Slashdot Mirror


The DDoS Attacks, One Year Later

ATKeiper writes: "One year after the DDoS attacks against major Web sites, C|Net reports that there are still 'no strong defenses deployed' against such attacks. The only person so far accused by prosecutors is Canadian teen hacker mafiaboy, whose trial starts in a month. Was it a forgettable stunt? A much-needed wake-up call for insecure e-commerce sites? Lame script kiddies giving hackers a bad name?"


  1. You script kiddiez are pussies by defile · · Score: 2
    Stop going after the small shit.

    I can't believe no one has taken down the root servers yet.

    The attorney general went apeshit just because of Yahoo.com and e-trade. Imagine what would happen if the *.root-servers.net suddenly stopped responding. 99.9% of internet users would be paralyzed and helpless.

    Here, instead of releasing poison gas into the subways or toppling the world trade center, this is really easy to do and americans will so get their panties in a bunch:

    1. Amass lots of rooted boxen (given). Use the BIND exploit for the ultimate irony.
    2. Write a perl script and use a resolver module to send bogus random requests to each root server in sequence. The more random the better, as they will be harder to filter. Don't forget to spoof the source address.
    3. Run on each rooted box in background. Cron it to start on boot.
    4. Gloat to world newspapers.
    It's ludicrous that none of you extremist terrorists have done this yet. You can do this from the comfort of your own homes and you don't even have to risk capture if you live in a US hating country.

    Killing a bus full of passengers is good for horrifying headlines, but in the end no government will really care. Mess with the internet on the other hand and you're a force to be reckoned with.

    And for all you jackasses crying Treason, would you rather they poisoned your local water supply or that they just took down .com? I know what my priorities are.

  2. Re:There's no defense against tacks either by Masem · · Score: 2
    There is a defense, at least against the small-time script kiddie: you educate the public at large how to check for viruses, compromised computers, and get OS features up to speed so that untrusted code cannot be run without user intervention.

    The DDoS attacks last year relied on the ability for Mafiaboy to install programs that would help propagate the DDoS across a large number of unintentional volunteers' computers, such that all he had to do was wake them up at a given time with a given target, and that's all he needed. He was able to get such programs installed thanks to the help of email viruses, web page javascripting, and activeX. IIRC, many of the computers that were found to be part of the attack were computer clusters at universities, implying how easy it was to get this propagated.

    If we had OSes and browsers that would not run untrusted code unless the user said yes, the DDOS would not have been as effective. Even if that option's there, the importance of what untrusted code is is not well implied. MS's 'error' message if you use prompting for ActiveX controls and scripting is "Scripts and ActiveX controls are usually safe..."; this is NOT true. Sandbox the browser, do not let it access any system files (as there's need for it to!). And make sure that computer users KNOW this and the effects that running such programs can have, don't take a passive view of "oh, a new bug fix is out, you ought to install it when you get a chance...".

    --
    "Pinky, you've left the lens cap of your mind on again." - P&TB
    "I can see my house from here!" - ST:
  3. detail by MouseR · · Score: 2

    What the article doesn't mention is that his father is called up on the witness bench, and his name has come up in the list of accused, as he is, according to the prosecutor, probably involved in the DDoS attack.

    MafiaBoy's father allegedly gave him information on the technicalities of such an attack.
    Local newspapers have reported at some point during the year that this is what's going to be used as a defense. The father allegedly knew how to do such an attack, for having read about it, and discussed it to his son, which then tried it. The father did not know the extent of the attack, not being very technical himself, hence the defense relying on the fact that MafiaBoy did not know either that this would cause such a severe attack.

    Another newspaper had reported that the kid itself was "framed through ignorance" by his friends to do the attack itself.

    Both newspapers were full of inaccuracies, of course, such as for the usage of the word "hacker", as usual.

    Karma karma karma karma karmeleon: it comes and goes, it comes and goes.

  4. DDoS for fun and profit by c · · Score: 2

    Once people start combining attacks with stock market manipulations, people might start paying more attention.

    Sell short EBay, DDoS them for a couple days, collect some cash. Day trading and the speed at which attack news travels has made the markets so much more reactive to the slightest bit of bad news. Do this just before some kind of major EBay event so you can claim a legit excuse for the sell and hide your tracks carefully when starting the DDoS (AOL via a stolen cell phone?)

    You heard it here first.

    c.

    --
    Log in or piss off.
  5. Re:There's no defense against tacks either by Kenshin · · Score: 2

    If you did that, would that make you a Tacker?

    Then the media could go bonkers about attacks by crazed teenage Tackers out to bring down the highway system!

    (But seriously, a thumbtack wouldn't do sh!t against a car tire...)

    --

    Does it make you happy you're so strange?

  6. Re:There's no defense against tacks either by Nehemiah+S. · · Score: 2

    Well, it depends on your tire design I suppose. If you compartmentalized the tire well enough and used some kind of emergency reinflation system like that "great stuff" expanding foam to refill the punctured compartments...

    --
    ... and there is no doubt, that one day he will be
    where the eye of his telescope has already been
  7. A whole year? by Wind_Walker · · Score: 2
    Geez, how could time have passed by so quickly? I mean, a year since these devastating attacks happened... Where could it have all gone?

    Oh, yeah. It all went back to real life, where this is no more than some offended 5kr1p7 k1dD13Z deciding to lash out. It had no influence on the world as a whole, had (as the article pointed out) no influence over the cyber-world...

    This was an event that didn't shape anything. It didn't cause any sweeping changes (i.e., Columbine or the Challenger explosion), and certainly didn't bother anybody a week after it happened. I recall being astonished at the organization, having so many people DoS-ing at the same time... it gave me hope that the Internet community could bind together and fight for a common cause. Instead, it was just a trojan run by a single person.

    It was a non-event of Y2K proportions. Get over it.
    ------

  8. Defenses? by dave-fu · · Score: 2

    Like sane egress routing checks set up on the individual ISPs end?
    No, it won't prevent DDoS attacks, but if the checks are set up so as to prevent packets with spoofed IPs from ever leaving their segment, then the people being attacked can see who's attacking, drop packets from them and notify the ISP hosting the (inadvertent?) attacker, letting them know what's happening.

    --
    Easy does it!
    This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
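The egress check described in the comment above, as an added sketch that is not part of the original thread: a segment's edge forwards only packets whose source address falls inside the prefixes it really originates, so whatever reaches the attacked site carries a genuine source and the drop counters tell the ISP which customer port to look at. All prefixes, port names and packets are constructed sample values.

```python
import ipaddress
from collections import Counter

# Constructed values: the prefixes this hypothetical ISP segment really originates.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/25"),
]


def egress_permitted(src):
    """True only if the source address lies inside one of the segment's own prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: never forward
    # Membership is False when address and network differ in IP version.
    return any(addr in net for net in CUSTOMER_PREFIXES)


def filter_egress(packets):
    """Split outbound packets into forwarded and dropped, counting drops per customer port."""
    forwarded, dropped = [], []
    drops_by_port = Counter()
    for pkt in packets:
        if egress_permitted(pkt["src"]):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            drops_by_port[pkt["port"]] += 1  # points at the customer emitting spoofed traffic
    return forwarded, dropped, drops_by_port


def sources_seen_by(victim, forwarded):
    """What the attacked site can tally once only genuine sources get through."""
    return Counter(p["src"] for p in forwarded if p["dst"] == victim)


# Constructed outbound traffic, all aimed at one sample destination.
SAMPLE_PACKETS = [
    {"port": "cust-7", "src": "198.51.100.23", "dst": "192.0.2.80"},   # genuine
    {"port": "cust-7", "src": "10.1.2.3", "dst": "192.0.2.80"},        # spoofed, private range
    {"port": "cust-7", "src": "192.0.2.80", "dst": "192.0.2.80"},      # spoofed as the target
    {"port": "cust-9", "src": "203.0.113.200", "dst": "192.0.2.80"},   # outside the /25
    {"port": "cust-9", "src": "203.0.113.40", "dst": "192.0.2.80"},    # genuine
    {"port": "cust-7", "src": "198.51.100.23", "dst": "192.0.2.80"},   # genuine
]

if __name__ == "__main__":
    fwd, drp, by_port = filter_egress(SAMPLE_PACKETS)
    print("forwarded:", len(fwd), "dropped:", len(drp))
    print("drops per customer port:", dict(by_port))
    print("sources visible at 192.0.2.80:", dict(sources_seen_by("192.0.2.80", fwd)))
```
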
  9. ICMP Traceback Messages by techiemac · · Score: 2

    One of the latest developments in the war against DOS attacks has been with a working group at the IETF that is trying to create ICMP Traceback messages.

    Essentially what these messages do is generate an ICMP packet with the previous IP address and the present IP address with, I believe, the first 60 bytes of the packet for every 20,000 packets that pass through the router. This packet will be sent to the source address so whoever the poor victim is can figure out who the REAL culprit is and not have to chase after spoofed IP addresses. Of course this should only be done on the edge routers and not the core so as to not generate unnecessary traffic and to keep the internals of a service provider secret.

    Now when this would happen is somewhat up in the air. Those of you that have attended IETF meetings know how slowly things can move (my personal experience is with diffserv... shudder, 4 years to argue about 6 bits of data in the IP header). Not to mention every single router vendor has to implement this and on top of this, the service providers have to update their routers with the software updates that support ICMP traceback messages.
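A small simulation of the traceback idea in the comment above, added here as an illustration and not taken from the thread or from any IETF draft: each router reports its previous hop, its own address and the first 60 bytes of every 20,000th packet, and the collected reports are chained into the real path regardless of the spoofed source field. Assumptions: a deterministic counter stands in for sampling, every router on the constructed path generates messages, the reports are gathered at the flooded host, and all addresses are sample values.

```python
SAMPLE_INTERVAL = 20_000   # one traceback message per 20,000 packets (figure from the comment)
SAMPLE_BYTES = 60          # leading bytes of the sampled packet carried in the message


class TracingRouter:
    """Hypothetical router that emits a traceback record for every Nth forwarded packet."""

    def __init__(self, addr):
        self.addr = addr
        self.forwarded = 0

    def forward(self, packet, prev_hop):
        self.forwarded += 1
        if self.forwarded % SAMPLE_INTERVAL == 0:
            return {"prev_hop": prev_hop, "this_hop": self.addr,
                    "sample": packet[:SAMPLE_BYTES]}
        return None


def send_flood(true_origin, routers, count):
    """Push `count` packets through `routers` in order and collect the emitted records."""
    traces = []
    for i in range(count):
        # The claimed source changes on every packet and never matches the real origin.
        spoofed = "10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255)
        packet = ("SRC=%s;" % spoofed).encode() + b"\x00" * 64
        prev_hop = true_origin
        for router in routers:
            trace = router.forward(packet, prev_hop)
            if trace is not None:
                traces.append(trace)
            prev_hop = router.addr
    return traces


def rebuild_paths(traces):
    """Chain prev_hop -> this_hop records into paths, starting where traffic really entered."""
    next_hop = {t["prev_hop"]: t["this_hop"] for t in traces}
    entry_points = sorted(set(next_hop) - set(next_hop.values()))
    paths = []
    for start in entry_points:
        path = [start]
        # Stop at the last reporting router, or if a record would loop back.
        while path[-1] in next_hop and next_hop[path[-1]] not in path:
            path.append(next_hop[path[-1]])
        paths.append(path)
    return paths


def claimed_sources(traces):
    """Source addresses the sampled packets claim; useless for attribution when spoofed."""
    return {t["sample"].split(b";")[0][4:].decode() for t in traces}


def run_constructed_flood():
    routers = [TracingRouter(a) for a in ("192.0.2.1", "192.0.2.2", "192.0.2.3")]
    return send_flood("203.0.113.66", routers, 60_000)


if __name__ == "__main__":
    collected = run_constructed_flood()
    print("records collected:", len(collected))
    print("claimed sources:", sorted(claimed_sources(collected)))
    print("reconstructed path:", rebuild_paths(collected))
```
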

  10. Re:ATTENTION Script Kiddies! by StandardDeviant · · Score: 2

    May Day might be a historically consistent day for rebellion/mischief/etc. Hey, it works for the anarchists and whatnot, no?

    Problem is that these "internet trash" have exactly 0 respect for rules to begin with, so thinking that all of them (or probably even a significant portion of them) would abide by the one-fun-day-a-year approach is probably optimistic. Cool idea though! :-)


    --
    Fuck Censorship.
  11. Re:DNS is a kludge by joto · · Score: 2

    I am pretty sure you quote him out of context here. DNS is not a kludge, it is a relatively good way of naming hosts. Especially if people would still use it as a hierarchy. As a general naming system for web-content, it is a kludge.

  12. Re:DNS is a kludge by joto · · Score: 2

    And "DNS-style abuse" doesn't even refer to the DNS system per se, but to the current policies surrounding the use of DNS on the Internet. Read: trademark-disputes, cybersquatting, etc...

  13. Slashdot is the culprit by Amon+CMB · · Score: 2

    We all know these sites weren't DOS'ed. They were Slashdotted!

    --


    Men believe what they want. - Caesar
  14. Re:Unplugged? by doctor_oktagon · · Score: 2

    Perhaps I'm just insanely naive?

    You are naive, but not insanely so :-)

    There is not a lot you can do if 500Mb/s starts trying to ram itself down your 100Mb line. These vulnerabilities are an inherent part of the infrastructure.

  15. Re:State of the Art vs. Production Systems by doctor_oktagon · · Score: 2

    While the state of the art in withstanding an attack has advanced measurably with the new kernel (SYN cookies, etc.), the Ramen Worm and other recent security problems have shown pretty conclusively that it takes a long time for security patches and package updates to make it into production servers.

    Unfortunately my friend this has nothing to do with OS kernels, and everything to do with infrastructure elements like pipes, routers, switches, and firewalls.

    The infrastructure cannot handle the level of load being placed on it when these attacks take place.

    I agree you can actually DOS a server, but these attacks were against the infrastructure.

  16. ATTENTION Script Kiddies! by jonfromspace · · Score: 2

    Why not have a DDOS reunion tour? I'm sure the folks at CNN, Ebay, etc would love to see your sup3r 1337 skillz again...

    morons...

    --
    I am become Troll, destroyer of threads
    1. Re:ATTENTION Script Kiddies! by JWhitlock · · Score: 4
      Why not have a DDOS reunion tour? I'm sure the folks at CNN, Ebay, etc would love to see your sup3r 1337 skillz again...

      Interesting idea - what if one day out of the year was known as the unofficial "hack" day, when all the 1337 SKs and true crackers concentrated all their attacks. The sys-admins would know as well, so they could actually take time to update software and try to secure their system, set up honeypots, etc. For one day, the limits of security would be tested. And, given that most sys admins don't know much about security, we'd all get a day off work.

      But what date? The date Kevin Mitnick was arrested / released / scheduled to get off parole? The anniversary of the DDoS attack? Personally, I like the idea of the first Friday /Saturday in April. Every few years, it would fall on April Fools Day, it would give sys-admins a Friday to secure the systems, and would allow them to get the systems up and running by Monday.

      Or maybe not, since it is all illegal. But wouldn't it be nice knowing when it was coming?

  17. Re:DDOS and responsibility by jonfromspace · · Score: 2

    are you on glue?

    the "/. effect" is not malicious(sp?), nor does it "Kill" sites... the odd /. link to a small webserver which happens to get crushed for an hour or two is not irresponsible. How many sites have had their fame MADE by a good slashdotting?

    /.'s responsibility is to provide its readers with interesting content, and unfortunately, not all the good stuff is on Yahoo or CNN.

    In closing...Take yer reactionary karma whoring elsewhere.

    --
    I am become Troll, destroyer of threads
  18. As bad these attacks were..... by philkerr · · Score: 2
    They did draw attention to the fact that a lot of e-com companies had failed to secure their sites.

    The rush-to-market took precedence over security, even though preventative measures against DDos attacks were outside the remit of most sites, it was a wake up call.

    A year later security is a lot higher in the product requirements!

  19. Okay. Maybe not. But it still scares me. by BigBlockMopar · · Score: 2

    Okay. So, it's basically DNS that ships around Word documents instead of zone records...

    Hmmm... Opening Word, hitting the space bar once, and then saving the document creates a file that is 19,456 bytes in size. (Under Word 97, Windows 95B, using the normal.dot template.) Adding a few generations of Microsoft Bloat, multiplying it by millions of proles... afraid to estimate the implications of PowerPoint...

    Sounds like, through sheer volume, it might create its own DoS attacks...

    ;)

    --
    Fire and Meat. Yummy.
  20. Efficiency of Microsoft Office 97. by BigBlockMopar · · Score: 2

    There's a minimum size for a LaTeX file with one space in it, too. What's your problem, then?

    Bloat.

    with two spaces in it is probably 19,460 bytes

    (2/19,460)*100 = 0.01027749229188% efficiency.

    Hmmm... I think that's even less than I expected from a Microsoft product.

    And when files like that are being passed around between .NET machines the way zone records are for today's DNS servers, I worry about the future Internet traffic.

    I think I'll stick with vi for all my text editing needs.

    --
    Fire and Meat. Yummy.
  21. DDoS makes Microsoft .NET Impractical by BigBlockMopar · · Score: 2

    How are we to protect ourselves, and save the new economy and way of life and working we see growing for the first time?

    Yeah! But if Microsoft moves all of, for example, Office 2003 to their ".NET" philosophy before DDoS has been conclusively thwarted, they're shooting themselves in the foot.

    Who is going to buy into .NET when any 15-year-old with a cable modem can lock every secretary in the world out of Word? Every accountant out of Excel? Every CEO out of PowerPoint?

    (Okay, not *ALL* of them, but it will be enough that almost all global business stops at the mercy of a mouseclick over a WWF desktop in a New Jersey bedroom.)

    The ease of committing a DDoS is therefore, in my view, a very convincing deterrent to the mass adoption of centralized pay-per-use software subscriptions.

    --
    Fire and Meat. Yummy.
  22. I wonder... by autocracy · · Score: 2
    Less than an hour later, Yahoo seemingly dropped off the Internet, as the company's servers were targeted with the very attack that Bellovin had warned about.

    Did anybody check this guy out? I mean, come on right?

    The problem with capped Karma is it only goes down...

    --
    SIG: HUP
  23. Let go of the Cookie by robbway · · Score: 2

    Reminds me of the allegory of the monkey who can't get his hand out of the cookie jar because he won't let go of the cookie. Security measures to help prevent all DoS attacks as well e-mail virus-like scripts and web scripts severely impair the ability to control and advertise. Until then, you're better off using 3rd party security measures.

    ----------------------

  24. Priorities are all messed up... by wrinkledshirt · · Score: 2
    Was it a forgettable stunt? A much-needed wake-up call for insecure e-commerce sites?

    The sad thing is, e-business will probably decide that the better way to deal with events like these is NOT to secure their sites better, but instead prosecute the hell out of the offenders. That'll work well the moment someone else tries it and isn't too much of a stupid HaX0r to brag about it on a chat site. Also interesting is how these opportunities for learning generally end up involving the lawyers.

    --

    --------
    Bleah! Heh heh heh... BLEAH BLEAH!!! Ha ha ha ha...

  25. It's not the script kiddies ... by codewolf · · Score: 2

    "Lame script kiddies giving hackers a bad name?" It's not the script kiddies giving hackers a bad name, it's the press's misunderstanding and misuse of the word.

    --
    http://www.codewolf.com - Just good stuff to waste time
  26. One way to stop DoS by mr_stark · · Score: 2

    Why don't sysadmins start blocking off invalid TCP/UDP packets at the router? AFAIK lots of DoS attacks use packets with invalid TCP flags, have a look here. If they are dropped by the backbone provider end of problem..... mind you having said that most crackers will simply find another exploit.

    I suppose some sort of stateful tracking would be handy as well, but that wouldn't stop DDos.

    It's a game of chess


    --
    I can't think of anything witty right now
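The kind of stateless flag check the comment above asks routers to apply, written out as an added example that is not from the thread: it reads the flag byte of a raw TCP header and rejects combinations no conforming stack sends, while a well-formed SYN or SYN/ACK passes untouched. The header builder, port numbers and reason strings are constructed for the illustration.

```python
import struct
from collections import Counter

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def make_header(flags, data_offset=5):
    """Build a constructed 20-byte TCP header; ports, sequence and window are sample values."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset << 4, flags, 8192, 0, 0)


def reject_reason(header):
    """Return why a TCP header is malformed, or None if its flags are a legal combination."""
    if len(header) < 20:
        return "truncated header"
    data_offset = header[12] >> 4        # header length in 32-bit words
    flags = header[13] & 0x3F            # the six classic flag bits
    if data_offset < 5:
        return "data offset below 5 words"
    if flags == 0:
        return "no flags set"
    if flags & SYN and flags & FIN:
        return "SYN and FIN together"
    if flags & SYN and flags & RST:
        return "SYN and RST together"
    if flags & FIN and flags & RST:
        return "FIN and RST together"
    if flags & FIN and not flags & ACK:
        return "FIN without ACK"         # also catches FIN+PSH+URG ("xmas") probes
    return None


def screen(headers):
    """Apply the check to a batch; return (passed headers, Counter of drop reasons)."""
    passed, reasons = [], Counter()
    for hdr in headers:
        why = reject_reason(hdr)
        if why is None:
            passed.append(hdr)
        else:
            reasons[why] += 1
    return passed, reasons


# Constructed batch: three legal segments and five malformed ones.
SAMPLE_HEADERS = [
    make_header(SYN),
    make_header(SYN | ACK),
    make_header(FIN | ACK),
    make_header(0),
    make_header(SYN | FIN),
    make_header(FIN | PSH | URG),
    make_header(ACK, data_offset=2),
    make_header(SYN)[:12],
]

if __name__ == "__main__":
    ok, why = screen(SAMPLE_HEADERS)
    print("passed:", len(ok))
    for reason, n in sorted(why.items()):
        print("dropped %d: %s" % (n, reason))
```
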
  27. People are desensitized to it - like crime :) by baptiste · · Score: 2
    Seriously. When this first happened, many people were aghast that you could take down the big sites like that. But it happened, the sites came back, and life goes on. I think people (normal people ;) ) are starting to realize that in their everyday life, if a site like Microsoft or Yahoo goes down, it'll be back up in a few hours. It's not life threatening. Even the investment brokers. Unless they are dying to trade at that instant (and most folks are LTBH investors) they don't care.

    It's a dangerous attitude in some respects, but in others it's not. It's dangerous because it makes folks think hacking is harmless (till their credit report gets ripped off, etc) But heck most people survive just fine if the power goes out for a bit, why not the Internet?

    I'm not agreeing with them, I just see that in responses from folks I talk with that aren't /. readers. The scary part is, DDos attacks ARE the tip of the iceberg. It's kinda like a doofus with a gun. Someone fires one in the air, everyone runs for cover, life stops for a sec, and then folks go about their business, not caring if the bullet came down and killed some poor sap. It just leaves folks unprepared for the real deal like when hackers manage to cull sensitive info on many of the top public officials (or their computer systems) and hold the government hostage. They'll be totally unprepared.

    The best we can do is a) spread the word to our less technically inclined friends that it IS a big deal, b) hacking is different from cracking, and c) contribute to hack prevention/detection systems like Snort (Not necessarily in that order!)

  28. I hate to say this... by TheSHAD0W · · Score: 2

    I'm afraid the only way to make DDoS attacks infeasible is for victimized companies to begin suing both the owners of the networks that have been hacked to produce the floods of packets, and one or more of the ISPs responsible for forwarding those packets to the victims' networks. The grounds for such lawsuits would be negligence in not repairing security holes in those machines, and-or allowing communications from obviously spoofed packets inside their network.

    When companies are informed of the potential liability of not properly securing their networks, they will finally take serious steps to prevent their property from being hijacked and used to attack other systems.

  29. H4xx0r5 gave hackers a bad name. by blair1q · · Score: 2

    We all know this, but sometimes forget, so bear with me here. Hacking didn't used to have anything specific to do with security. Now it's all about security and how to circumvent it. Trying to call it "cracking" will never work. CNN has bigger disinformation pipes than the original hacker community, which has a "tiny urethra" of a PR pipe, and nobody wants to talk about that.

    Mafiaboy is nonetheless the fall-guy for a worldwide Society Of Loners who will get the message just in time for their little sisters to find the crack pipe behind the auth server.

    Meanwhile, national ISPs like WWC.Com and Frontier.Net can't keep their billion-dollar networks running for a week without a major outage. MSN hires gorillas who don't know Cisco from Crisco. Go.Com is its own worst enemy rather than the cyberjewel of the most widely held corporation on Earth. And Intel jailed Randal Schwartz for doing his job.

    Cracking is relatively about as debilitating to the net as keying Vint Cerf's car. But I don't want to be associated with that, either.

    --Blair
    "My tan is the color of a television tuned to a dead channel."

  30. State of the Art vs. Production Systems by lupercalia · · Score: 2

    While the state of the art in withstanding an attack has advanced measurably with the new kernel (SYN cookies, etc.), the Ramen Worm and other recent security problems have shown pretty conclusively that it takes a long time for security patches and package updates to make it into production servers.

    Red Hat hopes to make a splash through their automated update services, but so far they don't seem to be making much of a splash.

    What is really amazing is that there aren't more DDoS attacks, considering the continued vulnerability.

  31. Oh, dear lord, not again... by $eyeB0rq_munqee · · Score: 2
    you dumb fucks actually modded this fuck up again. good god, people, have you no sense anymore?

    IMO, Urban Existentialists will be the curse of slashdot. They are becoming ever more frequent, and are frighteningly easy to implement. How are we to defend the moral upright citizens from attack when you can grab a hotmail address and troll away? Script Kiddies, with long winded trolls running amok, who needs 'em?

    The e-economy is like a shining jewel, eh? Man, you smoke too much fuckin' pot, dude... lay off the weed.

    My suggestion is to nuke your sorry ass off the planet, but that'd be unfair to those unfortunate enough to be near you.

    --
    News for turds, shit that splatters
  32. punishment for script kiddies by kettch · · Score: 3

    The punishment for being a script kiddie who initiates a DDoS attack should be this:

    Tie him to a table. then get about 20 people to stand in a circle around him. Then they should all converge on him, and poke him repeatedly. Just hard enough to hurt a little bit, but not too much. One person doing it would be annoying, but not bad. Multiply it by 20, or more and BWAHAHAHAHAHAH.

    punishment for more serious attacks could replace sticks with finger poking. Let's see how long DDoS attacks would keep happening.

    Of course, all of that would require that they actually put some effort into trying to find out who is responsible. All you have to do is get an infiltrator into some kiddie group. they like to brag incessantly about their latest enterprise, whether it be leeching the latest warez release, or using 31337 sk1llz (some program made by someone who was actually semi intelligent) to h4x0r some computers.

    For the people who actively try to crack systems, there should be a different punishment. If they get caught, they should be required to submit to a colonostomy. (To those non-medical geeks, a colonostomy makes a prostate exam look like a walk in the proverbial park.) Basically, they would be violated, and examined in the same way that they did to whatever system they got into.

    Mostly script kiddies should obey my sig:
    ----------------------

    --
    Opportunities multiply as they are seized. --Sun-Tzu
  33. Cracking & DOS by Minupla · · Score: 3

    Denial of service attacks are to cracking what parking a logging truck in the no parking zone in front of a bank is to bank robbery. It takes no talent, just a disregard for public convenience and a big truck/pipe.


    --
    Remove the rocks to send email

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  34. Since the fall on the dot-coms by chancycat · · Score: 3
    With the possible recession down the road and the recent slew of failing dot-coms, this topic seems to have made less news lately than it had a year ago.

    I'm still wondering why the attack against Microsoft the day after they fixed their DNS routing mistake made so little news. There are still plenty of major web/e-commerce shops out there, but perhaps the specter of DDoS just can't make news and grab eyes like it did just a few months ago.

    --
    Evan - needs to hit preview before submitting
    1. Re:Since the fall on the dot-coms by BigBlockMopar · · Score: 4

      There are still plenty of major web/e-commerce shops out there, but perhaps the specter of DDoS just can't make news and grab eyes like it did just a few months ago.

      I think you hit the nail on the head exactly.

      So Yahoo is down for a few hours. It's inconvenient to users, and it costs them money in lost revenue, but it doesn't mean the end of the Internet.

      Now that the dot-com bubble has burst, perhaps we're starting to see a more rational approach to the whole issue of technology and its embrace by the proles.

      I mean, who on Slashdot was really freaked out when the Yahoo DDoS happened? It's the same thing as we've been used to for years, just on an incrementally larger scale. No big whup. No credit card numbers got out. No one got the number to the cellphone on Air Force One.

      I'm still wondering why the attack against Microsoft the day after they fixed their DNS routing mistake made so little news.

      Yeah, especially pushing their .NET concept. What happens to the users that I serve at work, when they're using Office 2003, and Microsoft makes a similar error?

      Problems with software are inevitable, but I think this weakness has been glossed over in the mad frenzy for centralized software. I'd rather know that if Office blows up, I'll simply go to the computer in the next cubicle.

      That way, I don't have to wait for them to get their servers back up before I can manipulate my document. Let alone my telco, my ISP, their backbone provider...

      DDoS isn't a big deal. Yet.

      --
      Fire and Meat. Yummy.
  35. But he uses a computer! He can't be bad! by MongooseCN · · Score: 3

    ...as a typical slashdot posting would say. Now really DDoSing may be a simple thing to pull off but it's damaging and annoying to many people so why not arrest the little script kiddie? Maybe it will serve as an example to all the other kiddies out there. Saying that websites should be more secure instead of arresting crackers, script kiddies, etc is the same thing as saying we should be creating better bullet proof vest rather than arresting psychotic gunmen.

  36. Let's pretend that we're rational people. by BigBlockMopar · · Score: 3

    Just because it was Yahoo, does that makes it ok.

    No. It doesn't. In fact, Yahoo is my browser home page. I probably hit it dozens of times a day. As far as I'm concerned, it's the best all-around portal/search engine out there.

    What if it was your online brokerage company that was being DOS'ed and you couldn't get through to tell your broker to sell your RedHat stocks before they evaporated?

    [sigh]

    Can we be rational about this for a moment? You write like you have exactly the same sort of momentum and hysteria going as NASDAQ in general did.

    Okay. Brainflash: the Internet is merely a communication tool.

    A DDoS interrupts your communication. Like walking into an elevator with a cellphone.

    It's an outage, an interruption, inconvenient and frustrating but not the end of the world.

    On the other hand, what would the ramifications be if someone could press a button and selectively give a cellphone user a brain tumor? (Oh, think of how useful that would be when you're driving!) For one thing, it would absolutely kill the cellphone. No one would use them.

    This could be a parallel to more malicious and dangerous cyber-terrorism; breaking into secure machines and disseminating private information.

    The DDoS is inconvenient and makes you reconsider your reliance on the medium. Hold the fire and brimstone: give your broker a call with a telephone.

    Does your above statement still work?

    Unless the Internet is blown beyond all proportion, from being the (revolutionary) communications tool that it is to the realm of a lifestyle, yes, it does work.

    A year ago, the Internet was basically down. The traffic from the DDoS was such that most other pages that I tried to load were unusably sluggish. At the time, I didn't know why. I pinged big sites (including Yahoo) and did traceroutes trying to figure out where the bottlenecks were. Satisfied that it wasn't on my LAN or even with my ISP, I gave up: Instead of looking up a supplier using www.four11.com, I picked up the Yellow Pages.

    It sucked, it was inconvenient, I had dozens of users asking me why mail was bouncing and pages didn't load, but it wasn't the end of the world.

    --
    Fire and Meat. Yummy.
  37. Re:Hmm, cracks and security. by doctor_oktagon · · Score: 4

    Perhaps ISP's should work with server operators to make their servers better equipped to prevent an entry by a nefarious source...

    I actually wrote all the Terms & Conditions of service for an Asian ISP last year, and I made a point of including a section which made the customer responsible for having a secure system, or the ISP could cut their access.

    Unfortunately ISPs don't (generally) have the resource required to police all their customers, and thus the problem is ignored.

    I strongly agree that the problem is with all those broken boxes hanging off the internet, and not the site administrators at the target.

    We are slowly moving towards automated self-updating servers, but don't hold your breath!

  38. There IS a DEFENCE..... by FKell · · Score: 4

    The defence is for the freaking administrators of all the main systems (major IP subnets) to not allow a subnet ping (a ping where every node that is alive returns a ping to the sender)...This would stop ALL DoS attacks in which the person causing the attack is only in control of one computer.

    That leaves us with attacks that are coming from super-high bandwidth systems, and attacks that are using large numbers of systems. The high-bandwidth systems are MOST likely NOT going to be responsible for many attacks, as most hackers can not afford to pay for the kind of bandwidth needed. This leaves us back to the issue that the person starting the attack will need to break into any/all systems that start the attack. Now this could be easily resolved if people were just informed correctly about what security issues they need to worry about (like placing your system behind a decent firewall, software or hardware based).
    That would then block out a very high number of the people trying to do these attacks, because face it, most of these attacks are from novice hackers who can not actually hack the system/entity that they have a problem with so they launch a DoS attack because it is so easy to do. Increasing the difficulty of launching this type of attack and the people who are doing these attacks will either need to learn how to be a better hacker (in which case they will probably find a way to actually gain access to the system that they are DoS'ing and just wipe them) or they will get fed up with it and go piss and moan to their friends.

  39. dDoS's can be a good thing. by Urban+Existentialist · · Score: 4
    dDoS'es, IMO, will be the curse of the Internet. They are becoming ever more frequent, and are frighteningly easy to implement. How are we to defend the new economy, the Internet, against the attacks of society's malevolent rejects, the Script Kiddies? The e-economy is like a shining jewel, offering a new way forward for mankind. But the ignorant and small-minded have every desire to destroy it and tear down the towers of Babel.

    How are we to protect ourselves, and save the new economy and way of life and working we see growing for the first time?

    My suggestion is that we greatly improve punishments for script kiddies and throw cash at the problem by initiating 'online cops' with special dispensation to track them down. The Internet needn't be a lawless frontier anymore.

    Israel has done this to an extent. We should too.

    --

    You know exactly what to do-
    Your kiss, your fingers on my thigh-
    I think of little else but you.

  40. Stopping DDoS by stigmatic · · Score: 4

    I wrote a text from the administrative standpoint on how to pretty much eliminate 80% or so of an attack on a variety of hardware/software-based levels, which can be found at my site.

    Now as for the attacks themselves, this wasn't anything new as DDoS became popular after Mixter coded a scriptkiddiot tool, which allowed malicious users to actually implement these attacks on a ./script basis.

    The foundations for DDoS though are a bit old and could have long been resolved had thorough networks been set up to deny any malicious activity to leave their networks and attack others.

    Many admins have the knowledge to do so, but I think their resources are tied into making things work right then and there as opposed to doing it right.

    --
    "When I was a Buddhist, it drove my parents and friends crazy, but when I am buddha, nobody is upset at all"
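
Added example, not part of any comment in this thread: a Python sketch of the two border checks that comments 38 and 40 point to, refusing directed-broadcast ("subnet ping") traffic inbound and refusing outbound packets whose source address is not one of the site's own. Reading comment 40's outbound filtering as source-address validation is an assumption, as are the subnets, packets and function names, all constructed here.

```python
import ipaddress
from collections import namedtuple

# Constructed topology: documentation prefixes (RFC 5737), not real networks.
SITE_SUBNETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/25", "192.0.2.128/25")]

Packet = namedtuple("Packet", "src dst proto")


def is_directed_broadcast(dst, subnets=SITE_SUBNETS):
    """True if dst is the all-ones or all-zeros host address of a site subnet."""
    addr = ipaddress.ip_address(dst)
    return any(addr in (net.broadcast_address, net.network_address)
               for net in subnets)


def inbound_verdict(pkt, subnets=SITE_SUBNETS):
    """Traffic entering the site: never relay a packet to a whole subnet."""
    if is_directed_broadcast(pkt.dst, subnets):
        return "drop: directed broadcast"
    return "forward"


def outbound_verdict(pkt, subnets=SITE_SUBNETS):
    """Traffic leaving the site: the source must be an address we own."""
    src = ipaddress.ip_address(pkt.src)
    if not any(src in net for net in subnets):
        return "drop: source not in site prefixes"
    return "forward"


# Constructed sample packets.
INBOUND = [
    Packet("198.51.100.7", "192.0.2.127", "icmp"),   # broadcast of 192.0.2.0/25
    Packet("198.51.100.7", "192.0.2.128", "icmp"),   # network address of second /25
    Packet("198.51.100.7", "192.0.2.10", "icmp"),    # ordinary host
]
OUTBOUND = [
    Packet("192.0.2.20", "203.0.113.5", "udp"),      # our own address
    Packet("203.0.113.99", "198.51.100.1", "udp"),   # source we do not own
]

if __name__ == "__main__":
    for p in INBOUND:
        print("in ", p, "->", inbound_verdict(p))
    for p in OUTBOUND:
        print("out", p, "->", outbound_verdict(p))
```

The check is only as good as its knowledge of the real subnet boundaries: evaluated against a single 192.0.2.0/24, the address 192.0.2.127 looks like an ordinary host and is forwarded.
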
  41. Mafiaboy pleaded guilty in January by Bishop · · Score: 5

    The linked article is out of date. On January 18th Mafiaboy pleaded guilty to 56 of the 66 charges. The other 10 charges were withdrawn. CBC has some details.

  42. Re:DDOS and responsibility by Foochar · · Score: 5

    The key difference between slashdot and a DDOS is the legitimacy of the access.

    When slashdot links to a site all they are doing is advertising the existence of said site. It's not that much different from when a gas station does a roll back the clock sale and marks their prices down to $0.49 for the day and it has similar results. Every person going to a site linked to by slashdot has a legitimate reason to go there. Additionally many of the sites benefit from the added traffic. For many of the small sites if just 1 percent of the slashdotters that visit the site keep coming they will have increased their number of readers by an order of magnitude or more, and by increasing their numbers they have increased their earning from any advertising they may do.

    The traffic generated by a DDOS attack on the other hand is not legitimate traffic. Its sole intent is to bring down the site. It doesn't bring new people to the site, it doesn't generate banner revenue for the site, it just brings it down. It'd be the equivalent to somehow brainwashing a bunch of people to all get in their cars at the same time, drive down to the gas station. Once they got there they'd pull up to the pump, take the nozzle out, flip the lever and then hang it back up again without pumping any gas. All you are doing is preventing legitimate access from taking place, and in the gas station example they'd all probably get prosecuted for trespassing.

    You can't blame slashdot for a site's inability to keep up with legitimate demand, the same way you can't blame the community for a store's inability to keep a hot item in stock, say a Furby a couple Christmases ago. Who do you blame? The store who can't meet demand, and the site who can't keep up with traffic.

    --
    "You can't fight in here! This is the war room" --Dr. Stra
  43. There's no defense against tacks either by Microsift · · Score: 5
    If I took a bag of tacks and spread them across a busy highway, traffic would slow down to a crawl as the road became littered with disabled vehicles (or if I hung a VW from a bridge). Not much has been done to combat this, except that most people are decent enough not to drop a bagful of tacks on the road.

    Regard these attacks for what they are: irresponsible acts by people with little regard for the public good.

    --
    My other sig is extremely clever...