The DDoS Attacks, One Year Later
ATKeiper writes: "One year after the DDoS attacks against major Web sites, C|Net reports that there are still 'no strong defenses deployed' against such attacks. The only person so far accused by prosecutors is Canadian teen hacker mafiaboy, whose trial starts in a month. Was it a forgettable stunt? A much-needed wake-up call for insecure e-commerce sites? Lame script kiddies giving hackers a bad name?"
The punishment for being a script kiddie who initiates a DDoS attack should be this:
Tie him to a table. Then get about 20 people to stand in a circle around him. Then they should all converge on him, and poke him repeatedly. Just hard enough to hurt a little bit, but not too much. One person doing it would be annoying, but not bad. Multiply it by 20, or more and BWAHAHAHAHAHAH.
Punishment for more serious attacks could replace sticks with finger poking. Let's see how long DDoS attacks would keep happening.
Of course, all of that would require that they actually put some effort into trying to find out who is responsible. All you have to do is get an infiltrator into some kiddie group. They like to brag incessantly about their latest enterprise, whether it be leeching the latest warez release, or using 31337 sk1llz (some program made by someone who was actually semi intelligent) to h4x0r some computers.
For the people who actively try to crack systems, there should be a different punishment. If they get caught, they should be required to submit to a colonostomy. (To those non-medical geeks, a colonostomy makes a prostate exam look like a walk in the proverbial park.) Basically, they would be violated, and examined in the same way that they did to whatever system they got into.
Mostly script kiddies should obey my sig:
----------------------
Opportunities multiply as they are seized. --Sun-Tzu
Denial of service attacks are to cracking what parking a logging truck in the no parking zone in front of a bank is to bank robbery. It takes no talent, just a disregard for public convenience and a big truck/pipe.
--
Remove the rocks to send email
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
I'm still wondering why the attack against Microsoft the day after they fixed their DNS routing mistake made so little news. There are still plenty of major web/e-commerce shops out there, but perhaps the specter of DDoS just can't make news and grab eyes like it did just a few months ago.
Evan - needs to hit preview before submitting
Outdoor digital photography, mostly in New Engl
Just because it was Yahoo, does that make it ok?
No. It doesn't. In fact, Yahoo is my browser home page. I probably hit it dozens of times a day. As far as I'm concerned, it's the best all-around portal/search engine out there.
What if it was your online brokerage company that was being DOS'ed and you couldn't get through to tell your broker to sell your RedHat stocks before they evaporated? [sigh]
Can we be rational about this for a moment? You write like you have exactly the same sort of momentum and hysteria going as NASDAQ in general did.
Okay. Brainflash: the Internet is merely a communication tool.
A DDoS interrupts your communication. Like walking into an elevator with a cellphone.
It's an outage, an interruption, inconvenient and frustrating but not the end of the world.
On the other hand, what would the ramifications be if someone could press a button and selectively give a cellphone user a brain tumor? (Oh, think of how useful that would be when you're driving!) For one thing, it would absolutely kill the cellphone. No one would use them.
This could be a parallel to more malicious and dangerous cyber-terrorism; breaking into secure machines and disseminating private information.
The DDoS is inconvenient and makes you reconsider your reliance on the medium. Hold the fire and brimstone: give your broker a call with a telephone.
Does your above statement still work? Unless the Internet is blown beyond all proportion, from being the (revolutionary) communications tool that it is to the realm of a lifestyle, yes, it does work.
A year ago, the Internet was basically down. The traffic from the DDoS was such that most other pages that I tried to load were unusably sluggish. At the time, I didn't know why. I pinged big sites (including Yahoo) and did traceroutes trying to figure out where the bottlenecks were. Satisfied that it wasn't on my LAN or even with my ISP, I gave up: Instead of looking up a supplier using www.four11.com, I picked up the Yellow Pages.
It sucked, it was inconvenient, I had dozens of users asking me why mail was bouncing and pages didn't load, but it wasn't the end of the world.
Fire and Meat. Yummy.
Perhaps ISPs should work with server operators to make their servers better equipped to prevent an entry by a nefarious source...
I actually wrote all the Terms & Conditions of service for an Asian ISP last year, and I made a point of including a section which made the customer responsible for having a secure system, or the ISP could cut their access.
Unfortunately ISPs don't (generally) have the resource required to police all their customers, and thus the problem is ignored.
I strongly agree that the problem is with all those broken boxes hanging off the internet, and not the site administrators at the target.
We are slowly moving towards automated self-updating servers, but don't hold your breath!
Interesting idea - what if one day out of the year was known as the unofficial "hack" day, when all the 1337 SKs and true crackers concentrated all their attacks. The sys-admins would know as well, so they could actually take time to update software and try to secure their system, set up honeypots, etc. For one day, the limits of security would be tested. And, given that most sys admins don't know much about security, we'd all get a day off work.
But what date? The date Kevin Mitnick was arrested / released / scheduled to get off parole? The anniversary of the DDoS attack? Personally, I like the idea of the first Friday/Saturday in April. Every few years, it would fall on April Fools Day, it would give sys-admins a Friday to secure the systems, and would allow them to get the systems up and running by Monday.
Or maybe not, since it is all illegal. But wouldn't it be nice knowing when it was coming?
The defence is for the freaking administrators of all the main systems (major IP subnets) to not allow a subnet ping (a ping where every node that is alive returns a ping to the sender)... This would stop ALL DoS attacks in which the person causing the attack is only in control of one computer.
That leaves us with attacks that are coming from super-high bandwidth systems, and attacks that are using large numbers of systems. The high-bandwidth systems are MOST likely NOT going to be responsible for many attacks, as most hackers can not afford to pay for the kind of bandwidth needed. This leaves us back to the issue that the person starting the attack will need to break into any/all systems that start the attack. Now this could be easily resolved if people were just informed correctly about what security issues they need to worry about (like placing your system behind a decent firewall, software or hardware based).
That would then block out a very high number of the people trying to do these attacks, because face it, most of these attacks are from novice hackers who can not actually hack the system/entity that they have a problem with so they launch a DoS attack because it is so easy to do. Increasing the difficulty of launching this type of attack and the people who are doing these attacks will either need to learn how to be a better hacker (in which case they will probably find a way to actually gain access to the system that they are DoS'ing and just wipe them) or they will get fed up with it and go piss and moan to their friends.
How are we to protect ourselves, and save the new economy and way of life and working we see growing for the first time?
My suggestion is that we greatly improve punishments for script kiddies and throw cash at the problem by initiating 'online cops' with special dispensation to track them down. The Internet needn't be a lawless frontier anymore.
Israel has done this to an extent. We should too.
You know exactly what to do-
Your kiss, your fingers on my thigh-
I think of little else but you.
I wrote a text from the administrative standpoint on how to pretty much eliminate 80% or so of an attack on a variety of hardware/software based level which can be found at my site.
Now as for the attacks themselves, this wasn't anything new as DDoS became popular after Mixter coded a scriptkiddiot tool, which allowed malicious users to actually implement these attacks on a ./script basis.
The foundations for DDoS though are a bit old and could have long been resolved had thorough networks been set up to deny any malicious activity to leave their networks and attack others.
Many admins have the knowledge to do so, but I think their resources are tied into making things work right then and there as opposed to doing it right.
"When I was a Buddhist, it drove my parents and friends crazy, but when I am buddha, nobody is upset at all"
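Added illustration, not written by any commenter in this thread: two network-side defenses raised above (refusing "subnet pings", and keeping malicious traffic from leaving your own network) can be expressed as one border-router decision. The prefixes, function names and sample addresses are assumptions constructed for this sketch.

```python
import ipaddress

# Constructed internal prefixes (documentation ranges), not from the thread.
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def is_internal(ip, nets=INTERNAL_NETS):
    """True if ip belongs to one of our own prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def is_directed_broadcast(dst, nets=INTERNAL_NETS):
    """True if dst is the network or broadcast address of a local subnet.

    The broadcast address depends on the prefix length, so a check for
    addresses ending in .255 would miss 198.51.100.127 on the /25 above.
    """
    addr = ipaddress.ip_address(dst)
    return any(addr in (net.network_address, net.broadcast_address)
               for net in nets)


def border_decision(direction, src, dst):
    """Return (action, reason) for a packet crossing the border router.

    direction is "in" (Internet to us) or "out" (us to Internet).
    """
    if direction == "in":
        if is_internal(src):
            return ("drop", "inbound packet claims an internal source")
        if is_directed_broadcast(dst):
            return ("drop", "directed broadcast to a local subnet")
        return ("forward", "ok")
    if direction == "out":
        if not is_internal(src):
            return ("drop", "source address is not ours (spoofed)")
        return ("forward", "ok")
    raise ValueError("direction must be 'in' or 'out'")


if __name__ == "__main__":
    # Constructed sample packets: (direction, source, destination).
    for pkt in [("in", "203.0.113.9", "198.51.100.127"),
                ("in", "203.0.113.9", "192.0.2.80"),
                ("out", "203.0.113.5", "203.0.113.200"),
                ("out", "192.0.2.10", "203.0.113.200")]:
        print(pkt, "->", border_decision(*pkt))
```
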
The linked article is out of date. On January 18th Mafiaboy pleaded guilty to 56 of the 66 charges. The other 10 charges were withdrawn. CBC has some details.
The key difference between slashdot and a DDOS is the legitimacy of the access.
When slashdot links to a site all they are doing is advertising the existence of said site. It's not that much different from when a gas station does a roll back the clock sale and marks their prices down to $0.49 for the day and it has similar results. Every person going to a site linked to by slashdot has a legitimate reason to go there. Additionally many of the sites benefit from the added traffic. For many of the small sites if just 1 percent of the slashdotters that visit the site keep coming they will have increased their number of readers by an order of magnitude or more, and by increasing their numbers they have increased their earning from any advertising they may do.
The traffic generated by a DDOS attack on the other hand is not legitimate traffic. Its sole intent is to bring down the site. It doesn't bring new people to the site, it doesn't generate banner revenue for the site, it just brings it down. It'd be the equivalent to somehow brainwashing a bunch of people to all get in their cars at the same time, drive down to the gas station. Once they got there they'd pull up to the pump, take the nozzle out, flip the lever and then hang it back up again without pumping any gas. All you are doing is preventing legitimate access from taking place, and in the gas station example they'd all probably get prosecuted for trespassing.
You can't blame slashdot for a site's inability to keep up with legitimate demand, the same way you can't blame the community for a store's inability to keep a hot item in stock, say a Furby a couple Christmases ago. Who do you blame, the store who can't meet demand, and the site who can't keep up with traffic.
"You can't fight in here! This is the war room" --Dr. Stra
Regard these attacks for what they are: irresponsible acts by people with little regard for the public good.
My other sig is extremely clever...