse and other peripherals as punishment.

      It said he took down some AOL servers too...bahahahahaha hats off for that one...go get em tiger.

      ignorance is bliss

      --
      "When I look back, my life is not a foreign country, it's more like a library book returned long ago." - ????
    15. Re:Find the people who are doing this... by Radiantal · · Score: 1

      I agree wholeheartedly! Get all of these types of people, round em up, place them on a small island and have the US Armed Forces drop a small 10Kt Nuclear Weapon on the island!

      Fuck em' all!

    16. Re:Find the people who are doing this... by Zachary+Kessin · · Score: 2
      > Castration probably won't be effective. We've
      > already proven without a doubt that the losers
      > involved here have no balls.

      And probably will never reproduce anyway. Just as well. What is it that drives people to wreck shared resources that other people are enjoying for no good reason? Can they find this gonnif and get rid of him please.

      The cure of the ills of Democracy is more Democracy.

      --
      Erlang Developer and podcaster
    17. Re:Find the people who are doing this... by Delirium+Tremens · · Score: 2
      > > Castration probably won't be effective. We've
      > > already proven without a doubt that the losers
      > > involved here have no balls.
      > And probably will never reproduce anyway.

      Maybe they will clown, hu I mean clone, themselves?

    18. Re:Find the people who are doing this... by Restil · · Score: 3

      Castration probably won't be effective. We've already proven without a doubt that the losers involved here have no balls.

      -Restil

      --
      Play with my webcams and lights here
  136. Assembly Of Death now forming... by Ikari+Gendou · · Score: 1
    Whoever DDoS'd Undernet needs a coming of age ceremony, KLINGON STYLE!
    *picks up a 300baud Modem*

    Imaginos: Move out of the way, I want to break his little toes.
    Admiral Asshole: Wait a minute, I saw him first. Let me burn his dick off!
    Gelbarion: Let me crush him, like Arnold would!
    Wostgheel:
    Leeeeeeeeeeeeeeeeeeeeeet'sssssssssss
    Juuuuuuuuuuuuuuuuuuuuusssssssssssssssssssssst
    SHOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOT
    Hiiiiiiiiiiiiiiiiiiiimmmmmmmmmmmmmmmmmmmmmmmm!

    --

    Call on God, but row AWAY from the rocks!

  137. Re:Point number 1 by grarg · · Score: 1

    No, no, that's different because that's about, er, freedom and art gratia artis and stuff.

    Just look at the thousands of artists that Napster has helped into the big time...

    --
    The conclusion of your syllogism, I said lightly, is fallacious, being based on licensed premises
  138. Re:script-kiddy culture is to blame by rweir · · Score: 1

    go to IRC because it's somewhere that magically makes their penis extend two or three whole inches
    Why do that when there's an even easier way!

  139. Re:try a better chat protocol by MattW · · Score: 1
    Actually, you do need servers, but you can have a big list, like a DNS cache file, and start from there. The advantages are a bit stronger than you think -- it's not just 'the server', it's 'all the servers'. And it shouldn't be too tough to have subdelegation, as well, with caching on the client side, to allow entire "chat" spaces to be moved off.

    Disadvantages:

    UDP is easier to spoof, because you don't need to predict sequence numbers. But random spoofing would require you KNOW when someone else was starting up a request -- i.e., you'd have to be sniffing. If you were, it would be easy to hijack the TCP connection. This is why you don't hear complaints about spoofing of DNS very often. (The DNS exploits that involve cache poisoning are NOT examples of UDP spoofing)

    limited bandwidth clients -- I'm asking about this. good question

    Spoofing: not an issue, again. All you have to do is send a cookie back, and wait for a response before passing it on. Some sort of exchange is required anyhow, to confirm their join. The dead conversation thing isn't really an issue -- it would render YOU unable to hear, but anyone else talking would still be functional. Your final scenario can't be helped -- you can always DOS someone else, short of not knowing who they are -- but most people unleash DOS now trying to disrupt a channel, hack ops on it, etc. -- and that won't be effective in this scenario, so there's a diminished motivation.
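The cookie exchange described in the comment above, sketched as an added example that is not part of the original post or of any real chat protocol. The `JOIN`/`COOKIE`/`CONFIRM`/`MSG` message names, the 30-second lifetime and all addresses are assumptions made for the illustration; the server keeps no per-client state until the cookie comes back from the claimed address.

```python
import hashlib
import hmac
import os

COOKIE_LIFETIME = 30  # seconds per cookie epoch (assumed value)


class JoinGate:
    """Server side of a hypothetical UDP chat join with a stateless cookie."""

    def __init__(self, secret=None):
        self._secret = secret or os.urandom(32)
        self.members = set()   # (addr, channel) pairs that proved their address
        self.relayed = []      # (addr, channel, text) accepted for relay

    def _cookie(self, addr, channel, epoch):
        # Bind the cookie to the claimed source address, the channel and a
        # time window, so it cannot be reused elsewhere or much later.
        msg = f"{addr[0]}|{addr[1]}|{channel}|{epoch}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]

    def handle(self, addr, packet, now):
        """Process one datagram; return the reply for addr, or None."""
        try:
            fields = packet.decode("ascii").split(" ", 2)
        except UnicodeDecodeError:
            return None
        epoch = int(now) // COOKIE_LIFETIME
        if fields[0] == "JOIN" and len(fields) == 2:
            # Small fixed-size reply, sent to the *claimed* address only.
            cookie = self._cookie(addr, fields[1], epoch)
            return f"COOKIE {fields[1]} {cookie}".encode()
        if fields[0] == "CONFIRM" and len(fields) == 3:
            channel, offered = fields[1], fields[2]
            # Accept the current and the previous window to tolerate latency.
            for e in (epoch, epoch - 1):
                if hmac.compare_digest(offered, self._cookie(addr, channel, e)):
                    self.members.add((addr, channel))
                    return f"JOINED {channel}".encode()
            return None
        if fields[0] == "MSG" and len(fields) == 3:
            # Nothing is passed on for an address that never confirmed.
            if (addr, fields[1]) in self.members:
                self.relayed.append((addr, fields[1], fields[2]))
        return None


def demo():
    """Constructed exchange: one real client, one spoofed source address."""
    gate = JoinGate(secret=b"constructed-demo-secret")
    alice = ("198.51.100.7", 4000)    # constructed client address
    victim = ("203.0.113.9", 5000)    # address forged by a spoofing sender
    t = 1000

    reply = gate.handle(alice, b"JOIN #help", t)
    cookie = reply.decode().split(" ")[2]
    joined = gate.handle(alice, f"CONFIRM #help {cookie}".encode(), t + 2)
    gate.handle(alice, b"MSG #help hello", t + 3)

    # Spoofed JOIN: the COOKIE reply goes to the victim, not to the sender,
    # so the sender can only guess or replay a cookie issued to someone else.
    gate.handle(victim, b"JOIN #help", t)
    guess = gate.handle(victim, b"CONFIRM #help " + b"0" * 32, t + 1)
    replay = gate.handle(victim, f"CONFIRM #help {cookie}".encode(), t + 1)
    gate.handle(victim, b"MSG #help flood", t + 2)

    # The same cookie presented three windows later is no longer accepted.
    stale = gate.handle(alice, f"CONFIRM #help {cookie}".encode(),
                        t + 3 * COOKIE_LIFETIME)
    return {"joined": joined, "guess": guess, "replay": replay,
            "stale": stale, "members": gate.members, "relayed": gate.relayed}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
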

  140. Re:script-kiddy culture is to blame by Fjord · · Score: 1

    This makes sense when you relate it to pro-lifers that kill physicians who aid in abortion. It is their belief that they are executing the capital punishment the physicians "deserve". In this way, capital punishment may have made things worse.

    --
    -no broken link
  141. Re:script-kiddy culture is to blame by Fjord · · Score: 1

    I fail to see how the statement

    if a society as a whole gets used to killing everyone who's a criminal, then the individuals in that society will be comfortable with killing as a solution to problems.
    doesn't make sense given the example of pro-lifers killing physicians. Why do you feel that the above statement doesn't make sense?
    --
    -no broken link
  142. Not funny? by bill_kress · · Score: 1

    I'm sorry but I stopped using IRC years ago because it was so obvious that it was just a big game platform.

    "Bots?" "Channel Admins?" All just roles in the game. If you wish to play the game, fine, be prepared to take whatever comes without whining. If you don't want to play, move on and find another corner of this huge net to fool around in.

    The people I feel sorry for are the companies that had someone dupe them into believing that running an IRC server is a "Good Thing". Any manager who can't see that an IRC server is just a trouble magnet is seriously out of touch--and is certainly trusting someone they shouldn't!

    But why on earth wouldn't it amuse those who saw it coming and moved on? Taking it seriously is certainly a lot to ask of us...

    OTOH, Kids with the hacker mentality are always going to need some place to go to develop some skills, do something a little "bad", and eventually get over it. Make it a little harder and continue the game.

  143. Re:Important: please read!!! by }{@wkmooN · · Score: 1

    You are a fsckin' idiot... That's all I got to say...(and don't ever touch a kid again or I'll kid the crap out of ya...)

  144. Re:come on now, seriously by jedigeek · · Score: 1

    The problem with the FBI is that they will only investigate when there's more than a million dollars in damages. The Undernet attacks alone are clearly less than this, but how much are the damages to those ISPs...? Attacks on IRC networks alone don't receive help from the FBI, so networks are free to get bullied around by moronic children.

  145. Re:Try securing your boxen first by dsginter · · Score: 1

    If someone leaves a GUN unsecured in their house, then they should be charged for murder if someone breaks in, takes the weapon and then uses it for murder.

    If the gun is secure - i.e. reasonable security - then there should be no murder charges.

    We are talking about rooting a *nix box here... This isn't a hole or anything minor. This is a blatant lack of securing a weapon!

    --
    More
  146. Re:Slashdot's evolving hypocracy, double-standards by Vulture_ · · Score: 1
    There are those who have a fscking clue, and then there is drougie. Sigh.

    The difference between defacing a web page and DDoSing Undernet is NOT the fact that it's the 'innocent Undernet', but that DDoS is trivial, next to unstoppable, and doesn't expose anything that hasn't been known for a good decade. Defacing the US government's web sites exposes security holes in their httpd or whatever.

    --

    The only way the typical /.er can pick up a chick is with a forklift. -- AC

  147. Give Credit. by Mateorabi · · Score: 1

    If you're gonna use that joke, say it's from George Carlin.

    --
    "You saved 1968." - Ms. Valerie Pringle to the crew of Apollo 8

  148. Re:EFNet by Rakarra · · Score: 1
    Yes, there are solutions now, but they require admins of netblocks to be proactive and responsible. I don't think we can really rely on that. :(

  149. Re:EFNet by Rakarra · · Score: 1
    This has been happening to EfNET for damn near a year now and no one has said anything.

    Actually, Slashdot has run a few stories about this before.

    A big problem is that "a new network with an improved ircd" will solve nothing. It will still have the same problems: people will attack client servers because they will always have a valid IP address for the client server. That's how TCP/IP works. Ok, they have to go through some type of gateway? Then the script kiddies will attack the gateway.

    The only solution I can see that could solve this is to make it impossible to perform these huge DDOS attacks. IPv4 was designed 20 years ago for a world where idiots did not have access to tools like smurf. IPv6 holds promise, but that's a very long-term solution.

  150. Re:script-kiddy culture is to blame by Tonttoro · · Score: 1

    How do you think that [anyone] getting gang-raped is going to help anyone else, or even the person getting gang-raped? Shame on you. Making people go to jail doesn't make the problem go away. Death penalties don't actually make less people murderers, they do in fact make the problem worse in a way.
    --
    when everyone gives everything, then everyone everything will get
  151. Re:Try securing your boxen first by Tonttoro · · Score: 1
    Now that is a concept I really am not able to grasp. How on earth is someone responsible for another's actions, if the other [person] has decided he will do something illegal?

    Now if someone decides that he will do something illegal, there might be no stopping him from doing it.
    --
    when everyone gives everything, then everyone everything will get
  152. EFNet by fliplap · · Score: 1

    This has been happening to EfNET for damn near a year now and no one has said anything. Efnet is losing servers left and right and there's talks of the major hubs dropping and forming a new network with an improved ircd. A major problem is that irc.home.com dropped because they were getting packeted, which left all the @home users to emory, primenet, mcs and prison. Well if someone wants to IRC war (stupid) it's a lot easier to bring down all four of those servers than it is to take down every @home user on them. All you stupid packet kiddies need to grow up, get jobs and move out of your parents' house, idiots.

  153. Could this be the canary in the mine? by Kwelstr · · Score: 1

    I have noticed a lot of trouble lately in all of the IRC networks. The latest came when the Undernet bots disappeared. If you go to their webpage at Http://www.undernet.org/ they have a short statement of what is going on.

    As more and more users get faster connections maybe this will become the norm for the internet, and the IRC servers could be just the proverbial canary in the mine.

    This is really sad.

    --


    ~~~Please pass the salt, I hate unsalted MD5s :-/
  154. punishment by Stalcair · · Score: 1

    sit that boy down and tape headphones to him looping Yoko Ono's greatest hits.

    --

    I seek not only to follow in the footsteps of the men of old, I seek the things they sought.

  155. Traffic Management by techiemac · · Score: 1

    A feature that allows throttling of traffic has existed for many years now and is actually a pretty hot topic in networking circles. Cisco does have one of these features implemented in their routers. Keep in mind though that there are many other companies which have traffic management algorithms out there (such as Class Based Queueing) which I feel are far more effective (and more open) than Cisco's scheme. Of course I am a little biased since I write code for the Class Based Queueing feature of a competing router ;). But there are solutions which prevent a network from getting flooded with ICMP requests while still allowing ICMP traffic. The actual paper that explains Class Based Queueing is at http://www.aciri.org/floyd/papers/link.pdf
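The effect described in the comment above (ICMP throttled under flood but still allowed, other traffic untouched) can be shown with a per-class token-bucket policer. This is an added example, not from the post: it is a simplification and not the link-sharing scheduler of the Class Based Queueing paper, and the class names, rates and the constructed one-second traffic trace are assumptions.

```python
from collections import Counter


class TokenBucket:
    """Allows `rate` bytes per second on average, with bursts up to `burst`."""

    def __init__(self, rate_bytes_per_s, burst_bytes):
        self.rate = rate_bytes_per_s
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = 0.0

    def allow(self, size, now):
        # Refill for the time elapsed since the previous packet, capped at burst.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class ClassPolicer:
    """One bucket per traffic class; unknown protocols use the default class."""

    def __init__(self, classes, default):
        self.buckets = {name: TokenBucket(rate, burst)
                        for name, (rate, burst) in classes.items()}
        self.default = default

    def forward(self, proto, size, now):
        bucket = self.buckets.get(proto, self.buckets[self.default])
        return bucket.allow(size, now)


def simulate_flood():
    """Constructed trace: 10,000 ICMP packets and 500 TCP packets in one second."""
    policer = ClassPolicer(
        {
            "icmp": (50_000, 10_000),       # 50 kB/s for ICMP, 10 kB burst
            "other": (1_000_000, 20_000),   # 1 MB/s for everything else
        },
        default="other",
    )
    # Timestamps in microseconds; every packet is 1000 bytes.
    events = [(i * 100, "icmp") for i in range(10_000)]
    events += [(j * 2000, "tcp") for j in range(500)]
    events.sort()

    stats = Counter()
    for t_us, proto in events:
        ok = policer.forward(proto, 1000, t_us / 1_000_000)
        stats[(proto, "forwarded" if ok else "dropped")] += 1
    return stats


if __name__ == "__main__":
    for key, count in sorted(simulate_flood().items()):
        print(key, count)
```
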

  156. Re:Try securing your boxen first by pi_rules · · Score: 1

    I'm one that feels as a system admin it's your responsibility to secure your machines to prevent them from being used in an attack against somebody else. I try to make sure that I don't allow anything out of my network that didn't come from my network -- but that isn't the point of my message here.

    On my first read through your post, I agreed... then I realized that I do try and keep people from abusing my servers. Why?

    Well, take your analogy... and I'm going to corrupt it entirely here -- analogies are bad but you used one so I shall also.

    No, somebody is not liable if a person breaks into their house, steals a weapon and then uses it against another in an illegal manner. Or are they?

    How secure was the weapon? Was it unloaded in a safe, with the bullets in another safe? You have taken great measures to make sure your gun is not used by unauthorized people, you are not in the wrong here.

    What if your gun is loaded in your sock drawer?

    What if your gun is loaded sitting on the counter of your kitchen for "safe keeping?"

    What if it's loaded sitting at your doorstep for anybody to find?

    I've grossly perverted the example -- for good reason. Computer security is a very unmeasurable thing right now, or at least it is in the eyes of the court. It's much easier for the common man to decide whether or not somebody is properly protecting their firearms from misuse, but not so with technology.

    I'm not saying a Sysadmin should be thrown in jail for not protecting his servers... but perhaps they should be held accountable to some level here.

  157. Re:Try securing your boxen first by hyperizer · · Score: 1
    More like if you decided to drive an unsafe car on the road. And no, you don't have that right (at least not in North America).

    Sure you do! I see people driving SUVs all the time.

  158. Re:You guys are assholes! by 0siris · · Score: 1

    I don't agree with the assholes bit, but it is true that many a DoS attack is in reality just a slashdotted site ;-)

  159. probable cause by oliphaunt · · Score: 1

    the "wired" article says this l33t h4X0r hit his ex-isp first. Any word as to why he might have been disgruntled? And does Romania extradite crackers, or have they not yet bowed down to the jack-booted thugs of George the Younger?

    READ: do we get to watch this kid get raked over the coals on local TV, or will he get away with it?

    --




    Humpty Dumpty was pushed.
  160. "He's not too bright" by MotorMachineMercenar · · Score: 1

    From the "news" article:

    "Fortunately, he wasn't too bright because he left a lot of trails"

    Then this mentally challenged kid went on to obliterate Undernet, brought down ISPs in Oslo and the UK and obtained root access to (several?) servers.

    We are so lucky he's not too bright!

    --
    MotorMachineMercenary
    "I think TRUE happiness can only be found in the wanton indulgence of animals."
    - Hobbes from Calvin & Hobbes by Bill Watterson

    --
    "We have an A-Bomb...what more do you want, mermaids?" --I.I. Rabi, speaking in defense of Robert Oppenheimer
  161. Re:Try securing your boxen first by Lord+Omlette · · Score: 1

    I believe the businesses that had their b0x3n r00t3d have an obligation to their customers to secure the bloody things so that no 1337 haxx04 dud3z can 0wn them.

    If you want to run your own insecure crappy box, that's your prerogative. And if someone uses your insecure crappy box to hurt someone else, well then there's going to be people coming around asking questions, and you'd better have some damn good answers. Your analogy, sir, is shite. Yes, the person breaking the law is responsible, but you gave him the opportunity he needed to break it.
    --
    Peace,
    Lord Omlette
    ICQ# 77863057

    --
    [o]_O
  162. come on now, seriously by Lord+Omlette · · Score: 1

    What part of F B I do you not understand? Look at how seriously everyone took the DDOSing of some silly dot coms... Call in the FBI to investigate. Guy's in Romania? No problem, the FBI will talk to their European friends who will talk to Romanian authorities. No treaties necessary folks, this involves computers, therefore, we break out the big guns.
    --
    Peace,
    Lord Omlette
    ICQ# 77863057

    --
    [o]_O
  163. Re:Try securing your boxen first by jgarry · · Score: 1

    If you break the law, then YOU have the full responsibility - not me, not some ISP, not some guy with a cable modem or DSL line.

    Care to quote the Romanian law the fellow has broken?

    --
    Oracle and unix guy.
  164. Re:A serious proposal for a more secure irc networ by CaptJay · · Score: 1

    Good proposals in general, all of which are approaches we've been looking into.

    However, as bad as it may seem, not hiding user's IP probably actually _saves_ DoS against servers, since script kids target the user, not the server.

    Had it been a couple of years ago where one could actually have enough bandwidth to hold attacks, I would have agreed with you that hiding user's IP is a good idea. Nowadays, I think it raises quite a debate, especially since it complicates channel ops' life quite a bit.

    Attacks cannot be stopped altogether, since client servers will always have to be shown. Just so you know, Undernet already hides the IP addresses of its hub servers. But even this is not perfect, because it's still vulnerable to disclosure from the inside (either voluntary or accidental), and it's generally known which company hosts the hub anyway. So if the script kiddie wants a hub out, he'll probably DDoS every company netblock until the hub happens to drop. Wonderful, isn't it?

    --
    "I remember Y1K, every abacus had to get another bead"
  165. DOS the DOSer's isp by ralian · · Score: 1

    Wonderful idea. Unfortunately, that's just as wrong as what he's doing. Consider all the other users on the ISP, and consider whether they ought to be punished for one lamer's way of expressing his total lack of testicles. The best way would probably be to contact his ISP to cancel his account, even if it might take a while. Undernet could always sue the loser for damages.

    --

    -raph

  166. Re:Mask the flooder from clients by ralian · · Score: 1

    The server would still be just as smashed. Clients need a server, right :)

    --

    -raph

  167. We already saw this loser... by ralian · · Score: 1

    He posted the same piece of crap several times already, word for word. If only I could remember where :\

    --

    -raph

  168. Sure... by ralian · · Score: 1

    ..nothing like netsplits by the quadrillion...

    --

    -raph

  169. Ahem, sir? by ralian · · Score: 1

    You are lower than shit.

    --

    -raph

  170. hah! by crashnbur · · Score: 1

    It's just Romania... nuke the bastard. (kidding... for those that can't tell)

  171. Do we resort to revenge? by x-empt · · Score: 1

    Let's get some backbone providers to cooperate and track the true origins of the attacks (they probably spoof). Once we get the true origins, post the IP#s of systems on those networks to slashdot and we will give them the /. effect ... times two :)

    --
    Ever need an online dictionary?
    1. Re:Do we resort to revenge? by Decimal · · Score: 1

      why crash romania when U can cooperate with the romanian ISP's and track down the attacker ?

      U can't do that. U is out of commision, just like X and W. Pay attention!

      --

      Remember "Bring 'em on"? *sigh
    2. Re:Do we resort to revenge? by DarkrhaveN · · Score: 1

      Hell yes, I agree, the power and bandwidth of all of the /. users combined could crash Romania for the next two years and they'd never come back online.

      --
      "He Who Laughs Last, Is Just A Hand In The Bush" - Ozzy Osbourne
    3. Re:Do we resort to revenge? by atrowe · · Score: 1

      Only now, half those IPs will be from Slashdot users trying to read the article.

      --

      -atrowe: Card-carrying Mensa member. I have no toleranse for stupidity.

    4. Re:Do we resort to revenge? by Luti · · Score: 1

      We could collect between the whole /. community, more bandwidth than probably any place in the world. Now I'm not a particularly big Underworld fan, I stay with EFnet but I never like to see shit like this. I say since there is no real agency with power doing anything about this we "take it to the streets" and fight back by all means we can. Knowing my own capabilities and those of other /.'ers plus the level of intellect of many others we would surely come out on top. And think about it, there are so many of us that them retaliating would be impossible, we must outnumber them by tremendous odds!!

    5. Re:Do we resort to revenge? by Gozz_IRC · · Score: 1

      Well, I would agree that giving them the what for would be resorting to their level of "lameness", but, there should be some form of action taken against them...

  172. its efnet dumbass by ArchieBunker · · Score: 1

    undernet is quite conservative, not allowing warez or mp3 channels on their network. That keeps out 95% of the script kiddies right there.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:its efnet dumbass by Mojojojo+Monkey+Inc. · · Score: 1

      Not true, Undernet officials won't do anything to shut down existing warez/hax0r channels, they simply deny them the use of the X/W service bots. This doesn't really matter since any large warez/mp3/hax0r channel tends to already have large amounts of their own bots anyways, to prevent takeovers.

  173. Re:Bullsh*t, what about responsibility? by rgmoore · · Score: 1

    The question is whether you want to take a legal, blame applying attitude or an engineering, failure analysis attitude. While it's true that the murderer is morally and legally responsible for his own actions, from a causative standpoint everyone else did play a role. No action has a single, perfectly isolatable cause, as your chain of people involved in the manufacture of a gun points out. In most cases, it's possible to cut off a possible event at many of those stages, not just the final one, so it makes sense from a prevention standpoint to close off as many possible causes as possible. Just because a murderer is legally responsible for killing you, that doesn't make it smart to piss off a person with a short temper and a loaded gun.

    The point is that we need to take two different tacks to solve the problem. I would certainly never suggest letting the perp off; if you can track him down you should definitely lock him up and throw away the key. But that doesn't help now, and it won't necessarily help against the next bozo who thinks he's clever enough to get away with it. That's certainly also true because he's probably right- you can check out and see how badly we've actually done at nabbing the vandals who do this kind of thing. To solve the problem and keep attacks from continuing or starting in the first place you have to lock down the boxes that script kiddies are taking advantage of to launch their attacks.

    As long as people have the attitude that it's just fine to leave an insecure box out on the net, and that attacks that take advantage of their wide open box are not their fault, the attacks will continue. To solve the problem of kiddies launching these attacks, we need to hold the people who facilitate the attacks responsible somehow. I'm not saying "get rooted, go to jail" or even "get rooted, pay a big fine", but maybe if there were a policy of "get rooted, lose your connection for a year" then people would take security seriously and script kiddies wouldn't be able to run wild.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  174. When is DoS okay? by soygreen · · Score: 1

    You know, I remember when Slashdot posted a bunch of anti-eToys articles, and everyone was rushing to post their code for DoS attacks and trying to rally people to run it. That time it was "a protest." Now some guy does exactly the same thing, but to a resource that Slashdot readers like, and everyone here is calling for his head on a stick.

    A DoS attack is never okay. It's a crime and should be treated as such. Don't encourage these people the next time a "noble" cause comes around.

  175. TUH by Dungeon+Dweller · · Score: 1

    When are these kids going to learn? They should be taking down DALnet, not Undernet.

    --
    Eh...
  176. Re: Ask Slashdot: Undernet In Serious Trouble. . . by CurtisLeeFulton · · Score: 1

    It could be with the Undernet attacks that there is an underlying agenda besides idle vandalism. Are these attacks really coming from one country? If so, that fact alone connotes at least some sort of nationalistic fervor behind the attacks. Diplomacy may be an option.

  177. Re:Try securing your boxen first by h0mi · · Score: 1

    I think it depends on your box. If you're a home user on a cable modem, that's 1 thing. If you're a business with a T3 or better connection, that's a little different. But if your car is stolen & used to kill someone, you shouldn't be liable for it; neither should a victim of a hacker be held liable for those actions.

  178. My theory (strictly OT) by CptnHarlock · · Score: 1
    http://www.google.com/search?q=think -- Results 1 - 10 of about 33,200,000. Search took 0.08 seconds.
    http://www.google.com/search?q=thing -- Results 1 - 10 of about 17,400,000. Search took 0.04 seconds.

    The word "think" is more common than the word "thing". Many times some common words get stuck in our "typing memory". Sometimes when you are about to write something and you are for example talking you end up writing something else. Normally a "common-word-memorized-in-your-finger-movements" to say it shortly.. :) ... I think that this is partially (some of it is ignorance) the problem with "than" vs "than".

    It's an interesting phenomena than I also have been pondering about from time to time...
    --
    "The red rooster does not give up, only when he is already dead."

    --
    $HOME is where the .*shrc is
    -- silver_p
  179. Re:Solution by sik+puppy · · Score: 1

    A lot of people have posted this solution - be careful. I don't know what the cost in Romania would be, probably not a lot (in Russia and the Baltics, a pro can be hired for under $1000). (Here in the US it's more like $10k + first class round trip airfare, another $10k+.) The problem is as soon as your hire pulls the trigger, you are on the hook too. I forget who said it, but "The reason some people are alive is that it's illegal to kill them". Unfortunately, hiring someone to kill is legally the same as killing them, and in most countries punishable either by life sentence or death penalty.

    Just soliciting for a contract is often a crime.

    All of the above doesn't mean that the solution isn't accurate. The only positive is that he allegedly attacked a uu.net server - is that why I'm only getting 1 or 2 spams a day from them instead of 5 or 6?

    and no, I'm not trying to flamebait, but having investigated making sure that one is aware of the consequences of pursuing this line of thought (however justified)

    --
    The first thing we do, let's kill all the lawyers. Shakespeare, Henry VI, Part 2, Act 4, Scene 2
  180. Re:Explanation by Rev.LoveJoy · · Score: 1
    FishNet -- hahaha, I'm from Ventura, I used to know these people. Judging from the way they used to run their business, I'm not shocked they got rooted by Evil Romanian Script Kiddie (tm).

    Still laughing (hi stan!),
    -- RJL

  181. How I've dealt w/30mb/sec+ DDoS attacks. by Mordant · · Score: 1

    Firstly, all the comments about securing boxes are sound.

    Secondly, you really need to get your network infrastructure configured to withstand this sort of stuff. Putting up ACLs on a normal router, even a Cisco 7500-series, isn't going to do much good - all the denys will drive your CPU utilization up to 100%, and the router will stop routing.

    Instead, you need to implement layer-3 switching with Cisco Catalyst 5500s or 6000/6500s, with the NFFC II (in the 5500 series) or the PFC2 (in the 6000/6500 series) at key points in your network. This allows you to offload ACL processing from the routing engine (either a dedicated route processor or an external router like a 7206 used as the layer-3 brains of the switch) to the ASICs on the switch. This will allow the layer-3 route processor to keep handling packets whilst the rest of the traffic is denied.

    Setting up a QoS scheme to rate-limit certain types of traffic, like ICMP, is also another effective measure. While these aren't perfect defenses, they've allowed me to set up networks which have continued delivering services on the public Internet even whilst being DDoSed at 30mb/sec.

    I hope this information is useful to someone.
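
Added example (not part of Mordant's post and not a Cisco configuration): the ICMP rate-limiting idea from comment 181, modeled as a token-bucket policer placed in front of a link that a flood would otherwise saturate. The 10 Mbit/s link, the 256 kbit/s ICMP limit, the packet trace and all names are constructed assumptions; the model has no queue, so out-of-profile packets are simply dropped.

```python
"""Token-bucket ICMP policer in front of a saturated link (constructed simulation)."""
from collections import Counter

US = 1_000_000            # microseconds per second
LINK_BPS = 10_000_000     # assumed link capacity behind the policer
ICMP_LIMIT_BPS = 256_000  # assumed ICMP rate limit


class TokenBucket:
    """Integer token bucket; tokens are kept in bit-microseconds to avoid float drift."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        self.cap = burst_bytes * 8 * US
        self.tokens = self.cap  # start with a full bucket
        self.last_us = 0

    def allow(self, now_us, size_bytes):
        # Refill for the elapsed time, never above the burst size.
        elapsed = now_us - self.last_us
        self.tokens = min(self.cap, self.tokens + self.rate_bps * elapsed)
        self.last_us = now_us
        cost = size_bytes * 8 * US
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False  # out of profile: drop


def build_trace(duration_us):
    """Constructed trace: 30 Mbit/s ICMP flood plus 2 Mbit/s of legitimate TCP."""
    flood = [(t, "icmp", 1500) for t in range(0, duration_us, 400)]
    legit = [(t, "tcp", 1500) for t in range(100, duration_us, 6000)]
    return sorted(flood + legit)


def forward(trace, link_bps, policers=None):
    """Apply per-protocol policers, then the link itself; count delivered packets."""
    policers = policers or {}
    link = TokenBucket(link_bps, burst_bytes=3000)
    delivered = Counter()
    for now_us, proto, size in trace:
        policer = policers.get(proto)
        if policer is not None and not policer.allow(now_us, size):
            continue  # dropped by the rate limiter before reaching the link
        if link.allow(now_us, size):
            delivered[proto] += 1
    return delivered


def compare(duration_us=2 * US):
    """Run the same trace with and without the ICMP policer."""
    trace = build_trace(duration_us)
    offered = Counter(proto for _, proto, _ in trace)
    unpoliced = forward(trace, LINK_BPS)
    icmp_policer = TokenBucket(ICMP_LIMIT_BPS, burst_bytes=3000)
    policed = forward(trace, LINK_BPS, {"icmp": icmp_policer})
    return offered, unpoliced, policed


if __name__ == "__main__":
    offered, unpoliced, policed = compare()
    for name, result in (("no policer", unpoliced), ("ICMP policed", policed)):
        print(f"{name:13s} tcp {result['tcp']}/{offered['tcp']}  "
              f"icmp {result['icmp']}/{offered['icmp']}")
```

The policer only protects what sits behind it: if the flood already fills the upstream pipe, the drop has to happen further upstream.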

  182. I'm not Networking pro... by Rew190 · · Score: 1
    But I know a lot of you guys are, so why don't y'all throw them some advice? Undernet's a cool place that we should support, I know I would if I had the expertise but some of you in here probably just absolutely blow me away. Let's see some insightful posts about how to remedy the problem instead of saying "Shit, that sucks."

    Rally!

  183. Re:How hard can it be? by Lozzer · · Score: 1

    That may be a small part of the solution, but it doesn't help much if you get rooted and then have the changes disabled.

    --
    Special Relativity: The person in the other queue thinks yours is moving faster.
  184. Re:A case for Internet Licenses. by egburr · · Score: 1
    Take for instance marketing. Marketing is about getting people to change their behaviour in some manner, with or without their knowledge. However, one wouldn't expect to enforce a sort of competency test for being exposed to marketing.

    Bring it on. I'll take the test right now. Hmm, I failed? It's illegal to market to me? No one is allowed to let me see spam, advertising, tv commercials, telemarketers, etc.? You mean I might actually get to enjoy my life free of all the interruptions all you marketing-competent people have to deal with? I can't wait.

    Edward Burr

    --

    Edward Burr
    Having a smoking section in a restaurant is like having a peeing section in a swimming pool.
  185. can somebody just -do- something? by Com2Kid · · Score: 1

    I'm getting sick and tired of all these people whining and complaining about how -they- are sys admins and how -they- would *never* let anything like this happen to them.

    If you're such a friggin Genius (this being slashdot though, I bet a fair amount of you out there are, heh) then go and actually DO SOMETHING.

    For crying out loud, we are part of the high-friggin-tech community. One of the lowest members in this community, the Phreakers, managed to make Ma Bell change her whole entire infrastructure, shit, some of you /.'ers helped to invent the friggin internet, can't you do anything but argue over analogies and who's responsible?

    If a volcano is going to blow, you wouldn't argue over who's in charge of evacuation would you? Hell no, you'd go out and do something (namely in that case, run away).

    So go and actually -do- something, fix the friggin problem. Someone could easily post all known info about this ahole as an Anon Coward, and from there it's a simple matter of securing an anonymous internet connection (not exactly difficult, even *I* can do that, and I don't admin ISP's, setup backbones, or do any other such items which various posters have bragged about all throughout this topic) and fragging the bastard. Crap, if these ISP's were so easy to break into in the first place, and install a trojan/backdoor/dDOS host on, why can't you break into them again and REMOVE the damn thing. You're all bragging about how you're smarter than the ISP's, well, PROVE IT.

    At very least, trace down the a-hole's personal info (not exactly hard to do either) and send the guy something he won't forget. I'm sure that a few hundred pounds of dog shit (I forget the site that sells it but I'm sure somebody out there on /. knows it) arriving at his doorstep would alert him to the fact that he had been found, and that he had better stop his attack before something a bit more dangerous showed up.

    Crap, how many Anarchists can we round up? Can SOMEBODY please call one of the old Anarchist groups and get them to make one of those high explosive bombs they were always bragging about. Hell, go to www.textfiles.com and get the recipe yourself. That's only if your PHD education didn't teach you any chemistry though.

    Oh yah, and if you're not going to actually do something about the problem, THEN STOP BITCHING.

    Nuff said, bye now.

    1. Re:can somebody just -do- something? by buss_error · · Score: 1
      I think the point is that they are out of ideas. DDoS attacks are hell to find, almost impossible to stop, and rarely, if ever, do the phreaks go to jail. There are some exceptions.

      IPv6, where are you?

      --
      Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  186. Re:Security Rulesets -- a wee hyperbole by Quintus · · Score: 1
    Except it's not ipchains anymore!

    2.4.0 (BTW, it's great, tho' LVM won't compile as a module)!

    ipfilters (?) -- unless you compile in ipchains support...

    Shame school's just restarted, I could do with some time to set up the new firewall system...

    --
    He who fights and runs away,

  187. Re:Security Rulesets -- a wee hyperbole by Quintus · · Score: 1
    :-) You're right -- ipfilters is something imported from BSD-land I got into my head doing the config...

    --
    He who fights and runs away,

  188. Vive le BOFH! :-) by Quintus · · Score: 1
    No. A BOFH is the hero of the technological class, reminding everyone that it is, indeed, the ruling class.

    He makes life a living hell for everyone who makes his life (and his life style of IT competency/discipline) a living hell. It's really a rehash of the hero myth, in a way, the outlaw figure who does what we all secretly think about. (usually to some lesser degree, but still...) He is a hero of those people who are really technically competent (and oppressed by both the ignorant who pester and the wannabes who irritate -- obviously the latter is not all of the former, in both cases...)

    I volunteer-managed a lab (alas! they have since returned to their dark MS ways) for a year, and I defy anyone to claim that some "users" have never irritated them.

    Besides, the BOFH only hurts 'users', with the implicit premise that users aren't people :-) Honour among thieves...

    --
    He who fights and runs away,

  189. Re:Try securing your boxen first by Quintus · · Score: 1
    Well, yes, generally, you do have the right to do what you like... Where things get complicated (as usual) is when other people get involved. For example, it's alright to leave the door open, the yard unfenced, etc.; but it has to be clear to other people what you expect of them. If you leave your yard unfenced and unsignposted, and it's in an open area, you can't complain if someone wanders into it. Further, you can be charged with negligence of varying degrees if you help another come to harm, for example, by leaving firearms (barbaric devices! Leave'em to the Army/on the range) lying about or (to borrow a famous example, which I can't remember clearly) build a large pile/pyre of dry hay in hot weather next to someone's house and douse it in paraffin.

    Of course, there is obviously some middle ground -- for example, leaving your door open does not prevent the thief from being charged with unlawful entry. Generally (at least in systems derived from Common Law), the test is that of a "reasonable person" -- which is, of course, a tad fuzzy, but it does simplify matters by stating clearly that *everyone* is expected to take "reasonable care", even if they don't happen to be reasonable. (At least, this is the test for negligence -- I think it's also used for things like trespass, and general issues of following the law...)

    Anyways, there's my understanding. I, for one, think this is a reasonable test; particularly when extended, as it is, with "common practice", etc. I think the netadmin at a high bandwidth establishment clearly does have a "duty of care" to the public, and should be accountable, and equally, I think if she or he has taken reasonable precautions, they should not be faulted for flaws they could not or did not anticipate. Just as I feel the fool who leaves a gun lying about in the open is somewhat accountable for a murder or accident involving that weapon.

    Hmm, I'm getting that -2250 secs. thing, too...

    --
    He who fights and runs away,

  190. Re:Important: please read!!! by chrispgh · · Score: 1
    IANAL or a priest but take for a moment the idea that everything illegal is not morally wrong. Add that to the idea that religion was set up as a set of guidelines to keep people in line and give the power and money of its followers to the leader. Then divide that idea by the thought that as we come of age we realize that hurting people comes with the direct consequence of losing allies and you look like the fool and not the person who says I've never done anything illegal with a child, mainly because I know the consequences for both the child and for myself if caught.

    --
    For the Luddites of the world who resist computers, consider using computers to resist.
  191. What's wrong with this reaction? by chrispgh · · Score: 1

    I haven't seen one intelligent and positive post on this entire article yet. Yes you may say that majority of the people are against what the [Romanian?] is doing because it is another hassle of your job that you do not like to deal with (security). You have to look at the other side, this person (or group of people) has declared war on undernet for what reasons have not been stated but you have to wonder. I guess in all of our (America's) minds Iraq was a threat to our oil therefore he should be shot down but you must hear the other side of the story first. Maybe, just maybe it is not our oil to kill for.

    I may be 150% wrong about this person by even defending their right to fight but when EVERYBODY that could help a cause like his is crying wolf to babylon it leaves big brother no choice but to 1) Put someone who may have a noble cause in prison forever then 2) Make sure nobody ever has another chance to act anonymously online EVER AGAIN!

    --
    For the Luddites of the world who resist computers, consider using computers to resist.
  192. Re:This is why I left efnet in the firstplace. by xiitone · · Score: 1

    I've always felt that the punishment for such behavior should be 2 yrs tech support at a poorly secured ISP.

    --
    Elegance is for tailors. -A. Einstein
  193. Re:script-kiddy culture is to blame by drinkypoo · · Score: 1
    some of them over 20 these days (get a life, folks)
    Um. Have you considered the irony of posting something like this to slashdot?

    I'm sure they put as much thought into that as you did the irony of responding to it.

    And before you ask, yes, I examined my place in the chain while posting. But since I don't really have much of a life by traditional TV sitcom standards, I suppose I belong here myself.

    "When will you be home tonight, Dear? I baked an apple pie!"
    "I'll be home pretty late, mom, I have to drive to the dealer and pick up some parts for the Ferrari before I take buffy to the sock hop!"

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  194. Script Kiddies by ende · · Score: 1

    My question is, where did all these script kiddies come from? I remember in the early 90s we did have our "irc warriors" .. but the most we'd do is throw up a link looker, find a split server, and take advantage of a bug to collide someone off.. or use a packet program like pepsi or smurf to kill off a person or two.. is there any real point to what these kids are doing? They aren't doing this to gain control of a channel or get back at someone, they are just doing it because they feel like it? It was pretty sad a couple weeks ago when I saw some kid who was probably still in junior high, boasting the fact that he has over 400 rooted shells.. is there no security anymore that these kids can go around trading shells to run floodnets and packetnets off of? Down with script kiddies, we need to take EFNet (and other servers) back. nd [DeSynK/Havok]

  195. Re:seriously.... by shepd · · Score: 1

    >I want power.

    It seems they do too.

    --
    If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
  196. Re:Try securing your boxen first by rmst · · Score: 1
    No, actually yours, sir, is the bad analogy.

    Having an insecure machine is not going to cause problems as that is its nature. It will sit doing nothing wrong until someone makes a conscious effort to exploit it. An unsafe vehicle, however, will cause problems without someone exploiting it for the purpose of causing problems.

    It's kinda like how a knife is an OK thing, except when someone breaks into your home and cuts up your children with it. You certainly wouldn't liken 'someone coming into your house and stabbing you with a knife' with 'driving an unsafe car', would you? To sum up, an insecure machine poses no intrinsic threat to the world unless someone decides to exploit it, just the same as my house poses no intrinsic threat if I leave the door open, but then if someone runs in and starts shooting from my second floor window because it has a nice view of the park, then would you be so quick to blame me? Let the attacker take responsibility for his actions, please.

    --
    --------

    Never call a man a fool. Borrow from him.

  197. Re:Try securing your boxen first by rmst · · Score: 1

    And your analogy fails to draw a correct parallel. There IS something intrinsically dangerous about an unsafe automobile, there is NOT with an insecure computer.

    --
    --------

    Never call a man a fool. Borrow from him.

  198. Link to DALNet story... by suss · · Score: 1
  199. Re:Survival of the Fittest (huh?) by AndyChrist · · Score: 1

    I'm afraid it doesn't.

  200. Telnet access is pretty dumb by Calyth · · Score: 1

    I don't see there's any reason that an ISP should allow telnet access, even if it's needed, there's a better alternative (ie SSH). Any computer enthusiast who has read a couple of security articles would know that telnet access is a huge can of worms, and frankly, the ISP who got rooted by telnet should be also partly responsible. I don't know if the sysadmins are incompetent, but they're sure stupid not to lock down such a big security hole.

    1. Re:Telnet access is pretty dumb by Calyth · · Score: 1

      Note: I'm not blaming owners, but I'm blaming the sysadmins. They're the guys who maintain the servers and should not have allowed root access over telnet whatsoever. It may be the easiest way to maintain the server with root access with telnet, but that's the easiest way for some script kiddie to get in and f^&* around with the computers, and launch DDoS around and think they're the top of the world.
      If the server owners are the sysadmins, then yes I would say they're f&(*ing morons because if they don't know how to maintain a server properly, then don't start a freaking ISP.
      When my dualbooter is in linux, I could maintain it basically anywhere around the world, but would you think I would be that stupid to use telnet? At least use something that actually puts a better fight against those script kiddies and use SSH. After all, some ISPs do use *nix and could have assigned certain users with more permissions than others (like sudo), at least it would not be that obvious to some script kiddie to say, hey this box is wide open and let's f&(* around.

    2. Re:Telnet access is pretty dumb by Primer+55 · · Score: 1

      I'm sorry, but there is NO FUCKING EXCUSE to allow telnet access, no matter how big/small/secure you are. Your server need not run more than SSH for shells and have sudo for useradd, etc.

      Of course, both the ISP I used to work for and the ISP I use now have open telnet access, despite having SSH also...

      --

      "Watch these suckers jump when I get root." - l33t j03
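
Added example (not part of the posts above and not any ISP's real configuration): a small audit of the two files the telnet-versus-SSH comments in thread 200 come down to, `inetd.conf` and `sshd_config`. It also flags the BSD r-services, which goes beyond the telnet case discussed in the thread; the sample configs and all function names are constructed.

```python
"""Flag cleartext remote-login services in inetd.conf and direct root login in sshd_config."""

# Service names as they appear in /etc/services: telnet plus rlogin/rsh/rexec.
CLEARTEXT_SERVICES = {"telnet", "login", "shell", "exec"}


def enabled_cleartext_services(inetd_conf):
    """Return (service, user) for every uncommented cleartext login service."""
    hits = []
    for raw in inetd_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a leading '#' is how a service is disabled in inetd.conf
        fields = line.split()
        # name, socket type, protocol, wait flag, user, server program [, args]
        if len(fields) >= 6 and fields[0] in CLEARTEXT_SERVICES:
            hits.append((fields[0], fields[4]))
    return hits


def sshd_global_options(sshd_config):
    """Parse the global section of sshd_config; the first value of a keyword wins."""
    options = {}
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # conditional blocks are not evaluated by this check
        value = parts[1].strip() if len(parts) > 1 else ""
        options.setdefault(keyword, value)
    return options


def audit(inetd_conf, sshd_config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for service, user in enabled_cleartext_services(inetd_conf):
        findings.append(f"inetd: cleartext service '{service}' enabled (runs as {user})")
    root_login = sshd_global_options(sshd_config).get("permitrootlogin")
    if root_login is None:
        findings.append("sshd: PermitRootLogin not set; the default depends on the OpenSSH version")
    elif root_login.lower() == "yes":
        findings.append("sshd: PermitRootLogin yes allows direct root logins")
    return findings


# Constructed sample files.
WEAK_INETD = """\
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
"""
WEAK_SSHD = """\
Port 22
PermitRootLogin yes
PermitRootLogin no
"""
HARDENED_INETD = """\
#telnet stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#login  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
"""
HARDENED_SSHD = """\
Port 22
PermitRootLogin no
"""

if __name__ == "__main__":
    for label, inetd, sshd in (("weak", WEAK_INETD, WEAK_SSHD),
                               ("hardened", HARDENED_INETD, HARDENED_SSHD)):
        print(label, audit(inetd, sshd) or "no findings")
```

In the weak sample the second `PermitRootLogin no` line has no effect, because sshd uses the first value it reads for a keyword.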

  201. Dalnet DDoS'd also by wpc4 · · Score: 1

    How interesting, Dalnet has been being DDoS'd for about 2 weeks now, at times they are hitting almost every single server, while the ones that are left alone have to take up the slack of the other servers. "Too many users" is what you'll see a lot of the time. Perhaps it's kill all irc servers month?

  202. Hunt 'em Down!! by Aloekak · · Score: 1

    Didn't anyone read this Slashdot Article? According to it, we can hunt the guy down.

    I propose we cram 10 pounds of spam up his ass and close it off with a cork. Make him jog 5 miles, and then turn him over to the authorities.

    Have fun,
    Justin

  203. This is NOT a solution by Tolomak · · Score: 1

    Remember last year when Yahoo, CNN and a dozen other high-profile sites were DoSed?
    The kid was Canadian, the computer crimes law was enforced and he's in jail for 1 year, but the damage was done and I bet you it'll not prevent another kid from repeating the deed.

    Maybe the next kid will be American, do you really think the solution would be to talk the CERT guy into shutting down the US backbones?
    That'll stop the attack, that's for sure! :)

    There are more sensible approaches (already posted) let's not behave like nazis here!...

  204. Re:Not funny. Not one bit. by DRACO- · · Score: 1

    I too op on some close knit channels including #Irc4kids, the first day X started acting up our admin (the older ops) all agreed it was time to reissue the "don't op anyone that you don't know as an op or isn't on the bots" statement. We also got together and pooled our resources to get some bots thrown together because our usual standby bots have also been knocked out somewhere in the netsplits. We also stated to other ops and regular users that if the undernet were to break up, to check our website or efnet to find out where we may go.

    I have to begin doing the same for my hideout channel and also talk to the manager of #dmsetup to see what we are going to do about these issues (we are always just too busy with removals to do any managing work).

    I have also hardened the settings on my BitchX client to reop bots, lock the chanmode and watch for flood attempts. I might compile an eggy on my box to write a script to route channel activity from one network to another if we end up moving (I know it's been done.. but it's more fun reinventing and improving the wheel using rubber instead of stone)

    --
    Consider yourself blessed if you are sneezed on by a dragon and only get wet, it could have been a fireball.
  205. Re:godammit. by j-pimp · · Score: 1

    I'd like to see the output of a nessus run on your machine. And don't forget ISPs don't have the liberty of locking down every damn service on every damn server. When you've got hundreds of servers/routers, etc., sometimes you gotta use NFS for backups and it's hard to keep up to date with every security update. Most boxes are rootable if you have the skill, etc. Even OpenBSD is not perfect. There was the problem that the dhcp client could be taken advantage of by a malicious dhcp server. Not with the mass of this DDoS attack, whoever's behind it has to be relatively knowledgeable. Any script kiddie that tried to root enough boxes to pull that off with prepackaged root kits would probably have been caught by now.

    --
    --- Justin Dearing http://www.justaprogrammer.net/ We're just programmers.
  206. Re:Slashdot's evolving hypocracy, double-standards by Kiryat+Malachi · · Score: 1

    It's different.

    Usually, when a /.er says "They're helping expose security flaws" etc. they're doing just that - taking advantage of a *flaw* in that ISP or server's configuration. In general, this comment is restricted to the following situation.

    1 - The flaw is relatively unpublicized. And:
    2 - The flaw isn't a brute force flaw.

    This situation doesn't meet these standards - this is, essentially, a brute force flaw. DoS is the equivalent of trying every single password out for a login ID - given sufficient time, it will eventually break the protection without *any* fault from the server.

    Yes, this is a simplified argument (there are ways to prevent brute-forcing passwords at the login prompt) but it does discern the essential difference between destruction for the sake of destruction (DoS) and defacement. It's the difference between vandalism and arson - I mean, yes, Janet Reno had a Hitler mustache, but so what? She does normally, too, it just isn't as obvious. =)

    --

    ---
    Mod me down, you fucking twits. Go ahead. I dare you.
    (I read with sigs off.)
  207. Re:Talk to someone at MIT by Kiryat+Malachi · · Score: 1

    Check out some of the research being done at MIT's Lincoln Labs on automated electronic attack countermeasures.

    Bottleneck Verification to find novel attacks, a method that can seriously reduce new root-attacks, including un-identified ones.
    Dynamic reconfiguration for survivability, a technique for surviving DDoS attacks.
    Development of intrusion detection methods, another abstract on techniques for automatic detection/reaction.

    Actually, automated IC bears a surprisingly high resemblance to speech-recognition problems, another high-point of Lincoln Labs.

    Lincoln Labs, in conjunction with DARPA, is also doing real-world evaluations of actual ICE. This is the sort of thing ISPs need to be paying attention to, as the research being done here is what's going to be protecting their networks, soon.

    --

    ---
    Mod me down, you fucking twits. Go ahead. I dare you.
    (I read with sigs off.)
  208. Re:Try securing your boxen first by nullnvoid · · Score: 1

    I would even suggest that an insecure box is the equivalent of an "attractive nuisance," like a swimming pool in a backyard that has an open gate.

    If a bunch of kiddies trespass through the open gate and one of them drowns, the owner may be found liable in a civil suit. Why? A swimming pool is an "attractive nuisance" and a reasonable person would judge that some kiddies might be drawn to it. Therefore, it is up to the owner to take precautions to minimize the risk to others.

  217. Re: Ask Slashdot: Undernet In Serious Trouble. . . by _ganja_ · · Score: 1
    Plus, it sounds like you may not know BGP as well as you think you do.

    Specifically what makes you think that? If you make comments like that you need to back them up and I'll tell you where you are wrong. All you complain about is contracts. However, your comment provided a good laugh for everyone else here, if only you knew. :-)

    --

    A journey of a thousand miles starts with a brutal anal raping at airport security

  218. Re:Defensive measures by _ganja_ · · Score: 1

    Weighted fair queueing (correct spelling) is only suitable for links of 2mb/s or below. Regardless, queuing will not help this situation.

    --

    A journey of a thousand miles starts with a brutal anal raping at airport security

  219. Some Thoughts to Throw on the Fire by tthomas48 · · Score: 1
    I wonder if this is perhaps our fault. All of this destruction is our fault.
    • Most of us learned in an environment where there was very little information to start with. We hacked to use our computers, not to play with our computers.
    • Most of us are not social about computers. While we were learning how to use computers, the rest of society was making fun of us.
    • We improved computers so that anyone could use them, just to prove to others how cool they really are.
    • And there's the problem. Now that anyone can do anything, there's no morals.
    So I guess my question to the SlashDot community is - "Is there a mentoring program for these script kiddies?" If not, why not? Why are we not teaching them why computers are the way they are? Why we treat each other the way we do? Why the heck some of us read slash dot even though we don't have a clue what's going on half the time (:>). I personally would like to help teach the morals of computing. I don't have a clue where to begin. So that's my question. Where do we begin?
  220. Much Ado About Nothing... by h0mer · · Score: 1

    All this just because he got KB'ed from #ereethaxorjuarez.

    --


    I'm on top of my game like I'm standin' on Xbox.
  221. Re:Explanation by fatphil · · Score: 1

    "
    telnetted from Romania to FishNet, a Ventura, California-based Internet service provider. Once he obtained highest-level "root" access at FishNet, the
    "
    ...
    "
    "Fortunately, he wasn't too bright because he left a lot of trails," said Bill Benefield, a system administrator with FishNet.
    "

    So he haxored your machine and _you_ think _he_'s not too bright? That man should become a politician...

    FP.
    -- Real Men Don't Use Porn. -- Morality In Media Billboards

    --
    Also FatPhil on SoylentNews, id 863
  222. This sounds a lot like... by AaronStJ · · Score: 1

    The stuff that was/is going on in Efnet. It seems that IRC servers have always been popular targets for attacks because of all the personal politics that whiz around on IRC. A lot of Efnet servers have been suffering downtime lately due to a bunch of DDoS attacks.

    I see two solutions, neither of which I have much faith in. The first is to make the existing IRC servers much less prone to DDoS attacks, and from what I know, there isn't really a way to do this yet. The second would be to try to migrate all the "serious" users to some other IRC network (a new one perhaps) while leaving behind all the squabbling lusers. Of course, the lusers would hop onto the bandwagon, and we'd be back to square one.

    --
    Stupid like a fox!
  223. DoS attacks by kaume · · Score: 1

    Taking rights, assuming the use of Linux or other *nix variant, they could use ipfwadm and set it to disable ICMP packets at boot up, DoS problem solved.

    --

    In a world without walls or fences, Who needs Windows or Gates?
  224. IP Blacklist by Desdinova77 · · Score: 1

    There was some discussion on one of the Security Focus mailing lists that pondered the idea of an IP Blacklist that ISPs could use. The basic idea was that when a site is used in a DDOS attack they get added to this list, then the ISPs black hole *all* the packets to and from the site. This means mail, web, everything. This gives the sites that are being compromised a real motive to secure their sites. The basic idea is that if you can't keep your box secure you become unreachable until it's fixed. With something like this the admins that care will fix their sites; the ones that don't simply won't matter. The discussions died out while trying to figure out how to administer something like this. I still think it would be a great idea if those issues can be worked out.

  225. Re:Contact the meatspace authorities by CyberKnet · · Score: 1

    Isomer of unet/coders and unet/developers?

    ---

    --
    Video meliora proboque deteriora sequor - Ovidius
  226. Re:Not funny. Not one bit. by CyberKnet · · Score: 1

    Hearsay. Tell me why you think what you said would help the medium at all. Everything you said would have a distinct *negative impact* on the subculture of IRC.

    Maybe you have researched it. To fit it into a website though? IRC doesn't belong on websites anyway. What sort of information did you glean during this period that made you think you had the knowledge to make that sort of decision properly? A website is (by and large) single subject only, and by that rule, would (generally) only use one IRC channel in the first place. This would, of course, support your theory, because "this is how IRC is used anyway!". HOWEVER, this is not how regular IRC users interact. It is a diverse place, where people on coding channels are just as likely to be in irc newbie channels, teen chat channels, pornography channels, the whole kit. I like IRC because of the vast subject matter available. I can go get anything I want from any one particular network. After MP3s? Try #MP3Jukebox. Interested in network collaborated developing? Try #Developers. After some raw, not so clean, flaky chat? Try #teenchat. Want linux help? Try #Linux, #RedHat or #SuSE. If you break it down, you break it. Flat out.

    If you would like to convince me you have an argument that counters that, by all means, tell me.

    The emperor is not naked. In fact, the emperor is not even standing there...

    CK

    ---

    --
    Video meliora proboque deteriora sequor - Ovidius
  227. Re:Not funny. Not one bit. by CyberKnet · · Score: 1

    Have you ever used IRC? Do you have any concept of how it works, what goes on, why people choose a particular network? Your post would seem to make me think you haven't. And I don't mean to be belittling at all, but it shows a serious lack of in-depth knowledge of the subject medium.

    Let me educate you a little. Users choose IRC Networks based on a few things.
    1. It was the default server in mIRC (most popular IRC software)
    2. The channel/nickname services offered
    3. The pre-existing channels
    4. The Users/User count

    The purpose of irc is to congregate users to a place where they can interact. Splitting an irc network into "smaller networks" to lower susceptibility would defeat the purpose.

    Please, before you post about something, try to figure out if you have any subject knowledge, and if your post is really worthwhile. The concepts which may make P2P work better are not going to make IRC work better. They are engineered in a completely different fashion (Speaking as someone who has been involved in the development of both)

    ---

    --
    Video meliora proboque deteriora sequor - Ovidius
  228. Re:Try securing your boxen first by eudas · · Score: 1

    hmm. GUN. GNU. any relation?

    eudas

    --
    Blessed is he who expects the worst, for he shall not be disappointed.
  229. Why authorities? by netsharc · · Score: 1

    I wonder why we always assume that we need some sort of government assistance in solving these problems.. I'm sure every admin of the boxes that got attacked/misused would like to nail this kid, can't we just ask them to co-operate and trace him down.. if he has a modem connection it might be down to the telco to trace his number, but wouldn't there be some IRC-loving engineer there who wouldn't mind releasing his address without some bullshit court-warrant.. of course then we can't just bust his door and beat him up, but can't we find IRC-loving thugs that wouldn't mind doing that? I mean, I don't think this kid would be the only one using IRC in Romania...

    As to the legality of this tactic, don't ask me. But if you want to get it done bad enough...

    --
    What time is it/will be over there? Check with my iPhone app!
  230. Danger! by robt · · Score: 1

    Just what the world needs. An armed gypsy!

  231. This is what you get with an unregulated Internet. by achurch · · Score: 1

    I realize this isn't the kind of comment the poster is looking for, but I see this as just another example of what will happen when anyone can put a server up and have it accessible from anywhere else in the world. Yes, if people secured their boxes that would be fine, yes, it's possible to make things work without outside regulation, but for that you need an ideal world, and ours is far, far from ideal. Hell, half the sysadmins out there probably couldn't secure their systems properly if their lives depended on it, and we all know the attitude of most businesses toward security. Unless both of those factors change significantly for the better--something I don't see happening anytime soon--we need someone setting rules on who can do what on the Internet. If you don't like government regulation, then get on backbone providers to clean up their act and not let bad packets through their routers. But as long as there are broken machines out there and idiots to abuse them, I don't think we're going to see any respite from this sort of thing.

    As for what Undernet can do? Not much, really. Filter ICMP at ingress routers or turn off ICMP echo replies on affected machines, that sort of basic stuff you can do easily, but it only cuts down on some traffic at best. After that your only hope is to get backbone providers to cooperate with you in tracing down the problem sites and get the owners of the problem sites to secure their machines (or else get their network provider to pull their connectivity).

    The one other thing I can suggest in general is just to not be a place that lamers would want to attack. Undernet is already one of the Big Three, so that's probably hopeless, but the network I started up about five years ago (and am still nominally involved in) hasn't seen any DoS attacks that I've been aware of. It may be obvious, but even the lamers have reason to their actions (usually)--mostly they're just looking for attention, so they attack places that will cause the most disruption.

    --
    BACKNEXTFINISHCANCEL
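
As an added illustration of the tracing step in the comment above (not code from the thread or from Undernet): a smurf flood arrives as ICMP echo replies the target never asked for, sent by many hosts on the same amplifier network, so grouping unsolicited replies by source prefix yields the list of networks to take to the upstream provider. The log format, addresses, function names and thresholds are assumptions constructed for this example.

```python
import ipaddress
from collections import defaultdict


def build_sample():
    """Constructed capture at the border of 198.51.100.0/24.

    Assumed line format: "<epoch_seconds> <src> <dst> <icmp_type> <bytes>"
    (ICMP type 8 = echo request, type 0 = echo reply).
    """
    lines = [
        "100.0 198.51.100.10 10.9.8.7 8 84",     # protected host pings out
        "100.1 10.9.8.7 198.51.100.10 0 84",     # ...and gets its reply
        "100.5 10.20.30.40 198.51.100.10 0 84",  # lone stray reply
    ]
    for tick in range(3):                        # three seconds of flood
        for host in range(1, 13):                # 12 responders in 192.0.2.0/24
            lines.append(f"{101 + tick}.0 192.0.2.{host} 198.51.100.10 0 1024")
        for host in range(1, 7):                 # 6 responders in 203.0.113.0/24
            lines.append(f"{101 + tick}.5 203.0.113.{host} 198.51.100.10 0 1024")
    return "\n".join(lines)


def parse(log_text):
    """Yield (ts, src, dst, icmp_type, size) tuples, rejecting malformed lines."""
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        ts, src, dst, icmp_type, size = fields
        yield (float(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst),
               int(icmp_type), int(size))


def find_amplifiers(log_text, protected="198.51.100.0/24", prefix_len=24,
                    min_responders=5, solicit_window=5.0):
    """Return source networks sending unsolicited echo replies to protected hosts.

    A network is reported when at least `min_responders` distinct hosts inside
    one /prefix_len answered a ping the protected host did not send.
    Simplification: replies are matched to requests by address pair and time,
    not by ICMP id/sequence number.
    """
    protected_net = ipaddress.ip_network(protected)
    last_request = {}  # (local, remote) -> time of last outbound echo request
    stats = defaultdict(lambda: {"responders": set(), "bytes": 0,
                                 "first": None, "last": None})
    for ts, src, dst, icmp_type, size in parse(log_text):
        if icmp_type == 8 and src in protected_net:
            last_request[(src, dst)] = ts
            continue
        if icmp_type != 0 or dst not in protected_net:
            continue
        asked = last_request.get((dst, src))
        if asked is not None and 0 <= ts - asked <= solicit_window:
            continue  # reply to a ping we really sent
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        entry = stats[(dst, net)]
        entry["responders"].add(src)
        entry["bytes"] += size
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)

    findings = []
    for (victim, net), entry in stats.items():
        if len(entry["responders"]) < min_responders:
            continue  # one or two stray replies are not an amplifier
        duration = max(entry["last"] - entry["first"], 1.0)
        findings.append({
            "victim": str(victim),
            "network": str(net),
            "responders": len(entry["responders"]),
            "bytes": entry["bytes"],
            "kbit_per_s": round(entry["bytes"] * 8 / duration / 1000, 1),
        })
    return sorted(findings, key=lambda f: f["bytes"], reverse=True)


if __name__ == "__main__":
    for f in find_amplifiers(build_sample()):
        print(f"{f['network']:<18} -> {f['victim']}  {f['responders']} responders, "
              f"{f['bytes']} bytes, ~{f['kbit_per_s']} kbit/s")
```

The ranked prefixes are the evidence an upstream provider or the amplifier network's abuse contact needs in order to filter or fix the offending site.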

  232. Cisco IDS by jroysdon · · Score: 1

    The only real solution to preventing DDoS attacks is cooperation with your upstream provider(s) and something like Cisco's Secure IDS box which will dynamically update and block DDoS type attacks as fast as they appear. Fast enough to make it useless to even attempt. I didn't say it was a cheap solution, but it's a very effective one.

    Jason Roysdon, CCNP: Security Specialization

    PS Normally I wouldn't use a signature or pull out cert letters, but here it's appropriate (plus I left off a bunch of my other nifty initials).

  233. Re:The problem is the protocol. by anichan · · Score: 1
    How is redefining the protocol going to help? Even a firewall isn't much help when you're getting 10M/s of data pumping into it. Somewhere along the line there is an ISP that just doesn't want to deal with it, and will delink whoever the poor sap is that's the victim.

    I'm sure that you're right that they want to take over channels, but for something this big, I don't really think that is the whole motivation. At this point, it would seem that their sole motivation is to see how long they can go on for, and what type of havoc they can cause. IMHO, of course.

    --

    karma is for the weak >)

  234. Re:Try securing your boxen first by ndrw · · Score: 1

    Linux = MGB - niche, fast, pretty, but pray it doesn't break!

  235. Commercial Solutions by Telastyn · · Score: 1

    After the attacks in February (and before) a few commercial entities were working on such a solution. Most involve automated filtering script implementation based on traffic analysis. A few others use interesting and innovative methods to garner information about such attacks for prosecution. There are a very few that do both, and usually with a few other things thrown in for good measure.

  236. Blame lame admins by shin0r · · Score: 1

    The script kids may be justifiably vilified for their actions; however admins MUST be held partly to blame for DoS launched from their networks. I tend to do my idling on IRCNet, and DoS attacks are a constant threat. What happens when you alert an admin to a compromised box however? Here's my personal experience, and I paste from an actual email :-

    to: abuse@****.ac.uk
    from: root@****.ms
    cc: abuse@ja.net

    Dear abuse team

    It seems the host bingo.****.ac.uk has been compromised and is being used to launch DoS attacks on our network. Over the last 5 hrs our border routers have been receiving constant traffic from this host peaking at a rate of over 18mbps, and this is understandably causing us some severe service difficulties. It would also appear that someone is running IRC bots from this host, compromising the JA.NET use of computers code. Please rectify this situation as soon as possible.

    Thanks for your time
    root@****.ms

    We never received a reply, and the box (and bots) stayed up for well over a fortnight. With lax admins in charge of serious amounts of bandwidth, is it any wonder that kids hack boxes on their network and use them for DoS attacks?

  237. Analogies by d3nt · · Score: 1

    What's currently lawful and illegal is irrelevant. Only what's right and wrong matters. It's legal to have a whole network of poorly secured machines with an enormous amount of bandwidth at their disposal, but it is by no means right. It's an attractive nuisance, which in today's crowded world is immoral, although in this case not (yet) criminal.

    --
    there's more than one way to do it, but your way is wrong
  238. Your right? by d3nt · · Score: 1

    I'd like to leave a few guns and explosives lying around in your neighborhood. It's my right and my prerogative.

    --
    there's more than one way to do it, but your way is wrong
  239. It's All Counterproductive... by NeuroManson · · Score: 1

    Hackers, Crackers, Script Kiddies, lend me your optics...

    The honest fact is, actions such as this are counterproductive...

    European nations are, even now, writing laws out of ignorance, intending to strip away your rights further and further, with a largely ignorant public all too willing to swallow the anti-intellectual propaganda that you see in the media every day... A public that wouldn't care either way, as long as it (momentarily) assuages any of their fears...

    This is something that continues to be brought to notice as well in the US government, also known as the home of the rider bill... Where without anyone having knowledge, they can attach ludicrous laws to bills as they are passed, whereas they could easily strip your rights away without a peep from its similarly ignorant populace...

    These are people who are perfectly willing to take bandwidth sucking garbage like script kiddie attacks and their "possible" end results, and turn them into justification for further attempts at removing more of your rights...

    When they penned the DMCA, I said nothing, because my software was legal...

    When they declared DeCSS illegal, I said nothing, because I ran Windows...

    When they closed down IRC, I cannot say anything because (Connection reset by peer.)

    --
    Just because you can mod me down, doesn't mean you're right. Shoes for industry!
  240. Am I Missing Something here? by darrad · · Score: 1

    ....come on. "logs on to the server and gains root access"!!! Who is in charge of securing these boxes? I know that it is not impossible to hack a root pwd, but give me a break, this is supposed to be one of the most secure OS's on the market. It would almost make you think there is a MAJOR security hole in the OS. My next question would be, if it is a smurf attack, why not filter the traffic? block udp, ping or whatever port he is coming in on. And then there is the obvious, if he has root access, what is the reason for the smurf attack, that seems a little redundant to me....
    Hell, I don't know what the hell I am talking about...........

    1. Re:Am I Missing Something here? by einhverfr · · Score: 1

      Unix/Linux is only as secure as its sysadmin is knowledgeable. NT, on the other hand, is more secure in the hands of idiots but insecure even in the hands of real geniuses (who are probably using Linux anyway). Creating a good firewall is imperative for almost any system because it does enable you to filter out some kinds of DDoS attacks (f. ex. Ping of Death). However, this takes some good knowledge of the inner-workings of TCP-IP. haxor t0075 should be legal only if open-source. That would give the sysadmins a fighting chance to patch the holes. (besides, ./configure;make install would probably confuse a good portion of the script kiddies).

      --

      LedgerSMB: Open source Accounting/ERP
  241. I agree... by karma_hax0r · · Score: 1

    I got hit with an extended DOS, and it was a bitch.

    Short of killing them, does anybody know what the legal recourse is? The statute of limitations probably isn't expired yet...

    What agency would I report a DOS to? Or would they just shoo me away because it was (relatively) small scale?

    One thing's for sure - it's not going to stop until we crack down. Who is giving these people such a large pipe, anyway?

    1. Re:I agree... by Cramer · · Score: 2
      • what [is] the legal recourse?
      Practically nothing. And this assumes you can conclusively prove they are the one(s) responsible. Very few people/organizations ever take legal action -- it costs far more to track the son-of-bitch down and haul their ass into court than they could ever recover.

      Generally, they are too young to be criminally prosecuted anyway. PLUS, once you cross a country border (or several), it becomes even harder to bring legal action.
  242. Just shut it down. by Bender+Unit+22 · · Score: 1

    It is such junk anyway.
    I can understand why the ISPs won't take it.. 99% of the stuff I have seen there is so stupid.
    Ok so people can't help being stupid. But when they start destroying their own playground, just don't rebuild it or open it again.
    In my opinion it's the same crowd who would do those attacks, who uses it anyway. (I might be wrong, but it just looks like that)
    The only serious use of IRC I have seen has been on private and closed servers anyway.

    --------

  243. Money Talks by Cyclone66 · · Score: 1

    It seems as though if big business gets hit with a DOS then the authorities look into it (Ebay, Yahoo, etc.). But if its a free service like IRC then they can't be bothered. Typical!

  244. Re:Try securing your boxen first by juliao · · Score: 1
    You do have a point.

    I would not obviously agree with not blaming the true culprit. But it somehow seems that companies are being definitely lax in their security, and they should take some blame for that too, and just not blame it on the hackers.

    From another standpoint: you loan someone your car, and it gets stolen because the person left it unlocked. Do you solely blame the thief?
    -----

  245. Re:Try securing your boxen first by juliao · · Score: 1
    Nope. I don't agree. If I want to run an insecure, crappy box, that's my right. Just like if I have a house, and want to leave the door swinging in the wind wide open, it's my prerogative.

    What if someone uses your house to set up a drug supermarket, or something of the kind? Don't you think you could be held liable?

    The point is not what they do to your own boxes, I couldn't care less about that. It's obviously about what your boxes can be used to do against others. And if by laxing security you let them do it, you probably have your own share of responsibility.

    This is not the 1980's anymore. Having a host on the internet amounts to having some responsibility. Welcome to the 21st century, like it or not...
    -----

  246. Re:Important: please read!!! by mr.nicholas · · Score: 1
    As I said, I've never done anything illegal with a child, mainly because I know the consequences for both the child and for myself if caught.

    So you've never done it because of the fear of getting caught, not because it is immoral or improper, or because an underage child isn't mentally capable of understanding the nuances of the situation? Hmmm. I would have hoped that the fear of getting caught wasn't your primary motivator. The fact that it is says something about you.

  247. Re:W00p by slashdevnull · · Score: 1

    Shibby.

  248. Re:What about EFNet? by kupekhaize · · Score: 1

    There are several admins and other people on Efnet who are trying to fix the problem. They are working on a totally new IRC client/server process which basically hides all of the routing servers from the users. The new network is going to be called "EFNext".

    In addition, with the new network, it is possible for admins on remote servers to ban people (with the approval of local admins) and quite a bit more.

    In addition, server operators will be able to view the logs of the last people to have ops in a channel, and they can intervene and give ops back to the original owners of a channel.

    Granted, most of the DDoS attacks happening today aren't due to takeovers any more, but rather certain people trying to overcome penis envy, but it should help with a lot of the problems that have been associated with the Eris Free Network in the past.

    If you want, you can find out more information from:

    http://www.efnext.com

    The page is still under heavy development, but it has a lot of the technical documentation for the server, and gives a good idea as to what is planned.

    --
    One of these days i'm going to find this 'peer' guy and reset HIS connection!
  249. Stopping the attacks by sirgoran · · Score: 1

    I have to agree. The attacks must stop.

    It does seem to me that since this is an intentional attack against a business/system the cops should be brought in. Since it seems that the jerk-weed lives in a country outside the U.S., then it should be easier to stop this from happening. Since I don't like the idea of "breaking his fingers" or "killing him/her", I would be more than happy if the party responsible simply had the computer removed and destroyed.

    Since they simply aren't able to be an adult in their use of the computer, just take it away from them.

    And since money talks, I think that if the slashdot folks chipped in a buck for the bounty on this dweeb, we'll have the problem stopped within a week.

    Anyone else in for a buck?

    -Goran

    --
    Carpe Scrotum - The only way to deal with your competition.
  250. Re:Not funny. Not one bit. by krnlpanic · · Score: 1

    I consider myself a productive member of Undernet. I have used Undernet for about three years and I have learned much of what I know about networking, html, linux and many other topics from people that I have met on Undernet.

    There are idiots everywhere who think that it's funny to ruin the fun of others (Just read some of the posts on Slashdot). It really bothers me that people have to act like this. Have they nothing else to do with their lives?

    I am an operator on one of the help channels. I help introduce people who are new to IRC by teaching them not only how it works, but how to maintain proper "netiquette". There are a lot of us who volunteer our time to help others in many ways and I would hate to see it ruined by a bunch of script kiddie idiots.

    To see some real people who use Undernet, visit http://chatnewbies.net

    -Krnl

  251. Zarvox by Zarvox · · Score: 1

    See, there are a LOT of interesting postings here. I went through and read about 75% of them. Some are worthless, but some have some merit. I realize that DOS attacks against the DoS'ers are rather hypocritical. DoS attacks are illegal also. But you know what? This is OUR community. These kiddies are screwing with it and making us move out. Most of us out here are on 56k's and such. However, can you imagine what 250,000 56k users could do to a server over a few hours time? hehe, I'd leave my computer logged in for a few hours with the command "ping -t -w 1" while I go watch a few movies or something. A lot of people are saying to post the kid's IP here. Who HAS the IP? We've got THOUSANDS of readers who read /. every day. Someone, do some digging and find this dude's IP address. /. effected.

    --
    Zarvox
  252. Re:seriously.... by Zarvox · · Score: 1

    LOL, that's real cool. Just what I would like... I LOVE the AOL chatrooms so much. FOR ME TO POOP ON. The AOL/Yahoo chatrooms are out there for a reason. For the newbies who can't use the real internet. The IRC chatrooms are there for people like most of us who would like at least a semblance of control over their #channel. If there's some jerk-off posting porn links to my scripting channel, or some asshole who's posting links to farmsex.com in my Quake2 channel, then I want to have the ability to boot the fuckers. I want to remove their voice so they can't talk. I want to be able to limit the number of users. I don't want to have to stand idly by in the channel #video_games_45 while people spam it. Screw that. I want power.

    --
    Zarvox
  253. Our world by Zarvox · · Score: 1

    Ok, people. One person has made a DoS attack against UnderNet. Many people are walking away from it because of this. I say screw that! IRC is our turf. It's not the turf of some lame-brained little punk who wants to screw with us. I'm not saying that we SHOULD screw with him, but.... Hmmm, I wonder what thousands of people could do to a single user during one day? /.ed

    --
    Zarvox
  254. Re:Upstream provider by lifey · · Score: 1

    If it is a DDoS attack, that means that it is not coming from 1 IP but possibly thousands.

  255. Welcome to efnet... by Verteiron · · Score: 1

    These sorts of attacks have been hitting efnet across the board for the past year or two, though nothing quite on this scale from a single source...

    --
    End of lesson. You may press the button.
    1. Re:Welcome to efnet... by Verteiron · · Score: 1

      Whoops. Minus several million, redundant. Good reason to read the current posts before posting.

      --
      End of lesson. You may press the button.
  256. Re:script-kiddy culture is to blame by Soruk · · Score: 1
    > Would YOU run a public irc server

    actually, I just did make that choice for one of my sites, and decided against IRC and for a smaller, easier to manage web-based chat system instead. Issues like this were a part of that decision, definitely. I just felt that running IRC, even non-connected, was setting things up for the twits to come in and start wiping their feet on the carpet.

    Thought of running a MUSH-type server? These days they're pretty refined and the server codebases (e.g. MUX 2) are actively maintained.

    --
    -- Soruk
  257. DoS the DoSers... by kenthorvath · · Score: 1
    Find out the ips of each and every DoSer and post'em riiiight here.... Let /. take care of the rest. =)

    We must collectively have the equivalent of 8 or so OC12's

  258. I just am sick `othis by RevSmiley · · Score: 1

    I can't understand why this can't be fixed. I have been a computer Luser since CPM was a dominant OS. Now it's Linux I use. I am not a Hacker or one these script kiddie/crackers. When I couldn't understand how to secure my systems when I spent the time and money to understand it and secure them as best as I could, If your connection is 24/7 it had better be secure or someone will own you. That is just human nature. I use undernet and am a Channel OP. It is from exchanging information with like minds from all over the world I learned about securing my systems and using Linux to get what I want and need done. You can say IRC is dead all you want. Some still find it useful. It is worth fixing. One of the problems may be that it needs to generate the income to sustain itself. I pay for bandwidth and drive space now. How come IRC can't operate on a similar model? I would gladly pay to have W and X back. Then we wouldn't have to camp on our IRC channel 24/7 to maintain control of ops. Efnet was too anal. The bs with no tilde in front your ident was lame. It is getting harder to get on UnderNet without one too now. UnderNet is better in some respects and not in others. I'll gladly pay to have access if that is what it is going to take to resolve these issues. As I posted in jest on one of the sites I help with. We need a neck stretching for this snot sucking larpo. I'll provide the rope, sharp things and, firearms to run him to ground. Then we will hang him from a telegraph pole and wire his ass back home. Peace Brother and Sisters, Peace

    --
    As you can see I don't care about my karma.
  259. Explanation by zoomba · · Score: 1
    Here's an explanation of what happened to the Undernet...

    Romanian teen takes down IRC network
    By Kristi Coale, Wired

    A Romanian teenager bent on revenge brought significant portions of the Undernet and several Internet service providers to a halt when he launched a series of smurf attacks.

    The unidentified youth launched smurf attacks against at least five hubs operated worldwide by the Internet Relay Chat network Undernet, obliterated an Internet service provider's server in Oslo, Norway, and took down servers operated by AOL, said Undernet system administrators. The FBI's computer crimes division is investigating the incidents.

    "We have some of the greatest minds in Internet technology here, and they couldn't do anything [to stop the attack]," said one Under Net operator who would not give their real name.

    AOL representatives were unavailable for comment on the extent of damage they incurred.

    Another Under Net operator stated that the attack began Saturday when the unidentified youth telnetted from Romania to FishNet, a Ventura, California-based Internet service provider. Once he obtained highest-level "root" access at FishNet, the youth launched at least smurf attacks - one against his former Internet service provider, the Romania-based Logicnet, and another against a UUNet service in New York.

    "Fortunately, he wasn't too bright because he left a lot of trails," said Bill Benefield, a system administrator with FishNet.

    Benefield said the youth entered FishNet services via news and mail server daemons, leaving his electronic footprints in the server logs.

    The youth, who is believed to be between 16 and 19 years of age, then went on a juggernaut across the global network, stopping first at ISPs in Oslo, London and other parts of the UK, as well as hitting Chicago ISP Napnet.

    At each stop, the youth would log onto the server, obtain root access, then delete files, canceling accounts. In some cases, it wiped out the entire businesses such as the ISP in Oslo.

    1. Re:Explanation by zoomba · · Score: 1

      I suppose I should read the articles before I make posts... *sheepish grin*

  260. People Calm Down! by t0qer · · Score: 1

    Ok, I've read comments about shooting, stabbing, whacking, hiring a hit, blah blah blah, sounds like a bunch of dumbass jocks to me.

    Think this through....

    IRC has gone way beyond what its creators intended. The system is so confounded because it went from just a way to do realtime chat to being able to track IPs, send and receive files, play games over (read the Descent FAQ), all kinds of fluff that was never intended for the original purpose.

    How fast can a person read in IRC? If it were redesigned to go back to its original function what would be the maximum bandwidth a person could read? Heck I remember when I went from 1200 baud to 2400 baud and I couldn't keep up on the chat text.

    So that's your answer, ircops. Limit to just text going in and out of a channel and cap that limit at around ohh.. 1200 baud. Put it another way, would you trust a 3 year old with a gun? Hell no! Why would you even want these vulnerabilities to exist in chat? Strip it down I say. I dunno, sorry to rant but I hope I'm making a +5 point :)

    --toqer

  261. We don' need no steenkin badges by gridsleep · · Score: 1

    We just track the little shit down to his home address (with a little friendly persuasion toward his isp), kick his door in a blow his fscking head off with a reliable Remington 780. Hey kid this is your brain. This is your brain on the wallpaper. Any questions?

  262. Re:Try securing your boxen first by mmol_6453 · · Score: 1

    As was the point earlier in this thread, no, there isn't a difference. I believe the term is 'criminal negligence.'

    --
    What's this Submit thingy do?
  263. Re:Try securing your boxen first by mmol_6453 · · Score: 1

    Sure it's impossible to completely secure a computer with a network connection and/or physical access. It's also impossible to have a completely safe car if it's in use, or if it even exists in physical form at all.

    I'm not in any trouble (laws unbeknownst to me notwithstanding) if I retrofit my car with a four-hundred-gallon gas tank... But here are a few situations where I would be liable, if I survived:

    1. I leave it in my home, someone steals it by knowing how to open my electronic garage door opener, and they get in an accident. KABOOM!
    2. I take it for a drive, and someone rear-ends me.
    3. I go for a drive, try to stop at a stop light, and discover a nice patch of ice. I slide out into the intersection, and someone broadsides me.

    Each of these situations demonstrates me as the source of the problem. While you may agree with some of the examples more than the others, I can be held accountable for each of them.

    I know it seems like the media, courts, corporations and lawmakers are out to squash the techno-geek culture, but here's the main point: We need to take responsibility somewhere along the line. This is a good point right here.

    --
    What's this Submit thingy do?
  264. Re:godammit. by Luti · · Score: 1

    That's fucking ridiculous. How could he just get root access? I am no great sys admin but I like to believe my server is rather secure. The ISPs should fire those sys admins. This is truly sad.

  265. disappointing... by Barkboy · · Score: 1

    Undernet brings new people together every day. I've lost count of the acquaintances I made over IRC/undernet. The people who DOS top quality free public services like this are nothing more than scum. There should be some kind of black list made to prevent ISP accounts being opened for these jerks. The NZ server was permanently taken offline for this reason, and now connecting is more difficult than ever. Thanks a lot guys.

    --
    --- LOTR!!!
  266. Spoiled Brats by pythagora · · Score: 1

    When I was 4, I threw a temper tantrum and destroyed my favorite doll. My mom said, too bad, guess you won't have a doll anymore. If script kiddies are the ones using irc, and script kiddies are the ones trashing irc, they're screwing themselves, and they'll move on when they realize all the grownups found a new place to play.

  267. Humm by ceide2000 · · Score: 1

    It would be nice to find out what kind of DDoS they are doing. For some reason I believe that someone is missing something here. A good firewall & security could really help. I am not talking about your $35 version. You pay for what you get. Chris

    --
    ~^\-/^|-|^\-/^~ May the force be with me!
  268. Re:Try securing your boxen first by tilrman · · Score: 1

    . . . And it is every ISP's right to simply refuse connections from misbehaving machines. Problem: The networking scheme of the Internet was designed with (or, if you prefer, has evolved on) the basis of trust between hosts, without much worry for security.

    • Solution A: Make everybody trustworthy.
    • Solution B: Redesign. Rewrite. Recompile. Reboot. (Repeat. :-)
    • Solution C: Resign.
  269. Re:Security Rulesets -- a wee hyperbole by PiterPan · · Score: 1

    ipfilters (?) -- unless you compile in ipchains support... It's actually iptables. I built my firewall around it while ago... 2.4.0-test10 or something...

    --
    On scale from -14 to 56 this post is '-15, Nonexistent'
  270. Re: But it's true tho, aint it? by droolfool · · Score: 1
    I don't think so.

    One thing is a hacker, someone who really exposes security flaws. But a script kiddie that just wants to say to his kiddie friends "Oh, look at what I did, I HACKED that machine!" is completely different. I used to be flooded by some stupid boy when I had a 28K modem, that sucked big time because phone lines were terrible already, a breeze would be enough to break the connection.

    Of course, that kind of guy has that need to show everyone he's a "Hacker". But nobody *NEEDS* to be one. The problem is that his friends think he *NEEDS*, maybe they watched "The Net" and thought it would be l337 (okay, this is not original, but it perfectly demonstrates what made them think it would be cool to "Hack" :)

  271. Blasted into the epoch? by serial+frame · · Score: 1
    Damned script kiddies seem like they're distorting time and space, too! LOOK AT THIS!

    998 Undernet webmasters. This page was last modified: Thu Jan 1 00:00:00 1970

    Not a very good situation, though I understand Undernet is trying their very best at keeping order. As for the clock skew, I dunno about that =P

    --
    And the Angel said unto me, "These are the cries of the carrots! The cries of the carrots!"
  272. How it works by DaSyonic · · Score: 1

    As an IRC administrator and ircd developer, and since there seems to be confusion about how a DoS attack works, allow me to explain. First off, the attacker gets a system with a fast connection. He then sends tons of spoofed packets to the server. Now the constant question I hear so far is 'How do you stop it', and one guy even told of changing the kernel code to stop ping replies (which is idiotic).
    You can't stop it. You can block replying to ICMP through the builtin firewalls, but then the attacker can just use TCP/UDP to try and take out your uplink too. You can't just block the subnets; the source IP is spoofed. There is only 1 way to stop it, and it shows the complete flaw of IP. You would have to go to your uplink, find out what interface the packets are coming from, then go to THAT uplink and ask them the same, and keep on going until you get to the originating IP. And since the guy doing it probably is using a machine he doesn't own, to get his IP you would have to wait until he connected to it. As you probably guessed, that's damn near impossible.
    Modern IPv4 and IPv6 enabled machines should be REQUIRED to do interface checking to try and stop spoofing. It should see if the source IP coming from that interface is an IP that is on that interface. Being able to spoof the IP across interfaces is dumb, and that is the root of the problem. It's not all that common that a cracker uses multiple computers to do an attack, but it happens. But even still, if we knew the IP from the get-go, it wouldn't be too hard to start adding them to your uplink's firewall.
    Just a few thoughts, personally. And if you're a script kiddie reading this, please look at your intentions; instead of attacking the box because they banned you, do something else that may be fun to you. Why hurt others? It causes lots of people grief.

    --

    Linux: Because a PC is a terrible thing to waste.
    James Brents
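
The interface check asked for in the comment above is what is now called reverse-path filtering (ingress filtering, BCP 38 / RFC 3704). The sketch below is an added example, not part of the original thread or of any router's code; the routing table, interface names and packets are constructed, and it goes slightly beyond the comment by also modelling the loose variant and the asymmetric-routing case in which the strict check drops legitimate traffic.

```python
"""Strict vs. loose reverse-path filtering on a toy edge router (constructed data)."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str


# Constructed forwarding table. Prefixes are documentation ranges (RFC 5737);
# the interface names are invented for this example.
FIB = [
    Route(ipaddress.ip_network("192.0.2.0/24"), "cust0"),     # customer A
    Route(ipaddress.ip_network("198.51.100.0/24"), "cust1"),  # customer B
    Route(ipaddress.ip_network("0.0.0.0/0"), "uplink"),       # default route
]


def best_route(addr: str, fib: List[Route]) -> Optional[Route]:
    """Longest-prefix match: the route the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in fib if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def rpf_accept(src: str, in_iface: str, mode: str = "strict",
               fib: List[Route] = FIB) -> bool:
    """Return True if a packet with source `src` seen on `in_iface` passes.

    strict: the best route back to the source must leave via in_iface.
    loose:  some route to the source must exist; the interface is not compared.
    """
    route = best_route(src, fib)
    if route is None:
        return False                      # no way back to this source at all
    if mode == "loose":
        return True
    if mode == "strict":
        return route.interface == in_iface
    raise ValueError("mode must be 'strict' or 'loose'")


# Constructed packets: (arriving interface, claimed source, description).
PACKETS = [
    ("cust0", "192.0.2.10", "customer A host using its own address"),
    ("cust0", "203.0.113.7", "customer A host claiming a third party's address"),
    ("uplink", "192.0.2.10", "outside host claiming customer A's address"),
    ("uplink", "203.0.113.50", "ordinary inbound Internet traffic"),
    # Customer B is multihomed and this packet took its other provider, so it
    # is genuine but arrives on the 'wrong' interface.
    ("uplink", "198.51.100.9", "genuine customer B traffic, asymmetric path"),
]


def classify(packets=PACKETS, fib: List[Route] = FIB) -> List[Tuple[str, bool, bool]]:
    """Return (description, strict verdict, loose verdict) for each packet."""
    return [
        (desc, rpf_accept(src, iface, "strict", fib), rpf_accept(src, iface, "loose", fib))
        for iface, src, desc in packets
    ]


if __name__ == "__main__":
    for desc, strict, loose in classify():
        print(f"{desc:50s} strict={'pass' if strict else 'DROP'} "
              f"loose={'pass' if loose else 'DROP'}")
```

With a default route in the table the loose check passes every packet, so only the strict check at the customer-facing edge stops a forged source, and the last packet shows the price: strict filtering cannot tell a multihomed customer's genuine traffic from a forgery.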
  273. Re:Try securing your boxen first by shinji1911 · · Score: 1

    However, you are not free to leave your shotgun just lying around so any malcontents can use it. Understand that analogy as well?

  274. Re:Try securing your boxen first by shinji1911 · · Score: 1

    No. This is more like leaving it on a park bench while you go take a shit in the bushes. Sure, it's your property. They certainly know it doesn't belong to them. And yes, stealing is illegal. And so is using it. So what? You still left it lying around.

  275. seriously.... by TheLadyM0N · · Score: 1

    please get rid of the concept of Ops...and make it friendlier for ignore. aol and yahoo are based on that.

  276. how? by DaKaktus · · Score: 1

    how do they know its a youth, of 16-19 yrs? maybe its just an iraqi soldier, with his new, uber-deadly playstation console :>

    --
    "Before you critisize someone walk a mile in their shoes, that way when you do critisize them you'll be a mile away and
  277. Take a pair of scissors... by MikeLRoy · · Score: 1

    And cut the line till you can sort things out.

    It's very simple. This kid is causing a problem for several ISPs, their users, and many Undernet users. Trace back some of his smurf attacks as far as you can with reasonable certainty, call up the ISP, and politely ask them (since they apparently don't have root on their own boxen anyways) TO UNPLUG THE #(*(@*& THINGS!

    As my brother demonstrated to me a few months ago, computers don't run without power.
    -MR

    --
    -Michael Roy Some people are like Slinkies. Not really useful, but you can't help smiling when you see one tumble down
  278. Re:A case for Internet Licenses. by jooniqzb1tch · · Score: 1

    There needs to be some system of accountability and a standardized measure of competence in order to be allowed onto the Internet.
    Maybe I'm elitist, but that's how I feel about it all.


    elitist ? maybe you meant nazi or something ? There definitely needs to be some way of getting rid of the DDoS shit (improved routing, i guess), but in no way do we need a system that disallows people from getting on the net for any kind of reason. that just sounds insane to me. the internet is and will stay (we do all hope so) a 'free' and open place.

  279. Where have all the hackers gone... by maxmutt · · Score: 1

    Ahh the state of the Internet. This has less to do with the script kiddies than with how corporate the internet has gotten.

    First off, there will always be script kiddies. They'll have different names, different code, different reasons or ideals, but the effect is the same. They cause problems, disrupt services, whatever. They've been around a long time and will continue to be.

    What happened to the hackers, the console cowboys, who knew the models, the specs, and RFC's by heart (some because they wrote them). The folks that would start playing around with the network layer and lower to figure out ways to stop the problem, maybe track the culprit down and give him or her something to play with.

    Are most of the people out there little more than an auto mechanic for a computer? They know the language they program in, the applications or code that they work with, the OS they use and can tweak it, tune it and basically extend it a bit, but they can't make any jumps of insight?

    Wait...is this what a script kiddie becomes when they grow up?

    Have the folks that wrote the RFC's and specs, those who started this whole business moved on? You know the admins and coders who had problems and wrote talkd, email, ircd or even httpd?

    Don't ask the government to solve the problem. Don't wait for an ISP to do.

    The government doesn't have a clue and probably wouldn't have a solution you'd like. The ISP is out to make money, that's what they do, it's easier for them to disconnect than to for a solution and costs them less money.

    "Necessity is the mother of invention."
    It should be the hacker's motto.

  280. Re:YUO = FAG0T by BitchCak3s · · Score: 1

    Who let you out of shugashack? *yawn*

  281. Re:Hackers oppinion by BitchCak3s · · Score: 1

    Learn to spell. Get laid. Go outside. Take a bath. Nerd.

  282. Re:DoS kiddies by BitchCak3s · · Score: 1

    spewn and the rest of his daycare rejects are pathetic. I don't use IRC. I just gleaned that tidbit by your petulant whiny posting style.

  283. You Fucking Assholes!!!! by Karahaj · · Score: 1

    How can yo be so God Damn hypocritical!! Just because something is vulnerable doesn't mean it is right to attack it... you take the same damn attitude this little punk has. here's a scenario for the lot of you with this "it's the victim's fault" attitude..... Your daughter asks you to go outside and play, and you say yes. a few moments later a car drives by and starts popping off shots at random into the neighborhood. Your daughter falls to the ground when you step outside to investigate.... as you sit there holding your child's blood-stained body in your hands, crying out to God why did this have to happen, and your daughter asks you to make the pain go away, the assailants speed off as the police eventually arrive. They see your child, look up at you and say.. "well, you shouldn't have sent her outside without a bullet-proof vest..." Now how fair is that? All of you out there take stabs at a company for not being the most secure in the world, and how NO ONE can gain root to your box and just remember, when it does happen, by means of a malicious person, that it was all your fault for letting it happen..... just repeat that in your ignorant little mind, and maybe then will we rid the world of all these people that think crime is the victims fault. Once all of you are gone, i'll start going to bed with my house door unlocked, because the world will be a safer place.

  284. Re:Moderate this up! by norrisd · · Score: 1

    but it applys

  285. fsck his brain!! by Skavino · · Score: 1

    fsck his brain! burn him alive.. i love undernet. do something! anything!

    --
    -sig? who said anything about a sig?!
  286. Re:Important: please read!!! by alpha320 · · Score: 1

    First of all, I'm an athiest, so quoting the bible means nothing to me. It also shows me that your points are biased and thus invalid. I would speculate that this whole viral "christianity" meme is MUCH more harmful to children than sex could ever be. You're just the basic gay-bashing bible-thumping type, so go fuck yourself.

  287. Re:Important: please read!!! by alpha320 · · Score: 1

    Roger, While I agree with you that in our current society, sex with children would be very harmful, if we were more enlightened it would be completely different. May I ask: What is your definition of a pedophile?

  288. That's about par for the course with me :) by kill-9.ws · · Score: 1

    I always have to do things the hard way :) Thanks for pointing out something that I should've seen though.

  289. Old school hacking by kill-9.ws · · Score: 1

    I haven't actually done this, but a friend of mine that's an old school hacker told me this trick that he used to use back in the day on IRC. Go to your /usr/src/linux/net/ipv4 directory and edit the icmp.c file. Look for a section in there that says: Handle ICMP_ECHO ("ping") requests.

    Immediately below that comment is a function that handles ping echo requests. Simply comment out the body of the function. Here's what that part looks like (roughly, I didn't spend that much time formatting this).

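    static void icmp_echo(struct icmphdr *icmph, struct sk_buff *skb, int len)
    {
        /* Answer the echo request unless replies are switched off by sysctl. */
        if (!sysctl_icmp_echo_ignore_all) {
            struct icmp_bxm icmp_param;

            /* Copy the request header and turn it into an echo reply. */
            icmp_param.icmph = *icmph;
            icmp_param.icmph.type = ICMP_ECHOREPLY;
            /* Echo back the payload that follows the ICMP header. */
            icmp_param.data_ptr = (icmph + 1);
            icmp_param.data_len = len;
            icmp_reply(&icmp_param, skb);
        }
    }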

    Comment out the code between the first set of curly braces, recompile your kernel, and your machine won't answer pings anymore ;-p

    Isn't it great having the source code to your OS?

    1. Re:Old school hacking by machinehead · · Score: 1

      and if you dislike the thought of not being able to ping your box from your internal net, set up a firewall rule to block icmp echo requests on your external interface. mine is set up with ipchains in a linux box used as my router:

      ipchains -A input -i eth1 -s $ALL echo-request -p icmp -l -j DENY

  290. Re:Try securing your boxen first by BlakJak-ZL1VMF · · Score: 1

    I don't see what all the song and dance is about. Yes, putting a box onto the internet does *not* give anyone else the right to break in to it. Hell, I've had it happen to me *more* than once. A computer on a network is the responsibility of the SysAdmin. Any actions taken said box are the responsibility of the owner. So the Owner therefore makes sure that the boxen can only do what it is designed to do.. with as few security holes as possible!! This is why we have doors with locks. And this is why Admins who sit there yelling 'I shouldn't have to' should rethink their perspectives on life; one day it'll be you on the receiving end. Isomer, you've been doing a *bloody good job* -- above and beyond the call of duty, and I'm sure many on undernet feel the same as I do. Regards to all the Opers and Helpers on Undernet who are trying to assist the masses. BlakJak

    --
    -.-. --.-
  291. Re:Important: please read!!! by localroger · · Score: 1
    I have been a member here for quite a while

    Then you should know that there is no general discussion board or its equivalent here. Your topic has not come up for a good reason -- the website operators haven't seen fit to give it a forum.

    OTOH you sound sincere (maybe even desperate) enough, so I'll bite.

    We are tricked, trapped, harassed, arrested, and seen as dirt by our government, authorities, and most of the people in this country. It reminds me very much of stories I've heard about Nazi Germany.

    Unfortunately, I have to agree with you here. What you want to do, what you dream of doing, is repellant to most of us and highly illegal. But our Founding Fathers had clear ideas on this which are being ignored. It should not be illegal for you to write your stories, draw your graphics, and prosyletize for your position such as it is. It should IMNSHO be highly illegal for you to actually do anything about your fantasies with another underage human being, but that's just me at this time. Joe Haldeman painted a vivid picture of a society in which homosexuality is normal and "us heterosexuals" were treated about as you and your lot are (in The Forever War), very discomfiting that. The theory of relativity does not just apply to physics.

    I always find it astonishing that erotic training is termed "child abuse",

    Here you are so close to the line that an electron microscope could not detect the separation. How convenient it must seem to you that this necessary "erotic training" might require your services, eh? While there is a part of me that feels you are right in principle there is a much larger part that feels you are exactly the person I would NOT want any dependent of mine going to for advice. You are right that sex in general is not inherently harmful, but you are wrong in assuming that sex in coercive relationships is not inherently harmful.

    I would have an even less hospitable view of you than I do had I not read Pat Califia's amazing writings. She and her comrades in a related sexual minority did come out in public for your cause -- at some cost to themselves -- but even they were reticent about your actual practices. You are on better ground when you demand your right to write and speak and draw and even make highly realistic 3-D graphic simulations. I will defend those rights, well, not to the death (coward alert) but at least until it doesn't seem worth my while to live in this country any more. You reach a point when an honestly corrupt place like Mexico looks positively wonderful by comparison.

    I did not choose my sexual orientation, and even though many people say it's a sickness or a disease, it's just as valid as homosexuality, bisexuality, and many other orientations whose members were once persecuted as we are, but are now seen as being normal

    While I agree that you did not choose your orientation, I disagree that we have to consider it "just as valid" as any other. There are degrees of validity in all things. Most of us here would, I think, draw the curtain and turn the eye at anything nonlethal and non-crippling between consenting adults; but what about those Victorian fetishists who got off on their own amputations? Similarly, our society has drawn a firm line this side of children. Don't cross it. Not in deed, at least.

    As for word and thought and image, those should be free. As they aren't, and you are rightful in your protest. But don't ask for the right to touch our sons and daughters if you want to live very long.

    --
    Brackets contain world's first nanosig, highly magnified:[.]
  292. The best solution to this problem by geomcbay · · Score: 1
    Is to post a Slashdot article about it every 2 hours for the next week. Be sure to include as many links as possible to the sites being DoSed!

    Full Discloser!!

  293. Re:DoS kiddies by spewn- · · Score: 1

    heh you come out with some shit "running your own irc network" more like u played with an ircd once and it made you feel horny.
    ircops are just people, they deserve all the bullshit they get bcoz they think they are "godly" they should try and keep their userbase instead of glining someone that says something they dislike. they need to grow up and understand irc is a place for free speech and they shouldnt interfer, this is why they suffer bcoz they are arrogant assholes.
    the more they continue to be this way, the more people will dislike them and of course, attack them..in my view, good ridance to Undernet, its turned into a joke.

  294. Re:DoS kiddies by spewn- · · Score: 1

    hey you fuckin retard, your should do some research before you start blaming linuxsex, use a bit of your brain before u start flaming people. It could be anyone with a grudge against undernet and im sure there are loads of people out there that have had enough of this bullshit irc network and retarded opers. I see your an "Anonymous Coward" becoz ur too chicken shit to mouth off without taking consequences. Think before you talk.

  295. Re:DoS kiddies by spewn- · · Score: 1

    oooook lets not get "formal" about this. 1) Yes english is my first language, but i dont have to be correct to satisfy you. 2) There is NO proof its linuxsex, just a bunch of rumours made up by ircops 3) Yes IRCOps are there for a reason, but unfortunately for Undernet they are a bunch of cowboys who dont know what they are doing. 4) Make an account 5) Are your pokebonk? Travis Haymour? heh i lub u pokey

  296. Undernet are only to blame themselves by spewn- · · Score: 1

    Ok, i been on undernet for a few years now, all i can say is i have seen the undernet irc operators turn into bigger assholes each day. They G-Line anybody for stupid reasons, they think they can do what they like to anyone. This is where people retaliation coz they have had enough bullshit from these stupid pricks for too long. If the Undernet comitee actually took a look how the IRCOps handle situations, then they would understand these attacks. Also to point out that the Undernet opers also DoS or packet users and other networks - one particular culprit is pokebonk, who is a known child molesterer and takes his pain out on my friends :(( I hope undernet goes down, or the ircops piss off and get replaced with someone with some common sense. As soon as the IRCOps grow up and stop taking it so damn seriously the attacks will probably stop. heh :)

  297. Re:Could a Reciprocal DDOS work? by spewn- · · Score: 1

    couldnt agree more :)

  298. Re:DoS kiddies by spewn- · · Score: 1

    heh ok lets stop with the 1) 2) 3) shits coz its annoying :/ you obviously dont know how an irc network should be run, Undernet ircops dont know what the hell they are doing, i have been glined for some stupid shit like taking over my OWN channel, trying to steal my OWN bots, oh and also "compromising" my own box to abuse Undernet. and mm..i dont go to school so heh i guess im perm suspended, police rock they got nice guns, and get your skanky funkin hand off my head :)

  299. Re:My Bitch by spewn- · · Score: 1

    pokebonk can have anyone under 10 years old, watch out kiddies >:)

  300. Re:script-kiddy culture is to blame by chuqui · · Score: 1

    > Face it. IRC is the universal home of Those Who Have No Hope Of Ever Having Sex.

    with someone else, you mean.

    > Would YOU run a public irc server

    actually, I just did make that choice for one of my sites, and decided against IRC and for a smaller, easier to manage web-based chat system instead. Issues like this were a part of that decision, definitely. I just felt that running IRC, even non-connected, was setting things up for the twits to come in and start wiping their feet on the carpet.

    --
    Chuq Von Rospach, Internet Gnome = When his IQ reaches 50, he should sell
  301. Re:Not funny. Not one bit. by chuqui · · Score: 1

    is IRC going the way of USENET? Getting so large it collapses under its own weight, but continues along on pure inertia because nobody seems to notice its dead?

    Maybe USENET is a thing the IRC people should take a close look at, and look for ways to avoid becoming the next headless brontosaurus blundering across cyberspace...

    Seems to me the bigger a thing gets, the harder it is to manage, and the juicier target you are to idiots who get off on destroying what others build.

    Perhaps the answer is to move from the large super-net idea to multiple, smaller nets that cooperate with each other, and where these smaller nets specialize in content areas? At the very least, it'd make the entire beast less susceptible to single-point-of-failure issues and DDoS, because even if someone took out one of the smaller nets, the others wouldn't be affected (or affected as strongly...)

    --
    Chuq Von Rospach, Internet Gnome = When his IQ reaches 50, he should sell
  302. Re:Not funny. Not one bit. by chuqui · · Score: 1

    usenet is dead. You just haven't noticed yet.

    --
    Chuq Von Rospach, Internet Gnome = When his IQ reaches 50, he should sell
  303. Re:Not funny. Not one bit. by chuqui · · Score: 1

    Yes, I've used IRC. Not huge amounts, but I've used it. I've also used real time chat systems going back to the late 70's, so I'm not exactly a novice here. built them and run them, too.

    And just finished a couple of months researching IRC very closely to see how it fit into my site. It didn't, and I saw a lot of issues with IRC that I didn't like technically and administratively.

    Just because you don't agree with (or more correctly, like hearing) what I say, don't assume I don't know what I'm saying... sometimes the emperor is actually naked.

    --
    Chuq Von Rospach, Internet Gnome = When his IQ reaches 50, he should sell
  304. Re:script-kiddy culture is to blame by chuqui · · Score: 1

    > Thought of running a MUSH-type server? These days they're pretty refined and the server codebases (e.g. MUX 2) are actively maintained.

    Yes. I still might add a MUSH or MUD down the road. they're very intriguing, but I'm trying to do things in a supportable and manageable way.

    --
    Chuq Von Rospach, Internet Gnome = When his IQ reaches 50, he should sell
  305. There's no justice... by pixel_bc · · Score: 1

    ... like mob justice.

    I'm sure if this kid's IP address was posted - someone loyal to the cause would "take care" of the problem.

    Ethics and bullshit aside - it would work, and probably deter people from messing with services. Alas, it'll never happen. Not as long as we're holier than thou. :)

  306. What's in romania anyway? by mrcutrer · · Score: 1

    Couldn't we just blow em up? How big is Romania? Is it part of Rome? How does such a desolate country breed such a destructive genius? I don't know?

    Oh yeah, that was facetious. Except for the genius part. Don't want to piss any more of you Romanians off!

    --
    "When I look back, my life is not a foreign country, it's more like a library book returned long ago." - ????
    1. Re:What's in romania anyway? by highstand · · Score: 1

      Mister whatever, I guess you are LUCKY being born in a BIG country that everyone might know of...

      but flooding servers is not a romanian attribute

      and, of course, the idiot that made a server insecure should be the blame :>>

  307. That doesn't solve anything by much0mas · · Score: 1

    My Bad... I forgot to log in... the Anonymous coward above was me.

    Smurfing the kid's server wouldn't solve a damned thing. All that would accomplish is making an assload of Romanians pissed 'cause you killed their ISP.

    I think a swift kick in the nuts is a much better solution. Make that little bastard sterile and he'll think twice before he smurfs another server!

  308. Filter everything by misu · · Score: 1

    It's quite simple...
    Add any Romanian address in your Gline lists... see how they feel for a while. I can understand that this is not fair for the other Romanians, but let's see who's gonna provide support for guys like the one that was attacking you.
    I am Network Administrator for an ISP in Brasov, Romania and I had problems with DoS attacks also... there's not much you can do if you do not cooperate with your peers to see where the traffic gets loaded... It's a crappy thing and it takes time, but when you find out where the guy attacked from he will never use that connection again. I would have a request. Some say that there are no laws here... well, there is a department in the Internal Affairs here that handles electronic frauds... and we'll get him punished for sure... even if every ISP in Romania won't EVER let him use a connection.

    I am a Romanian, but these guys, Romanians or not, with their DoS just make me sick!

    Mihai
    Network/System Administrator
    Deuroconsult
    http://www.the-viewer.com
    http://www.deuroconsult.ro
    http://www.deuromedia.de

  309. Re:Try securing your boxen first by zcat_NZ · · Score: 1

    If you own a firearm you should take reasonable precaution to make sure it doesn't get stolen. If someone can come up your driveway, climb in a window and walk away with a loaded shotgun then perhaps you _should_ be charged with murder when they subsequently use it to shoot someone.

    --
    455fe10422ca29c4933f95052b792ab2
  310. Quick question? by alleng · · Score: 1

    What's better for bringing down IRC servers, DR-DOS or MS-DOS?

    --
    Cheers,
    Allen Goodman
    http://www.envy.nu/allengoodman/
  311. Solution by deran9ed · · Score: 1

    Find someone else on IRC (efnet, etc) who lives in Romania, track the idiots info and we could all chip in some money and have this kiddiot wacked.

    Or we could send him a ticket to India where the government can hire the script kiddiot for his skills

    removing the dot in dot.com

  312. Who Cares? by Darlraven · · Score: 1

    Who cares? IRC is a bastard child anyways. Who here actually *USES* undernet for something useful? (gaming, cyber sex, casual chatting etc.. don't count)

    I'm not going to miss it. Besides, if they really wanted to end this DoS attack they could, through one of several ways:

    1) Upgrade their security software, if it's a script kiddie (as they claim) this should solve their problems as a script kiddie is not going to be able to craft a custom DoS.

    2) Contact the authorities and the domain registrar (for the script kiddie). This should have been their first response.

    3) If the authorities are doing nothing (as they claim) then they are free to retaliate and shut down the script kiddie. If the authorities aren't doing anything about the script kiddie, they're not going to do something about anyone else using DoS attacks either.

    Basically what it boils down to, is that the Undernet staff are either too uneducated or too lazy to stop the DoS attack. Either way I'm not going to miss it. In fact I couldn't care less. This is called natural selection baby.

  313. Survival of the Fittest by Super1-Dave · · Score: 1

    The subject line says it all.

    --
    -- Wherever you go, there you are. BB
  314. Re:What about EFNet? by Grumpy_Cloud · · Score: 1

    Wow, think of the money involved. :) I'll be willing to share in the wealth if anyone wants to join in on the patent. :)

  315. An opensource solution by DanMerritt · · Score: 1

    The Corridors project was created to solve this exact problem. See http://corridors.sourceforge.net/ for information.

  316. To all that believe the ISPs are at fault by kghammond · · Score: 1

    There are fundamental flaws in blaming the ISPs. If you want to keep going up the chain blaming those in charge, then you have to inherently blame the Unix OS itself and all its developers for leaving the security holes in the OS to start with. Then for those of you who blame the ISPs for not disabling telnet for SSH, you can blame RedHat and all the other major distros for including telnet in the distribution.

    Could the ISPs do more to prevent the root access? Yes. Is it their responsibility? Yes. Is it their fault that someone was causing malice using their systems? No. You can't go blaming someone else for one person's actions.

    Under the same argument being used by some, you could justify that a disassociated youth who commits murder is really the fault of society and not the youth. The youth still had to pull the trigger. Just like in this case, the youth still had to hack root access and begin the DDOS attacks.

    The question is: How do you regulate actions such as this on the Internet? If the Internet is self-policing, then who takes responsibility for damage caused, and who enforces the penalties or punishments? If the Internet is policed, who and how do you police it?

  317. I KNOW WHO HE IS AND HIS INFORMATION by ramdac · · Score: 1

    THE ROMANIAN HACKER IS SYSOP aka METAL: Valcu Ghita Gheorghe aka Sysop -- 19 years old Str Brandusei nr2 sc.b ap.14 et. 3 Timisoara. cod 1900 Romania Phone: 4093462828 cellular: 4093738043 This is the HACKER CAUSING all the problems on Undernet. You asked for it, you got it. Have a nice day.

    1. Re:I KNOW WHO HE IS AND HIS INFORMATION by ramdac · · Score: 1

      Yes, you do need the country code first, of course.

    2. Re:I KNOW WHO HE IS AND HIS INFORMATION by ramdac · · Score: 1

      be prepared to get cussed out. He's not a nice guy :P I know how he is...

    3. Re:I KNOW WHO HE IS AND HIS INFORMATION by ramdac · · Score: 1

      the fbi already knows :P we'll have to post cen's information next.-- they were attacking me all last night

    4. Re:I KNOW WHO HE IS AND HIS INFORMATION by MrNiCeGUi · · Score: 1

      I'm from Romania and I can tell you these are valid phone numbers. Incidentally, they are both cellphones. Want me to call him?

    5. Re:I KNOW WHO HE IS AND HIS INFORMATION by MrNiCeGUi · · Score: 1

      409 may be the area code for Texas, but I think you should count the digits. It's like this: 40-International code for Romania 93-Code of the cellphone service provider CONNEX 462828- 6 digit phone number-the standard for romanian cities, except Bucharest - 7 digits

    6. Re:I KNOW WHO HE IS AND HIS INFORMATION by ronner · · Score: 1

      Yeah, too bad this Romanians phone number is someone in Texas, dumbass.

    7. Re:I KNOW WHO HE IS AND HIS INFORMATION by ronner · · Score: 1

      Yes, call him up... be prepared for a nice big phone bill though, since 409 is the area code for Beaumont and most, if not all of southeastern Texas, excluding Houston.

    8. Re:I KNOW WHO HE IS AND HIS INFORMATION by ronner · · Score: 1

      Yes, I find myself overwhelmed with fear over his lil script kiddy vocabulary, and fast internet connection. (nah, I still think he's a lamer, and if he does cuss me out, I'll just forward it to the FBI, I'm sure they'd find it quite informative)

    9. Re:I KNOW WHO HE IS AND HIS INFORMATION by ronner · · Score: 1

      I kinda think you're the one doing it, just how do you know all this stuff, if it's true, about these attackers? rofl

  318. Call him up :P by ramdac · · Score: 1

    Did you call him?

    1. Re:Call him up :P by ronner · · Score: 1

      This message is mostly directed at the attackers, btw. heh. I don't really want my name anywhere on record as of calling him, especially since I hear the FBI is investigating this - yes, you little Romanian fucker, wherever you are... the FBI *is* after you now.. So I suggest you get your lil jollies in right now, you're not going to be able to do it for a long time to come soon. Although I doubt the idiot even has the mentality to comprehend or care, much less know about anything that's going on at slashdot.org. Also, I've heard they've already found you, so be watching your back.

  319. Re:*Yawn* by ramdac · · Score: 1

    who were you responding to?

  320. 1997 Attacks by e-px · · Score: 1

    I saw you people reading an article on indy.net or something, that article is quite old and is pretty much cut and paste from the following url: http://www.wired.com/news/technology/0,1282,1446,00.html Second of all, I have not seen anywhere in OFFICIAL postings anyone saying anything about a Romanian "Script Kiddie", leads me to believe someone read this article at wired, or at that other site and thought it was "current" which it is not, unless you are trapped back in 1997.

    1. Re:1997 Attacks by Lazaru5 · · Score: 2

      e-px didn't say there wasn't anything going on now, just that the article being referenced to describe the situation now is from 4 years ago.

      --
      My comments and opinions completely reflect those of anyone and anything I am remotely associated with.
    2. Re:1997 Attacks by Tridus · · Score: 2

      Well, I'm on Undernet right *now*, and I can tell you that it looks fairly legit to me. The network is something of a total mess. I haven't talked to any Opers about what is going on yet (they're probably busy), but from what my friends online tell me, and what I'm seeing, the information at Undernet.org is basically right.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  321. Hold vulnerable networks liable... by DragonPup · · Score: 1

    Call this unpopular if you wish, but maybe if a network is held liable civilly for damages it causes in a DDoS, should the admin be notified of the problem and refuse to act, it would help shut down a lot of unsecure networks, imho. -Henry

    --
    "Useless organic meatbag" -HK-47
  322. The end justifies the means by Kyron · · Score: 1

    We cannot let this continue to happen, something has to be done, wether its getting his net access pulled, stomping the kid in person, hacking him, or DDoSing him back. If this continues to happen, and undernet does get shut down, the next targets will be EFnet, Dalnet, and etc. I personally am not an IRC fan anymore, but it saddens me to see something like this being taken down by some script kiddie.

  323. I probably could provide a solution by beavislasvegas · · Score: 1

    Given the right circumstances I could fix the problem in a day. Have the people in charge email me at beavislasvegas@mail.com.

  324. Re: Ask Slashdot: Undernet In Serious Trouble. . . by mionut · · Score: 1

    Ok. Everything seems to be ok in your logic. What if u have only 4 C classes advertised through BGP, u're a tiny ISP :) and your net is split into more /29 /26 /25 networks, and your provider is only advertising whole C classes (see KPN from the Netherlands)? And u receive 14299092 41-byte packets from random addresses? I really need a hint!

  325. Undernet DDoS Attack by wsm2506 · · Score: 1

    While I can sympathize with Undernet and, indeed, all IRC networks, I feel at least half of the blame lies with the arrogant channel operators who are on megalomaniac ego trips, acting like little demi-gods who feel and, in fact, do anything to anyone whenever they feel like it, with no explanation or recourse (except possibly a DDoS against the whole network) from the person they did it to. Maybe what is needed is responsible channel ops.

    1. Re:Undernet DDoS Attack by wsm2506 · · Score: 1

      Read the article on "WIRED NEWS."

  326. Re:YUO = FAG0T by wsm2506 · · Score: 1

    I find your reply to be offensive, in poor taste, and totally lacking in any constructive way.

  327. Re:*Yawn* by ronner · · Score: 1

    It's obvious you've never been on Undernet, have you? All the opers there I've met, and though I won't say any nicks, #irc_help, are very knowledgeable people, and represent the servers' existence on the internet very well. Why don't you visit Undernet and actually look around before you post some dumbass comment like that. I'm sure I speak not only for myself, but most people who have been on the Undernet, too, when I tell you to get a life.

  328. Re:*Yawn* by ronner · · Score: 1

    Some anonymouse dude, I screwed up a nice post too didn't I? sorry. heh.

  329. The Lamer who is doing it and results by IHATESYSOP · · Score: 1

    First a brief mention. The undernet irc network can probably add all the protection they want and this kiddie and others like him will continue. He didn't just go after the unet servers he went after the upstream links that the servers hang off of. So he ddos' the isps. Yes i am sure they know his isp and the isp knows who the kid is, but what does his isp care? he isn't bothering them. They aren't losing customers, probably gaining them since this kid also attacked his old isps. Maybe if and when the pieces of the undernet are put back together, they will k line all .ro and if they ever bring the services back purge all .ro channels. And then tell the .ro users to complain to their isps for not providing a safe and cooperational environment for the amount they are paying. Maybe then the isp he has will remove him. But right now his isp won't touch him. I doubt the fbi would even ask them since to them there is no monetary loss sufficient enough to take action. However i doubt the unet will purge all the .ro channels or kline all .ro domains. but i wish they would smarten up and do it for the regular users who want to chat with friends. or you could just call the lamer from what i understand all his personal info was posted here somewhere. that is if his phone isn't off the hook

  330. Quick news... by magicbrus · · Score: 1

    First of all, the Romanian boy has stopped the attack, that's what he said. (sysop-@undernet) Who's still attacking undernet servers is a group called *linuxsex* or some other groups who think that they are SMART. but they're not. To resume, Baltimore.* , Baltimore-R.*, NewYork.*,Paris.*,Dallas.*, washington.* and services are now delinked. And of course, a lot of servers are splitting and often crash because of DoS. But I don't understand why Undernet didn't hide the ips of all services and ALL hubs, they did it for Dallas-R.Tx.US.Undernet.org and NewYork-R.NY.US.Undernet.Org, that is resolving at 127.0.0.1, and they are the two remaining hubs for the US side. And everyone knows that without services (X/W/Uworld) , Undernet is not a nice place to go. A lot of channels are opless and that sucks.

  331. Call the police-- on Sysop in Romania by allknowing · · Score: 1

    From the U.S. dial the Police on Sysop: here is the number. 011 + 40 + 191772 (73)(74)(75)(76)(77) Tomanian Police in Timisoara give them this information: Valcu Ghita Gheorghe aka Sysop -- 19 years old Str Brandusei nr2 sc.b ap.14 et. 3 Timisoara. cod 1900 Romania Phone: 4093462828 cellular: 4093738043 This is the HACKER CAUSING all the problems on Undernet.

  332. Re: Ask Slashdot: Undernet In Serious Trouble. . . by Anonymous Coward · · Score: 2
    Someone suggested that we need to prevent people from "rooting" machines in order to prevent these attacks. The poster is correct, this is what we need to do. Anyone have any ideas how to prevent this?

    The problem is all those unsecure-by-default linux installs. If all the linux distro companies would effectively TRY to make a secure linux distro then maybe there wouldn't be as many unsecure boxes out there.
    I find it particularly damning that Debian, a non-commercial distro, is the most secure compared to all those other overfunded and undersecured distros.
    It has been proved time and time again that people do NOT need all those services that are on by default in Redhat and Mandrake and all the others, yet every new version still comes with the most easily rooted apps all running in an open-to-everyone config.
    Never mind the fact that it's possible to build a distro that has all these services, but none of them running as root. No, that would mean actually innovating for a change.
    Jeez, man, I love Debian, but I hate linux.

  333. A case for Internet Licenses. by Wakko+Warner · · Score: 2
    These days, when any moron can hook up a DSL or cable modem box and any moron can have his shitty unsecured Linux box hosted at a lousy datacenter with a fat pipe to the Internet, is it any wonder Distributed Denial of Service attacks are as common as they are?

    Think about this: DDoS attacks can do much more monetary damage than car accidents can, yet we have no system of regulating just who can and cannot get onto the Internet. Would you let a twelve-year-old get behind the wheel of a McLaren F1? Why, then, do we let them (and people of their maturity level) onto our global networks unsupervised? There needs to be some system of accountability and a standardized measure of competence in order to be allowed onto the Internet.

    Maybe I'm elitist, but that's how I feel about it all.

    - A.P.

    --
    * CmdrTaco is an idiot.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  334. Re:Try securing your boxen first by Jeff+DeMaagd · · Score: 2

    The problem here is because a high-bandwidth machine can cause _soo_ much havoc on a network.

    It is stuff like this that might cause your computer to be blocked. You may do what you want with your computer, but if your computer causes trouble on the network, don't be surprised if your service providers yank your connection. It is your right to do what you want with your computer, but the ISP has a right to not supply an open feed to problem computers.

  335. He did you a favor... by Nugget94M · · Score: 2

    If he disabled telnet, he did you a favor. Telnet is a sucking chest wound of a security hole. Install OpenSSH.

  336. you are so wrong by Barbarian · · Score: 2

    Nope. I don't agree. If I want to run an insecure, crappy box, that's my right. Just like if I have a house, and want to leave the door swinging in the wind wide open, it's my prerogative. But if you leave your door swinging wide open, and a bunch of organized crime guys move in under your nose, and use it as a crack cocaine distribution center, it's now YOUR problem.

  337. Re:script-kiddy culture is to blame by banky · · Score: 2

    The complete inability of the legal system to get their act together is to blame.

    In the real world, tromping on someone's flowerbed is vandalism. But unless there's a serious amount of money stolen, most police agencies won't touch it.

    These kids are immune to most real consequence. OK, so he's in Romania, fine. If the US FBI finds him, they can't touch him unless the Romanian feds want to get him, too; and depending on how someone feels about the US that day, they may just slap him on the wrist. Remember ILOVEYOU? They may not even have a law for this kind of thing.

    Lets face it, until more of these waste-of-flesh dickweeds start getting gang-raped in jails, the problem won't go away.

    (sorry I'm so mad. I just get sick of this crap)

    --
    ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
  338. Re:Try securing your boxen first by Pig+Hogger · · Score: 2
    The problem here is because a high-bandwidth machine can cause _soo_ much havoc on a network.
    It's just like leaving a car running, unattended, unlocked with the key in the ignition. Any jerk can jump inside it and start driving it around recklessly.

    You do that, and you can bet your ass you'll be "ticketed" for leaving your car running unattended.

    --

  339. Choking? by Pig+Hogger · · Score: 2
    How about choking ICMP requests? Let them go at normal pace, but if they eat more than 5% of the bandwidth, choke 'em (but log'em).

    Of course, CISCO will charge an arm and a leg for that "feature"...

    --

  340. Death of IRC predicted, Film at 11 by Ex+Machina · · Score: 2

    Just like EFNet undernet is dying. Here's an idea, why not hide the bot's ips from clients and hide server links from clients?
    Also, why doesn't someone DDOS this kid's isp. That should make it hard for him to broadcast smurfs or control Trin00 /TFN zombies.
    How come we haven't seen stuff like this happen on the OpenNap networks yet?

  341. Re:Same thing, New Medium by joshv · · Score: 2

    I am sure the directional finder always lead to the local trailer park.

    -josh

  342. Romania e-commerce laws by griffjon · · Score: 2

    From the wire:

    XINHUA

    January 8, 2001, Monday

    HEADLINE: Romania to Adopt E-business Law, XINHUA

    BUCHAREST, January 8 (Xinhua) -- The Romanian government will adopt a law package for the development of e-business, newspaper reports said Monday. The package includes the law on e-commerce, digital signature and fraud in this field, Communication and Information Technology Minister Dan Nica was quoted as saying by the daily Ziarul Financiar.



    Nica said that the ministry's specialists had already consulted with specialized parliamentary commissions on the bill, which was sent to all those interested, mainly to the IT community in Romania, for their opinions. According to Nica, the law package is almost ready, and the Ministry of Justice will complete it over the next days with the stipulations of penalties for fraud on the Internet. He said that Romania would soon have a regime of fraud treatment similar to those in Western Europe and the United States.

    The law on e-commerce will stipulate the rules of such activities and the consumer and seller protection measures. After this minimum legal framework is created, Romanian authorities are to initiate bills of e- document and e-archive, e-notary and e- public administration, as well as a separate set of changes of bank, insurance and capital market laws to represent the legal basis for e-financing and e-banking activities.

    --
    Returned Peace Corps IT Volunteer
  343. Re:This is why I left efnet in the firstplace. by thefallen · · Score: 2
    You keep repeating that these are immature children, and implying that once they hit puberty this will stop. This sounds rather contradictory to the usual stereotype to me; the classic "these are people who can't have sex" would suggest that they're in fact kids who *are* in puberty right now. In fact, I would dare claim that this terrorism isn't about property; at least where I live, that sort of behaviour disappears at age of 12 or so, and I've never seen a 12-year-old who could use a computer (strange, isn't it?).

    Rather, I'd say it's about sex and the lack of it, just like they said. Without too much experience in issue, I'd say that it's not exactly uncommon that 'normal' kids do pretty dumb stuff too, just because they think it'll improve their chances of getting laid, or to impress their friends. Usually they just don't have enough power to do much; here they do.

    I'm ashamed to admit it, but the IRC politics, wars and the attack sounded just cool when I read it. Yes, cool. In times past, weren't the kids in puberty those who fought? It's the war instinct, if there is such.

    Umm. I'm not going to read that again, it sounds pretty strange.

    --
    - Kaatunut
  344. Re:Try securing your boxen first by Tarnar · · Score: 2

    Sure, just like you have a right to own a gun, leave it sitting on the border of your property, then shrugging your shoulders when someone commits a crime with it.

    Of course, on the other hand, you aren't responsible if your car is broken into and it is involved in an accident/crime, it's NOT your problem.

    So, really, it's just a matter of precedence. It's up to a judge in a case that's never been to court yet whether your misused resources are your problem. I hope the concept of negligence works its way in, because a negligent sysadmin can be responsible, indirectly, for measurable damage/loss.

  345. fighting dDOS attacks is hard work by sporkboy · · Score: 2

    I wish I could tell you that there is an easy answer to this problem. Let me preface this post by saying that I've had experience with a problem almost precisely like this, where a friend's local ISP that he ran from his house was the subject of dDOS attacks on a regular basis, and those attacks were (when someone boasted or whatnot) related directly to the users running local IRC servers on his machine. So this problem is not limited to Undernet, neither its nature nor the lack of full-time resources to deal with it. And the end result of our situation was not encouraging, after losing 3 T1 line providers due to 'disruption' of their networks (not that they helped at all), my friend had to remove IRC server access and lose a large number of customers.

    When dealing with these problems, we had a very methodical and (we thought) reasonable way to at least diminish future attacks. Keep in mind that this applies to smurf style attacks and not ones in which floods are launched directly from hacked machines. There is little that can be done for those aside from notifying root@host and hoping they lock it down. Smurf attacks and similar, which can be identified by having multiple 'attacking' machines within the same IP subnet, indicate a misconfigured router that is allowing IP broadcast ping packets into the subnet and replies to get out. I have never seen a reason why this should be allowed, and yet for years routers shipped with this as the default. Our methods involved the following:

    1. Issue a single broadcast ping packet to NNN.NNN.NNN.0 (or was it .255?) and count the responses. If multiple machines responded, then the problem was in place.

    2. Figure out to the best of our knowledge who 'owned' the routing for the IP range, typically through a traceroute or reverse lookups.

    3. Contact, via standard abuse@ addresses, the network administrator of the subnets being used in the attacks, informing them of the problem and the solution.

    These efforts led to several hundred subnets being secured against use in dDOS attacks, which is a drop in the bucket but a decent accomplishment for a few guys with other jobs to do. It also led to our being labelled by network admins as troublemakers and (often) criminals. A large percentage of net admins contacted didn't even know what we were talking about, and when we tried to refer them to well-known consultants that we had no affiliation with aside from knowing their name, we were called spammers or worse.

    So until broadcast ping from outside of subnets is commonly blocked (and I believe most new routers ship this way) and the paranoid attitude that is ironically allowing these attacks to continue is reexamined, there is little hope to see it dry up. Skr1pt k1dd1e culture isn't about to go away, because wise-acre kids will always think they know best. Until then, best of luck in finding ways around this.
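
    The identification and reporting steps described in the post above, as an added example that is not part of the original comment: instead of sending any probe, it reads the victim's own log of inbound ICMP echo replies, groups the sources by subnet, and lists subnets where several distinct hosts answered as likely smurf amplifiers to report to their abuse@ contacts. The log format, the /24 grouping, the threshold of three hosts and the sample lines (RFC 5737 documentation addresses) are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of a victim-side packet log (not real traffic).
# Assumed format: "<epoch> ICMP <src> > <dst> <type> <bytes>"
SAMPLE_LOG = """\
978912000.101 ICMP 192.0.2.17 > 203.0.113.5 echo-reply 1024
978912000.102 ICMP 192.0.2.18 > 203.0.113.5 echo-reply 1024
978912000.102 ICMP 192.0.2.19 > 203.0.113.5 echo-reply 1024
978912000.104 ICMP 192.0.2.44 > 203.0.113.5 echo-reply 1024
978912000.150 ICMP 198.51.100.9 > 203.0.113.5 echo-reply 1024
978912000.151 ICMP 198.51.100.9 > 203.0.113.5 echo-reply 1024
978912000.152 ICMP 198.51.100.9 > 203.0.113.5 echo-reply 1024
978912000.201 ICMP 192.0.2.17 > 203.0.113.5 echo-reply 1024
978912000.202 ICMP 192.0.2.18 > 203.0.113.5 echo-reply 1024
978912000.300 ICMP 203.0.113.77 > 203.0.113.5 echo-request 64
978912000.400 ICMP not-an-ip > 203.0.113.5 echo-reply 64
garbage line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+ICMP\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+)"
    r"\s+(?P<type>[\w-]+)\s+(?P<size>\d+)$"
)


def parse_replies(log_text):
    """Yield (timestamp, source address, size) for well-formed echo-reply lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None or m.group("type") != "echo-reply":
            continue  # malformed line, or ICMP that is not a reply
        try:
            src = ipaddress.IPv4Address(m.group("src"))
        except ValueError:
            continue  # source field is not an IPv4 address
        yield float(m.group("ts")), src, int(m.group("size"))


def find_amplifiers(log_text, prefix_len=24, min_hosts=3):
    """Return subnets in which at least min_hosts distinct hosts sent replies.

    Several hosts of one subnet answering together is the smurf signature the
    post describes. One host sending many packets is a direct flood and is
    deliberately not reported, matching the distinction made in the post.
    """
    stats = defaultdict(lambda: {"hosts": set(), "packets": 0, "bytes": 0,
                                 "first": None, "last": None})
    for ts, src, size in parse_replies(log_text):
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        s = stats[net]
        s["hosts"].add(src)
        s["packets"] += 1
        s["bytes"] += size
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)

    found = [
        {"subnet": str(net), "hosts": len(s["hosts"]), "packets": s["packets"],
         "bytes": s["bytes"], "first_seen": s["first"], "last_seen": s["last"]}
        for net, s in stats.items() if len(s["hosts"]) >= min_hosts
    ]
    # Largest contributor first, so the most damaging subnet is reported first.
    return sorted(found, key=lambda e: e["bytes"], reverse=True)


def abuse_report(entry, victim):
    """Format the evidence and the fix for the subnet's abuse@ contact."""
    return (
        f"Subnet {entry['subnet']}: {entry['hosts']} distinct hosts sent "
        f"{entry['packets']} ICMP echo replies ({entry['bytes']} bytes) to "
        f"{victim} between epoch {entry['first_seen']:.3f} and "
        f"{entry['last_seen']:.3f}.\n"
        "We did not ping these hosts, so the replies were triggered by spoofed "
        "broadcast pings. Please stop your border router from forwarding "
        "directed broadcasts (Cisco IOS: 'no ip directed-broadcast' per interface)."
    )


if __name__ == "__main__":
    for entry in find_amplifiers(SAMPLE_LOG):
        print(abuse_report(entry, victim="203.0.113.5"))
```

    Lowering `min_hosts` to 1 lists every source subnet, which is useful for separating amplifier subnets from single hosts flooding directly.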

  346. Power-hungry ops are to blame. by WNight · · Score: 2

    All the problems I've ever had with IRC have been with operators. Every single one of them.

    I've argued, even flamed (and been flamed) before, but that's the same thing that happens anywhere else. But then an operator sees this (or is told about it) and the stupid twit takes it upon themselves to save everyone from themselves, by banning them from a channel or from a server.

    If someone without operator status doesn't like what you say, they either ignore you (/ignore or similar) or tell you, then the world goes on. If someone with operator status doesn't like you, you get kicked, gagged, banned, etc.

    IMHO the IRC networks shouldn't have channel ops, just a /ignore that really works (blocks everything, at the server). That way nobody could own a channel, or conversely, take it away. If someone said something you didn't like, you could /ignore them. If you didn't, it'd be obvious that you cared more about taking away their ability to say something than you did about just not hearing it.

    And, for the uses where a private controllable (and secret) channel is desired, unnamed (and thus undesirable to control) channels that are created when you invite someone to a private chat should let the creator add and remove people at will. So if I need to talk to someone about something I create a temporary numbered channel such as #18327349 (randomly assigned, how thrilling) where I can kick someone from and nobody can join without an invite.

    This way nobody could control the obvious places of gathering, #linux, #c, #quake, etc. These would always be free and open. But if anyone really wanted to talk about something private they could go off to a special temporary channel with their friends and have all the necessary control.

    But, it'll never fly. I proposed this to a few IRC addicts once and the reason they gave for not wanting this is that they couldn't give and remove power by giving certain people ops and adding them to the bot. It was all a power trip to them.

    That was when I stopped using IRC except for technical matters (asking and answering questions on programming channels, etc.)

  347. Re:How hard can it be? by Robert+S+Gormley · · Score: 2

    Only "bozos" running home nets use Linux boxes as routers. Ever heard of companies like Cisco? Ones that make dedicated routing hardware?

    --

    Open Source. Closed Minds. We are Slashdot.

  348. Re:Try securing your boxen first by eMBee · · Score: 2
    yours is no better.

    you do have the right to leave your car unlocked and the keys stuck.
    even if you do lock it, someone could break the window and steal it.

    do you want to be responsible for every person that the guy runs over?

    greetings, eMBee.
    --
    Gnu is Not Unix / Linux Is Not UniX
  349. Re:Try securing your boxen first by eMBee · · Score: 2
    but there is a big difference between committing a crime and being just stupid, careless, dumb.
    tongue (post #380) got it right.

    greetings, eMBee.
    --
    Gnu is Not Unix / Linux Is Not UniX
  350. It's the SAME article! by Lazaru5 · · Score: 2

    The incident you're remembering is the one that was described in the article that was originally listed, and later reposted in comments. It's 4 freakin years old.

    This is an entirely different situation.

    --
    My comments and opinions completely reflect those of anyone and anything I am remotely associated with.
  351. Re:Try securing your boxen first by tongue · · Score: 2

    I'd say it's a perfect analogy (aside from the problem of scale--few script kiddies can claim to have caused someone's death, as a car can).

    By locking your car, you are taking REASONABLE precautions that an unauthorized user will not take it and do damage with it. Certainly, this doesn't prevent someone from breaking into it and hotwiring it, but REASONABLE precautions don't necessarily ensure no misuse, but they make it difficult.

    However, if you leave your Stingray unlocked, with the keys in the ignition and the engine running in a bad neighborhood and your insurance company finds out, it's a safe bet they won't pay the cost of replacement. Likewise, if someone gets killed as a result (and again, assuming everyone knows how you left it) it's not a stretch to assume you will bear some liability in its misuse, though i doubt it would be criminal, probably civil.

    The case of an unsecured box is the same. While a home box may be looked at as something along the lines of a pinto parked in your garage, circumstances under which i might leave my car unlocked, an ISP more closely correlates to a Stingray or even a Mac truck in a highly visible, public spot. To leave such a box unsecured is unconscionable. Additionally, if the ISP is publicly traded, the administrators are leaving the company open for a due-diligence lawsuit from its investors.

    the moral? don't be an asshole. if you have bandwidth to spare, at least disable extra ports and check your logs every once in a while. and if you run an isp, for gods sake secure it. your users will thank you for it.

  352. Okay, so... this keeps happening. Now what? by Hadean · · Score: 2

    Considering this keeps happening (including how another Romanian script kiddy did this to Undernet in 1997)... this isn't just an isolated event. What can we ALL do? Or should we even care anymore, and just let IRC fall once and for all?

    I'd chat with you more on this, but I can't seem to find any stable EFNet server...

  353. Honeynet Project by joshamania · · Score: 2

    It's things like this that make things like the Honeynet Project look more and more attractive to me every day. I think that it would behoove more than a few of us to install honeypots on our networks and then prosecute anyone we catch. If there were enough honeypots around, we might start catching a higher percentage of the PFY's and getting Johnny Law knocking on their doors. While we may not be able to get the bastards in Romania, there are quite a few countries that don't look kindly upon this type of thing...

  354. Killing them would be a bit severe by cje · · Score: 2

    However, I think the case can be made for beating them within an inch of their lives, to the point where they are unrecognizable. My logic is as follows: The primary reason that script kiddies pull shit like this is so that they can get recognition. If they have been worked over to the point where they are unrecognizable, what's the point? You'd see incidents like this drop like a rock.

    So by all means, go a little vigilante and work them over with a tire iron. But don't kill them. Make an example of them, and the others will fall into line.

    --
    We're going down, in a spiral to the ground
  355. Re:A serious proposal for a more secure irc networ by gorilla · · Score: 2
    Now in order to make the task more difficult simply give out only one hostname that all users will use in order to connect.

    Most IRC networks do this already, an alias of irc.[networkname].net (or .org, or .com). However, the names (and addresses) for the individual servers are still available, and for good reason. Users want to connect to a server which is local (networkwise) to them. Sometimes a server may become disconnected from the network, and any users on that server will want to change to a server still connected to the network.

    As long as IP is used, it will be impossible to prevent users from knowing the address of the servers anyway, so there is no benefit in even trying to hide them.

  356. Slashdot's evolving hypocrisy, double-standards by drougie · · Score: 2

    I'm surprised to see slashdotters not rushing to defend these DoS attackers by saying something like, "They are helping by exposing security flaws and vulnerabilities so that they can be fixed."

    I mean, that's the typical position one can expect from Slashdot when dealing with someone who has defaced a webpage or otherwise tampered with a system. Those people are considered noble.

    Yet, I've gone through a hundred posts and not one doesn't call for the death of these alleged DoS attackers. Yes, what they are doing isn't as creative as drawing a Hitler mustache on Janet Reno on the Department of Justice's webpage, but is it that much worse? Apparently yes, because the victim is the innocent Undernet, and not the evil government. Bah.

    I suggest to the Slashdot editors that they try to leave out their biases as much as possible in the headlines/stories because the biases are often flawed, hypocritical, inconsistent with previous biases, or just plain stupid.

  357. godammit. by Zurk · · Score: 2

    "in each case the teenager telnetted to the server and obtained root access". what the FUCK ? he obtained ROOT access to the ISP's servers and they couldn't stop him ? people - this is fighting the wrong battle. any joe random cracker should NOT be able to obtain ROOT access to ANY server at ANY ISP. period. if those servers had been locked down tight and the sys admins at the ISPs weren't so freaking incompetent this would never happen.

    1. Re:godammit. by segmond · · Score: 3

      the real kicker is that he "telnetted" in. NO REMOTE ROOT login should ever exist, telnet, ftp, ssh, etc. how sad...

      --
      ------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
  358. Re:Not funny. Not one bit. by brianvan · · Score: 2

    Sometimes some people have little respect for the amount of time and effort people put into their hobbies. I do find that disgusting, and I wish all of you the best of luck in maintaining order in spite of this problem.

    By the way, you're cute ;)

  359. trace route by Calimus · · Score: 2

    I don't know much about DDOS so if I'm talking out my arse, just ignore me.

    Is it possible to trace route the connections the attacks are coming through? If so, would it be possible to find the closest router points to each of the sources and have the controlling ISP become aware of the abuse and filter it out?

    I'm sure this must be a very basic way to look at things but if it could be accomplished it might buy enough time to let everyone calm down and think about how to block it rather than having to think frantically which almost always allows for oversight.

    --
    Trying to be different, just like everyone else.
    1. Re:trace route by _ganja_ · · Score: 3
      Nice idea but I'll give you the first problem: With DDOS the source address of the packets are forged so you have no valid source address.

      Second problem: These attacks are distributed hence packets come from many different places, more than one source.

      Third problem: There are many different types of DOS attack, so you can't just filter on packet types.

      The best analogy I can think of for DDOS attacks is this: Imagine someone had a worldwide gang of people that wrote post cards to you, they each sent you 300 post cards a day and there were a hundred people in the gang. You'd get 30,000 postcards a day that you never asked for, this would fill up your mailbox and you wouldn't be able to get your important mail. All you could tell from the post codes was that these cards came from 100 different places around the world. Furthermore the post office now want to charge you for all your extra mail and the only way to stop it is to tell the post office to throw out all your mail including important letters (or else move house).

      What some of the major ISPs are doing is running netflow accounting so they have detailed traffic logs but these tend to be huge. With these logs it is just about possible to identify the source of the packets *IF* all end-to-end ISPs run this and are willing to co-operate. Just like tracing a telephone call in old movies this takes time and if the machine stops DOSing the target it can make this a lot harder. Once you have found a slave machine in theory you can check the netflow logs for the initial connection from the controlling machine that started the DDOS. This sounds like a pain and it is, it is my understanding that no-one has ever been caught doing a DDOS by this method.

      Sniffing packets at ingress points for known DDOS master to slave commands would be a possible solution BUT every possible ingress point would have to implement this (not realistic - massive understatement) and all the DDOS authors would have to do would be to change the used commands. This would just combat script kiddies using old software really.

      Two words: Difficult problem.

      --

      A journey of a thousand miles starts with a brutal anal raping at airport security

  360. IMOR ;) by AnalogBoy · · Score: 2

    Incredibly Massive Orchestrated Retaliation.

    It's time those of us at risk of losing our home server and our way of life, to take up arms against these heathens. I say it is to be war between us! We shall do as our fathers did and our fathers before that! We shall point our mice and click the buttons, type the commands, and speak the words that send Millions upon Millions of brave packets to sacrifice their lives to protect our way of life, our dignity, and our porn downloads, and teach those evil bastards a lesson they will never forget!!!!!!!!

    ;)

  361. "The news story we linked to was ancient..." by devphil · · Score: 2


    ...but somebody will repost it in its entirety anyhow, just to be safe.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  362. Contact the meatspace authorities by devphil · · Score: 2


    Just because it's a "virtual" carpetbombing of a "virtual" community, people tend not to look outside all of the software-based possibilities. Like, say, the police where the kid lives.

    The cute "dept" tagline asks where's the KGB when you need 'em. Well, if there are ISPs going out of business because of this kid's actions, then law enforcement agencies will take interest.

    Right, so, now that we've voted to bell the cat, who wants to contact the Romanian embassy? :-)

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  363. Undernet's not the only... by Prizm · · Score: 2

    About a month and a half ago, EFnet had similar problems. The server splits were getting so bad that many of the age-old EFnet servers were disconnected. However, one thing which helped EFnet was the breaking off of many of the servers to form the new net OpenNet. I think this helped two-fold.

    First, it helped the users doing the DOS attacks realize that they were making a huge dent, and that if they continued, they really would lose their playground.

    Secondly, it helped the network as a whole because many of the conflicting groups and users doing the DOS attacks changed networks.

    Opennet has somewhat dwindled now, it was a bit of a fad, and most of the users have returned to Efnet. But I think its effects are still lasting. EFnet is without a doubt more stable.

    Perhaps Undernet needs a similar approach. Just my 2 cents =)

  364. Re:Try securing your boxen first by Myrrh · · Score: 2

    Sure. People who run servers should, absolutely, always and no questions asked, be held completely responsible if their box is used to break into another box.

    Don't you realize that it is impossible, impossible to completely secure any box that has a network connection to the outside? Or, for that matter, a box to which anyone is allowed physical access? It's simply not possible. Not only that, but new vulnerabilities come out all the time! That's why we sysadmins read bugtraq, CERT and CIAC.

    I strongly disagree with your assertion that people running a server should be held responsible for breakins just as though they themselves had performed the breakin. It is not always--actually, rarely--the fault of the person who runs the box that was used to leapfrog. Sysadmins do their best to secure boxes to the best of their knowledge and ability, but we are busy people, and we have many other things to worry about in addition to network security.

    I would say that an ISP or a person running a server should take all steps possible to secure a server against attack, and be prepared to demonstrate that she did so if there is an investigation. Only in cases of negligence or deliberate malice should someone be held responsible for actions occurring on or through the server they run.

  365. The link the /. crew removed as 'ancient' by Wog · · Score: 2

    In case you'd still like to see it:

    http://www.indy.net/~sabronet/news/undernet.html

  366. This isn't the first time for Romania... by signe · · Score: 2

    I remember several years back when another "cracker" from Romania was causing problems for Undernet. Attacking servers, attacking services. Problem was that Romania has no laws regarding computer crimes, at least none worth mentioning.

    However, the person in question made the mistake of attacking the norman.ok.us server, which is/was hosted by the National Severe Storms Lab. Attacking a government server is a big no-no. It was enough for one of the opers to contact a friend with CERT and get Romania's internet traffic blackholed. Sent to the bitbucket as it hit the major backbones. It was a quiet day, and suddenly there weren't any more problems from that person again.

    So why not go through CERT again? If Romania's not going to respond to problems from its citizens, then they should be treated just like an ISP who won't do anything about spammers. They get the death penalty, except this time it's the Internet Death Penalty, rather than the Usenet version.

    -Todd

    ---

    --
    "The details of my life are quite inconsequential..."
  367. Re:Try securing your boxen first by Coolfish · · Score: 2

    More like if you decided to drive an unsafe car on the road. And no, you don't have that right (at least not in North America).


    I like that analogy.. let's extend it:

    Wind0ze = Ford Exploders, built Ford tough - to explode!

    BSD = Volvo, boxy IS sexy!

    anyone think of any more? :)

  368. Re:Not funny. Not one bit. by AugstWest · · Score: 2

    uh, I use usenet on a daily basis, and have for 6 years now. it's not dead. there are just as many tight, solid communities out there now as there ever were, if not more.

    i just don't get the whole "usenet is dead" argument.

  369. Bullsh*t, what about responsibility? by Fross · · Score: 2

    If someone walks into this open house, takes the gun you have in there and then kills someone with it, you are responsible for letting them obtain the gun. (Strange US gun state laws notwithstanding)

    Likewise when someone abuses a site you've left unchecked, the site owner is responsible. You can bet your ass that if this was being directed at a business instead of at Undernet, that they would be suing the pants off everyone whose systems got rooted, for negligence, aiding and abetting, you name it.

    You have the right to do whatever you want with your system, but if something bad happens with them, they are ultimately your responsibility.

    Fross

  370. Re:Try securing your boxen first by jerdenn · · Score: 2
    Get on the case of the companies that are letting him root them, and force them to take responsibility for the damage he does with their computers...


    Sure, and while you are at it, if anyone's home is ever broken into and a firearm stolen, charge the homeowner with murder. While you are at it, the next time your local corner store is robbed, charge them with a drug related offense, as we are all pretty certain that the money will go to buy drugs, anyways....


    I'm tired of the 'if you would just secure your boxen' stuff. So, my servers aren't locked down - doesn't give every Tom, Dick, and 5kr1p7 kiddie the right to mess with my crap.


    Hey, it's just my 2 pfennigs. We are all entitled to our opinions - you, yours, and me, mine.


    -jerdenn

  371. Re:script-kiddy culture is to blame by mOdQuArK! · · Score: 2
    Please tell me how removing a murderer from society (he can never kill again) does "infact [sic] make the problem worse in a way".

    I think it's a social/psychological argument - long term, if a society as a whole gets used to killing everyone who's a criminal, then the individuals in that society will be comfortable with killing as a solution to problems. Same principle behind showing many hours of mindless media violence to desensitize your population to real-life examples of that violence.

    Short term, of course, killing the truly incorrigible is a "cost-effective" solution.

  372. Re:script-kiddy culture is to blame by mOdQuArK! · · Score: 2

    I think the _militant_ pro-lifers would be quite happy if abortion was a capital offense. Then they could kill evil doctors in the name of God & receive accolades from society while they're at it.

    The only reason they're operating outside of the law, is that the majority of society doesn't agree with their extreme views.

    Of course, they've justified their behavior by defining the situation as being in a "war", where it is acceptable to sacrifice human life to achieve some "more important", long-term goal.

    What makes ME even more disgusted, are the pro-lifers who aren't willing to pull the trigger themselves, but who quietly condone (& support) the behavior of the militants because of the widespread chilling effect it has on the availability of aborton (all those agent-of-Satan doctors fearing for their lives).

  373. try a better chat protocol by MattW · · Score: 2

    Nothing popular yet, but at least one very talented software engineer I know of wants to create a DNS-based client-to-client chat service that would allow for a total distributed chat architecture, so that you could never DoS a server, only a single client. There would be no such thing as "ops", and no need. Clientserver chat protocols had their day, and were good in their day. Time to change models.

  374. Re:Undernet's had it coming. -- AGREED! by OmegaDan · · Score: 2
    You're exactly right, the entire undernet has a baditude, most people on undernet are just capital assholes, especially in technical forums ...

    For instance, in #solaris some retard (who was an OP!) was telling the newbies to unlink /dev/zero ... they were keeping tally of how many people they'd gotten to ruin their boxes...

    For some reason, the "culture" of the undernet has mutated into an angry, arrogant, mob ...

  375. Romania, are you sure? by ruckc · · Score: 2

    Having been a frequent Undernet visitor over the past few years, and knowing most of the wrong people, makes me doubt Romania.

    What can they do? A firewall would help, some, but not solve the problem (FreeBSD ipfw cost $30 486 w/8-16mb ram and 500 mb harddrive,).

    But a firewall will not fix the problem, no not much will, except make everyone happy of which will never happen. But you cannot let them, the kiddies, walkover Undernet so it is forced to close, you must stand up so they cannot do it to another server and another.

    If it is a DDoS, then obviously the kiddie got in the machines that he is using by a vulnerability, and is controlling them, but I doubt he fixed the bug, kill the machine? (shutdown now) Contact the dumbass admin that didn't patch his server, tell him you were forced, by 50000-60000 undernet users. But it does not really matter in the end though, he will always find more insecure boxes, and he can continue the attack, any Romanians want to go raid his house and make his ass stop please? I really wouldn't mind, and I doubt most people would care other than him and his parents.

    Oh well just my few tidbits of information.

  376. OpenVerse Visual Chat is an alternative. by cruise · · Score: 2

    There are alternatives to IRC and most of them are smallish and content specific. Personally I prefer an environment with less people for exactly the reasons you mentioned. OpenVerse Visual Chat is such an environment. Its design limits the mass destruction which can occur on Undernet. Check it out at http://openverse.org/


    They are a threat to free speech and must be silenced! - Andrea Chen

  377. Correction by _outcat_ · · Score: 2

    It's poor form to reply to one's own post, but I must make a correction. There are 20-odd ops and regulars who are active in channel and on a need-to-know basis on what goes on in channel; but the headcount in channel is usually from 80 to 100. The other channel referred to in the post, the older one, usually has a little bit more than that.

    That is all.

    "The GIMP Girl"

    --
    Angry IT woman in big clompy boots. And talking lint!.
  378. Defensive measures by Animats · · Score: 2
    Whatever happened to that scheme to have major routers follow every 20,000th packet with a routing info packet? That was being talked up a while back as a way to trace SYN floods.

    Once you've got the forged source address problem under control, the rest of the problem can be worked. Try turning on fair queuing at the first upstream router at a bandwidth choke point.

    If you can actually find the attacker, having them visited by a lawyer and private detective working together can be very effective.

  379. Rom != Romanian by yerricde · · Score: 2

    Gypsies are the Roma. They are not Romanians.
    Like Tetris? Like drugs? Ever try combining them?

    --
    Will I retire or break 10K?
  380. Re:Try securing your boxen first by rgmoore · · Score: 2
    I'm tired of the 'if you would just secure your boxen' stuff. So, my servers aren't locked down - doesn't give every Tom, Dick, and 5kr1p7 kiddie the right to mess with my crap.

    That is, interestingly enough, not in line with traditional Anglo-Saxon common law concepts, such as maintaining an attractive nuisance. If, for instance, you have a swimming pool, you are legally responsible for taking active steps to keep neighborhood children out. If you don't and one jumps in and drowns, you can be held civilly and (IIRC) criminally liable. If you don't lock your tool shed and the neighborhood drug dealer takes it over as his place of business, you can be held liable. I am merely suggesting holding people with open network connections to a similar standard: if you have a box that's likely to attract DoS kiddies, you must take serious steps to keep them out or be held partially liable for whatever damage they do with your box.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  381. Re:Counterefficient by bellings · · Score: 2

    And seeing an article on Slashdot about something you're doing is probably a good way to egg him (or her) on.

    This may not always be the case. One of the serious disadvantages to virtual "communities" (like Slashdot, or IRC, or UO, or whatever) is that it's very easy to forget that there are humans on the other end of the line. It's a whole hell of a lot easier to destroy something when the only consequences are to a group that doesn't seem real.

    There really are people who like to hurt things -- people who set cats on fire. These people are broken. But just about everyone likes to destroy things -- people who built big lego cities when they were a kid, just so they could play godzilla, or play Quake deathmatches, or just see how many levels deep they can 'eval' their scheme interpreter before the machine grinds to a halt. These people are, for the most part, not broken.

    The problem is that crashing Undernet is a little like watching the NASCAR crashes in the sports highlight films -- it's pretty easy to imagine that there are no real people being hurt. But, by publicizing this, there's a slim chance that this punk will realize he's actually hurting real people.

    Of course, it would be nice if they provided his name and address, so someone could go explain it to him in person.

    --
    Slashdot is jumping the shark. I'm just driving the boat.
  382. Re:What about EFNet? by AshPattern · · Score: 2

    Maybe someone should patent one-click hacking, and then sue everyone who used the apps.

  383. How hard can it be? by Kjellander · · Score: 2

    To every bozo running an ISP out there, use this script on your router to prevent anyone on your net from forging an address:

    #!/bin/sh
    # This will prevent anyone forging an address on your net.
    # Lots of stuff stolen from pmfirewall.

    IPCHAINS=/sbin/ipchains
    INNERIF=eth1
    # Address and netmask of the inner interface, parsed from ifconfig output
    # of the form "inet addr:a.b.c.d  Bcast:...  Mask:m.m.m.m".
    INNERIP=`ifconfig $INNERIF | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1`
    INNERMASK=`ifconfig $INNERIF | grep Mas | cut -d : -f 4`
    INNERNET=$INNERIP/$INNERMASK

    # Deny and log all packets with forged addresses from the internal network.
    $IPCHAINS -A input -j DENY -s ! $INNERNET -d 0/0 -i $INNERIF -l
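
The same source-address check in current tooling, as an added example that is not part of the post above: it derives the inner network from `ip addr` output, shows which sources the match treats as forged, and prints the equivalent iptables rules as a dry run. The interface name, the sample address and all function names are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example (not from the thread): the ipchains anti-spoofing rule
# re-expressed for iptables, printed for review rather than applied.

# Constructed sample of `ip -o -4 addr show dev eth1` output.
SAMPLE_ADDR='3: eth1    inet 192.168.10.1/24 brd 192.168.10.255 scope global eth1'

# first_addr: read `ip -o -4 addr` lines on stdin, print the first ADDR/LEN.
first_addr() {
    while read -r _idx _ifname fam addr _rest; do
        if [ "$fam" = inet ]; then
            echo "$addr"
            return 0
        fi
    done
    return 1
}

# ip_to_int A.B.C.D -> 32-bit integer; rejects anything that is not four
# decimal octets in 0..255 (leading zeros are refused, they would read as octal).
ip_to_int() {
    case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_mask LEN -> netmask as a 32-bit integer.
prefix_mask() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# network_cidr ADDR/LEN -> NETWORK/LEN with the host bits cleared.
network_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    n=$(ip_to_int "${1%/*}") || return 1
    m=$(prefix_mask "${1#*/}") || return 1
    echo "$(int_to_ip $(( $n & $m )))/${1#*/}"
}

# is_forged SRC NETWORK/LEN: exit 0 when SRC lies outside the network, which
# is exactly what the "! -s" match below drops. A host that borrows a
# neighbour's address inside the same prefix is NOT caught by this check.
is_forged() {
    s=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "${2%/*}") || return 2
    m=$(prefix_mask "${2#*/}") || return 2
    [ $(( $s & $m )) -ne $(( $net & $m )) ]
}

# emit_rules IFACE ADDR/LEN: print the rules instead of running them.
# ipchains passed routed packets through its "input" chain; iptables sends
# them through FORWARD only, so the match is emitted for INPUT and FORWARD.
emit_rules() {
    cidr=$(network_cidr "$2") || { echo "bad address: $2" >&2; return 1; }
    for chain in INPUT FORWARD; do
        echo "iptables -A $chain -i $1 ! -s $cidr -j LOG --log-prefix 'forged-src: '"
        echo "iptables -A $chain -i $1 ! -s $cidr -j DROP"
    done
}

# Demo on the constructed sample. On a router, feed first_addr from
#   ip -o -4 addr show dev "$INNERIF"
emit_rules eth1 "$(printf '%s\n' "$SAMPLE_ADDR" | first_addr)"
```

On Linux, setting the `net.ipv4.conf.<iface>.rp_filter=1` sysctl makes the kernel perform a comparable reverse-path check from the routing table.
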
  384. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  388. Re:script-kiddy culture is to blame by _ganja_ · · Score: 2

    I have no hope of ever having sex (with a human) but I have hardly ever used IRC. I find these kind of stereotypes offensive to the "no chance of getting shagged league".

    --

    A journey of a thousand miles starts with a brutal anal raping at airport security

  389. Talk to someone at MIT by Alien54 · · Score: 2
    MIT is one of the major hubs of the net. (actually, a number of certain high tech universities are major hubs, but that is another topic)

    In some places in there, they have bandwidth that makes OC48 look like a dialup modem.

    Ping Flood anyone?

    but seriously, maybe one of those type of places would be happy to host X and W on a really really fast machine. or a main frame, all as an experiment in internet security countermeasures.

    then add in some sort of code to escalate the response if an attack continues, so that the more a kiddie attacks, the more the kiddies get hammered until they go *poof*!

    --
    "It is a greater offense to steal men's labor, than their clothes"
  390. Re:You guys are assholes! by atrowe · · Score: 2

    It's Michael. Notice how the link to the Undernet site is gone now. I'm glad to see that Slashdot's authors are professional enough to admit they've made a poor judgement call and take the necessary steps to correct it.

    --

    -atrowe: Card-carrying Mensa member. I have no toleranse for stupidity.

  391. Re:Same thing, New Medium by Technician · · Score: 2
    always lead to the local trailer park

    Not always, but often enough. It mostly did go to poor neighborhoods and never to the elite part of town. However it did go to some nice country homes right on the riverbank once. About 1/4 were from cars. They were most likely to initiate flame wars thinking they were unfindable. Fortunately, they usually parked someplace making rapid triangulation very easy. With music blaring, they seldom noticed my arrival, plate copy and departure. (I don't hang about to get shot at or identified) The DF stuff was discreet and looked like twin mirror mount trucker antennas. It wasn't the obvious loop or beam antenna. Later they get the friendly letter on the front door and under the wiper blade. Another advantage then over DOS now was the guy you were looking for was within 20 miles.

    --
    The truth shall set you free!
  392. Re:Same thing, New Medium by Technician · · Score: 2

    Back in the 70's the same thing happened, but it was called CB radio. Linear amplifiers and music were the common D. O. S. attacks after a flame war got started. My effective defence was a radio direction finder. Leaving a note on the offenders door worked wonders as it proved the attack was not as anonymous as they originally thought. The difference then was they couldn't use my radio in a D.D.O.S. attack where now computing services are stolen and used in the attack. I got out of CB radio and never got into chat rooms. I got better things to do.

    --
    The truth shall set you free!
  393. IRC is in trouble anyway by q000921 · · Score: 2
    The IRC protocol and conventions need a major overhaul, IMO. On the one hand, they are not robust to many kinds of abusive behavior. On the other hand, they expose the IP addresses and login names of users, creating privacy and security concerns as well without helping protect IRC itself significantly.

    Unless IRC gets fixed or replaced by a new open protocol, you are probably going to see more and more chatting move to proprietary protocols and servers.

  394. Re:Try securing your boxen first by nightfire-unique · · Score: 2
    Huh? :)

    I was referring to the criminal act of driving a car which is not road-worthy (comparing it to the not-criminal act of putting a not net-worthy server on the 'net). It is dangerous to drive an unsafe car, because other people could die when your brakes fail. By a similar token, it is dangerous to put an insecure box on a major Internet backbone (highway?) because of the damage it could cause when it is easily rooted.

    --
    All men are great
    before declaring war

    --
    A government is a body of people notably ungoverned - AC
  395. Re:Try securing your boxen first by nightfire-unique · · Score: 2
    Granted... :)

    But that also depends on your perspective. To a corporate chairman or major investor, a few people dead on the highways due to unsafe vehicles would seem insignificant next to the death of their web site.

    --
    All men are great
    before declaring war

    --
    A government is a body of people notably ungoverned - AC
  396. Re:Try securing your boxen first by nightfire-unique · · Score: 2
    Sounds like a good reason to me to not allow corporations determine our laws.

    Like we needed another.

    Seriously frightening when aggravated sexual assault (think - that's raping and maiming or attacking with a weapon another human being) carries about the same maximum sentence as a serious copyright infringement.

    --
    All men are great
    before declaring war

    --
    A government is a body of people notably ungoverned - AC
  397. Re:Important: please read!!! by localroger · · Score: 2
    Don't you feel stupid?

    You just wasted a lot of time writing that in response to an old troll.

    Not really. Not knowing his history, I still figured on the possibility it was a troll. But I think it is always good to bring a rational thought into such a discourse. After all, if the only responses are "begone troll" and "begone pedophile," and this happens time and again, doesn't this create a potentially inaccurate representation of /. posters? He is, after all, trolling our open-mindedness. Do we want to lose that to deny him his little yuk?

    --
    Brackets contain world's first nanosig, highly magnified:[.]
  398. Re:Important: please read!!! by localroger · · Score: 2
    Roger, While I agree with you that in our current society, sex with children would be very harmful, if we were more enlightened it would be completely different. May I ask: What is your definition of a pedophile?

    A pedophile is one whose primary sexual attraction is to children. This does not mean s/he cannot have sex with adults, only that the most satisfying image possible is that of sex with a child. Both hetero- and homo- sexual variations are possible.

    I think you should be able to entertain whatever fantasies you want, but I think I speak for the consensus when I say sex between adults and minors should not be allowed. I don't think the power relationship can be resolved in any productive way. While it might be possible to establish a relationship that even the minor party finds enjoyable and feels is non-coercive, the weight of years and experience will always be there in ways that just don't exist when two adults are thrashing out their differences.

    And it is really hard to imagine a world in which this would be different, no matter what the differences in mores or technology. We are born knowing nothing and need a prolonged developmental period to establish our concept of self. Sexual experimentation between children may be a natural part of that process, but I don't think that sex between children and adults is.

    I have seen indications that some so-called pedophiles are actually "getting off" on the power imbalance itself, rather than the child-adult thing. That may be an individual quirk, but it's worth paying attention to. Most of us aren't into sex with kids, but everyone understands power. In our culture, it's the universal fetish.

    --
    Brackets contain world's first nanosig, highly magnified:[.]
  399. Re:not sincere by localroger · · Score: 2

    *sigh* live and learn.

    --
    Brackets contain world's first nanosig, highly magnified:[.]
  400. Preventing DDoS attacks by sgoldsby · · Score: 2

    Applicable to the DDoS problem.

    I'm in the security business. When trying to find chinks in the armor, I've done serious damage to checkpoint, pix, raptor, ipchains and other firewalls.

    We've recently started rolling out Netscreen boxes for perimeter defense. They proxy the 3way tcp handshake and reliably deflect synflood, udpflood and pingflood attacks, among others. We can then use the flashier boxes with more bells and whistles to do more detailed inspection of what makes it through. We're deploying a good number of these because their ASIC architecture is so danged good at the wire level checks.

    Of course, this doesn't help if you have 100MB of SYNs coming in across your T1, but they'll never make it through to the server to hog up its resources.

    If more of the backbone providers used a tiered approach to protecting their pipes, the DDoS kids would have a lot less success.

    Steve

  401. Re:BOMB ROMANIA! CR0SH THE FUXORZ!! by MrNiCeGUi · · Score: 2

    Great! I'm from Romania and I'm delighted to see the great minds come to work on Slashdot. This is (probably) just one person. He has a permanent Internet connection available, which means here either he is rather rich (these things aren't cheap here, you know) or is a student living in campus. Things like "Bomb Romania" or "Let's bring their Internet connection down for two years or so" don't really help. And they shouldn't be at +1. And, FYI, the gipsy population here does not exceed 5%. Most of them don't use computers and I doubt that those who do would do such a thing. This is because someone here mentioned "armed gypsies".

  402. Re:script-kiddy culture is to blame by jorbettis · · Score: 3
    or worse yet, angry ircops who are scriptkiddies themselves.

    Heh, I know the feeling. I have frequented the SlashNET network for a few years now and have developed some fairly nice friendships. Recently, the ops of radon.slashnet.org and perdition.slashnet.org decided that it would be great fun to use their IRC Operator status to harass me.

    They kickban me from the main channel at random, make the servers reset my connection, set services to automatically kick me, they've even gagged me twice. The second time they would have left it on, but I was able to ssh to another box and log in from it to make it known that I had been gagged. They then removed the gag and tried to pretend that they hadn't done it.

    Needless to say, IRC, which is supposed to be a recreational activity, is now a pain. I do not get on to be abused by a couple of assholes who happen to have enough access to somebody else's bandwidth that they can become 1337 s3rv3r 0pz.

    If they're trying to get rid of me, they're doing a pretty good job. I'd already be gone if I was any less interested in the other people on that network.

    I wonder how many of these attacks on IRC networks are caused by an Op abusing his powers and burning a few bridges with the wrong people.

    --

    Jordan Bettis

    ``Wherever you go, there's another stupid sigfile quote.''
  403. Try securing your boxen first by rgmoore · · Score: 3
    We're about to run out of new ideas, since we can only code in so much security so fast, and law enforcement isn't terribly effective. What does the Slashdot community say?
    Well, how about trying to secure some of the boxes that are being used for the attacks first? According to the second linked article:
    Another Under Net operator stated that the attack began Saturday when the unidentified youth telnetted from Romania to FishNet, a Ventura, California-based Internet service provider. Once he obtained highest-level "root" access at FishNet, the youth launched at least smurf attacks - one against his former Internet service provider, the Romania-based Logicnet, and another against a UUNet service in New York...

    Benefield said the youth entered FishNet services via news and mail server daemons, leaving his electronic footprints in the server logs.

    The youth, who is believed to be between 16 and 19 years of age, then went on a juggernaut across the global network, stopping first at ISPs in Oslo, London and other parts of the UK, as well as hitting Chicago ISP Napnet. At each stop, the youth would log onto the server, obtain root access, then delete files, canceling accounts. In some cases, it wiped out the entire businesses such as the ISP in Oslo.

    The first thing to do is to stop letting the guy root computers with great connectivity and bandwidth. Secure the damn boxes and he won't be able to do this kind of thing. Get on the case of the companies that are letting him root them, and force them to take responsibility for the damage he does with their computers. There's really nothing you can do as long as this vandal can get his hands on serious DoS capable hardware.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

    1. Re:Try securing your boxen first by nightfire-unique · · Score: 5
      Nope. I don't agree. If I want to run an insecure, crappy box, that's my right. Just like if I have a house, and want to leave the door swinging in the wind wide open, it's my prerogative.

      Hrm. Bad analogy.

      More like if you decided to drive an unsafe car on the road. And no, you don't have that right (at least not in North America).

      --
      All men are great
      before declaring war

      --
      A government is a body of people notably ungoverned - AC
  404. What about EFNet? by LightningTH · · Score: 3

    EFNet has been under a constant DDoS for a while now. It has been to the point sometimes that chat is impossible and almost all servers delink. Upon looking at EFNet.org it is obvious how many servers have permanently left.
    Also, did the DDoS ever stop on the LinPeople IRC network? I know it was being hammered by someone that wanted things his way.

    The real issue is that there are scripts and applications out there that make it 1-click possible to hack computers. This is to the point of 1-click to hack the whole internet. People need to learn about security and how to tighten their computers down and keep up with security holes so they are not prone to being hacked. There are a ton of linux users out there, but a very small percentage that know how to correctly use it and secure it so their computer is not part of the DDoS's.

  405. (Slightly) OT - I Love Undernet by perdida · · Score: 3


    Really, I do.

    The Undernet was a place that I was able to use like the proverbial Roman agora, shaping a lot of my political arguments and testing them against people who otherwise would not have dealt with me.

    I was 15 years old and an over-bright geek girl when I discovered #debate on Undernet, which I had joined due to my recent accession to the Debate Team at highschool. I, a new anarchist, met some of the great folks who were making up the famous and oft-mirrored The Anarchist FAQ. Some of the issues I discussed -- and was forced to research at a level far higher than would have been required at school -- included prisons and imprisonment, the decentralization of utilities, and other supposedly "boring" questions of public policy that I learned, early on, were fascinating to me. Like other geeks I specialized early and Undernet was my venue to this specialization.

    I argued with long time anarchist theorists as well as libertarians, Democrats, Republicans, and government employees and politicians with decades of experience in politics and policy. Nobody gave a shit- or knew, without a lot of work- that I was young, Jewish, Yankee, and female. It taught me that mentality was key and that I could do anything.

    I then joined up in #politics, which is slanted much further to the right and is often very silly and vapid- but still often contains some of the best and most informed argument on the Net from time to time. People have discussed foreign policy, economics, ecology, cryopreservation, and lots of other issues in there.

    I have gotten jobs and close friends through Undernet. I will be a lifelong inhabitant of #politics as long as it exists and isn't overwhelmed by script kiddies or other idiots.

    My congratulations to IRC's staff for keeping it up so long and my hopes that Slashdotters can help them, loan them the brains, time and other resources necessary to fend off this idiotic attack.

  406. Counterefficient by suwain_2 · · Score: 3
    (Is that a real word?)

    Posting a Slashdot story, and making a huge deal out of this is a horrible way to try to resolve this problem.

    Had no one ever mentioned anything, this "script kiddy" would have wondered what was going on and stopped the whole thing. But now he's probably seeing that "Underworld" has acknowledged the attack (it's written in a sad, melancholy tone; and it also gives the impression that they are clueless and helpless -- I know this isn't the case, they just seem to have worded it poorly.) And seeing an article on Slashdot about something you're doing is probably a good way to egg him (or her) on.

    Just let it die of inattention -- it's remarkably amazing how well this works.

    --
    ________________________________________________
    suwain_2 :: quality slashdot p
  407. Comment removed by account_deleted · · Score: 4

    Comment removed based on user account deletion

  408. A serious proposal for a more secure irc network. by bl968 · · Score: 4

    The primary issue facing Undernet, Dalnet and EFNet is that they give the script kiddies all the information they need to launch savage DDOS attacks. The IRC networks give out to any interested party the IP addresses of the servers, the IP addresses of the hubs, and finally they give out the IP addresses of the end users. When you provide the keys in a manner such as this, expect someone to try them in the lock.

    The first step to resolving this is IP mirroring. Unless you are an irc operator, you see your own IP address on each server and each user on the network. This removes the first bit the user needs for a massive disruption of the network. Ircops need to be able to see the hostmask in order to protect the servers from the misdeeds of users.

    The next step in protecting your irc network is to have no publicly listed server connecting to any other publicly listed server. All hubs should be ircop only. This makes it so that the hubs, the all-important links to the edge of your network, are hidden from the public and from the hackers' view.

    Now in order to make the task more difficult, simply give out only one hostname that all users will use in order to connect. Each server would be required to take users if the resources are available for them. Local users to a server would of course have priority. The single hostname may not totally protect your network; however, it will ensure the hackers have to work a bit harder to get the information on the server they are using to connect. No offense to any serious hackers out there is intended; however, script kiddies are by and large lazy creatures.

    These measures will not protect the average user who accepts CTCP chats or DCCs; however, those who do not should have total immunity from the script kiddies.

    In order to provide channel operators with a modicum of control in their channels, have a bot that can see host masks and accepts ban commands via private messages giving the user's nick. The bot would only allow the ban if the user issuing the command is a channel operator in the channel they are requesting the ban for.

    You could also get smart and use channel services. Channel services might rile some of the ircops who see channel ownership as a bad thing. However, private ownership of a channel, once created and registered, tends to make sure that there is no point in attempting to split servers from the network in order to try to take control of a channel. If you do not like ownership of channels, simply decide on a very short-term idle channel deletion. If a channel is popular enough to have people online 24x7 then they have the right to decide who controls their community.

    Many IRC networks and services packages implement these security-improving provisions already. You can look at Stratics IRC Network, which while small has a very effective implementation. Stratics IRC is a gaming related network offering these features.

    --
    "GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
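
    Added example, not part of the comment above or of any real ircd: a sketch of the two mechanisms it proposes, viewer-dependent host display ("IP mirroring") and a ban bot that resolves a nick to its real mask only for channel operators. The class names, the `BAN <#channel> <nick>` command format and the id-only ban list are assumptions; the addresses are constructed documentation-range values.

```python
from dataclasses import dataclass, field
from itertools import count


@dataclass
class User:
    nick: str
    ident: str
    ip: str
    is_ircop: bool = False


@dataclass
class Channel:
    name: str
    ops: set = field(default_factory=set)     # lower-cased nicks holding channel op
    bans: dict = field(default_factory=dict)  # ban id -> real mask, kept server side


class Network:
    """Hypothetical model of one IRC network's user and channel state."""

    def __init__(self):
        self.users = {}
        self.channels = {}
        self._ban_ids = count(1)

    def add_user(self, user):
        self.users[user.nick.lower()] = user

    def add_channel(self, name, ops=()):
        self.channels[name.lower()] = Channel(name, {n.lower() for n in ops})

    def visible_host(self, viewer, target):
        """Address `viewer` is shown for `target` in WHOIS/WHO/JOIN output."""
        if viewer.is_ircop:
            return target.ip   # opers keep the real host so they can police abuse
        return viewer.ip       # everyone else gets their own address mirrored back

    def prefix(self, viewer, target):
        host = self.visible_host(viewer, target)
        return f"{target.nick}!{target.ident}@{host}"

    def ban_list(self, viewer, channel_name):
        """Ban list as `viewer` sees it: ids only, real masks for opers."""
        chan = self.channels[channel_name.lower()]
        if viewer.is_ircop:
            return sorted(chan.bans.items())
        return sorted(chan.bans)

    def is_banned(self, channel_name, user):
        chan = self.channels[channel_name.lower()]
        return f"*!*@{user.ip}" in chan.bans.values()

    def bot_privmsg(self, sender_nick, text):
        """Ban bot entry point for a private message from `sender_nick`."""
        parts = text.split()
        if len(parts) != 3 or parts[0].upper() != "BAN":
            return "ERR usage: BAN <#channel> <nick>"
        chan = self.channels.get(parts[1].lower())
        # Same reply for "no such channel" and "not an op" so the bot cannot
        # be used to probe channel membership.
        if chan is None or sender_nick.lower() not in chan.ops:
            return "ERR not a channel operator there"
        target = self.users.get(parts[2].lower())
        if target is None:
            return "ERR no such nick"
        ban_id = next(self._ban_ids)
        chan.bans[ban_id] = f"*!*@{target.ip}"  # the mask never leaves the bot
        return f"OK ban #{ban_id} set on {target.nick}"
```

    The bot's replies carry a ban id rather than the mask, so a channel operator can ban by nick without ever learning the address being banned.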
  409. Re:script-kiddy culture is to blame by nightfire-unique · · Score: 4
    some of them over 20 these days (get a life, folks)

    Um. Have you considered the irony of posting something like this to slashdot?

    --
    All men are great
    before declaring war

    --
    A government is a body of people notably ungoverned - AC
  410. script-kiddy culture is to blame by alhaz · · Score: 5

    Face it. IRC is the universal home of Those Who Have No Hope Of Ever Having Sex.

    Efnet, undernet, chatnet, all the big nets. the PFY's known as scriptkiddies (some of them not even youthful pimple faced youths anymore) go to IRC because it's somewhere that magically makes their penis extend two or three whole inches, just because they can find some person or some group of persons, cause them a great deal of displeasure, and say "Look what I did!" to their buddies.

    What these twits would realize, if they had grey matter operating above the brainstem, is that by doing this, they're making everyone who has donated equipment and bandwidth to IRC networks question whether or not that was a good idea.

    IRC networks are going to go away because of scriptkiddies, unless these kiddies, some of them over 20 these days (get a life, folks), knock it off.

    Would YOU run a public irc server if it meant you were going to get DoSed into the stone age twice a week? I sure as hell wouldn't. Maybe that's why chatnet only has 4 servers in the US these days.

    All that being said, undernet has always been a haven for oversexed, underage wankers anyway.

    Go ahead, moderate this post as a flame. I'm just upset because my home channel, which has existed in one form or another since the previous Bush administration, has been moving around from network to network lately trying to find one that doesn't get shut down constantly by angry users, or worse yet, angry ircops who are scriptkiddies themselves.

    --
    This is just like television, only you can see much further.
  411. Re: Ask Slashdot: Undernet In Serious Trouble. . . by brass1 · · Score: 5

    I personally find this article interesting for the simple fact that I'm a Systems Engineer at one of the Undernet sites that was forced to delink last week because of the DDoS on our Undernet server[1]. I've read most of the comments, and must say that most of them are lacking in the kind of content that the originator of the article has requested. In fact, most of them border on immature (which must be why most of them are moderated to a 1 or a 2). With that said, many comments had useful insights, though they are definitely not news to anyone close to any IRC network.

    First of all let me state that I have as little to do with the actual operation of the Undernet server or the network as a whole as possible. That role is fulfilled by another group who works very hard with a real task and literally deals with IRC problems in their personal time, so it's hard for me to comment on the politics of their situation. I can however, comment on the politics, and a few technical details (For certain reasons, I'm more than a little vague in what we observed during the attack) of the situation I was involved with at the time. What follows is somewhat of a chronology of the event.

    Hr 1 - 3. The attack started pretty slowly. So slowly that it really didn't set off any alarms, though some customers on remote parts of the network did notice high latency, and a bit of packet loss. This was enough to start looking around, but not really enough to suspect an attack.

    3:00 - 3:15: Connectivity is lost to nearly any network that requires crossing a border router. The traffic stats from the border routers show that nearly every bit of connectivity is full company wide. It was clear that at this point that this was probably an attack, though it was unknown what was being attacked, or where it was coming from.

    3:15 - 4:00: Using historical data the sources of the attack were identified. Using this data, we initiated contact with each provider we have connectivity from to request filters be placed in their network to block the attacks. At the same time the company's tech support call center is overwhelmed with calls from customers experiencing various problems. Further, all the major application servers (mail, news, etc) are also nearly unusable since they no longer have connectivity to the remote machines they were talking to. As a topper, one of the noisier (literally) network monitoring programs our NOCC uses has gone into "make random noises mode." This is due, in large part, to the nearly 600 alarms it thinks exist because of connectivity problems to the rest of the network.

    4:45: I remove the FDDI cables from the FDDI card in the IRC server.

    4:00 - 4:30: The attack is starting to dissipate. It's theorized that it's because the machine that was being attacked was no longer on the Net. Also about this time, the distributed filtering should start taking place.

    6:00: After spending a couple of hours cleaning up the mess that such an attack leaves on all the other machines I receive the standard email from the security people requesting time estimates for my labor on this afternoon's Comedy Hernia Hit.

    This chronology is reflective of nearly every other DDoS attack I've experienced in the last 12 months. It's clearly frustrating, and a complete waste of my time (especially since it was my last working day before a very rare vacation), and it should be pretty clear why I don't want IRC servers on a network I have to maintain.

    Let me be clear, at no point was the server itself ever affected (other than, I assume it lost connectivity to its hub during the attack), but nearly every other major application was affected in some way, and it definitely caused a lot of paying customers to not get the service they pay for.

    Someone suggested that we need to prevent people from "rooting" machines in order to prevent these attacks. The poster is correct, this is what we need to do. Anyone have any ideas how to prevent this? I know all the machines on my network are secure, but I can't control machines I don't maintain. And that's just the problem. This isn't about the host sites securing their network, most of them do and the ones who don't learn quickly that they have to. Adding (more) security features to the application (ircd) also isn't the answer, as the machine itself was never affected. Hunting down the initiator of the attack only prevents that person from attacking anything for a while; like the death penalty, I see no indication that it's a real deterrent to the crime. Quite honestly, I too am at a loss as to what, if anything, will ultimately solve the problem short of completely abandoning the technological foundations that the Internet was built on.


    As for law enforcement, they are generally quite interested in such attacks[2], but they have clear guidelines in what they can and can not get involved in (you have to show a capital loss greater than a specified amount). In this case I know these guidelines were met, but generally these investigations go nowhere because the trail often leads to cracked machines that have no useful telemetry of the attack, or the intrusion. I have often thought that companies who fail to maintain basic security on their network should be held liable for damages to other networks in these situations, but even that is quite troublesome.

    Of course, there is one method that solves this problem, at least for me. It was to remove the service from our network. As a Sysadmin who has customers who pay to use other services I have no trouble with this. As someone who tries to be a useful member of the "Internet Community" I have serious issues with this method. In this case, no good deed goes unpunished.



    [1] In fact, I personally pulled the FDDI cables out of the machine during the attack once we determined the machine that was the
    [2] Though, sometimes you have to work to make contacts with people smart enough to care.

  412. Use those sources... by Thalia · · Score: 5

    I expect this is the Trinity attack that is described in considerable detail here by X-Force. You can find the actual article and analysis of the Stacheldraht tool here written at the University of Washington. The author of that article claims that he wrote a program that detects Stacheldraht on a system. Of course, getting the ISPs that are sending these DDOS messages to actually use some security might be a bit difficult. By the way, this is old news, since the CERT advisory is dated June 99.

    Thalia

  413. This is why I left efnet in the firstplace. by greysoul · · Score: 5
    I feel my comment is best left to my writeup on Everything2: People like that are the reason I left Efnet (idea)
    But, if you don't feel like reading it, I'll sum it up here. and add a bit, now that I think about it.

    -------
    I used to be a script kiddie, then I hit puberty.
    You either understand that last statement or you don't. Kids are kids, and having worked with emotionally handicapped (not retarded) in a highschool setting, I know what they do with computers. I'm the one who had to fix them. (macs, no less)....

    There's 3 reasons I've found that kids like to break things

    1. They don't own it, so they cannot comprehend that it has value to someone. This is perfectly normal for kids between the ages of 2-6, it varies in its severity, but it usually goes away before kids are injected into the social realm of dealing with other people in school, so it's not a big problem.

    2. Kids between the ages of 6-18 more commonly express their destructive skills on something because they do not understand it, and feel that by breaking it they have power over someone who does know how to use it. Ownership isn't a factor in this, I've seen kids break their own things because they can't make it work (you see this very commonly with "broken" toys in younger children).

    Again, most kids will stop, or mellow down by the time they've hit puberty.

    The third case is most common in mentally or emotionally challenged children:

    3. "If I can't have fun with it, no one can." This is more common among older kids and extends beyond material items. This is the only case where I've found that ownership REALLY matters, but not in all cases. most people, however, grow out of this phase as well.

    So what is someone who hasn't outgrown this state well past the time they should have? The police and doctors call them Sadists and Sociopaths. In this case however I would feel reluctant to use either of those terms. I think in this case it's more a case of a pre-pubescent pissing match between himself and another channel.

    Back in my own script kiddie days on IRC I witnessed MAJOR network wars that included the disabling of about 50% of the @home network in san diego, cutting down telephone poles, cutting off power to NOC's, angry kids beating the SHIT out of the kid who nuked him at school, calling in bomb threats to places, ANYTHING and EVERYTHING they can do to disable an ISP even if only for a second.

    just long enough

    All that shit I saw, was _ALL_ related in one way or another to "channel takeovers" some of them over things as petty as who's allowed to flirt with the only girl in a channel, platform debates, music debates... rarely over anything more mature than a 6th or 7th grade level.

    Which brings up this point: most of the people who do this are still kids (under 18) so unless they nuke a military server or something, all they're gonna get in most cases is a warning, maybe a fine.


    So, what's to be done? I say it's time that the more mature half of the internet joins together to fight this in a way that younger kids have no control over. I've had AMAZING success tracking down script kiddies and calling their parents. People who are clueless, or who have something to lose by being related to a kiddie, are VERY helpful.

    Here's some ideas I've used and had VERY good success with.

    1. Fight back online - Pro: it's fast and can be effective. Con: lowers you to their level.

    2. Call their parents/employer/school*** - Pro: Can be VERY effective in the long term. I've had people fired, grounded, suspended, and reprimanded with one phone call. Con: Can take a while, or you get someone who just doesn't care.

    3. Call the ISP from which the attacks originate.* - Pro: Admins will always know what you're talking about, and they're usually helpful as DDOS through their systems reflects badly upon them, costing them dollars. Con: most dialup/residential ISP's don't really care or log things, so it's hit or miss.

    4. Shut it all down, and walk away for awhile. - Pro: Best idea if you can afford this option. Most kiddies get bored after a few days, or when school starts. Con: depending on who you are, shutting down your system and doing something else may not be possible.

    So, there you go... those are my loosely compiled thoughts and ramblings on the subject of Script Kiddies.... ciao
    -Doug

    --
    Q. What's it take to get a story posted on /.? A. Add "Oh, and it's runs linux" to every story, relev
  414. Not funny. Not one bit. by _outcat_ · · Score: 5

    I've seen some amusement on this thread, amusement at the very fact that Undernet has been DoS'd.

    Well, don't be. It's not funny. There are people losing money because of this; there are people who are becoming absolutely brainless and deciding "Gosh, it'd be fun, let's go the way of the skript-kiddie and help the DoS'ing be even worse!"

    Then there are dedicated channel ops and owners who are building bots, starting channels, writing mailing-list software to help their members and fellow ops deal with the crap that's going on. I'm a 200-level op on one of the linux channels on Undernet (check my user info for more information) and while there are those here who feel IRC is a waste of time, I believe it's one of the best ways to communicate with people all around the world about a common interest. If you don't like IRC you don't have to use it. I can see how some people think it's a waste; but it's something I enjoy. And so do 20-odd other ops and regulars in this channel.

    I met these people because they helped me install Linux over two years ago; there are ops and regulars who are good friends of mine from Australia, New Zealand, Canada, the US, UK, Malaysia, Germany, Greece to name a few. We put faces to the names via webcams; we know who's going out with who, we comfort our friends when they're going through crap, and we came together and cooperated with a mailing list and new bots and new policies once W went on the blink.

    Someone tried to compromise our channel yesterday (a takeover, for the unschooled) but order was restored. With W (X for other channels; we happened to have W when he was still around) the oplist, auto-kicks, and bans are very easy to store; without W, the guy managed to get ops by pretending to be one of us. Could have done some damage, but thanks to some IRCops (Thank you seti and saralee!) order was restored, new bots put in place, and new channel policies. I know there are other /.'ers out there who know what a close-knit channel is like and how much it sucks when stuff like this happens.

    Right now there's rumors that W and X will never come back. If they don't Undernet is dead...and where is a channel to go? Some IRC networks have strange ident issues; some are dying out; and some have a structure such that it's hard to even keep hold of a channel because of skript kiddies. Right now Undernet splits a lot--too many users and not-so-perfect routing. It's also hard to connect to a server. There's a lot of lag.

    And now I get to a point I think bears hearing: Forking doesn't mean animosity. (Are you reading this, RMS? :P) There's another Linux-related channel on Undernet which a few people split off of for one reason or another, and those people started our channel. There was some degree of disdain amongst our channel because of some of the policies of the first channel. (I like the place, though. :) But the two channels are cooperating on some of the DoS issues. We're all about Linux and getting a good place for our users to chat.

    To the skript kiddies out there who are continuing to pummel Undernet because you think it's cool: Stop acting lower than dirt and get a life. You can find something better to do than cost people time and money.

    "The GIMP Girl"

    --
    Angry IT woman in big clompy boots. And talking lint!.
  415. Re: Ask Slashdot: Undernet In Serious Trouble. . . by _ganja_ · · Score: 5
    I wasn't there but based on the details above which are extensive there is something that I would have done very quickly that would have saved you grief at least in some of your network. Even if you did what I'm about to mention, it's worth posting as it's also good advice for anyone else getting DDOS'd (or at least it's a starting point).

    DUMP THE ROUTE As soon as possible stop advertising the affected block to your peers, this is the fastest way to prevent the traffic entering your AS and saves bandwidth on your internal lines. It's under your control and it's faster than informing all your peers and waiting till *they* get filters in place, it's not their problem and even if they filter the traffic it still takes their external bandwidth.

    This depends on your BGP config and a few things will happen, firstly if you're a large ISP you're going to lose other customers as you're not advertising their IP addresses and depending on peering agreements the minimum could be as large as a /20 or /19 but it's better than losing the whole network and all your customers! If upstream peers from you are not aggregating your routes this will in effect remove the route from the whole net (might take a little while to converge the whole net) and the traffic from the attacking DDOS machines won't get very far (their own subnet). If your routes are aggregated upstream and you've withdrawn the route the traffic stops with the upstream ISP anyway.

    This should give you breathing time without the loss of your whole network and (at least you'll have bandwidth to telnet to your routers) let you identify which machines were getting attacked. Talk to the upstreams and get them to dump the host(s) specific route to null.

    I meet far too many network admins that think they know everything there is to know about networking that just state "what can I do but put filters on the border", which is fairly useless for preserving external bandwidth which of course is what your customers are paying for.

    BTW, while I'm here, anyone want to give me a job?

    Will configure routers for food.

    --

    A journey of a thousand miles starts with a brutal anal raping at airport security
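
    Added example, not from the comment above and not router configuration: a planning helper for the "dump the route" step that works out which announcements must be withdrawn to stop attracting traffic for an attacked host, which customers go dark with it, and the host route to ask upstreams to send to null. It goes one step beyond the comment by handling overlapping announcements (an aggregate plus a more-specific). The function name, customer names and the benchmark-range prefixes are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple


class DumpPlan(NamedTuple):
    withdraw: list         # announcements to stop advertising to peers
    still_reachable: list  # customers covered by an announcement that stays up
    collateral: list       # customers that lose reachability with the victim
    upstream_null: str     # host route to request upstreams send to null


def plan_route_dump(announced, customers, victim):
    """Plan a withdrawal for `victim` given our announced prefixes.

    announced: prefixes this AS advertises, e.g. ["198.18.0.0/19"]
    customers: mapping of customer name -> prefix inside our address space
    victim:    address of the attacked host
    """
    victim_ip = ipaddress.ip_address(victim)
    nets = [ipaddress.ip_network(p) for p in announced]

    # Every announcement covering the victim attracts attack traffic, so a
    # more-specific cannot be withdrawn alone while an aggregate stays up.
    withdraw = [n for n in nets if n.version == victim_ip.version and victim_ip in n]
    if not withdraw:
        raise ValueError(f"{victim} is not inside any announced prefix")
    remaining = [n for n in nets if n not in withdraw]

    def covered(net, candidates):
        return any(net.version == c.version and net.subnet_of(c) for c in candidates)

    still_reachable, collateral = [], []
    for name, prefix in sorted(customers.items()):
        cnet = ipaddress.ip_network(prefix)
        if not covered(cnet, nets):
            continue  # was never announced, so the withdrawal changes nothing
        (still_reachable if covered(cnet, remaining) else collateral).append(name)

    withdraw.sort(key=lambda n: n.prefixlen)
    return DumpPlan(
        withdraw=[str(n) for n in withdraw],
        still_reachable=still_reachable,
        collateral=collateral,
        upstream_null=str(ipaddress.ip_network(victim)),
    )


# Constructed sample: two announced blocks, IRC server inside the /19.
SAMPLE_ANNOUNCED = ["198.18.0.0/19", "198.18.32.0/20"]
SAMPLE_CUSTOMERS = {
    "irc-server": "198.18.5.9/32",
    "dialup-pool": "198.18.8.0/22",
    "colo-a": "198.18.32.0/24",
}

if __name__ == "__main__":
    plan = plan_route_dump(SAMPLE_ANNOUNCED, SAMPLE_CUSTOMERS, "198.18.5.9")
    for field_name, value in plan._asdict().items():
        print(f"{field_name}: {value}")
```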