Slashdot Mirror


Post-mortem of a DOS Attack

MartinB writes: "Following a recent spate of DDoS attacks on his grc.com (home of Shields UP!), Steve Gibson investigated, finding a network of compromised IRC bots being used to flood vulnerable targets. Surprisingly, the thing which saved him is Win 9x's non-standard implementation of Sockets, making it impossible to spoof IPs. However, he warns, even consumer versions of WinXP won't have this safety 'feature'. Is there time to prevent this? Is implementing the standard always A Good Thing?" Gibson uses too many exclamation points in his article. But it's still interesting, if only to note the number of exploited personal machines on cable modems.

15 of 242 comments

  1. Wow by Have+Blue · · Score: 5

    That was hands down the coolest article on computer security I've ever read. :)

    Everyone always writes about cracking in a condescending, "when-will-they-learn" tone, as if it's all a mildly amusing game (which it is to them, because the authors are rarely the ones being cracked). Gibson, who did get attacked himself, looks at cracking as the serious and dangerous problem that it really is. This article describes a real war, with first strikes, counterattacks, espionage, and so on.

    This really opened my eyes to what a huge problem the internet's technological loopholes have and will become. More mainstream articles of this form would surely help raise the awareness about security issues that was sadly lacking in all the unknowing carriers of Zombies.

    (And no, I do not consider this "fearmongering". Fearmongering does not offer solutions or point out that none of this would have happened if people would just GET A CLUE.)

  2. To spoof or not to spoof... by TBone · · Score: 5

    It seems there's a confusion in the discussion below, because people are too dumb to read the part of the article where Steve talks about Spoofed attacks. Let me try to explain.

    SG talked about two different attacks. The main one is the brute-force, fill-your-bandwidth, ping attack. This attack is based on known ports and data types that fall outside of what can be considered 'normal' traffic, since in no way should well over a gig of ICMP ping data per minute be considered normal. Because of this, the routers on the upstream side could be configured to disallow the passing of that data. This is what brought the servers back on the net each time.

    The part he just briefly touches on is the spoofed attacks, like SYN attacks and the like. These attacks require the source to manipulate the TCP stack outside of what would be considered 'normal' use. Like sending SYN packets and not sending the SYN-ACK in reply to an ACK that is required in the 3-way handshake. These attacks simulate normal data - SYN attacking the web server, for example. All connections to a web server start with a SYN. So there is no way to statelessly determine if any given SYN is valid or not. The only way to cancel out these attacks is to disable valid services running in your network.

    The problem isn't necessarily that Windows will now be able to spoof - the number of machines on the 'Net that can spoof has increased dramatically since Linux appeared on the scene. However, people that run linux also tend to know more about the technical aspects of their computers, and understand how to look for the signs of your computer being taken over (1). The typical Windows consumer (2), however, has very little idea what goes on inside the case where all those wires are connected to, and half of the time, couldn't even get the computer set up right if the cables and ports weren't color-coded. These are the people that see a new Email from Aunt Maude that says "Re: Re: Re: Re: Re: Re: Funny! Open now!" and open the little attachment that drops the Sub7 pieces into their registry before dancing around on their computer and making them laugh.

    And the problem is stupid laws that keep the FBI from pursuing 13-year-old script kiddies because our laws prevent much of anything from happening to them. Kids that sell drugs and rape other kids go to Juvenile Detention until they're 18, at which point they get out, do it again, and go away for a long time. The legal system needs to start treating the spoiled brats who have nothing better to do than DoS computers the same way. If they were picketing and physically blocking entrance to a Brick-and-Mortar store, the police would drag them away. This is the cyberspace extension of that very same idea.

    --

    This space for rent. Call 1-800-STEAK4U
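    The distinction TBone draws above (a ping flood is filterable on volume, a SYN flood is not distinguishable packet by packet and only shows up in connection state) is easy to see in code. The following is an added example written for this mirror, not code from the thread or from Gibson's article. It runs a constructed packet trace through a small stateful classifier: ICMP is judged on bytes per second, TCP SYNs are tracked until the handshake completes, and the alert fires on the count of half-open connections. The thresholds, addresses and the trace itself are assumptions made for the example.

```python
"""Stateful classifier contrasting an ICMP flood (volume-based) with a
SYN flood (state-based).  Added example; all traffic below is constructed."""
from collections import defaultdict

# Illustrative thresholds, not values taken from the article.
ICMP_BYTES_PER_SEC = 1_000_000   # sustained ICMP above this is treated as a flood
HALF_OPEN_LIMIT = 50             # pending handshakes per destination port
SYN_TIMEOUT = 3.0                # seconds a SYN may wait for its final ACK


def classify(packets):
    """packets: iterable of dicts with keys t (seconds), proto ('icmp'|'tcp'),
    src, dst, len; tcp packets also carry sport, dport and a flags set.
    Returns {'icmp_flood': [seconds], 'syn_flood': [(dport, half_open)]}."""
    alerts = {"icmp_flood": [], "syn_flood": []}
    icmp_bytes = defaultdict(int)   # bytes of ICMP seen per whole second
    pending = {}                    # (src, sport, dst, dport) -> time of SYN
    half_open = defaultdict(int)    # dport -> number of pending handshakes
    flagged_ports = set()

    for p in sorted(packets, key=lambda x: x["t"]):
        now = p["t"]
        # Expire stale half-open entries, as a real SYN backlog eventually does.
        for key, ts in list(pending.items()):
            if now - ts > SYN_TIMEOUT:
                del pending[key]
                half_open[key[3]] -= 1

        if p["proto"] == "icmp":
            sec = int(now)
            icmp_bytes[sec] += p["len"]
            # Volume alone is enough here: no state needed.
            if icmp_bytes[sec] > ICMP_BYTES_PER_SEC and sec not in alerts["icmp_flood"]:
                alerts["icmp_flood"].append(sec)
            continue

        key = (p["src"], p["sport"], p["dst"], p["dport"])
        flags = p["flags"]
        if "SYN" in flags and "ACK" not in flags:
            # A bare SYN: on its own it looks exactly like a real client's.
            if key not in pending:
                pending[key] = now
                half_open[p["dport"]] += 1
        elif "ACK" in flags and key in pending:
            # Third step of the handshake: the connection is established.
            del pending[key]
            half_open[p["dport"]] -= 1

        port = p["dport"]
        if half_open[port] > HALF_OPEN_LIMIT and port not in flagged_ports:
            flagged_ports.add(port)
            alerts["syn_flood"].append((port, half_open[port]))
    return alerts


def sample_traffic():
    """Constructed trace: 20 honest clients, then an 80-packet spoofed SYN
    flood, then 1000 full-size pings inside one second."""
    target = "203.0.113.10"   # assumed address of the attacked server
    pkts = []
    for i in range(20):       # honest clients complete the handshake 50 ms later
        src, sport = f"198.51.100.{i + 1}", 40000 + i
        pkts.append(dict(t=0.1 * i, proto="tcp", src=src, sport=sport,
                         dst=target, dport=80, len=60, flags={"SYN"}))
        pkts.append(dict(t=0.1 * i + 0.05, proto="tcp", src=src, sport=sport,
                         dst=target, dport=80, len=52, flags={"ACK"}))
    for i in range(80):       # spoofed flood: every SYN from a different forged source
        pkts.append(dict(t=2.0 + 0.01 * i, proto="tcp",
                         src=f"10.{i % 256}.{(i * 7) % 256}.{(i * 13) % 256}",
                         sport=1024 + i, dst=target, dport=80, len=60, flags={"SYN"}))
    for i in range(1000):     # ICMP flood: 1.5 MB of echo requests in second 5
        pkts.append(dict(t=5.0 + 0.001 * i, proto="icmp",
                         src=f"192.0.2.{i % 200 + 1}", dst=target, len=1500))
    return pkts


if __name__ == "__main__":
    print(classify(sample_traffic()))
```

    Note that the flood is reported as a count of half-open handshakes on port 80, not as anything about the individual SYNs; the honest clients never raise the count because their ACKs arrive. In a real server this state lives in the kernel's SYN backlog, and SYN cookies (`net.ipv4.tcp_syncookies=1` on Linux) let the server keep answering SYNs during a flood without storing state per connection.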

  3. Re:Script kiddie meets "real" hacker, soils self . by Rinikusu · · Score: 4

    I thought the exchange with ^boss^ was funny as hell. You could almost read "Jesus, if this guy can fucking hack my bots, spy on my channel, know how many active bots I have, what targets I've hit in the past week, fuck! fuck fuck fuck! I'd better start staying over my friends' house and I'd probably better format and shred my harddrive! Fuck fuck fuck!"

    --
    If you were me, you'd be good lookin'. - six string samurai
  4. My experience as an IRC admin by GoNINzo · · Score: 4
    I noticed a bunch of bots connecting to our irc server approx a year and a half ago. After monitoring them for a bit, I found their password, found out they were subseven bots, and got their ports and passwords. I then proceeded to manually remove the bots over the period of the next couple of days. You can remotely remove subseven bots if you have ports and passwords. I removed around 500 bots or so. When they hopped their dynamic IP (when they figured out what I was doing) I followed them, got them Glined there, and followed them to three separate servers before they gave up and disabled the dynamic ip address. It was a pain in the ass, but it was worth it when the guy finally threw in the towel.

    Glad someone else is invading these bot nets like I did.

    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
  5. minor corrections for you by joq · · Score: 4


    The only way to cancel out these attacks is to disable valid services running in your network.

    Actually you're wrong. I wrote "Daemonic" when I was writing "Theories in DoS", a paper on higher network level based attacks such as BGP, OSPF based attacks. Now what Daemonic does is sends pseudo random garbage (spoofed) to any port you specify.

    Simple lame little DoS attack right? Now even if you don't have the service running for the port you're sending the data to, it'll still crap out your Windows2000 box with ease. Now if you send it with a multicast source address which is weirder (haven't benchmarked) things really get odd.

    Either way it'll bang up your network. Now FYI sending data through to a port that's not running still has to get there which means the network can still amass latency, which is where you would want to nip it at the butt with your router or firewall.

  6. who are you kidding by joq · · Score: 5


    So someone writes and says they're a 13 year old script kiddie who knows that the FBI will traceroute, etc, etc, etc., and this is believable? Highly doubtable. As for the attacks, I would say Mr. Gibson should have his uplink provider hire some clueful router administrators who would've fixed the problem in a heartbeat.

    Lack of understanding from those involved often creates more harm than it helps. UDP packets coming in to a website? And the admins couldn't think firsthand network skills SYN --> ACK --> SYN, 3 way TCP handshaking? They need to go back and study up using some Cisco Press material.

    Anyways for those who haven't seen the page yet or are in charge of networking, and or firewall equipment, check out Stopping DoS which is a "do this now" tutorial to stop beating around the bush and cut DoS attacks at both the firewall, and network (router) level. It's not an rfc, not a write up of what a DoS attack is, simply a "fuck it's 3am and I'm getting DoS'ed now how do I stop this shit" paper.

  7. I was infected by one of these bots. by powelly · · Score: 5

    I must thank Gibson for the article, and Slashdot for bringing it to my attention.

    After I had finished reading I thought I'd check my machine (It's multi-boot, I don't use Windows that much). To my horror, I found out that my Windows partition was infected by the SubSeven bot.

    So I kicked up my IRC client and connected to the IRC server that the bot was on. I entered the admin channel and just sat there. A little while later somebody messaged me. I explained that a hidden bot was connected to the server and asked how to remove it.

    I was pointed at: http://www.moosoft.com

    I downloaded the "Cleaner" application which did a fine job of finding the bot and removing it.

    I had a little chat with (I assume) the person controlling these bots. The person seemed to be quite helpful, which surprised me.

    From the IRC stats, there were over 900 infected machines connected.

    After removing the bot, I disconnected from the IRC server. I'm now considering what to do next. The IRC server was hosted by a company offering UNIX shells, and IRC server hosting.

    Do I just leave it at that, put it down to experience and move on? Or should I inform the hosting company, and possibly risk being DoSed myself? (I suspect that the person I talked to on the IRC server logged my IP, which is static)

    --
    --- I'm sure using a computer was fun back in the 80's. *sigh*
  8. Script kiddie meets "real" hacker, soils self ... by JoeGee · · Score: 4
    I thought Mr. Gibson's article was well-written. That having been said it is amusing to see kiddiez like "wicked" get their comeuppance by someone from the old school who can actually craft their own code.

    My favorite line was:
    So I downloaded a copy of the Internet RFC 1459 for Internet Relay Chat (IRC) Protocol and figured out how IRC works.
    Before you question Gibson's skill, or his "inside information" (as one poster suggested "he must have had the Windows source code") consider that this man downloaded and learned the RFC for IRC. That might seem alien to someone who relies on the work of others, or reading script FAQ's, but this fellow knows how to make proper use of the tools before him and relies on his own knowledge to craft solutions.

    He did not have any help from Microsoft. He knows his tools and he knows his craft. By his own words he's not a magician, he's a scientist.

    Be humbled kiddiez, for every dozen of you who "hax0rz" on IRC there's someone like Gibson who actually can hack and run circles around you. Notice that ^boss^ gave this guy respect?

    That's very wise. :)
    --

    Get off my virtual lawn, you damned virtual kids!
  9. Mirror! by Svenne · · Score: 4

    Here!

    /Svennis

    --
    Slagborr
  10. Writing Style by Alien54 · · Score: 4
    I have found that while Steve Gibson has had a taste for a melodramatic writing style, that the technical detail in his writing is fairly solid and is certainly above average. So with that grain of salt the article is worth looking at:

    Fortunately -- the attacking machines were all security-compromised Windows-based PC's. In a fluke of laziness (or good judgement?) that has saved the Internet from untold levels of disaster, Microsoft's engineers never fully implemented the complete "Unix Sockets" specification in any of the previous versions of Windows. (Windows 2000 has it.) As a consequence, Windows machines (compared to Unix machines) are blessedly limited in their ability to generate deliberately invalid Internet packets.

    It is impossible for an application running under any version of Windows 3.x/95/98/ME or NT to "spoof" its source IP or generate malicious TCP packets such as SYN or ACK floods.

    As a result, Internet security experts know that non-spoofing Internet attacks are almost certainly being generated by Windows-based PC's. Forging the IP address of an attacking machine (spoofing) is such a trivial thing to do under any of the various UNIX-like operating systems, and it is so effective in hiding the attacking machines, that no hacker would pass up the opportunity if it were available

    This has horribly changed for the worse with the release of Windows 2000 and the pending release of Windows XP. For no good reason whatsoever, Microsoft has equipped Windows 2000 and XP with the ability FOR ANY APPLICATION to generate incredibly malicious Internet traffic, including spoofed source IP's and SYN-flooding full scale Denial of Service (DoS) attacks!

    So we are left with the vision of Loads of potentially insecure Windows boxes - open to the world - being used for more DDOS attacks.

    None of which will be pleasing to the MS loyalists

    Thank you, Microsoft. This last point is kinda important:

    I hope it is becoming clear to everyone reading this, that we can not have a stable Internet economy while 13 year-old children are free to deny arbitrary Internet services with impunity.

    and we wonder about the future of the internet.

    Check out the Vinny the Vampire comic strip

    --
    "It is a greater offense to steal men's labor, than their clothes"
    1. Re:Writing Style by ocbwilg · · Score: 5

      I have found that while Steve Gibson has had a taste for a melodramatic writing style, that the technical detail in his writing is fairly solid and is certainly above average. So with that grain of salt the article is worth looking at:

      But the thing that I find great about Steve Gibson is that he writes things in a compelling storylike format and in plain english that even the clueless could understand. We techie types already know most of what he had to say in this article to begin with. It's the non-techies who need to read this stuff and learn how to protect themselves, and I think that he does an excellent job at targeting areas of his site to that particular audience.
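    The Gibson passage quoted in comment 10 turns on one capability: a raw socket with the IP header supplied by the application (IP_HDRINCL on Unix-like systems, and on Windows 2000/XP) lets any program choose the source address it writes into the packet. Comments 5 and 6 (joq) make the complementary point that spoofed garbage still has to cross the upstream network, so the upstream router is where it should be stopped. The following is an added example written for this mirror, not code from the thread, from Gibson or from Microsoft. It assembles an IPv4+TCP SYN with a caller-chosen source address and valid checksums (nothing is sent), then runs it through the kind of source-address ingress filter an upstream provider can apply (RFC 2827 / BCP 38): drop anything whose source is outside the prefix assigned to that customer link. The addresses, the customer prefix and the target are assumptions made for the example.

```python
"""Spoofed SYN construction and a BCP 38 ingress check.  Added example;
addresses and prefix are constructed, no packet is transmitted."""
import ipaddress
import socket
import struct

CUSTOMER_PREFIX = "198.51.100.0/24"   # assumed prefix routed to one cable-modem pool
TARGET = "203.0.113.10"               # assumed address of the attacked server


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int = 0) -> bytes:
    """Return a complete IPv4 datagram carrying a TCP SYN.  src_ip is used as
    given: nothing checks that it belongs to the sending host, which is what
    handing the kernel a finished header (IP_HDRINCL) allows."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header: ports, seq, ack, data offset 5 words, flags SYN, window, cksum 0, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: ver/IHL, TOS, total length, id, DF flag, TTL, proto, cksum 0, addrs
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_src(packet: bytes) -> str:
    """Source address field of an IPv4 datagram, taken at face value."""
    return socket.inet_ntoa(packet[12:16])


def ip_checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    return checksum(packet[:ihl]) == 0   # a correct header sums to zero


def tcp_checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0,
                         socket.IPPROTO_TCP, len(tcp))
    return checksum(pseudo + tcp) == 0


def ingress_filter(packet: bytes, customer_prefix: str) -> str:
    """BCP 38 at the provider edge: a packet arriving on a customer port with
    a source outside that customer's prefix cannot be legitimate; drop it."""
    src = ipaddress.ip_address(parse_src(packet))
    return "accept" if src in ipaddress.ip_network(customer_prefix) else "drop"


def demo() -> dict:
    honest = build_syn("198.51.100.7", TARGET, 40000, 80)
    spoofed = build_syn("192.0.2.99", TARGET, 40000, 80)   # forged source address
    return {
        "honest": ingress_filter(honest, CUSTOMER_PREFIX),
        "spoofed": ingress_filter(spoofed, CUSTOMER_PREFIX),
        # Both checksums verify: the forgery is invisible inside the packet itself.
        "spoofed_checksums_valid": ip_checksum_ok(spoofed) and tcp_checksum_ok(spoofed),
    }


if __name__ == "__main__":
    print(demo())
```

    The point of the last field in `demo()` is that the forged packet is internally perfect; only the mismatch between its source address and the link it arrived on gives it away, which is why the filter belongs at the provider's customer-facing router rather than at the victim, where every source looks equally plausible.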

  11. poor GRC.com by dfenstrate · · Score: 4
    First he gets DDoS'd by a bunch of script kiddies, then he gets....

    slashdotted.

    damned if you do, damned if you don't.

    --
    Alcohol, Tobacco and Firearms should be the name of a store, not a government agency.
  12. Let's look at both ends here... by Cerlyn · · Score: 4

    Quoting today's popular quote:

    "I hope it is becoming clear to everyone reading this, that we can not have a stable Internet economy while 13 year-old children are free to deny arbitrary Internet services with impunity."

    While this is true, anyone who goes online should not set their system up like a 13 year old might either.

    In other words: Don't leave your door open if you do not wish to be victimized. Unfortunately, the local cable company turns on MS file sharing for "support purposes" on all new installs, so one can see how easy it was for this person to gain control of so many systems.

  13. He blasts BlackICE defender. by wmulvihillDxR · · Score: 5

    I think the funniest part of the article for me is that he infects one of his machines with a Zombie, then tries different personal firewalls to see whether they catch it. ZoneAlarm works well, but BlackICE defender doesn't do anything to help. Then he says:

    To anyone who is still stubborn enough to insist that BlackICE Defender is actually good for something: PLEASE do not write to me. I don't want to hear it. I'm a scientist who will not find your mystic beliefs to be compelling. I respect your right to your own opinions, no matter how blatantly they fly in the face of logic and reality. That is, after all, the nature of faith. Happy computing. I suggest prayer.

    I love that last part, "I suggest prayer."

    --
    Check out Althea for a stable IMAP email client for X. Now with SSL!
  14. good analysis by plcurechax · · Score: 5
    It is nice to see someone take the time to dissect a DDoS attack.

    In a previous life I was the green (read: my first month on the job) sysadmin who had a unix machine trojan'ed to become a zombie for a DDoS attack. It saturated our measly internet connection and proved how useless our security (policy) guy was.

    I didn't have time to look into it at the time, busy fixing that and a dozen other problems. So I was enlightened to know more about what had happened.

    There is a lot of accessible security information at SANS, though they get annoying at times by trying to sell their conferences and courses, which I understand are worth going to.