Post-mortem of a DOS Attack
MartinB writes: "Following a recent spate of DDoS attacks on his grc.com (home of Shields UP!), Steve Gibson investigated, finding a network of compromised IRC bots being used to flood vulnerable targets. Surprisingly, the thing which saved him is Win 9x's non-standard implementation of Sockets, making it impossible to spoof IPs. However, he warns, even consumer versions of WinXP won't have this safety 'feature'. Is there time to prevent this? Is implementing the standard always A Good Thing?" Gibson uses too many exclamation points in his article. But it's still interesting, if only to note the number of exploited personal machines on cable modems.
In the past week I've been emailed 3 "funny joke" executables for windows from different people (one of whom is an engineer at a large software company and should know better). The cc list on one was over 50 people, and the forward list was even higher. How the hell can you stop DoS attacks and home PC hacking when people are so clueless?
He claims: "It is impossible for an application running under any version of Windows 3.x/95/98/ME or NT to "spoof" its source IP or generate malicious TCP packets such as SYN or ACK floods"
This is not true: it is easily done under such systems -- just not with the sockets layer. People have been doing it for a long time using such things as the TDI layer or direct NDIS calls from applications.
Steve Gibson is well known because he communicates well with ignorant users and has a flair for the dramatic. However, he really just doesn't understand security.
Personally, I think that it is important that every OS has a full TCP/IP implementation and I think that Gibson is barking up the wrong tree: It's important that ISPs don't route packets into the wild that don't have correct source IPs! That should be a trivial thing to do and would more or less remove IP spoofing.
There's no use in crippling the TCP/IP implementation; more sensible routing is what is needed to get rid of such attacks and to be able to find their originators. The problem of DDoS attacks still exists, of course, but it could be removed by 'intelligent' routers that don't route traffic that behaves in certain patterns, e.g. heaps of SYN packets from one IP to another.
There are already high level people calling for the next generation internet to be a cluster of VPNs, to cut back on the DDOS stuff. Guess what? It's probably gonna happen that way.
The Internet is based on far too much of a consensus model. Consensus models don't scale well. Bye-bye.
this kinda irc botnet is probably a lot easier to trace than non-irc based DDoS as every trojaned program contains in it the exact server/channel/key as he shows in the article, did you read it? :)
If the hosts are spoofing the sources of the packets then you're probably screwed, but these aren't. They are installed on windows systems that can't spoof (without rewritten tcp stacks) and installed on so many that the likelihood of being able to track down the owner of one and get co-operation in locating the trojan file is high.
The problem is, like he said, the FBI won't get involved unless $5000 worth of damage is done, or business lost, and even then they are already overworked with the cases they have. It's not an untraceable system but anyone who traces you is unlikely to do much.
Gibson is most definitely a blowhard, as most any educated individual can tell from the general tone of the article. But at the same time, he presents a body of interesting research. It's great that he's taken some time to properly dissect a DDOS attack. The detail of the discussion is certainly something that I haven't seen in other similar articles and is welcome, even if the subject matter is somewhat geared towards the compsec newbie.
Frost_Byte
----------
frost_byte_si
AT SYMBOL
hotmail.com
Just because Winsock does not support the "IP Header Include" flag does not mean that packets cannot be spoofed from a 9x machine. The Winsock DLLs are just interfaces for the Ring0 VxDs for transport.
If 9x will not construct and send spoofed packets, then look at Exploit Generator: ftp://ftp.technotronic.com/denial/expgen085.zip
Hopefully no one actually takes him seriously.
Windows is the target of choice because there are large numbers of clueless people with good connectivity running Windows.
However the clue level among random Linux users is not great, and Linux has implemented the full protocol all along. If the same people were all using Red Hat, that would be just as bad as everyone using Windows XP.
Sadly as long as there is no real penalty for running a compromised machine, there will be no pressure on ISPs to care. And as long as that is the case, there will be armies of bots ready to go.
If you want to fix the problem, have a fine of $500 per compromised machine the FBI finds that you have online, and a similar fine for every compromised machine an ISP connects whose activity pattern over at least a week indicated was likely compromised. With that kind of financial bait, the police would be motivated to enforce, ISPs would be motivated to do something about the problems, and consumers would have a reason to care about security.
Nothing less will even slow DDoS. Certainly not putting the same naive people on a more capable OS (like Linux).
IP spoofing is NOT impossible on win9x boxes. Take a look at winpcap and the windump developer's pack sometime. It is very difficult and you have to build the packets yourself from the link-level header on up, but it IS possible... I've done it.
There are no major consequences yet because nothing truly important has been hooked up to the internet yet. There were no deaths due to car accidents for a long time after the automobile was invented, but that's only because they all went 10 mph back then. [insert cliched information superhighway analogy here]
You are completely missing the point. No intervention would be necessary if the users themselves would wake the hell up and manage their computers properly.
I don't mean the server, I mean the users of the individual computers which were hijacked and then used in the DDoS without their knowledge. A few minutes going over their configuration, or buying ZoneAlarm or a similar product (which Gibson found to be effective against this particular bot) prevents any one computer from being used.
I agree that bugs in the computer itself are also a bad thing, but through some small effort by the users (less effort than, say, buying a burglar alarm system or a Club) the bug's effects can be reduced or eliminated.
That was hands down the coolest article on computer security I've ever read. :)
Everyone always writes about cracking in a condescending, "when-will-they-learn" tone, as if it's all a mildly amusing game (which it is to them, because the authors are rarely the ones being cracked). Gibson, who did get attacked himself, looks at cracking as the serious and dangerous problem that it really is. This article describes a real war, with first strikes, counterattacks, espionage, and so on.
This really opened my eyes to what a huge problem the internet's technological loopholes have and will become. More mainstream articles after this form would surely help raise the awareness about security issues that was sadly lacking in all the unknowing carriers of Zombies.
(And no, I do not consider this "fearmongering". Fearmongering does not offer solutions or point out that none of this would have happened if people would just GET A CLUE.)
These attacks are very difficult to defend against, because they simulate actual valid traffic. And you can't block the source address, because it's invalid.
If the address is invalid it should have been blocked by the outgoing routers or the router at your edge. i.e. my firewall won't pass any of the private IP blocks and the routers at my ISP drop packets from IPs in those same private blocks.
Now spoofing routable address is a different story but again if the edge routers simply dropped traffic from IPs it shouldn't see on that particular interface you'd see a hell of a lot less DDoS than you do now.
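The per-interface source check described in the two replies above, as an added illustration (not code from the thread or from any ISP): a small simulation of an edge router that drops packets whose source address is not assigned to the interface they arrived on, plus the private (RFC 1918) blocks. The interface names, prefixes and sample packets are constructed for the demo; the last sample packet shows the caveat raised later in the thread, that spoofing a neighbour inside the same block still gets through.

```python
"""Source-address ingress filtering on customer-facing interfaces (simulation).

Added example. The topology below is constructed: "eth0" is a DSL aggregation
port owning 203.0.113.0/24 and "eth1" a cable aggregation port owning
198.51.100.0/24. A packet is accepted only if its source falls inside the
block assigned to the interface it entered on.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "iface src dst")

# Constructed assignment of source prefixes to interfaces.
IFACE_PREFIXES = {
    "eth0": [ipaddress.ip_network("203.0.113.0/24")],
    "eth1": [ipaddress.ip_network("198.51.100.0/24")],
}

# Private and otherwise unroutable space is never a valid source on a customer port.
BOGON_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
]


def classify(pkt):
    """Return ("accept", "") or ("drop", reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    for net in BOGON_PREFIXES:
        if src in net:
            return ("drop", f"bogon source {pkt.src} on {pkt.iface}")
    allowed = IFACE_PREFIXES.get(pkt.iface)
    if allowed is None:
        return ("drop", f"unknown interface {pkt.iface}")
    if any(src in net for net in allowed):
        return ("accept", "")
    return ("drop", f"source {pkt.src} not assigned to {pkt.iface}")


def filter_packets(packets):
    """Split a packet list into (accepted, dropped); each entry is (packet, reason)."""
    accepted, dropped = [], []
    for p in packets:
        verdict, reason = classify(p)
        (accepted if verdict == "accept" else dropped).append((p, reason))
    return accepted, dropped


# Constructed sample traffic arriving at the edge router.
SAMPLE = [
    Packet("eth0", "203.0.113.45", "192.0.2.10"),    # DSL customer, own block: accept
    Packet("eth0", "198.51.100.7", "192.0.2.10"),    # cable block seen on DSL port: spoofed, drop
    Packet("eth1", "10.1.2.3", "192.0.2.10"),        # private source: bogon, drop
    Packet("eth1", "198.51.100.200", "192.0.2.10"),  # cable customer, own block: accept
    Packet("eth0", "203.0.113.99", "192.0.2.10"),    # a neighbour's address in the same block: still passes
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    for p, reason in bad:
        print("DROP", p.iface, p.src, "->", p.dst, ":", reason)
    print(f"accepted {len(ok)}, dropped {len(bad)}")
```

The check costs one prefix lookup per packet against a handful of prefixes, which is the point made above about doing this at the edge rather than in the core: the edge knows exactly which block sits behind each port.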
Maybe you do this, but most of the internet does despite efforts to the contrary -- MFS once threatened to disconnect people who weren't blocking spoofed traffic entering and leaving their network.
I tend to think that far less of the edge routers are doing this than you may think. As you said, filtering becomes expensive as the routing tables become larger and companies are not wanting to spend the money on new equipment. That's why I'm suggesting that only the edges perform this type of filtering. You have a limited number of interfaces and the IPs flowing between them are far smaller than the number of acceptable addresses flying through a core router's interfaces.
Also, I'm not talking about the dialup providers. The amount of bandwidth a single (or even 1000) dialup users can provide doesn't even register on the map of these DDoS attacks. But every DSL and cable provider should be filtering their incoming traffic.
You gotta read how he complains about the standard socket implementation of Win2k / XP. First people complain about the lack of it, now because it's there, damn, give MS a break.
I don't know about you, but my routers simply drop traffic which doesn't come from an IP that isn't from the interface it's coming in on. I don't care what the users run because the edge routers won't allow spoofed traffic... well not unless they spoof another IP within the block(s) on the interface. :-)
There are only ten (10) exclamation points in the article, excluding the ones during the IRC chat log. Considering the article is SEVERAL pages long, I find it hard to consider this *excessive* use of exclamation points!
-Michael
Of course they can. Any half way decent intrusion detection system will notice the pattern of a DoS attack, and dynamically add a firewall rule to block *all* traffic from the offending IP for a period of time. DDoS attacks are trickier, because you need to block several (often hundreds or even thousands of IP addresses or ranges), but the same principle still applies. The concern here is that a large scale DDoS attack will cause the firewall to be processing so many rules for each packet that it's unable to keep up with the traffic. The undesirable packets won't get past the firewall, but random packets will start to be dropped, including ones containing genuine traffic. So you still get a DoS, albeit a lesser one than you would have had without the firewall.
"The invisible and the non-existent look very much alike." -- Delos B. McKown
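The "notice the pattern, add a temporary rule" behaviour described in the comment above, as an added example that is not part of the thread: a per-source sliding-window rate detector that installs a time-limited block for any source exceeding a packet-rate threshold and expires it afterwards. Thresholds, timings and the traffic are constructed for the demo; the second run of the flooding host after its block expires shows why the rule table stays bounded.

```python
"""Per-source flood detection with dynamic, expiring block rules (simulation).

Added example. Each incoming packet is (timestamp, source). A source that
sends more than `threshold` packets inside any `window` seconds gets a block
entry for `block_seconds`; packets from a blocked source are dropped without
further counting, and the entry is removed once it expires.
"""
from collections import defaultdict, deque


class FloodBlocker:
    def __init__(self, threshold=50, window=1.0, block_seconds=60.0):
        self.threshold = threshold          # packets per window that trigger a block
        self.window = window                # seconds
        self.block_seconds = block_seconds
        self.recent = defaultdict(deque)    # src -> timestamps inside the window
        self.blocked_until = {}             # src -> expiry; the "dynamic firewall rule"
        self.rule_log = []                  # (time, src, "block" | "unblock")

    def active_rules(self, now):
        """Sources currently blocked at time `now`."""
        return {s for s, t in self.blocked_until.items() if t > now}

    def handle(self, now, src):
        """Return 'drop' or 'pass' for one packet from `src` at time `now`."""
        expiry = self.blocked_until.get(src)
        if expiry is not None:
            if now < expiry:
                return "drop"
            del self.blocked_until[src]                 # rule expired, start counting afresh
            self.rule_log.append((now, src, "unblock"))
        q = self.recent[src]
        q.append(now)
        while q and q[0] < now - self.window:           # slide the window
            q.popleft()
        if len(q) > self.threshold:
            self.blocked_until[src] = now + self.block_seconds
            self.rule_log.append((now, src, "block"))
            q.clear()
            return "drop"
        return "pass"


def run(events):
    """Feed (timestamp, src) events through a FloodBlocker; return it and per-source counts."""
    blocker = FloodBlocker()
    counts = defaultdict(lambda: {"pass": 0, "drop": 0})
    for now, src in events:
        counts[src][blocker.handle(now, src)] += 1
    return blocker, dict(counts)


# Constructed traffic: one host sends 200 packets in 0.4 s, a normal host sends
# 5 packets, and the flooder sends one more packet after its block has expired.
EVENTS = sorted(
    [(i * 0.002, "203.0.113.7") for i in range(200)]
    + [(i * 0.05, "198.51.100.9") for i in range(5)]
    + [(70.0, "203.0.113.7")]
)

if __name__ == "__main__":
    blocker, counts = run(EVENTS)
    for src, c in counts.items():
        print(f"{src}: passed {c['pass']}, dropped {c['drop']}")
    for t, src, action in blocker.rule_log:
        print(f"t={t:.3f}s {action} {src}")
```

The expiry step is what keeps the rule set from growing without bound during a large DDoS; it does not remove the cost the comment points at, since every packet from a blocked source is still a lookup at the filter, and a flood big enough to saturate the line in front of the filter is still a flood.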
That still doesn't explain why you don't completely block UDP access to a Webserver (and whilst under attack you could probably survive without Ping and traceroutes also)?
There are two issues you're addressing here.
Windows' crappy sockets implementation prevents it from participation in spoofed packet building attacks, like SYN floods and the like. These attacks are very difficult to defend against, because they simulate actual valid traffic. And you can't block the source address, because it's invalid.
Windows' crappy security allows trojans to be installed that can make attacks that don't require spoofing to be effective - massive pingfloods and the like. These attacks, as SG shows, can be effectively 'cancelled' to a degree. The attack was still going on, but the number of packets coming in wasn't as big a deal to the fat pipe upstream as to the small T1 lines.
This space for rent. Call 1-800-STEAK4U
He probably runs multiple servers - it's hard to test Windows trojans on a linux box. And DDoS is blind to your OS. You can DDoS a Linux box as easily as a Windows box as easily as a MacOS box. DDoS is a weakness of TCP/IP, not of a particular OS; therefore, it can affect any system on the internet
This space for rent. Call 1-800-STEAK4U
You're right, I don't know what I was thinking :) Attacks like SYN and such are still creating the bandwidth DOS attack. However, they tend to do it a lot less effectively, since the problem with the spoofed attacks is that they appear to be valid data, where I can tell that a 64K fragmented ping packet is not valid, and have the ability to filter based solely on the properties of the traffic. You can't filter on those terms for a spoofed DoS attack.
This space for rent. Call 1-800-STEAK4U
Oops, forgot my footnotes :) And whoever modded my main post as a troll is one of the people who can't read that I mention up there in the beginning. They apparently can't read here either.
1. You wouldn't know it from reading comp.os.linux.help
2. Aunt Maude who just bought her new Celeron 500 and 15 inch monitor bundle from Walmart
This space for rent. Call 1-800-STEAK4U
It seems there's a confusion in the discussion below, because people are too dumb to read the part of the article where Steve talks about Spoofed attacks. Let me try to explain.
SG talked about two different attacks. The main one is the brute-force, fill-your-bandwidth, ping attack. This attack is based on known ports and data types that fall outside of what can be considered 'normal' traffic, since in no way should well over a gig of ICMP ping data per minute be considered normal. Because of this, the routers on the upstream side could be configured to disallow the passing of that data. This is what brought the servers back on the net each time.
The part he just briefly touches on is the spoofed attacks, like SYN attacks and the like. These attacks require the source to manipulate the TCP stack outside of what would be considered 'normal' use. Like sending SYN packets and not sending the SYN-ACK in reply to an ACK that is required in the 3-way handshake. These attacks simulate normal data - SYN attacking the web server, for example. All connections to a web server start with a SYN. So there is no way to statelessly determine if any given SYN is valid or not. The only way to cancel out these attacks is to disable valid services running in your network.
The problem isn't necessarily that Windows will now be able to spoof - the number of machines on the 'Net that can spoof has increased dramatically since Linux appeared on the scene. However, people that run linux also tend to know more about the technical aspects of their computers, and understand how to look for the signs of your computer being taken over (1). The typical Windows consumer (2), however, has very little idea what goes on inside the case where all those wires are connected to, and half of the time couldn't even get the computer set up right if the cables and ports weren't color-coded. These are the people that see a new Email from Aunt Maude that says "Re: Re: Re: Re: Re: Re: Funny! Open now!" and open the little attachment that drops the Sub7 pieces into their registry before dancing around on their computer and making them laugh.
And the problem is stupid laws that keep the FBI from pursuing 13-year-old script kiddies because our laws prevent much of anything from happening to them. Kids that sell drugs and rape other kids go to Juvenile Detention until they're 18, at which point they get out, do it again, and go away for a long time. The legal system needs to start treating the spoiled brats who have nothing better to do than DoS computers the same way. If they were picketing and physically blocking entrance to a Brick-and-Mortar store, the police would drag them away. This is the cyberspace extension of that very same idea.
This space for rent. Call 1-800-STEAK4U
--locust.
Anyone who knows networking will tell you that this is exactly what SYNcookies were made for. The attack didn't use up all the network traffic, but rather used up all the filehandle-slots on the server OS.
Just take a look at that graph and the answer is obvious.
When using SYNcookies the server doesn't allocate a file-handle for each new connection but puts a 'challenge' in the Syn/Ack package and waits for the last Ack of the 3-way handshake. This effectively forces the attacker to reveal his IP address if he wants to use up the filehandles, and then you just block him in your router.
--
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
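The SYN cookie mechanism described in the comment above, as an added example that is not part of the thread: a stateless listener that encodes a keyed hash of the connection tuple into the SYN/ACK's sequence number instead of storing a half-open entry, verified when the final ACK returns. It is run side by side with a classic fixed-size backlog under a flood of SYNs whose sources never answer. The cookie layout is a simplification of the usual scheme (no MSS encoding), and the secret, epoch length, addresses and backlog size are constructed for the demo.

```python
"""SYN cookies versus a classic half-open backlog under a spoofed SYN flood.

Added example. The cookie is the 32-bit server ISN: 8 bits of a coarse time
epoch and 24 bits of HMAC over the 4-tuple, the client ISN and the epoch.
Nothing is stored per SYN; a final ACK is accepted only if (ack - 1) verifies
for the current or previous epoch.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # a real stack draws this randomly at boot
EPOCH_SECONDS = 64                     # cookie validity: this epoch and the previous one
SERVER = ("192.0.2.10", 80)            # constructed listener address and port


def _mac24(src, sport, client_isn, epoch):
    """24-bit keyed hash binding the cookie to the peer, client ISN and epoch."""
    msg = f"{src}:{sport}>{SERVER[0]}:{SERVER[1]}|{client_isn}|{epoch}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, client_isn, now):
    """Server ISN for the SYN/ACK: epoch in the top byte, MAC in the low 24 bits."""
    epoch = int(now) // EPOCH_SECONDS
    return ((epoch & 0xFF) << 24) | _mac24(src, sport, client_isn, epoch)


def check_cookie(src, sport, client_isn, cookie, now):
    """True if `cookie` was minted for this peer in the current or previous epoch."""
    epoch_now = int(now) // EPOCH_SECONDS
    for epoch in (epoch_now, epoch_now - 1):
        if (epoch & 0xFF) == cookie >> 24 and \
                _mac24(src, sport, client_isn, epoch) == (cookie & 0xFFFFFF):
            return True
    return False


class Listener:
    def __init__(self, syncookies, backlog=128):
        self.syncookies = syncookies
        self.backlog = backlog
        self.half_open = {}      # (src, sport) -> server ISN; classic mode only
        self.established = set()
        self.refused = 0
        self._isn = 0

    def on_syn(self, src, sport, client_isn, now):
        """Handle a SYN; return the server ISN for the SYN/ACK, or None if refused."""
        if self.syncookies:
            return make_cookie(src, sport, client_isn, now)   # no state kept
        if len(self.half_open) >= self.backlog:
            self.refused += 1                                  # backlog full: honest SYNs lose
            return None
        self._isn += 1
        self.half_open[(src, sport)] = self._isn
        return self._isn

    def on_ack(self, src, sport, client_isn, ack, now):
        """Handle the handshake's final ACK; return True if a connection is established."""
        if self.syncookies:
            ok = check_cookie(src, sport, client_isn, ack - 1, now)
        else:
            ok = self.half_open.pop((src, sport), None) == ack - 1
        if ok:
            self.established.add((src, sport))
        return ok


def simulate(syncookies, flood_size=1000):
    """Spoofed SYN flood (no ACKs ever come back) followed by one honest client."""
    lst = Listener(syncookies)
    for i in range(flood_size):
        lst.on_syn(f"203.0.113.{i % 250}", 1024 + i, client_isn=i, now=100.0)
    isn = lst.on_syn("198.51.100.5", 40000, client_isn=7, now=101.0)
    connected = isn is not None and lst.on_ack("198.51.100.5", 40000, 7, isn + 1, now=101.1)
    return {"half_open": len(lst.half_open), "refused": lst.refused, "honest_connected": connected}


if __name__ == "__main__":
    print("classic backlog:", simulate(False))
    print("syn cookies:   ", simulate(True))
```

Because the cookie can only be completed by a host that actually received the SYN/ACK, an attacker who wants to exhaust connection slots has to use a reachable, therefore real, source address, which is exactly the point made above about forcing the IP to be revealed.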
Then is implementing a flawed standard always a good thing? Or is it better to implement against standard without the flaw? That's the real question. I think you are just reciting pieties.
Have we already forgotten that SourceForge and apache.org were just compromised? Were their systems set up like a 13 year old might? Why is it that whenever there's a security compromise, a bunch of yahoos come out and insist that it is the fault of incompetent administration or clueless users, when even some of the most technically sophisticated groups can't protect themselves against intrusion? This is like blaming a rape on the victim's failure to dress properly. Do you have some sort of commitment to a philosophy of social Darwinism that makes it impossible for you to accept that the victims did nothing wrong and that the perps are, in fact, entirely blameworthy?
Gee, now *I* want an army of trojan attack zombies installed on a bunch of cabled Windows PCs ready to DDoS on command....
!r
EvilBot1.3 ready to attack...
EvilBot1.3 ready to attack...
EvilBot1.3 ready to attack...
.
.
.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
From his DOS attack history page: "defragment our server's hard drives" ? Seems that he's not using Linux for his servers...
And then he complains about being DoSed? Sheesh...
--
As long as ISP's let their customers forge the source addresses, this problem will continue. It's not really that big of a deal if the hacker pretends to be Bob next door. Any ISP worth its salt can track down the true source of any traffic inside their network. And, if the network portion of the address is correct, I know which ISP to call to report the problem.
The reason DDoS attacks are as bad as they are is due almost entirely to lazy ISP's who don't do ingress filtering. The days of routers not being fast enough to do simple filtering are long past. I personally think ISP's should be held liable for allowing their customers to send out spoofed packets. Maybe then the situation would improve.
steve gibson certainly has some talent. as a former iomega employee, his utility for testing zip and jaz drives for the click of death was a pain in my ass, but it was truly useful. likewise, shieldsup is good as a first step into securing your 'personal' (cable/dsl) connection.
but, cripes, does he ever have the capability to totally and unnecessarily alarm people. i think it borders on fearmongering. the exclamation points are just the beginning.
is his 'bandwidth usage' graph a paintbrush creation? why is there no label on the horizontal axis? he virtually promises the reader that attacks like this CAN HAPPEN TO YOU and WILL HAPPEN TO YOU when Windows XP comes out. The large point fonts and colors aren't helping, steve.
still, the logs of his conversations with the hackers are particularly interesting.
oh, and steve, if you include instructions like this: netstat -an | find ":6667"
you're just asking the kiddies to make irc servers on other ports.
complex
Not at all. He hardly uses any. He does make good use of Bold Text. Makes the long piece much clearer, as bold delineates. Nex
Let's not also mention that there's millions of Windows and Unix boxen around to be administered, and only (relatively speaking) a few hundred thousand (my guess) really really competent/knowledgeable sysadmins. And are you really going to stop watching Pr0n when someone calls telling you one of the machines used in a DDOS attack is on your network? I'd bet earthlink and/or other ISP's would have to hire a fulltime army of tech support/customer contact reps just to call and tell their customers that they've been trojaned. Have YOU ever worked tech support? Here would be the sample conversation:
"Hello, Sir/Ma'am. This is Joey with Earthlink and..."
"Sorry, I don't want any.." *click*
conversation #2
"Hello, Sir/Ma'am. This is Joey with Earthlink and I'd like to inform you that you have a serious problem with your computer that needs to be fixed"
"Oh really, what's that?"
"It's a program that participates in a distributed denial of.."
"Excuse me? What the hell are you talking about?"
"Distributed Denial of Service.. Think virus and I think we'll be somewhere in the same book.."
"but I have Norton! I don't have a damn virus!"
"Sir, we're receiving numerous complaints that.."
"What? Are you spying on me? I'm calling my lawyer!"
Or, alternative conversation 3:
script kiddie: "Hello, Sir/Ma'am? This is Pines at Earthlink. You have a virus that we've been able to detect on your system and I'm here to help you clean it up.."
customer "Oh really? Wow! I'd really appreciate it!"
script kiddie "What I need you to do is go to www.mybotsonline.com and download the "Clean.exe" file and that will patch it right up for you!"
customer: "OH! Thank you very much! I'll do it right away!"
Sigh.
If you were me, you'd be good lookin'. - six string samurai
You gave UP Unix admin for tech support? Jesus, do they not pay you there??? I'd kill for an "apprenticeship" UNIX administration position.. :) (and what kind of weed were you smoking when you thought that would be a great idea? If I ever smoke pot, that's the stuff I want.. :) )
If you were me, you'd be good lookin'. - six string samurai
I thought the exchange with ^boss^ was funny as hell. You could almost read "Jesus, if this guy can fucking hack my bots, spy on my channel, know how many active bots I have, what targets I've hit in the past week, fuck! fuck fuck fuck! I'd better start staying over my friends' house and I'd probably better format and shred my harddrive! Fuck fuck fuck!"
If you were me, you'd be good lookin'. - six string samurai
Firewalls don't help against valid traffic flood attacks.
True enough, but what the firewalls would really help prevent is the act of getting infected to begin with. Sure, there's going to be plenty of people still infected by the typical con-email approach (My father passes pretty much every "cool" executable on to me that he gets from friends and family) but at the very least, a simple firewall program will keep the numerous security holes that most regular users don't even know exist from being exploited on a daily basis to get these trojans installed.
The best thing MS could do for the internet community is to write up a basic firewalling service that is user configurable and is installed by default with the TCP/IP stack. That way users that know what they're doing and need ports open to run servers can do so (The idea being that if they need to run such a server, they would probably know the basic concepts of a firewall and security) and users that don't know how to do much more than browse the web and read email (my father) could do so with little risk of their system being compromised.
Of course, I doubt it would happen (Any Windows developers out there reading this? I thought not...) but it's always nice to wish.
if( read(this) ) { you = programmer; }
The email I wrote to CERT is located here. It details some of the stuff that happened as I got rid of the botnet. I deleted around 500 bots when all was said and done.
--
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
Glad someone else is invading these bot nets like I did.
--
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
I still have a copy of it and it works great for bringing back data on "dead" spots.
Gibson may have a way of waving his arms and getting excited but the guy's got a point - this kind of attack sux. The punk that went after his site did so because of a supposed slight via word of mouth. Imagine if your home connection had come under that sort of attack? Your ISP would've been as likely to simply cancel your account and blame you as they would be to actually do something about it!
Build it, Drive it, Improve it! Hybridz.org
That was his point - they could care less. SOME ISPs follow up on complaints, many do NOT. Report some SPAM sometime and see what I mean. Better yet, report the punks that scan your systems constantly (you see them in your logs right?) and see how little they care. It's a joke and they simply cannot keep up with the flood of crap.
Hell, the little punk could've blocked the caller ID too and while the phone company sure as heck would've known who it was that would've required yet another layer of drones to cut through. The more drones you have to convince the less chance you've got of catching them. Eventually you grow tired of pursuing and give up - the punk gets away scot-free. Been there, done that! People need to get alarmed, ISP's NEED to be "outed". Deal with a few of them on stuff like this and you'll understand his frustration. Hell, his troubles getting hold of a network guy are more the norm than anything else - no surprises there at all...
Build it, Drive it, Improve it! Hybridz.org
The reason he's torqued about spoofing is because IF the attacks had been spoofed he wouldn't have been able to track them back AND the attacks would've been much nastier than the glorified PING! storm he was weathering. Imagine if it had all been fragmented packets aimed at Port 80 instead. How do you defend against that - shut off Port 80? Oh wait....
:-)
If you can't track them back (easily) then how will you stop them? Getting ISPs to NOT forward packets that aren't sourced from their domain's IP range would be a start but not perfect IMO as you could simply make it look like Jimmy Joe Bob next door
Build it, Drive it, Improve it! Hybridz.org
The complaint here is about Gibson's misplaced blame and his pathetic "solution." Gibson's "solution" of crippling Windows boxes so it's more difficult to spoof IPs is why we experience as much difficulty with spoofing as we do.
Because Windows makes it difficult to spoof, the ISPs can get away with ignorant and incompetent router administration, with little fear of it kicking them in the ass.
The current situation at most ISPs trusts the machines plugged into them to be well behaved. This is not a reasonable trust. Just because Windows doesn't spoof easily doesn't mean I can't grab another box from another vendor (or hell - build my own) and tell it to spoof.
Simple answer: if you are an ISP, don't route packets coming in on the wrong interface.
Junior anarchists aren't going to subsidize a playground for corporate whores forever.
Wow. Traffic analysis. A standard tool used by NSA, GCHQ, et al. Amazing how much you can learn from communications without actually reading the messages. Think about that when you use encryption. What can your opponent learn just by tracking who you are talking to?
@echo off
ipconfig net0 10.0.1.1
spoofmanypackets.exe
ipconfig net0 back.to.normal
OK, a little crude, but it'll work - or do these script kiddies really not write scripts anymore
I don't see why a normal user would want or need it - there are plenty of low level drivers out there to build and send spoofed packets under windows - but what saved him was the fact that these machines were not set up by the attackers, but were stock machines compromised by a "zombie" irc attack bot.
The non-standardness of the sockets is an issue with porting software from other platforms, but that is a winsock/port issue, not a low level packet construction issue.
--
-=DaveHowe=-
Apostrophes can be correctly used for plurality IFF lack of it would look unclear or stupid (for example: I SAW UFO'S YESTERDAY). (it looks gay to write UFOS; and people may not even realise what UFOS means, although UFO'S is very clear).
Note that there is a difference between writing UFO'S cos you have no clue, and writing UFO'S if you know what grammar rules are, and deliberately write an apostrophe in order to avoid confusion.
Apostrophes can also be used for contraction. Therefore "DDoS'd" as a contraction of "DDoSsed" or however you like to spell it. This mode was more commonly used in the past ("two star cross'd lovers...").
I am in no way a "coder" so this is all just conceptual.
With that said: Why not just take advantage of the bots' mutating ability and have them download an "update" which causes them to...
A. remove all traces to have the bot run at boot.
B. Create a text file on the desktop explaining that the computer has been infected.
C. remove itself upon completion and initiate a reboot.
Seems simple enough to me. If a total, albeit skilled, programmer could infiltrate and comprehend the network of compromised Windows machines in a week, it seems like it is a doable task. All that is needed is to obtain the trojan to have it reveal all the important information, then initiate an Update via whatever command it looks for via irc.
Is there anything fundamentally wrong with this mode of thinking?
--
It's not that difficult. Just put an installer program into some email attachment. Don't even bother to reboot, Windows machines reboot often enough without any help from the outside. Even if you don't need a reboot because of some new installed package or a BSOD, most Windows users turn their PC off when they're done using it.
This sig under construction. Please check back later.
Yes, it's taken from Berkeley Sockets. However, it is an incomplete implementation. The stack itself is feature poor (i.e., can't spoof IPs, can't ping subnets), and not all the tools that are usually considered part of TCP/IP are included. For example, nslookup is not in Win9x, probably because they couldn't get the Win32 port from NT to work. So much for a common API. Also, both NT/2000 and 9x don't include some of the servers and clients.
Gamingmuseum.com: Give your 3D accelerator a rest.
The attacker used a compromised Earthlink account. O.k. so then Earthlink could easily check their router's info since they all have caller ID to determine who the heck called the number.
I do feel sad for the guy, and the article was well written but I think it's sort of filled with FUD to give it that "OH MY GOD" kind of edge to it. Sorry, don't want to be a troll but I see discrepancies in the article.
I wonder what will happen if some of my theories were crafted. Now you'd be looking at massive backbones going to hell.
Want Root?
I said they should note that a SYN - ACK - SYN needs to occur which is TCP based, not UDP, so all UDP traffic should be blocked since for a website you'd need that 3 way connection, not a UDP based connection. Re-read my post.
As for your "it is hard through a general purpose router" comment, bs, you could easily drop all UDP packets without worry if you're not providing any UDP based services, and it won't affect (dropping the UDP packets won't) the router as much as having to route the packets.
Want Root?
The only way to cancel out these attacks is to disable valid services running in your network.
Actually you're wrong. I wrote "Daemonic" when I was writing "Theories in DoS", a paper on higher network level based attacks such as BGP, OSPF based attacks. Now what Daemonic does is send pseudo random garbage (spoofed) to any port you specify.
Simple lame little DoS attack right? Now even if you don't have the service running for the port you're sending the data to, it'll still crap out your Windows2000 box with ease. Now if you send it with a multicast source address which is weirder (haven't benchmarked) things really get odd.
Either way it'll bang up your network. Now FYI sending data through to a port that's not running still has to get there which means the network can still amass latency, which is where you would want to nip it at the butt with your router or firewall.
So someone writes and says they're a 13 year old script kiddie who knows that the FBI will traceroute, etc, etc, etc., and this is believable? Highly doubtable. As for the attacks, I would say Mr. Gibson should have his uplink provider hire some clueful router administrators who would've fixed the problem in a heartbeat.
Lack of understanding from those involved often creates more harm than it helps. UDP packets coming in to a website? And the admins couldn't think of firsthand network skills, SYN --> ACK --> SYN, 3-way TCP handshaking? They need to go back and study up using some Cisco Press material.
Anyways, for those who haven't seen the page yet or are in charge of networking and/or firewall equipment, check out Stopping DoS, which is a "do this now" tutorial to stop beating around the bush and cut DoS attacks at both the firewall and network (router) level. It's not an RFC, not a write-up of what a DoS attack is, simply a "fuck it's 3am and I'm getting DoS'ed now how do I stop this shit" paper.
I read the article earlier on from the article on the Register. Very interesting, I thought. DDoS attacks are more widespread than a lot of people would imagine and people do need to take them seriously. With regard to the Win2000 and WinXP versions of Windows implementing the sockets standard: yes, it is a good idea for them to do it. People sticking to [good] standards is the right thing to do.
Just having a broken version of sockets isn't going to stop people trojaning systems and using them in DDoS attacks. Other systems get cracked and used in DDoS attacks. A friend of mine had his box attacked for no apparent reason. The attack caused 30x the amount of traffic as the rest of the university (where he works) was using (their pipe is around 655mbit, recently upgraded from 34mbit - the old one got totally saturated by recent DDoS attacks that I know of). All the source IPs were spoofed; they've no idea who did it. Whilst his machine can be totally firewalled to the outside world, if this were done to an important machine it would be a real problem. People do have the ability to carry out spoofed attacks right now. If MS leave their sockets implementation broken then sure, it'll get worse, but that isn't the way to fix it.
So what is? Well obviously generally improving system security and the level of clue of the average user so that there aren't so many compromised hosts for these people to do what they like with will help. An important fight against the spoofed IPs issue though is making sure networks have firewalls and their routers are checking source IP addresses. ISPs shouldn't allow packets to leave their dialup networks if that packet does not claim to be coming from one of their IP addresses. It's been commented on before when the DDoS topic comes up - if everyone were doing this DDoS would be a lot more easy to tackle.
Right. Maybe you do this, but most of the internet does despite efforts to the contrary -- MFS once threatened to disconnect people who weren't blocking spoofed traffic entering and leaving their network. We already know a lot of providers just don't give a damn, as Gibson puts it, as long as the bill gets paid.
Packet filtering becomes rather expensive as the filter list gets longer and the number of packets continues to grow.
Sorry, I left out the "not". Go ahead and give it a try; I bet you'll not be able to find anyone with functional spoofing filters. (No one I've ever worked for has one.)
It's not the size of the route tables. The filter list has to be inspected for every packet on the interface. You need help from the silicon to do it right.
- Sorry I kill ya' Fidget.
As an admin (dare I say BOFH?) I'd just shut them off and wait for them to call tech support and then proceed to explain to them what they had done (knowingly or otherwise doesn't matter.) Disruption of network services is generally within the terms of service agreements. And, yes, I have disabled customers' access and then gone and sat in the helpdesk area (the "fish tank") to wait for them to call.
Well, the packet has to come from somewhere. A spoofed packet will have a source address other than the actual source of the packet -- usually not even remotely similar to the actual source. If the router at the next hop takes the time to verify that the incoming traffic on that interface is coming from addresses known to be there, then spoofing becomes a non-issue. Unfortunately, no one is sufficiently paranoid (or insane) to configure spoofing filters on every interface. It's too much of a configuration management headache and it proves very costly to the router.
For example, let us assume an ISP has a customer with a LAN on the far end of a T1 using the class C 192.168.1.0. If the ISP's router were to see packets sourced from 172.16.4.7, then obviously something is not right. It's either spoofed or a mis-configuration -- the customer could be multi-homed, or have two LANs, etc.
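The per-interface source check described in the two posts above (the "ISPs shouldn't let packets leave unless they claim one of their addresses" point, and the 192.168.1.0 / 172.16.4.7 example) worked through as an added Python example; this is not code from the thread or from any router vendor. The interface names, the second customer's prefixes, and the sample packets are all constructed, and the multi-homed / two-LAN case the poster mentions is handled the only way such a filter can handle it: by listing every prefix that customer is known to have behind that circuit.

```python
import ipaddress

# Constructed router configuration (assumption): for each customer-facing
# interface, the list of prefixes the ISP expects to see as SOURCE addresses.
# A multi-homed or two-LAN customer simply gets more than one prefix listed.
INTERFACE_PREFIXES = {
    "serial0/0": [ipaddress.ip_network("192.168.1.0/24")],     # single-LAN customer from the post
    "serial0/1": [ipaddress.ip_network("10.20.0.0/16"),        # constructed two-LAN customer
                  ipaddress.ip_network("172.16.4.0/24")],
}


def check_source(interface, src_ip):
    """Verdict for one inbound packet on a customer interface.

    'accept'                -> source belongs to a prefix known to be behind this interface
    'drop-spoofed'          -> source is not known to be there (spoofed or mis-configured)
    'drop-unknown-interface'-> no prefix list configured, so nothing can be vouched for
    """
    prefixes = INTERFACE_PREFIXES.get(interface)
    if prefixes is None:
        return "drop-unknown-interface"
    ip = ipaddress.ip_address(src_ip)
    return "accept" if any(ip in p for p in prefixes) else "drop-spoofed"


def filter_packets(packets):
    """packets: iterable of (interface, src, dst). Returns (iface, src, dst, verdict) tuples."""
    return [(iface, src, dst, check_source(iface, src)) for iface, src, dst in packets]


def summarize(verdicts):
    """Count verdicts so an operator can see how much a filter is dropping."""
    counts = {}
    for _, _, _, verdict in verdicts:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample traffic; 203.0.113.5 is a documentation address used as the target.
SAMPLE_PACKETS = [
    ("serial0/0", "192.168.1.10", "203.0.113.5"),   # legitimate: inside the customer's /24
    ("serial0/0", "172.16.4.7", "203.0.113.5"),     # the post's example: not assigned to this circuit
    ("serial0/0", "198.51.100.77", "203.0.113.5"),  # random forged source
    ("serial0/1", "172.16.4.7", "203.0.113.5"),     # legitimate on the two-LAN circuit
    ("serial0/1", "192.168.1.10", "203.0.113.5"),   # someone else's prefix on the wrong circuit
    ("ethernet1", "192.0.2.1", "203.0.113.5"),      # interface nobody configured a list for
]

if __name__ == "__main__":
    for iface, src, dst, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{iface:10} {src:>15} -> {dst:<14} {verdict}")
    print(summarize(filter_packets(SAMPLE_PACKETS)))
```

The check is deliberately per interface, not global: a source address is only "spoofed" relative to where it entered the network, which is also why the poster's multi-homed customer is a configuration question rather than a detection problem.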
Read the story more carefully. He contacted the FBI, and after they blew him off he proceeded to work out the information.
Perhaps if he had gone back to the FBI with this information, they would have paid more attention to him, since they could have used his data to go after people DDoSing the big boys.
www.eFax.com are spammers
Gibson finds out how the zombies work. He finds the IRC channel they use for control. He gets the command set.
Rather than turning all this over to the FBI, so that they can start tracking these people down, he makes it known to them that he has it, and publishes it. Now, the people who make these abominations will move their control over to something else.
Granted, the FBI might not do anything with the data. If so, then make a stink about the FBI not doing their job!
Personally, vigilante justice is starting to sound better and better....
*sigh* Sometimes I wonder why I bother.
Everything I said is the first post is the truth.
(Notice that I didn't post Anonymously)
I didn't even know that moosoft existed until I was pointed at their site. I used the evaluation version of their software to remove the bot.
I am not a customer of moosoft, and have nothing to do with them.
I have since found other free (as in beer) programs that do the same job.
Doing a web search for SubSeven will give you links to a number of programs that remove it.
If you don't want to believe me, whatever. I just thought that other people in my situation may like a fix to the problem, as the article didn't seem to suggest any. (If it did, I must have missed it).
I probably shouldn't try to explain myself to an "Anonymous Coward", but what kind of proof do you want?
I'm reluctant to give out the IP address of the IRC server, as an influx of connections may get me DoSed.
--- I'm sure using a computer was fun back in the 80's. *sigh*
Hehe, no not exactly. I'm not quite that stupid, although I am stupid enough to be infected with a trojan it seems.
I of course did some research into the cleaning app before downloading it. I found some reviews of the software and also found it mirrored on download.com. When I did download the software, it was from a mirror. I also virus scanned it before running it.
I didn't trust the guy, so if I wasn't 100% sure about the app I wouldn't have downloaded it at all.
I must thank Gibson for the article, and Slashdot for bringing it to my attention.
After I had finished reading I thought I'd check my machine (It's multi-boot, I don't use Windows that much). To my horror, I found out that my Windows partition was infected by the SubSeven bot.
So I kicked up my IRC client and connected to the IRC server that the bot was on. I entered the admin channel and just sat there. A little while later somebody messaged me. I explained that a hidden bot was connected to the server and asked how to remove it.
I was pointed at: http://www.moosoft.com
I downloaded the "Cleaner" application which did a fine job of finding the bot and removing it.
I had a little chat with (I assume) the person controlling these bots. The person seemed to be quite helpful, which surprised me.
From the IRC stats, there were over 900 infected machines connected.
After removing the bot, I disconnected from the IRC server. I'm now considering what to do next. The IRC server was hosted by a company offering UNIX shells, and IRC server hosting.
Do I just leave it at that, put it down to experience and move on? Or should I inform the hosting company, and possibly risk being DoSed myself? (I suspect that the person I talked to on the IRC server logged my IP, which is static.)
Remember, this is the guy that came up with nano-probes (that we all laughed at and called marketing garbage) and writes ALL of his stuff in ASM because of course, that is soooo much better and more efficient than a compiler. *huh*?!
http://slashdot.org/article.pl?sid=00/09/29/1549214&mode=thread
This article is entertaining, but not especially informative. He bitches about Windows 2000/XP including raw sockets capabilities and says he doesn't know why - wouldn't this be so that applications can do packet mangling? (firewalls, NAT, IP Aliasing, etc?)
One wonders if this is lack of knowledge on their part or company policy to not do anything that might generate customer service calls from confused users who don't understand what the warnings mean?
Never underestimate the power of human stupidity -Lazarus Long
You mean, first he gets DDoSed (or DDoSd, whichever you prefer, I guess) by...
Apostrophes are not used to signify plurality, only possession and contraction.
---
Linux: The world's best text-adventure game.
!if !he !were !referring !to !the !exclamation !points !in !the !script !commands, !he !would !have !written !it !like !this
slashdotted.
You mean, first he gets DDoS'd by a bunch of script kiddies using IRC bots, then he gets...
DDoS'd by a bunch of script kiddies using web browsers.
No intervention would be necessary if the users themselves would wake the hell up and manage their computers properly.
Since this DoS attack was done with a large number of infected computers, there's no way to completely protect the server without also blocking out legitimate users. And whenever a large number of computers is compromised, it's usually the fault of the operating system (or its user interface) rather than the fault of the users.
The shareholder is always right.
Disc-lamer: I *am* making much of this up. I haven't tried to turn this into working code. Take it with several grains of salt. But the principles are pretty much correct.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
"Gibson uses too many exclamation points in his article." - CmdrTaco
There is a grand total of... 1 exclamation point in that article. CT, learn to count... or learn to stop smoking weed.
Hey, c'mon. Gibson has been writing about a terrible and dangerous future for years now!
;)
mmm, wait a minute, that was William! Maybe his brother?
HAHAHAHAHAHA :)
:) Nice of someone to set up a couple hundred bots just for you, wasn't it? :P
/.'d? :)
Um. Yah.
I wonder if floodnets can be
Get off my virtual lawn, you damned virtual kids!
In any case, with his skills he was certainly able to do things the kids did not expect, including infiltrating them at their most "secure" locations. He accomplished things that were beyond what they believed were possible.
:)
Where there's a will there's a way.
In addition although the IRC RFC may seem trivial in comparison to other such documents, I'd bet it's one of the last places these kids would have thought to look for information.
I believe Gibson was on his toes, and I suspect his article documenting his work demonstrates a hacker at his finest.
Heh, one other thing -- you make good points. Thank you. :)
It was brilliant. :)
:) I told them "I can wave my hand and make you go away."
:P
A few years back I had a few kiddiez harassing me on IRC. They were really "37337."
I did a traceroute to them and noticed a router of some sort sitting right in front of them -- it just looked weird. I opened a telnet session and found myself at:
zimmylan>
A Cisco ISDN router, with no password set.
They replied "0h y4H, d0 1t."
I rebooted their router.
They thought I was God.
My favorite line was: Before you question Gibson's skill, or his "inside information" (as one poster suggested "he must have had the Windows source code") consider that this man downloaded and learned the RFC for IRC. That might seem alien to someone who relies on the work of others, or reading script FAQ's, but this fellow knows how to make proper use of the tools before him and relies on his own knowledge to craft solutions.
He did not have any help from Microsoft. He knows his tools and he knows his craft. By his own words he's not a magician, he's a scientist.
Be humbled kiddiez, for every dozen of you who "hax0rz" on IRC there's someone like Gibson who actually can hack and run circles around you. Notice that ^boss^ gave this guy respect?
That's very wise.
I have admired Steve's work for decades.
...
That said, the battle is Liberty vs. Security.
I use Liberty to replace privacy; privacy is not in the constitution, security is. Liberty should be if it isn't; unlike privacy, it is without a doubt at least implied.
Steve's take on EL's security policies is pretty good. From what I read, he did not ask for the information, only that they secure it.
On the other hand Steve approached them as an individual and asked them to perform an action that would, could produce an invasion on the security of a member subscriber. This is based on a telephone call from an individual claiming to be Steve Gibson.
Anyway the point is Steve didn't carry much weight because he shouldn't. On the other hand when a subscriber of EL calls in and says they are getting DOS'd, they should get attention (they don't).
2 cents
... that Cable Modem users need to learn about firewalls to stop themselves from being willing *participants* in a DDoS attack rather than being a victim?
Phillip.
Property for sale in Nice, France
> Is implementing the standard always A Good Thing?"
One can always find a situation, however esoteric, where doing it the "wrong" way seems advantageous. Just like there's always a situation where ignorance provides some benefit, but that doesn't mean that one should always choose ignorance as a matter of course.
Standards are the same way. The one-in-a-million situation where a nonstandard approach provides an accidental benefit (this case for example) isn't really a good case for *always* implementing a non-standard approach.
Insert simplistic political, ideological, or personal proselytization here.
Wouldn't work - the NIC address is only used on the local hop, and discarded (well, replaced) with the next pair.
That MAC address is how the cards themselves talk to each other, while inside the ethernet packet is -another- set of addresses, which you would consider to be the "real" addresses - the TCP/IP source and destination.
Very interesting information and good link.
Rangers Lead the Way!
Yeah, it's Norton. He sold his name and face to Symantec, who spent the "goodwill" thus acquired in a most unseemly rush years ago.
Symantec may suck, but in his day Norton was a god. I still have his x86 assembler book, it's quite good. If you use it to teach yourself, as intended, you wind up writing several significant chunks of the Norton Utilities, with his guidance of course. I've often wondered how much (if any) his various competitors owed to that book - as I remember it was just after that book was published that I started seeing the clone product that MS bought for dos 6, whatever the name of it was... the package they pulled scandisk and defrag out of. Oh well, idle speculation that - but it's certainly plausible.
"That old saw about the early bird just goes to show that the worm should have stayed in bed."
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
Just how long do you think it will be after XP ships before at least one huge hole is found in the default setup? And how much longer before updated bots start taking advantage of it?
I give it two weeks, max.
I would be happy to see anyone who did that to me prosecutable, and I don't know why you'd not want them prosecuted
I think the difference with the war on drugs and people doing shit like this is that drugs don't affect other people. I'd compare it more to something like vandalism. You're messing with their stuff.
Better to stay silent, and let people think you're an idiot than to open your mouth and remove all doubt
Indeed. You don't even need to do the hard work of building a full stack if you are just going to SYN flood or similar. You just need a packet driver and some IP smarts.
Implementing the standards is always a good thing.. Creating a flawed standard is a bad thing.
I read slashdot for the articles.
How many of his bots are cable? The guy was talking about IRC bots and how many of them are on shitty cable connections and are not on T3+, not how many hacked boxes he has.
God, root, what is the difference?
Firewalls can stop your computer from becoming a pawn in a game.
The number of computers that are just sitting out there waiting to be own3d is probably one of the biggest threats out there. It's like guns just lying around the house.
bun-fhuinneog agam!
Possibly it will also be clear to everyone reading this that we can not have a stable Internet economy while 25 year old MSCEs can't actually administer the machines they are supposed to be taking care of. The same also applies to Un*x admins. Administering a machine does not mean installing an OS and plugging it into the patch panel.
You are completely missing the point. No intervention would be necessary if the users themselves would wake the hell up and manage their computers properly.
;)
True, and I agree totally. For some reason when I hear "threat to the internet economy" the first thing that comes to mind is someone lobbying for tighter government control. I'm sure Steve was thinking more along the lines of hyping the problem
--------
-------
"Every artist is a cannibal, every poet is a thief."
You don't think that's terror?
Ummm, no I don't think that's terror. You are confusing the word "terrorist" with "terror." Gibson used the word "terrorist" to evoke an emotion of irrational fear. Your example of "terror" is nothing more than the result of poor business planning.
If your "life" depends on your internet run business, you'd better have the technological know-how to deal with any and all potential problems that come up, including script-kiddies.
Oh, and your example is rather heavy on the side of exaggeration. Please explain how a person with a bankrupt company is unable to get a temp job somewhere in order to pay for food. Please, I challenge you to show me ONE case where a DoS put someone out of business and caused them to starve to death. I'll take just ONE. In the meantime, I'll be sending you a list of all the people hurt, injured or killed because of the actions of a real terrorist.
And I'm still waiting for you to show me one example of someone being homeless and starving to death because of a DoS. Don't you have one?? Here, I'll help you get started in your research of real terrorism
I'm not saying that losing your job is not a bad thing, but it's nothing compared to being blown to bits and losing a loved one.
A 13 year old on the internet DoSing some wannabe security expert does not constitute "terrorism." Blowing up his house does. The only thing disgusting here is your belief that they are somehow the same thing.
once again, shortsightedness and herd mentality prevails in IT.
Yeah, i did tech support last year for two months, and then went back to unix administration. tech support fucking sucks. My hat's off to anyone who can hack it, because i couldn't.
This Steve Gibson guy is just an idiot.
You gotta read how he complains about the standard socket implementation of Win2k / XP.
First people complain about the lack of it, now because it's there, damn, give MS a break.
Before you email me, remember: "There is no god!"
I'm not sure what the solution is, but enforcement is unlikely to deter. He seems to have dealt with it in the right way, and didn't even suffer $5000 worth of damage; in fact he probably has gained business because of the publicity. I realize that if the attack had not been subject to filtering, he might have been down a lot longer, but it seems that tools should be developed to defeat such attacks or at least minimize their harm. And educate the kids doing it, communicate with them (as he did), find out why they're doing it, get them to think about what they're doing and the effect of their actions on real people.
ok I'm idealistic. but the status quo of relying on enforcement doesn't work very well either.
HIV positive people can live a long time now before getting AIDS, if they ever do. Besides, your bf and all the others are going to die anyway. Just tell them.
I just don't think you're going to solve the problem. In fact, you might make it even worse. Crime went down during the 90s; maybe because with the economy doing well people had less incentive to break the law (not because of increased threats of prosecution -- or why has crime started to go up again now?).
I'd compare it more to something like vandalism.
really? maybe it's more like a boycott, or picketing in front of a business. They didn't break into the guy's servers. And no one forced the owners of the compromised machines to download the trojans. (OK this last point may be the weakest part of my argument...)
I just think society as a whole would be better off if people like wicked could be shown more information about the effects of their exploits. Educate him. Find out what his incentive is to start ddos attacks and attack the problem right there. That, imho, is the most efficient way to prevent future problems.
putting him in jail may satisfy your thirst for revenge but won't stop other attacks very efficiently.
Like all software that MS uses, it probably changed it to suit their needs.
yeah, there are legal and ethical issues with counter-zombieing. That Max Butler story is sobering, it looks like the feds turned on him after he refused to rat on a friend. nice.
with the techniques he employed, it seems quite possible to create an anti-zombie "team" to go out and defuse ddos nets. I'd probably even pay a team to do just that, if I was losing real dollars to a ddos.
Here!
/Svennis
---
Slagborr
Ok my karma is maxed out. When do I become Enlightened?
This attack was so effective because it involved hundreds of Windows hosts which were easily infected. Eggdrops (though there is a version for Windows) run on *nix servers, like you said, which are slightly harder to infect with a trojan. So eggdrop bots used for DDoS are much less common as it's harder to get the large numbers (and the bandwidth) to pull off a DDoS attack.
But, eggdrops are very frequently used on IRC for channel services (as mentioned earlier), and even in massive bot nets. However, these exist for redundancy rather than attack. On a netsplit-prone network that has no services (namely EFnet), bots are absolutely essential to maintain any public channel, and the more the better. And of course, eggdrops are preferably hosted on good connections, as they themselves are frequently targets of attacks.
Cable Modem users need to learn about firewalls
Firewalls don't help against valid traffic flood attacks. In a VTF DOS (such as a ping flood, port 80 SYN flood, or Slashdot effect), RFC-conforming packets (not malformed packets as in ping of death) disguised as legitimate requests are sent to the target; so many packets are sent that the pipe fills up and the server has trouble fielding requests. Such attacks take advantage of the client-server nature of the commercial Internet as we know it at the turn of the century by using lots and lots of underpowered connections (56K, ISDN, low-end DSL) to take down fat pipes (high-end DSL or cable, T1, even T3).
Floods MUST be blocked upstream.
Will I retire or break 10K?
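What "floods MUST be blocked upstream" looks like in the data, as an added Python example that is not from the thread: the inbound packet log, the addresses, the one-second window and the 20-SYN threshold are all constructed or assumed. Two legitimate clients complete the TCP handshake; forty forged-source hosts each send a single SYN and never follow up. Aggregated by destination the flood is obvious, but no single source ever exceeds a per-source limit, which is the reason a filter at the target itself cannot fix it.

```python
from collections import defaultdict


def build_sample_packets():
    """Constructed inbound packet log for a web server: (seconds, src_ip, flags).
    'S' is a bare SYN, 'A' an ACK, 'PA' a data segment. Legitimate clients
    send all three; the flood sources (198.51.100.0/24, a documentation
    range) send one SYN each, as a spoofed-source flood would."""
    pkts = []
    for i, src in enumerate(("10.1.1.1", "10.1.1.2")):
        pkts += [(0.10 + i * 0.01, src, "S"),
                 (0.20 + i * 0.01, src, "A"),
                 (0.30 + i * 0.01, src, "PA")]
    for i in range(40):
        pkts.append((1.0 + i * 0.02, f"198.51.100.{i + 1}", "S"))
    return sorted(pkts)


def syns_per_window(packets, window=1.0):
    """Bucket bare SYNs into fixed time windows, keeping each packet's source."""
    buckets = defaultdict(list)
    for ts, src, flags in packets:
        if flags == "S":
            buckets[int(ts // window)].append(src)
    return buckets


def detect_flood(packets, window=1.0, threshold=20):
    """Flag windows whose SYN count exceeds the threshold (assumed value).

    Each alert records how many distinct sources took part and the largest
    share any one source holds: a share near 1.0 means a per-source block at
    the target would work, a share near 1/N means it would not."""
    alerts = []
    for win, sources in sorted(syns_per_window(packets, window).items()):
        if len(sources) > threshold:
            per_source = defaultdict(int)
            for src in sources:
                per_source[src] += 1
            alerts.append({
                "window": win,
                "syns": len(sources),
                "distinct_sources": len(per_source),
                "top_source_share": round(max(per_source.values()) / len(sources), 3),
            })
    return alerts


def half_open_sources(packets):
    """Sources that sent a SYN but never any ACK. A real client finishes the
    handshake; a flood (spoofed or not) usually never does."""
    syn, ack = set(), set()
    for _, src, flags in packets:
        if flags == "S":
            syn.add(src)
        elif "A" in flags:
            ack.add(src)
    return sorted(syn - ack)


if __name__ == "__main__":
    log = build_sample_packets()
    for alert in detect_flood(log):
        print(alert)
    print(f"{len(half_open_sources(log))} sources never completed a handshake")
```

The two measurements pull in different directions on purpose: the half-open list tells you the connections are not real, while the top-source share tells you that dropping them one address at a time at your own border buys nothing, because the pipe is already full by the time the packets reach a filter you control.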
Nothing more than the whim of a 13-year old slashdot editor is required to knock any user, site, or server right off the Internet.
Clearly this is not an issue. All it takes is one competent programmer in the cracker community or elsewhere to write a modified TCP stack for Windoze which can spoof the source IP and all the zombies can bring it with them. What Microcruft supplies for free only speeds things up very slightly.
Remember most of the compromised machines are on cable connections, so downloading their own TCP stack wouldn't take much time.
_O_
_O_
.|< The named which can be named is not the true named
I'm surprised he didn't write his entire note in assembly language.
Based on what Gibson said in his article, part of the problem is the fact that this dude Wicked was doing something pretty illegal, but there was no effort or intent to apprehend & punish him for these actions _unless_ significant amounts of cost were incurred, and such costs can be demonstrated.
So if he takes down your office server, sucks to be you, but if he attacks AT&T's web site, damned straight he's going to jail. That's pretty bogus.
I don't understand, though, how Steve can gripe about Microsoft's decision to implement a complete version of sockets in WinXP. He gripes because it will be possible to send a packet programmatically "from" any IP address one chooses (spoofing). He wants Microsoft to BREAK the standards compliance because someone could use it for a DDoS attack. I wish people that don't like Microsoft's way of doing things would make up their mind; I would LOVE to see a fully implemented standard, and I don't (and have no reason to try, on a modem connection) want to DDoS people. They either want standards compliance, or they don't. Grrr...
Forging the IP address of an attacking machine (spoofing) is such a trivial thing to do under any of the various UNIX-like operating systems, and it is so effective in hiding the attacking machines, that no hacker would pass up the opportunity if it were available.
When would a hacker use a DOS attack in the first place..
you would see Steve did contact Earthlink and the FBI and neither were interested in doing anything, even when Steve offered to fly to @Home in Redwood City to help them find more infected cable client PCs; they just told him to go away... what are the discrepancies in the article, oh great wise one?
"...can you imagine a BEOWULF CLUSTER of these? That'd be some serious power!"
they had worked with him before on the Patchwork issue when all the russian and ukie haxors broke into all the banks running win nt.
it's not like he was a nobody crying wolf, but what is the use of going after a 13 year old?
they let them walk with counseling when they kill their classmates with a gun...
"...can you imagine a BEOWULF CLUSTER of these? That'd be some serious power!"
Following a recent spate of DDoS attacks on his grc.com (home of Shields UP!), Steve Gibson investigated, finding a website run by open source hackers (Note from C.T: crackers) called "News for nerds, stuff that matters" where people post website that are to be DOSed.
Nicknamed the "slashdot effect", it has already brought down countless web servers in the past.
!
^_^
From reading the article, it looks like the attack did use up all of the downstream bandwidth on his two T1s, so I assume the graph was of upstream bandwidth.
You raise a couple good points. However, 90% of these bots were eggdrops, which were run off of *nix and NOT Windows. Many *nix boxes were spoofed. I'm sure recently that number has changed, but I'm sure that bot net still consists of mostly *nix shells with strong network connections. There is a lot more stability if it is running as a process on a *nix based shell. The ideal eggdrop bot would be running off an ISP with T1 or T3 connectivity. I've accessed them, but never ran one. If I was to run one, I wouldn't even consider using Windows. I am not a Linux advocate by any means, but this is just how it is.
Bot net is nothing new. I have had access to and have seen this army of compromised irc bots, it is called Bot Net. It has been around for years, used mainly for disconnecting enemy script kiddies to take over their channels back in the days. It is downright amazing the power of these bots. A good network of them would eliminate your average target in just seconds. One command is all it takes to have thousands of separate network connections from all over the world ping flood the address with huge packets. Therefore, it is also virtually impossible to trace.
So in theory, even spoofed packets could be traced back to my machine by my ISP (assuming the NIC address is slapped onto every packet sent by my machine).
Would it be possible to use some system like this to prevent spoofing (at least from always-on connections), assuming the ISPs would agree to check DDoS packets against NIC addresses?
Yeah, and you are helping!
/. effect wins again!
P
--
Sorry 'bout the excess '!'s. I have an allotment for the day, and I haven't used ANY until now!!!
Yeah, sounded to me like if I'm very nice and respectful to him, maybe he won't give my details to the Feds.
Woefdram, l'apprenti sorcier
Nah, how about instructing all his bots to send crap e-mail to his own address? Through a remailer, of course. Let's see if the kid's smart enough to see what happens or to stop it :)
That could change quite dramatically if a few ISPs actually started to make their users aware of security and provide them with help (both helpdesk and software like ZoneAlarm). It happened to cars, for example. Manufacturers knew you were in big trouble when you crashed a car, but no one thought of telling the public, because it might scare them away from their cars. Look what the situation is nowadays: results from crash-tests (such as Euro NCAP) are heavily used in commercials for cars. The more security measures a car features, the better the public likes the car. Security sells!
So why wouldn't this be true for ISPs? Suppose I'm someone who wants to get a cable modem because I want to surf a lot and maybe run some other stuff. Not an advanced user, just John Doe who likes having a permanent and fast connection (and I think that's the larger part of cable modem users all over the world). Now two of my friends have normal providers who keep their mouths shut about whatever might concern security and two others have a decent ISP, that explains about what might happen and how to avoid it. Sure, the first two guys will probably have less "strange messages" to worry about, but I think I'd sleep a lot better if I knew that my connection had at least some sort of protection against the threats my other two friends don't even know exist.
And I think it would be better for ISPs themselves. After all, if their users have some basic knowledge of security and check their configuration every now and then, the ISP will not get involved in this kind of stories as often. Better for their name and the chance of probable claims from victims.
Again I want to point to a story from car history: the Ford Pinto. This car had the petrol tank behind the rear wheels. It proved that this was catastrophic when another car crashed into your back: the tank would burst and the petrol would instantly turn to fire because it was in immediate contact with the hot engine of the car that crashed into it. Ford didn't change it, because at that time security didn't sell. When it turned out that Ford had known that this car was dangerous and hadn't done anything to change it (because it was cheaper to pay a few claims than to change the design of the car), they got the public opinion against them.
I think the same goes for ISPs: security does sell, it's just that the general public needs to be made aware of it. I'm sure a lot of @Home users aren't too pleased to hear that they've been abused for criminal activities, while their ISP knew that but didn't act. So let's spread the word: using the Internet can be dangerous, just as driving a car can be dangerous. Don't be defenseless, do something about it!
Woefdram, l'apprenti sorcier
It's normal for me to keep a packet log up and preview it every so often just to see that nothing "funny" is going on.
The number of attacks (port scans, etc) dropped thru the floor the moment I set net.ipv4.icmp_echo_ignore_all=1 in sysctl.conf. (Red Hat system)
Probably 1/20th of the previous level.
-Ben
I have no problem with your religion until you decide it's reason to deprive others of the truth.
If you wear a condom while blowing junkie male prostitutes, are you practicing safe sex?
This sig is xenon coated, and will glow red when in the presence of aliens
Why would they care? Guess what - when an OS has 95%+ of the market or whatever the figure is (that sounds high), you have a statistically higher chance of being hit. Besides, I'll bet you that Linux would do just as poorly in the hands of the same people who had their machines zombified - how many people are capable of properly securing their machine? And how many people do you think would have been running an old, out of date copy of the OS anyway?
In fact, what he's saying is that by making Win2000 more like UNIX, Microsoft is making the entire Internet less secure. And in this case (making spoofing packets easier), I believe him.
You are in a maze of twisty little relative jumps, all alike.
How I wish you were kidding. As much as I dislike AT&T (roadrunner/mediaone), at least they filter the ms file sharing ports...
-bluebomber
The Daily Build
fine article... one thing was conspicuous due to its absence; nowhere in the article was there any mention of MacOS, not at all surprising... not that MacOS (particularly MacOS X) is some sort of hardened concrete bunker, it does not exist in a vacuum and if a Mac box is connected to the internet... well... but it sure as hell is more secure than WindowsWhateverNumberOrSuffix
Hmm, using winsock, this is true. Generally speaking, this is completely false. Anyone can write an NDIS driver to spoof to their heart's content. There is a windows port of pcap which has a low level NDIS side which provides mechanisms to send arbitrary packets out.
He doesn't make any firewalls (yet), so how can this be a competing product?
Wu-Tang Name: Half-Cut Skeleton Get your own Wu-Na
There's no point in adding such a feature to an OS as long as you have full root/administrator privileges, since you can load your own TCP stack which will allow this. And such an obscure layer won't stop fucking kiddiez from doing DDoS attacks; they will just download newer sources/binaries with kernel modules/dlls included. The thing which WOULD help is to enlighten lazy administrators about setting proper ACLs on routers, i.e. so that routers will drop spoofed packets and possibly deny any malicious inbound traffic (read: scans run across the whole internet searching for insecure boxes). After all, from my own experience (I'm running an IRC server on a major network), most attacks come from insecure University boxes, which often have pretty good pipes.
--
Friends don't let friends use multiple inheritance.
Nah. Have the bots DDOS the IRC server. :)
Alright, people using Linux want Windows users to switch to Linux because it's more stable, more respectful of open standards, blah blah M$ is crap blah blah lusers blah blah BUT when MS decides to be more respectful of one of these open standards, IT'S BAD??!! Ok, home users will always be 'Administrator' (and you have to be admin to spoof packets) but the shortcut is simply AMAZING!
A.D. 1517: Martin Luther nails his 95 Theses to the church door and is promptly moderated down to (-1, Flamebait).
I would expect winpcap to be very difficult to install remotely. And it requires a reboot.
Also when I was using it with ADSL before linux drivers were available for the USB modem we get in the UK windows was very very ... very fussy about what order the interface drivers and winpcap were installed in. Uninstalling and reinstalling tcp-ip was sufficient to render the machine unbootable.
Fortunately, I kept a low level snapshot of the windows partition so I just booted into linux, zcat windows-is-screwed.gz | dd of=/dev/hda1 and all was well again
:-)
God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
Fortunately -- the attacking machines were all security-compromised Windows-based PC's. In a fluke of laziness (or good judgement?) that has saved the Internet from untold levels of disaster, Microsoft's engineers never fully implemented the complete "Unix Sockets" specification in any of the previous versions of Windows. (Windows 2000 has it.) As a consequence, Windows machines (compared to Unix machines) are blessedly limited in their ability to generate deliberately invalid Internet packets.
It is impossible for an application running under any version of Windows 3.x/95/98/ME or NT to "spoof" its source IP or generate malicious TCP packets such as SYN or ACK floods.
As a result, Internet security experts know that non-spoofing Internet attacks are almost certainly being generated by Windows-based PC's. Forging the IP address of an attacking machine (spoofing) is such a trivial thing to do under any of the various UNIX-like operating systems, and it is so effective in hiding the attacking machines, that no hacker would pass up the opportunity if it were available.
This has horribly changed for the worse with the release of Windows 2000 and the pending release of Windows XP. For no good reason whatsoever, Microsoft has equipped Windows 2000 and XP with the ability FOR ANY APPLICATION to generate incredibly malicious Internet traffic, including spoofed source IP's and SYN-flooding full scale Denial of Service (DoS) attacks!
So we are left with the vision of loads of potentially insecure Windows boxes - open to the world - being used for more DDOS attacks.
None of which will be pleasing to the MS loyalists
thank you microsoft. This last point is kinda important:
I hope it is becoming clear to everyone reading this, that we can not have a stable Internet economy while 13 year-old children are free to deny arbitrary Internet services with impunity.
and we wonder about the future of the internet.
Check out the Vinny the Vampire comic strip
"It is a greater offense to steal men's labor, than their clothes"
Karma whorin' since 1999
This note is only 33 characters!
sulli
RTFJ.
this was a great article. Fascinating. I'll take the exclamation points and call-outs for the info. (I've run ZoneAlarm for 2 years now thanks to Steve...)
sulli
RTFJ.
The thing is, you can't stop people from getting fast connections, and you can't force them to secure their machines. So even if your system is set up well, you're still vulnerable to these types of attacks. It's not the people who have "left the door open" who are really being victimized - they probably barely notice the use of their bandwidth.
Of course, it is a competing product. He is hardly an independent opinion.
But yeah, the guy's a blowhard. Still his article documents a nice piece of work.
slashdotted.
damned if you do, damned if you don't.
Alcohol, Tobacco and Firearms should be the name of a store, not a government agency.
Quoting today's popular quote:
"I hope it is becoming clear to everyone reading this, that we can not have a stable Internet economy while 13 year-old children are free to deny arbitrary Internet services with impunity."
While this is true, anyone who goes online should not set their system up like a 13 year old might either.
In other words: Don't leave your door open if you do not wish to be victimized. Unfortunately, the local cable company turns on MS file sharing for "support purposes" on all new installs, so one can see how easy it was for this person to gain control of so many systems.
You're a step ahead of me! That's an excellent idea! I'm sure a lot of folks would bitch and moan about it, and even some might try to sue for 'Patching' their crappy system, but I think w/ enough Press & claiming the 5th under the 'Good Samaritan act', you could probably get away w/ it (and boy could you imagine the movie deals?? the books?? interviews??....Wow..Makes me ALMOST want to put my beer down and do it..ALMOST..ROFL!)
LFS. Have you built your system today?
Why don't you stop with the 'Anonymous' postings and show your face??
You a teacher? probably of preschoolers...
LFS. Have you built your system today?
Yes, but the problem here is that average Joe Public doesn't want to hear the facts. They want to hear an over-dramatized version of events, where aircraft navigation systems are at the mercy of 13 year old kids. Gibson plays to this, and in doing so, serves to perpetuate the public's general misunderstanding of computer security.
Not only that, but he's also factually incorrect about Win98 machines being unable to spoof IP headers. Furthermore, his suggestion that this functionality should be removed to "protect" us all is ridiculous. Anyone who wants to spoof packets badly enough will be able to do so - it only takes one person to write a special device driver, et voila! DOS avoidance should be at the network/router level, and not rely on the ridiculous assumption that all hosts attached to the internet will behave themselves.
(and what's with the highlighting of certain random sentences all over his page?! It's like the guy desperately wants to be writing for a magazine)
"Wicked" and his IRC Bots communicate by logging onto an IRC server located at the domain "wkdbots.***.**". Hmm... could that be wkdbots.ath.cx ? [10:10] *** Now talking in #pines1 [10:10] *** jjqqr sets mode: +o aorie [N] [o: 28][v: 0][n: 0][t: 28][m: +sntk penile] I guess I now have a DDoS network at my disposal if the need ever arises :)
I think the funniest part of the article for me is that he infects one of his machines with a Zombie, then tries different personal firewalls to see whether they catch it. ZoneAlarm works well, but BlackICE defender doesn't do anything to help. Then he says:
To anyone who is still stubborn enough to insist that BlackICE Defender is actually good for something: PLEASE do not write to me. I don't want to hear it. I'm a scientist who will not find your mystic beliefs to be compelling. I respect your right to your own opinions, no matter how blatantly they fly in the face of logic and reality. That is, after all, the nature of faith. Happy computing. I suggest prayer.
I love that last part, "I suggest prayer."
Check out Althea for a stable IMAP email client for X. Now with SSL!
Come on now. We both know that this is NOT going to happen. Ever helped your mom or your neighbor or some other clueless individual with a Windows PC? Most of the people I talk to can barely figure out what an icon is much less understand at all how to secure their system. It sucks, but that's the reality. Computers are commodity, like VCRs and CD players. At this point, they're no different. That's the sad truth.
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
Actually, I have friends that have played with Whistler (or XP-beta, I guess), and the firewall that comes with it is pretty good, at least from the usual "nmap Fred's_ip_address" standpoint. Heck, nmap couldn't determine the OS used (the signature is too new to be in the database).
Need a Linux consultant in New Orleans?
You're a business owner in a niche market. Hence, your primary revenue comes from your website. You're not well off, but you're surviving doing what you enjoy. Some kid takes your site down for no other reason than he's bored. You can't do business for days (it took Steve 18 hours the first time, and he knew who to call). And that's just the first attack, who knows if it will be sustained. It could go on for weeks. You lose thousands of dollars, maybe more. You can't pay your suppliers. You're forced to declare bankruptcy. Your credit is destroyed, your finances are destroyed. You lose your home, you can't provide for your family. It's entirely possible you're forced to move to a shelter if you don't have friends or relatives who can take you in. That's right, you're literally starving on the street because some 13 year old found a cool bot on IRC. You don't think that's hurting someone? You don't think that's terror?
No, I'm really not. You're just operating under the mistaken assumption that terrorism must cause physical harm. It needn't. Terrorism is defined as committing violence for the purpose of coercion. Violence need not be physical, that's why the term "acts of physical violence" even exists.
If your "life" depends on your internet run business, you'd better have the technological know-how to deal with any and all potential problems that come up, including script-kiddies.
Oh that's just utter bull. There are any number of events that could ruin your life no matter how well you prepare for them. You cannot prepare for all eventualities. It's the ultimate in either arrogance or naivete to believe you're invulnerable.
Oh, and your example is rather heavy on the side of exaggeration
Of course it is. I don't consider it a likely scenario, but it is a possible one. Dismissing any event that doesn't cause physical harm is just ignorant and sad.
Please explain how a person with a bankrupt company is unable to get a temp job somewhere in order to pay for food.
Have you ever declared bankruptcy? Sure you can get a job, so what? Could you support a family working at the local grocery store? My uncle was forced to declare bankruptcy after a divorce several years ago. He was reasonably well off, a successful real estate agent who lived in a "luxury village" condominium, bought a new car every few years, etc. After the divorce and bankruptcy he was nearly penniless. Luckily they had no kids. He stayed in a friend's den for a few weeks before moving in with his sister (my mother) and was working at the mall selling cell phones and having to work his way back up life's ladder. If he didn't have that support network or if he'd had to be responsible for more than just himself he'd be living below the poverty level at least, if not worse.
I'm not saying people who have been subject to events like that deserve special treatment or privilege, I'm saying that your dismissing them as morons who got what they deserve is disgusting.
"Surprisingly, the thing which saved him is Win 9x's non-standard implementation of Sockets"
- Wasn't it the crappy security in windows that allowed the DOS attack to occur in the first place?
Within the first 14 hours I had witnessed 7 attacks-- three people from outside @home had attacked port 20 (ftp), one had attacked port 515 (lpd, known security problem), two were subseven trojan backdoor scans, and one was a netbus backdoor scan. All in all, over 100 packets were logged at that time, though most turned out to be benign (myself forgetting that I had blocked all pop3 access to the server, f. ex., and then trying to use a very restricted account to receive system email remotely, as well as dhcp broadcast traffic-- the rules are being updated to avoid confusion).
The home user should be taught basic computer safety and security, IMO. However, vendors don't want to scare their customers, so real security is next to impossible to attain....
LedgerSMB: Open source Accounting/ERP
I found myself almost reading his account like reading Cryptonomicon. It was very interesting for me to read how he built bots for IRC and collected four days of data on the ^BOss^ person and all their activities. I bet they probably crapped their pants when he popped in and started talking to them and said what he'd been doing. I loved how ^Boss^ was very quick to point out that he didn't do it and wouldn't do it in the future. Ducking and covering there. All in all a great read. I highly recommend you spending the time to do so. Almost like reading a fiction novel.
As a rock-in-roll Physicist once said, No matter where you go, there you are.
In a previous life I was the green (read: my first month on the job) sysadmin who had a unix machine trojan'ed to become a zombie for a DDoS attack. It saturated our measly internet connection and proved how useless our security (policy) guy was.
I didn't have time to look into it at the time, busy fixing that and a dozen other problems. So I was enlightened to know more about what had happened.
There is a lot of accessible security information at SANS, though they get annoying at times by trying to sell their conferences and courses, which I understand are worth going to.
I would hardly call a 13 year old with too much time on their hands a "hacker". Punk ass maybe, but hacker no.
RA7
-
"Consistency is the hobgoblin of small minds" - RWE
What can you say when it rains it pours!
Apocalypse Cancelled, Sorry, No Ticket Refunds
It seems that maybe some "script kiddies" have decided to teach Gibson a lesson. I have not been able to get grc.com all day. I am wondering if some hackers didn't read his article and take his advice and DDOS him on Windows 2000 or other OS's with a compliant TCP/IP stack. Perhaps someone even took the initiative to write a very efficient Zombie Bot in 100% pure assembly language.
'Same speed C but faster'
In May 2001 ....
DDOS was beginning.
^b0ss^: What happen ?
IRC: Somebody set up us the chat.
IRC: We get signal.
^b0ss^: What !
IRC: Main screen turn on.
^b0ss^: It's You !!
Gibson: How are you gentlemen !!
Gibson: All your bot are belong to us.
Gibson: You are on the way to prison.
^b0ss^: What you say !!
Gibson: You have no chance to survive make your time.
Gibson: HA HA HA HA
^b0ss^: Take off every 'bot' !!
^b0ss^: You know what you doing.
^b0ss^: Move 'bot'.
^b0ss^: Oh great crap.
The folk who are flailing around condemning the 'incomplete sockets implementation' should consider that the IETF never endorsed BSD sockets as a standard. The ability to forge packets is arguably a fault in the BSD sockets spec and Microsoft was arguably correct in implementing checks on the IP source packets it will generate.
Slashdotters who posted MSFT flames could do to repeat 100 times 'the UNIX way is not always the right way'.
In days of yore we VMS folk used to flame UNIX precisely because this sloppy type of programming was pervasive.
It would be interesting to know what facilities the firewall in Windows-XP provides for filtering and monitoring forged packets. It would also be interesting to know how difficult it is to disable the firewall.
As one poster has pointed out, however, the fact that most cable hookups tend to have source address checking probably saves the day. Also the fact that many home users have NAT boxes to share their cable connection around the house probably provides some protection.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
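The router-side check that this post and the earlier one about "proper ACLs on routers" both call for, as an added example that is not the page's or any poster's code: it drops packets whose source address lies outside the prefix assigned to the interface they arrived on (network ingress filtering, RFC 2827 / BCP 38) and counts bare SYNs per source so the "heaps of SYN packets from one IP" pattern can be flagged. The interface names, prefixes and packet records are constructed for the example.

```python
"""Ingress filtering and a SYN-rate check over constructed packet records.

Added example (not from the article or any poster). Models the thread's
advice: the ISP edge drops packets whose source address is not one the
customer interface was assigned (RFC 2827 / BCP 38), and a per-source
counter flags hosts sending many bare SYNs to one destination.
"""
import ipaddress
from collections import Counter, namedtuple

# One record per packet as a router would see it on a customer-facing port.
# Fields: ingress interface, source IP, destination IP, TCP flag letters.
Packet = namedtuple("Packet", "iface src dst flags")

# Constructed: prefixes the ISP assigned to each customer-facing interface
# (RFC 5737 documentation ranges, not real customers).
ASSIGNED_PREFIXES = {
    "cable0": [ipaddress.ip_network("192.0.2.0/24")],
    "cable1": [ipaddress.ip_network("198.51.100.0/25")],
}


def source_is_legitimate(pkt, prefixes=ASSIGNED_PREFIXES):
    """True if the packet's source lies inside a prefix assigned to the
    interface it arrived on; anything else is treated as spoofed."""
    nets = prefixes.get(pkt.iface)
    if not nets:
        return False  # unknown interface: fail closed
    try:
        addr = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False  # malformed address never matches a prefix
    return any(addr in net for net in nets)


def ingress_filter(packets, prefixes=ASSIGNED_PREFIXES):
    """Split packets into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        target = forwarded if source_is_legitimate(pkt, prefixes) else dropped
        target.append(pkt)
    return forwarded, dropped


def syn_flood_sources(packets, threshold):
    """Return {src: count} for sources that sent at least `threshold` bare
    SYNs (SYN set, ACK clear) to a single destination. These are the flows
    a rate-limiting ACL on the router would throttle."""
    counts = Counter()
    for pkt in packets:
        if "S" in pkt.flags and "A" not in pkt.flags:
            counts[(pkt.src, pkt.dst)] += 1
    return {src: n for (src, _dst), n in counts.items() if n >= threshold}


# Constructed sample traffic: two well-behaved hosts, a few packets whose
# source does not belong on the interface (spoofed or malformed), and one
# host hammering a single destination with bare SYNs.
SAMPLE = (
    [Packet("cable0", "192.0.2.10", "203.0.113.5", "S")] * 3
    + [Packet("cable0", "192.0.2.10", "203.0.113.5", "A")]
    + [Packet("cable1", "198.51.100.7", "203.0.113.5", "SA")]
    + [
        Packet("cable0", "10.0.0.1", "203.0.113.5", "S"),        # not assigned
        Packet("cable1", "198.51.100.200", "203.0.113.5", "S"),  # outside /25
        Packet("cable1", "not-an-ip", "203.0.113.5", "S"),       # malformed
    ]
    + [Packet("cable0", "192.0.2.44", "203.0.113.5", "S")] * 50
)

if __name__ == "__main__":
    fwd, drop = ingress_filter(SAMPLE)
    print(f"forwarded={len(fwd)} dropped_as_spoofed={len(drop)}")
    print("possible SYN flood sources:", syn_flood_sources(fwd, threshold=20))
```

Note that the filter only stops forged sources from leaving the customer's network; the SYN counter is what exposes a flood whose source address is genuine, which is the case the original article says Windows 9x bots were limited to.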
First off, mirror here. It took me a while to get this one, his server is dead slow today.
My servers can't be easily DoSed off the Internet, as I have a (fairly) secure ISP. They know how to administer their routers and have professionals on the job. Does Steve's ISP have professionals on the job? Apparently not.
He has something technically wrong, too. He is always bragging about how he can ignore "ICMP packets completely," but unfortunately, that's kind of impossible. For you to ignore those packets of data, they have to reach your machine. Therefore, you've used the incoming bandwidth anyway. It's still just as effective.
I noticed that he ignored them using the ISP router, which is indeed possible. That way, he's right, he isn't DDoSed. But he's been talking about how he always ignores him at his machine! Blah.
Cat and mouse "guess the IP?" Was he changing his IP address? He might as well have left it to be DDoSed, as nobody's DNS records would have been refreshing fast enough to be able to easily access the site.
He's right though, the Internet wasn't designed to scale like this. It is, in fact, getting to the point where almost anyone could disable any site, large or small.
Do you like German cars?
from http://www.theregister.co.uk/content/4/19332.html
According to top security expert Steve Gibson, Windows XP threatens to make the Internet unstable as it will allow large numbers of people to launch uncontrollable denial-of-service attacks to whichever IP address they see fit. Mr Gibson came across the flaw while doing an in-depth investigation into DoS attacks on his own site, grc.com.
"In a fluke of laziness (or good judgement?) that has saved the Internet from untold levels of disaster," he wrote, "Microsoft's engineers never fully implemented the complete 'Unix Sockets' specification in any of the previous versions of Windows. (Windows 2000 has it.) As a consequence, Windows machines (compared to Unix machines) are blessedly limited in their ability to generate deliberately invalid Internet packets."
These invalid Internet packets are what malicious Internet users fire at sites from a range of computers. So many are aimed at a particular site that all the bandwidth is used up and so the site disappears from view for all other Internet users as they get no information to or from the site's server.
All Windows OSes until Windows 2000 and now Windows XP would not allow someone to "spoof" the source of such Internet packets. This means that a sysadmin can see where they are coming from and then block all data from that PC - freeing up bandwidth and letting others see the site. Spoof packets don't allow you to do that.
Why, if Windows 2000 and all machines running on Unix can already spoof packets, do we need worry about Windows XP allowing the same thing? Simple: Windows XP is a consumer OS and so will be taken up by a huge number of technically illiterate consumers. These are precisely the people that hackers will target due to their limited understanding of security issues. They will allow Trojans, Zombie and other types of malicious program on their PCs, they will remain unaware of them and they won't be able to remove it, even if they do discover them.
This means that the opportunity for hackers to control and direct others' computers as they wish will grow at an enormous rate as more and more people upgrade to Windows XP. Steve Gibson writes in his piece: "When those insecure and maliciously potent Windows XP machines are mated to high-bandwidth Internet connections, we are going to experience an escalation of Internet terrorism the likes of which has never been seen before." He calls on everyone to contact Microsoft senior execs and explain the potential problem, with the aim of removing this ability, possibly in the first service pack it knocks out. He's serious. ®
... you read this in that other site.
Traitor.
PS: I don't read "the other site". A friend told me about it, honest.
PS to PS: I hope the people of the other site reading this site realize how childish they look when they refer to this site as that other site. As far as we are concerned you can go back to that site and leave this site in peace.
Now smile please.
IANAL but write like a drunk one.
Windows' standard networking interface (WinSock) is based on BSD sockets.
This means that windows' stack is interchangeable by anyone who bothers to implement it.
(Not many do, btw).
Win2K is the first version that actually takes the BSD stack code and uses it.
BTW, Linux, and most Unixes, also implement a BSD sockets system.
That is the de facto standard for networking.
--
Two witches watched two watches.
Which witch watched which watch?
Lets see, he has never used IRC, but he knows all about the Windows TCP stack. There can be only one reason, Mr. Gibson has the Microsoft source code. Folks, this is just an elaborate scheme to get his fixes into the windows source.
What is pirate software? Software for inventory of stolen treasure?
Steve. My hat is off to you. You walked a very fine line with: respect, grace and (classic definition) hacker motives. I think that under the circumstance all the player and the community at large can learn something large from this. Steve has pointed out, quite correctly, that wicked is to be f3ar3d, because .... wicked did it. With the release of Unix-like TCP/IP ....how many wicked will appear?
trianglecat
Cable Modem users need to learn about firewalls if the cable guy doesn't tell them!
So let me get this straight, you discovered your box was HaXoReD, found the responsible party, and asked him about it. He instructed you to go to a 3RD party website, run an executable program, and you promptly did exactly what he said..... I hate to think what could have been in that code........
Nice article, indeed...
:-).
But please note that Gibson was NOT running circles around these kids. In fact, he is still vulnerable to their attacks, as are all of us.
He was also lucky that the hax0rz discussed their deeds in a "private" channel (and one for which the password was available from the bots or from channel conversations), and were not using private messages.
With all respect to Gibson, the RFC for IRC is quite simple, the FSM sounded quite cool to me though
Some weeks ago we had a discussion on the 13 yo hax0r suicide, and comments that he might have only done what he did out of curiosity. Now we've got this - even though Gibson is not attacked any more, it seems more as the exception to the rule of not being able to protect ourselves.
I too (vaguely remembering the TCP/IP RFCs) see no need for a TCP/IP stack to permit setting up a different source IP address than configured for that interface. But it seems more the fault of the IETF than Microsoft, for implementing the full specification.
Can anybody more knowledgeable comment?
OK, enough ranting and best of luck to you all.
If I am not mistaken, in order to generate a fragmented IP Packet one must have root level access to the machine. Now, since it is generally explained that users not run their Linux Machines as the root account then there is a much lower chance of those machines becoming compromised.
Of course if there is a problem with a consumer-friendly *NIX running about then we would more than likely see it first with the latest iteration of MacOS X, since this OS does use a *NIX kernel as its core. It is quite possible that this OS would become rooted in time. If we watch how this happens perhaps an average-consumer-friendly release of Linux would be able to defend against such problems.
BTW, I would call an average-consumer-friendly version of Linux one that does not require the end-user to input a root password. One that is easy to administer for home use. Much like Windows 9x. The real challenge with a release like this would be making a remotely secure distribution without being locally secure.
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
He should have coded a bot to sit on the kid's bot control IRC channel and automatically fire a DDoS at the kid whenever he got on the channel.
Great writing, very interesting and terribly unfortunate!
Hell, I count 9 exclamation points (not counting quotes or "commands") in a rather long and detailed analysis... and never more than one per sentence. Picky, picky, picky.
-"I seem to be having tremendous difficulty with my lifestyle." - Arthur Dent
http://homepage.mac.com/umbilicus/grcddos/