Post-mortem of a DOS Attack
MartinB writes: "Following a recent spate of DDoS attacks on his grc.com (home of Shields UP!), Steve Gibson investigated, finding a network of compromised IRC bots being used to flood vulnerable targets. Surprisingly, the thing which saved him is Win 9x's non-standard implementation of Sockets, making it impossible to spoof IPs. However, he warns, even consumer versions of WinXP won't have this safety 'feature'. Is there time to prevent this? Is implementing the standard always A Good Thing?" Gibson uses too many exclamation points in his article. But it's still interesting, if only to note the number of exploited personal machines on cable modems.
That was hands down the coolest article on computer security I've ever read. :)
Everyone always writes about cracking in a condescending, "when-will-they-learn" tone, as if it's all a mildly amusing game (which it is to them, because the authors are rarely the ones being cracked). Gibson, who did get attacked himself, looks at cracking as the serious and dangerous problem that it really is. This article describes a real war, with first strikes, counterattacks, espionage, and so on.
This really opened my eyes to what a huge problem the internet's technological loopholes have become and will become. More mainstream articles after this form would surely help raise the awareness about security issues that was sadly lacking in all the unknowing carriers of Zombies.
(And no, I do not consider this "fearmongering". Fearmongering does not offer solutions or point out that none of this would have happened if people would just GET A CLUE.)
It seems there's a confusion in the discussion below, because people are too dumb to read the part of the article where Steve talks about Spoofed attacks. Let me try to explain.
SG talked about two different attacks. The main one is the brute-force, fill-your-bandwidth, ping attack. This attack is based on known ports and data types that fall outside of what can be considered 'normal' traffic, since in no way should well over a gig of ICMP ping data per minute be considered normal. Because of this, the routers on the upstream side could be configured to disallow the passing of that data. This is what brought the servers back on the net each time.
The part he just briefly touches on is the spoofed attacks, like SYN attacks and the like. These attacks require the source to manipulate the TCP stack outside of what would be considered 'normal' use. Like sending SYN packets and not sending the SYN-ACK in reply to an ACK that is required in the 3-way handshake. These attacks simulate normal data - SYN attacking the web server, for example. All connections to a web server start with a SYN. So there is no way to statelessly determine if any given SYN is valid or not. The only way to cancel out these attacks is to disable valid services running in your network.
The problem isn't necessarily that Windows will now be able to spoof - the number of machines on the 'Net that can spoof has increased dramatically since Linux appeared on the scene. However, people that run Linux also tend to know more about the technical aspects of their computers, and understand how to look for the signs of your computer being taken over (1). The typical Windows consumer (2), however, has very little idea what goes on inside the case where all those wires are connected to, and half of the time, couldn't even get the computer set up right if the cables and ports weren't color-coded. These are the people that see a new Email from Aunt Maude that says "Re: Re: Re: Re: Re: Re: Funny! Open now!" and open the little attachment that drops the Sub7 pieces into their registry before dancing around on their computer and making them laugh. And the problem is stupid laws that keep the FBI from pursuing 13-year-old script kiddies because our laws prevent much of anything from happening to them. Kids that sell drugs and rape other kids go to Juvenile Detention until they're 18, at which point they get out, do it again, and go away for a long time. The legal system needs to start treating the spoiled brats who have nothing better to do than DoS computers the same way. If they were picketing and physically blocking entrance to a Brick-and-Mortar store, the police would drag them away. This is the cyberspace extension of that very same idea.
This space for rent. Call 1-800-STEAK4U
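The SYN-flood point in the comment above, that a lone SYN looks the same as a legitimate connection attempt, means detection has to keep handshake state (SYN, SYN-ACK, ACK). The following is an added example, not code from the thread or from Gibson's article; it assumes a simplified, constructed feed of client-to-server packets with one-letter flags ("S" SYN, "A" final ACK, "R" reset), hypothetical function names, and documentation-range addresses.

```python
from collections import defaultdict

def sample_events():
    """Constructed client-to-server packets: (time_s, src, sport, dst, dport, flag)."""
    ev = []
    for i in range(200):  # flood: SYNs from made-up spoofed sources, never completed
        ev.append((i * 0.01, f"198.51.100.{i + 1}", 1024 + i, "192.0.2.10", 80, "S"))
    for i in range(3):    # ordinary clients: SYN, then the final ACK of the handshake
        src = f"203.0.113.{i + 1}"
        ev.append((0.5 + i, src, 40000 + i, "192.0.2.10", 80, "S"))
        ev.append((0.6 + i, src, 40000 + i, "192.0.2.10", 80, "A"))
    # a fresh SYN to another service, still inside the timeout window
    ev.append((9.5, "203.0.113.9", 40009, "192.0.2.20", 25, "S"))
    return sorted(ev)

def half_open_by_target(events, now, timeout=3.0):
    """Count handshakes per (dst, dport) that saw a SYN but no ACK/RST within timeout."""
    pending = {}  # (src, sport, dst, dport) -> time the first SYN was seen
    for t, src, sport, dst, dport, flag in events:
        key = (src, sport, dst, dport)
        if flag == "S":
            pending.setdefault(key, t)      # retransmitted SYNs keep the first timestamp
        elif flag in ("A", "R"):
            pending.pop(key, None)          # handshake completed or aborted
    counts = defaultdict(int)
    for (_, _, dst, dport), t in pending.items():
        if now - t >= timeout:              # only count SYNs that have had time to complete
            counts[(dst, dport)] += 1
    return dict(counts)

def flooded_targets(events, now, timeout=3.0, threshold=100):
    """Services whose stale half-open count reaches the alert threshold."""
    counts = half_open_by_target(events, now, timeout)
    return sorted(target for target, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    events = sample_events()
    print(half_open_by_target(events, now=10.0))
    print(flooded_targets(events, now=10.0))
```

A per-packet filter cannot make this distinction because the three completed handshakes and the 200 abandoned ones begin with identical SYNs; only the missing final ACK separates them.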
So someone writes and says they're a 13 year old script kiddie who knows that the FBI will traceroute, etc, etc, etc., and this is believable? Highly doubtable. As for the attacks, I would say Mr. Gibson should have his uplink provider hire some clueful router administrators who would've fixed the problem in a heartbeat.
Lack of understanding from those involved often creates more harm than help. UDP packets coming in to a website? And the admins couldn't think firsthand network skills SYN --> ACK --> SYN, 3 way TCP handshaking? They need to go back and study up using some Cisco Press material.
Anyways for those who haven't seen the page yet or are in charge of networking, and/or firewall equipment, check out Stopping DoS which is a "do this now" tutorial to stop beating around the bush and cut DoS attacks at both the firewall, and network (router) level. It's not an RFC, not a write up of what a DoS attack is, simply a "fuck it's 3am and I'm getting DoS'ed now how do I stop this shit" paper.
Want Root?
I must thank Gibson for the article, and Slashdot for bringing it to my attention.
After I had finished reading I thought I'd check my machine (It's multi-boot, I don't use Windows that much). To my horror, I found out that my Windows partition was infected by the SubSeven bot.
So I kicked up my IRC client and connected to the IRC server that the bot was on. I entered the admin channel and just sat there. A little while later somebody messaged me. I explained that a hidden bot was connected to the server and asked how to remove it.
I was pointed at: http://www.moosoft.com
I downloaded the "Cleaner" application which did a fine job of finding the bot and removing it.
I had a little chat with (I assume) the person controlling these bots. The person seemed to be quite helpful, which surprised me.
From the IRC stats, there were over 900 infected machines connected.
After removing the bot, I disconnected from the IRC server. I'm now considering what to do next. The IRC server was hosted by a company offering UNIX shells, and IRC server hosting.
Do I just leave it at that, put it down to experience and move on? Or should I inform the hosting company, and possibly risk being DoSed myself? (I suspect that the person I talked to on the IRC server logged my IP, which is static)
--- I'm sure using a computer was fun back in the 80's. *sigh*
I think the funniest part of the article for me is that he infects one of his machines with a Zombie, then tries different personal firewalls to see whether they catch it. ZoneAlarm works well, but BlackICE defender doesn't do anything to help. Then he says:
To anyone who is still stubborn enough to insist that BlackICE Defender is actually good for something: PLEASE do not write to me. I don't want to hear it. I'm a scientist who will not find your mystic beliefs to be compelling. I respect your right to your own opinions, no matter how blatantly they fly in the face of logic and reality. That is, after all, the nature of faith. Happy computing. I suggest prayer.
I love that last part, "I suggest prayer."
Check out Althea for a stable IMAP email client for X. Now with SSL!
In a previous life I was the green (read: my first month on the job) sysadmin who had a unix machine trojan'ed to become a zombie for a DDoS attack. It saturated our measly internet connection and proved how useless our security (policy) guy was.
I didn't have time to look into it at the time, busy fixing that and a dozen other problems. So I was enlightened to know more about what had happened.
There is a lot of accessible security information at SANS, though they get annoying at times by trying to sell their conferences and courses, which I understand are worth going to.
I have found that while Steve Gibson has had a taste for a melodramatic writing style, the technical detail in his writing is fairly solid and is certainly above average. So with that grain of salt the article is worth looking at:
But the thing that I find great about Steve Gibson is that he writes things in a compelling storylike format and in plain English that even the clueless could understand. We techie types already know most of what he had to say in this article to begin with. It's the non-techies who need to read this stuff and learn how to protect themselves, and I think that he does an excellent job at targeting areas of his site to that particular audience.