Slashdot Mirror


ISP Forced Out of Business by DoS

flyhmstr writes "According to a report on ISPReview Cloud Nine have been forced off line and out of business thanks to the actions of crackers deciding to go play with some DoS tools." It's only getting worse. The kids are getting more and more aggressive as time goes on and it gets easier and easier to launch a large scale DoS. As any techie knows, fixing the problem is far easier said than done... but as a frequent recipient of the sharp end of the DoS stick, I sure wish it wasn't an issue.

45 of 535 comments

  1. DoS and Spam by wiredog · · Score: 2, Interesting
    I have become convinced that spam, and script kiddy idiocy such as this, will only stop when Bad Things(TM) start happening to the abusers. Bad Things(TM) would hopefully be legal, in that the abusers go to jail. But that may not happen until after the victims, seeing no help coming from the law, take things into their own hands.

    Judge Lynch never sleeps.

  2. I wonder why? by Em+Emalb · · Score: 5, Interesting

    Can someone please clue me into why people do this? I don't quite understand this mentality. I have never done something bad like this simply because I could. Am I a rarity in this world? Do these kids need a hug? Why would you do this? Feeling "elite" because you can knock down an ISP? Take your energy and do something positive with it. IMO, this is petty and retarded. Maybe these script kiddies can go knock down a hospital or something next, hey why not, it doesn't hurt anyone right? RIGHT? forking iceholes.

    --
    Sent from your iPad.
    1. Re:I wonder why? by Thomas+M+Hughes · · Score: 5, Interesting

      Part of me thinks it has a lot to do with the online mentality of a lot of people who are powerless in the real world, but feel empowered when online. I'm most likely pulling this out of my ass, but it's something I've seen fairly often when hanging around EFnet in years past.

      In real life, you can't just take something from someone else, unless you're much bigger than them. When you're online, you just need to have the ability to access a lot of bandwidth. So, if someone has a channel on IRC that I want, I DoS the server, split it and take the channel. Now, supposedly this doesn't happen as much these days, but it used to happen fairly often back in the day.

      There's also online cliques, who for lack of better explanation seem to act as online gangs. Loose groups of friends who associate, talk, and dislike the same people. Thus, much like real life gangs, if one gets ticked off at another, they get their friends to make their life hellish for the opposing party. I wouldn't be surprised if they DoS'd a dialup user just in an attempt to knock him offline and went a little overboard. Or were trying to DoS an IRC bot. Or even a webpage.

      Of course, I really have no idea what caused this incident. This is mostly just speculation. But I'm fairly certain at least one script kiddie has had similar motives in mind during his mischief. Kids will be kids, and that involves doing stupid stuff that they don't understand the consequences of. That doesn't mean we should string them up, but it does mean we should make efforts to make it more difficult for them to do damage.

    2. Re:I wonder why? by eXtro · · Score: 4, Interesting
      I've had experience with a couple of little bastards that have done this as well as other things. It's not all that complicated to understand why after talking with one of them at length. They're fairly safe from prosecution, they enjoy the fact that it pisses people off, and revel in the fact that you can't really do anything about it. There are also people who look up to them for their ability to blindly execute a script somebody else wrote.


      I don't think writing software of any type should be a crime, but I think in cases where there is clear damage (like this company that went under) the usage of the script should be treated as a criminal matter. This could easily involve conspiracy, vandalism etc. charges.


      I was originally tempted to start releasing poisoned scripts, scripts that would work as intended when pointed at local machines but would have undesired consequences (hard disk corruption, file deletion etc) if used against external domains. I'd hate to see somebody harmed through legitimate use of the scripts though (auditing a site you have permission to audit from a remote location for instance).

    3. Re:I wonder why? by sphealey · · Score: 3, Interesting
      > But this isn't throwing a rock and spraypainting. That's more like trolling Slashdot. This is setting the building on fire. The difference between what these kids do and an arsonist is the FBI actually cares about arson.

      I don't disagree, but keep in mind two things: (i) if you have ever done long-term maintenance on a building, you know there is only one real enemy: water. A building can stand for several hundred years if the roof and windows are intact. One broken window that goes unrepaired means the inevitable destruction of the building (ii) "broken windows" is Jane Jacobs' shorthand for what starts a neighborhood, as well as a single building, on the path to destruction.

      sPh

    4. Re:I wonder why? by Technician · · Score: 3, Interesting

      Nothing has changed. It's the new CB radio of the 1970's. If they didn't like what their neighbor said, and he couldn't identify him, he got a 1KW linear amplifier (not legal) and ran that on the 5 watt band to deny him the ability to carry on a conversation with anybody. We used to refer to these abusers as being 10 feet tall behind the microphone. Their mission was to disrupt someone else's conversation in an airwaves ownership battle. Radio direction finding equipment was rare and expensive. Most people couldn't find one and take the time to track someone down. Many times by the time you got close to finding an antagonist, they would finish the flame war and go silent. I had an RDF (homebuilt) and used it against the worst nearby offenders that were overly persistent at being a pain to somebody. The element of surprise announcing the address of the offender on the air was worth the hunt. Most people were so used to being un-trackable, they got quite bold at being abusive. A positive ID came as a major blow to them. Suddenly they had to worry about angry neighbors attacking and destroying their car, windows, etc. (this happened to an abuser trolling for flame wars on air, his car was totally destroyed by parties unknown) They were no longer able to hide when the source of the attacks were revealed. With distributed DOS attacks, it is harder to track the offender. Unfortunately this ability to hide the true identity allows abuse to reach further and disrupt more communications than it used to while being harder to track.

      --
      The truth shall set you free!
    5. Re:I wonder why? by HiThere · · Score: 3, Interesting

      I, personally, would not put it as high as 0.001. The problem is, it doesn't need to be.

      There are two main possible solutions. The legislative and the technical. I would really prefer that a technical solution were created, though I don't know what form it would take. It would need to avoid any centralized control point. And it would need to be low overhead.

      Unfortunately, any real answer would probably involve a redesign of the TCP/IP protocols. And even then ... It's sort of like trying to listen to a conversation at a cocktail party. It may be that the only feasible solution is to reduce the noise. Somehow.

      All I can come up with is using one port to receive non-session messages, and only echoing back session cookies to valid addresses. On a second port only accepting messages with a valid session cookie in the header. This would aid in dropping bad messages quickly, but doesn't do much else for a DDOS.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  3. must have been the straw... by Hollins · · Score: 4, Interesting

    They had to have been in a dire position to start with, or merely decided to sell out. This gave them a reason to explain dumping everyone's accounts over to another ISP. They didn't specify how much they made off the deal.

    I can't see a healthy, competent ISP being put out of business by dos attacks. Yet.

  4. Make an example of them by Tri0de · · Score: 2, Interesting

    IMHO the effort should be made to catch a few of the little bastards and see to it that an eXtreme example is made for all. Old enough to run a script, old enough to be tried as an adult and spend the next 20 years doing tech support for Pelican Bay in between visits from their new 'boyfriend'.

    And there is a pretty clear difference between 'white hat' and 'black hat' hacking. Did anybody ACTUALLY SUSTAIN *PROVABLE* DAMAGE? (and not like the frame up where they claimed that Kevin stole $100,000 worth of info, or some such BS). These punks do more real damage each day than Mitnick EVER did.

    --
    "Everyone is entitled to their own opinion, but not their own facts."
  5. One ISP is punished for another ISP's mistakes... by Anonymous Coward · · Score: 3, Interesting

    One of the main reasons DoS attacks work is because of misconfiguration at ISPs. If the ISPs blocked outgoing packets with forged IP src addresses, and known bad packets, then the severity of the problem would greatly diminish.

    ISPs don't do this, because either they don't understand it's a problem, or they don't know how, or their poor NAS boxes would collapse if they were asked to filter the traffic, instead of just forwarding it.

  6. Anonymity vs. Accountability by beamz · · Score: 3, Interesting

    I know this is going to get modded down but this is what the community as a whole gets for having the luxury of being pseudo-anonymous.

    There isn't much for accountability when it comes to the net and everyone knows this. Lawmakers are doing very little about SPAM and it's a form of DoS but people cry afoul when some kids were pissed off at someone on IRC and DoS multiple large networks.

    If people aren't required to be accountable for ALL of their actions then this isn't going to stop anytime soon. Unfortunately it's not hard to get access to connections with a lot of bandwidth so it's easy to pound anyone into oblivion.

    I don't know what the solution is but as more companies get DoS'ed while their livelihood depends on the net, you'll see more being done.

    My question is if it costs companies so much to deal with SPAM, why isn't more being done? Isn't this a similar issue?

    1. Re:Anonymity vs. Accountability by Bishop · · Score: 3, Interesting

      In her novel, Tea from an Empty Cup, Pat Cadigan predicted a world with 2 Internets. One was 100% accountable. It was the main network used for real business. There was no anonymity. The second network was designed to allow for anonymity. It was an "anything goes" network where spoofing was the rule not the exception. I would like to see these networks. When I need to get work done I would use the accountable network. When I want to view pr0n I would use the other network. I think having two distinct networks like this would be a good compromise for the privacy advocates, and those tired of DOS attacks.

      Of course there are a *few* (as in many) technical difficulties to resolve first.

  7. Same thing happened to me by gabeman-o · · Score: 3, Interesting

    I run a small ISP, and two of our clients decided to run fragmented DoS attacks and ping floods that consumed the entire 100mbit connection to our main server. Our ISP got royally pissed and cancelled our services with them because it was against their TOS/AUP.

    I have moved on to a better ISP that actually filters attacks leaving and entering the network.

  8. Dos for weeks by f00zbll · · Score: 3, Interesting
    According to the article, the attack has been going on for a couple weeks. Part of me finds this very disturbing and alarming. Considering how many times IPv6 has been posted on /. and the possibility of mediating the problem of distributed denial of service attacks with the new features of IPv6, why hasn't adoption been more rapid? If a group of vandals can bring down an ISP, what's to stop them from repeating it?

    Now that the Internet has shown to be a useful medium and is rapidly becoming an utility, it's time to make it more secure and robust against DDos attacks. The technology exists already, the telcos need to take the initiative and make it happen. From this document on ietf.org site:

    7. Security consideration
    Any public proxy is inherently a source of DOS attack. Rate limiting packet emission as suggested in 3.5 is expected to lower the risks.

  9. Why hasn't this been solved? by DotComVictim · · Score: 5, Interesting

    A solution to the DOS problem was posed at the Adelaide IETF meeting a couple years ago. Basically, some small percentage of packets randomly selected get ICMP notices from routers, with last and next hop information, that is forwarded to the destination. So if you are getting a large number of packets from a single source, you get proportionally more of these packets, and can use a heuristical engine to model the source, even for DDOS problems. This allows you to trace back to the offending network/ISP and shut off the DOS.

    Why did no one do this? It requires changes to router firmware, I'm not sure about Cisco firmware upgrades, but I thought they were at least possible. Besides, they could use this as a selling point and declare their old routers obsolete.

    Admittedly, the model breaks down under MPLS, since it is difficult to track the cloud, but you can at least track entrance and exit points from the cloud.
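
The traceback idea in the comment above, sketched as an added example (not part of the thread and not taken from any IETF draft): routers sample a small share of forwarded packets and report last hop and next hop to the destination, which ranks entry points and rebuilds the route without trusting any packet's source address. The topology, traffic volumes, 1% sampling rate and all function names are constructed assumptions.

```python
import random
from collections import Counter, defaultdict

VICTIM = "victim"

# Constructed topology: routers each flow crosses on its way to the victim.
PATHS = {
    "attacker-net-A": ["rA", "core1", "edge"],
    "attacker-net-B": ["rB", "core2", "edge"],
    "legit-net-C": ["rC", "core1", "edge"],
}
# Constructed traffic mix: packets sent by each origin network.
VOLUME = {"attacker-net-A": 20000, "attacker-net-B": 20000, "legit-net-C": 2000}


def collect_notices(paths, volume, sample_prob, rng):
    """Router side: every router samples forwarded packets with probability
    sample_prob and sends the destination a (router, last_hop, next_hop)
    notice. The packet's own source address is never consulted, so a
    spoofed source does not change what the destination learns."""
    notices = []
    for origin, routers in paths.items():
        hops = [origin] + routers + [VICTIM]
        for _ in range(volume[origin]):
            for i in range(1, len(hops) - 1):
                if rng.random() < sample_prob:
                    notices.append((hops[i], hops[i - 1], hops[i + 1]))
    return notices


def rank_ingress(notices):
    """Destination side: rank the links on which traffic entered the
    instrumented network. An entry point is a last hop that never reported
    itself as a router; its notice count is proportional to its volume."""
    routers = {router for router, _, _ in notices}
    entry = Counter()
    for _, last_hop, _ in notices:
        if last_hop not in routers:
            entry[last_hop] += 1
    return entry.most_common()


def trace_path(notices, origin):
    """Rebuild the route from one entry point to the destination by
    following the most frequently reported forward link at each node.
    (Simplification: with branching routes a real tool would keep all
    links above a threshold instead of only the heaviest one.)"""
    forward = defaultdict(Counter)
    for router, last_hop, next_hop in notices:
        forward[last_hop][router] += 1
        forward[router][next_hop] += 1
    path, node = [origin], origin
    while node != VICTIM and forward[node]:
        node = forward[node].most_common(1)[0][0]
        if node in path:  # guard against loops in inconsistent reports
            break
        path.append(node)
    return path


if __name__ == "__main__":
    seen = collect_notices(PATHS, VOLUME, 0.01, random.Random(1))
    for name, count in rank_ingress(seen):
        print(f"{name:16} {count:5} notices  via {' -> '.join(trace_path(seen, name))}")
```
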

  10. Calling it "terrorism" by prophecyvi · · Score: 3, Interesting

    The Register has a story on this as well, mostly a rehash of ISPReview. Link here.

    From that article:

    Speaking to The Register a dejected Mr Miszti said: "This is terrorism - pure and simple. I never want to relive the last seven days again."

    You're thinking "terrorism? yeah right".

    It's too bad (for them) they're in the UK... in the U.S., under the so-called "Patriot Act" this IS in fact terrorism. Read for yourself here.

  11. Obstruction? by hughk · · Score: 4, Interesting
    As far as I can see, the script k1dd13z, are intentionally interfering with a business. Treat it as any other kind of commercial blockade and if they persist, let them be sued.

    In the UK, the Computer Misuse act is such a catchall, it would be easy to claim damages (less easy to collect though).

    Slashdot is known for having a DOS effect, but at least it is people attempting to view a site for its content. It's tough if you pay your hosting company for bandwidth but, at least it's legitimate and it is coming from a lot of users.

    The trouble is, so does a distributed DOS. This has a lot of unwitting users too. It is extremely difficult to trace who is giving the orders and the actual attack 'bots run on any suitably unprotected system that happens to have convenient broadband access to the web. Even the Whitehouse was hit, luckily the attack 'bot was dumb and a quick switch to a backup IP address solved the problem.

    The only solution that I know is to use a private network (as done by several securities exchanges). You can block out all of an exchange's internet access, but you will not hit the private network. Users without a private network connection can fall back to switched circuit connections (i.e., ISDN) when the Internet is down.

    --
    See my journal, I write things there
  12. Re:which side of the law is our community on? by evilviper · · Score: 3, Interesting

    Can't speak for the rest of the slashdotters, but I don't want them to be prosecuted... I want the insecurity to be repaired, which is what we've always wanted.

    What happens in the business world with the DMCA, they would arrest who-ever pointed out that DDoSing was a possibility. Just the opposite of the solution.

    Besides, it's a trivial fix... The only problem is that nobody takes the initiative.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  13. Ethics by Aceticon · · Score: 5, Interesting

    As usual this is a question of ethics.

    It has nothing to do with hackers, crackers, RIAAs, MPAAs or the color green - it has all to do with freedom of information:

    - I support freedom of information, and by extension those that help make information free.

    - I'm against restriction of information (any kind of information - bad, good, useful or useless). Naturally I am by extension against those that try to constrain that freedom.

    - Which side of the law am I on?
    Neither side. My ethics are independent of the law.

    Going back to this specific case, I'm against whoever did the DDoS attacks because they went against other people's freedom to give and receive information.

  14. Slave to our own inadequate design? by Wanderer1 · · Score: 4, Interesting

    I saw a comment in here blaming the Internet's end-to-end design for the ability for individuals to cause such interruptions to service. BUT...

    With all the designs available to us today, as engineers, we should be able to employ traffic shaping devices to limit the amount of load any given site can generate on the net. Cache, throttle and filter. We build routers that can switch ungodly amounts of packets per second (obviously enough to flood the link to Cloud 9's boxes).

    So why can't Cloud 9 invest in a few black box traffic shapers (I know they exist) to smooth out the requests?

    Just where is the point of failure, anyway?

    As long as we continue to design our edge devices to be layover victims, we'll always have these problems. The network delivers, the computer abides. Well, perhaps the computer shouldn't be so quick to respond.

    -b-

  15. This will never stop until ... by gewalker · · Score: 5, Interesting

    Although the news item does not justify saying that the ISP was going out of business because of DOS attacks (they were still financially solvent), perhaps the owner decided he had had enough of the problems from vandals. A well-run business will shut down and leave the neighborhood when windows get broken repeatedly before they lose all of their money.

    Computer vandalism -- This will not decrease until we (as the technical community -- including management) decide to make some changes. Without changes, it will only get worse.

    1) Although technological solutions are useful and necessary, they are not enough. The trusted network model does not work in the real world. There must be rules, accountability and penalties (without penalties, nothing stops me from continuing to break the rules).

    2) Many network rules exist, some are poorly enforced.

    3) Because of packet-spoofing, some (D)DOS attacks can be nearly impossible to shut down. We need to make sure only legitimate packets can Internet at large. Without this rule, tracking down the vandal and applying the penalty is not practical. If packet spoofing were eliminated, it would be possible to identify culprits at a modest cost.

    4) Accountability needs to be improved by everybody. If Nimba2002 is released tomorrow, Microsoft should be expected to make it well known, and supply a fix. Network servers should be patched. People running compromised server should be cut-off until they get fixed. These things happen by and large in a haphazard fashion today. The problem needs to be addressed at the source whenever possible.

    4) Penalties need to be commensurate with violation. A hand-slap for vandalism does not deter, a death-sentence for jaywalking deters, but it is not justice either.

    5) Then maybe we should get rid of junk email for an encore.

  16. Egress filtering and ISP responsibility by Medievalist · · Score: 5, Interesting

    /.
    Back in the day, before the Internet went commercial, if you abused your connection your upstream provider (typically a bunch of long-hairs at a land-grant university) would cut you off. If they didn't do it, their upstream provider would cut them off.

    Currently, there is no real penalty for large ISPs who do not implement egress filtering (which prevents IP source spoofing) and/or refuse to co-operate in tracking down DOS sources.

    The anti-spam vigilantes have been partially effective in cutting off ISP service to the worst spammers; perhaps something similar is needed to influence the ISPs who refuse to implement egress filters.

    --Charlie

  17. My conspiracy theories.... by Anonymous Coward · · Score: 1, Interesting

    I find it hard to believe that it's really THAT easy to drive an ISP out of business. Maybe it wasn't perpetrated by some script kiddy but actually some corporate competitor. I wonder how much off-the-record corporate-funded hacking actually occurs?

    The same could equally apply to software piracy, some of those protections are pretty techy but still apparently get hacked by groups of such low intelligence that they can't spell or write grammatically correct text.

    ...Or perhaps Cloud 9 were having problems anyway and found it easier to put the blame on a fictitious DoS than actually admit they've gone bust due to their own bad management.
    Finding a scapegoat is the first lesson of Upper Management 101.

    Niz.

  18. Re:which side of the law is our community on? by perrin_harkins · · Score: 3, Interesting
    > We're on the side that says information is not a crime, but attacking someone is.

    You are on that side, but not everyone is. I've seen stories about companies that Slashdot criticizes fill up with comments along the lines of "I'm DoS'ing them now, and here's the script I'm using." Never heard a word of protest about this from the Slashdot editors before.

  19. Re:a potential way to stop them by TBC · · Score: 3, Interesting

    Rant mode on:
    The majority of DDOS attacks could be tracked if only more ISPs would put outbound packet filtering on. I am not a transit ISP, so there is never a reason for me to send a packet with a source IP address that doesn't belong to one of our assigned address blocks. There is no way for that packet to get back to me. The problem is that it requires a more powerful router to support the filtering. If more ISPs implemented filtering, at least you could track exactly where DDOS attacks are coming from.
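
The outbound source check this comment describes (also raised in comments 5 and 16), as an added example that is not part of the thread: it compares a border filter that accepts any source inside the ISP's assigned blocks with a per-customer-port filter, and shows the spoofed packet that only the second one catches. The address plan uses documentation prefixes, and the port names, packets and function names are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed address plan (documentation prefixes, constructed for the example).
ISP_BLOCKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
CUSTOMER_PREFIX = {
    "port1": ipaddress.ip_network("192.0.2.0/26"),
    "port2": ipaddress.ip_network("192.0.2.64/26"),
    "port3": ipaddress.ip_network("198.51.100.0/25"),
}

# Constructed outbound packets: (customer port, source address, destination).
OUTBOUND = [
    ("port1", "192.0.2.10", "203.0.113.5"),     # legitimate
    ("port2", "192.0.2.70", "203.0.113.5"),     # legitimate
    ("port2", "10.1.2.3", "203.0.113.9"),       # spoofed, outside ISP blocks
    ("port2", "203.0.113.200", "203.0.113.9"),  # spoofed, outside ISP blocks
    ("port3", "192.0.2.20", "203.0.113.9"),     # spoofed, but inside port1's range
    ("port3", "198.51.100.7", "203.0.113.5"),   # legitimate
    ("port1", "999.1.1.1", "203.0.113.5"),      # malformed source
]


def _in_any(src, networks):
    """True if src parses as an IP address and falls inside one of networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: never forward
    return any(addr in net for net in networks)


def border_allows(src):
    """Egress filter at the ISP border: source must be in an assigned block."""
    return _in_any(src, ISP_BLOCKS)


def port_allows(port, src):
    """Stricter check at the access edge: source must be in the prefix
    assigned to the customer port the packet arrived on."""
    prefix = CUSTOMER_PREFIX.get(port)
    return prefix is not None and _in_any(src, [prefix])


def audit(packets):
    """Apply the per-port check. Returns the forwarded packets, a drop count
    per customer port (which port to investigate), and the spoofed packets a
    border-only filter would have let through."""
    forwarded, dropped, missed_by_border = [], Counter(), []
    for port, src, dst in packets:
        if port_allows(port, src):
            forwarded.append((port, src, dst))
            continue
        dropped[port] += 1
        if border_allows(src):
            missed_by_border.append((port, src, dst))
    return forwarded, dropped, missed_by_border


if __name__ == "__main__":
    ok, drops, missed = audit(OUTBOUND)
    print("forwarded:", len(ok))
    print("drops per port:", dict(drops))
    print("spoofed but inside ISP blocks:", missed)
```
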

  20. Reason for going out of business. by chrispe · · Score: 3, Interesting

    In the post the C9 said that they had 1000s of businesses offline for days. Now with commercial customers many ISPs give some type of compensation for down time. If they had 1000s of commercial customers down for that long some of them may have been banks, hospitals, government agencies and other companies that need their feed. It is very possible that this attack causing all service to be down for a long time could have caused a lot of underlining problems.

  21. Re:Got to be something more to this than is report by spazimodo · · Score: 3, Interesting

    http://www.theregister.co.uk/content/6/23770.html

    "...What followed was first a Firewall password brute force attack resulting in successful hash and destruction of the firewall,"

    If they leave their firewall accessible to any sort of brute force password attack, it's a good bet they don't know what they're doing and would have no idea how to stop a DoS attack.

    I agree with some of the other posts suggesting that this DoS was just a handy beard, and that they were in some sort of financial difficulty.

    --

    Fsck the millennium, we want it now.
    Millennium Crisis Line: 0890 900 2000 [calls cost 50p/min]
  22. There's a new sheriff in town by QuantumG · · Score: 3, Interesting

    Legal action has largely been considered the only way to use force on the Internet. To do this you need to know who someone is and it is very costly. If you know who they get their Internet connection through there are laws in effect that you can use to shut them down. I think this is the latest proof that non-legal force is a reality on the Internet and it is directed towards the weak link in the legal chain. ISPs have to co-operate with law enforcement or legal copyright bullies to shut down attackers like this and they are likely to be attacked in this way. Let it be known: There's a new sheriff in town and he can force you off the net.

    --
    How we know is more important than what we know.
  23. Re:No technical solution, it's an apathy thing... by Anonymous Coward · · Score: 2, Interesting

    If there are 1-2 scans a week, it's easy and worthwhile to track down these people. If there are 1-2 scans a second, there's nothing you can do.

    My domain (a fourth-level '.ca') gets 300K+ spams a day. I'm ignoring them. I don't report them to anti-spam lists. I can't afford to waste my time tracking down 5 spams per second. And any automated anti-spam notification would double or triple the bandwidth I use.

    When I tell many anti-spam people my reasons for ignoring these attacks, they get *angry* at me, and say I'm "pro-spam" because I won't do everything to stop it.

    They conveniently ignore me when I tell them "Sure, I'll report all the spam! Just pay my expenses!" At a tenth of a cent per spam, I can afford to quit my day job.

    Losers.

  24. Re:which side of the law is our community on? by renehollan · · Score: 5, Interesting
    > "...as far as I can tell there is no legitimate use for a tool designed specifically for DoS attack."

    Of course there is: to test the robustness of a piece of equipment against such attacks.

    There are ways to deal with DDOS attacks, but, unfortunately, they require the cooperation of most parties involved in the aggregation of "hostile" traffic toward a given target. It does no good for the target to simply drop "hostile" packets, because upstream "friendly" traffic might still get congested. The upstream routers need to be told to stop forwarding the "hostile" traffic.

    And this raises two problems: 1) How do you deploy the software to an existing router infrastructure to allow this back-propagation of "stop forwarding hostile traffic to me" messages. 2) How do you identify traffic as "hostile"?

    There are techniques for guessing what traffic is actually hostile, based on packet signatures (often the source address is spoofed, the attack is distributed, or otherwise useless), without dropping too much friendly traffic. It is better, though, to lose some friendly traffic, rather than all of it -- failing gracefully, as it were.

    But retrofitting a standard DDOS defense will prove to be difficult, given the diversity of players involved (and this is one area where IP carrier consolidation would be a good rather than a bad thing) -- just look at the difficulty in bootstrapping IPv6 in the network.

    --
    You could've hired me.
  25. Re:Extreme? by sql*kitten · · Score: 3, Interesting

    > Do they really need to go out of business? Heck, if the company is "solvent", it seems to me they could find a way to survive

    Maybe they just thought, it's not worth it. Why work your ass off to build a company if people, maybe even some of your own customers, are just going to pointlessly destroy it? There are easier, saner ways to earn a living.

  26. Disable ICMP at border routers? by dkedrowi · · Score: 2, Interesting

    If you block incoming ICMP at your gateway routers, then DoS attacks should not be a possible attack. Without the target being able to send a ping back to the reflector because of ICMP filtering, DoS will fail. And if your network is the target, the reflector will not be able to attack either. As far as I know, DoS is simply ICMP floods to the whole subnet, and ICMP access lists in Cisco equipment is a piece of cake. Just my $.02

  27. Re:which side of the law is our community on? by a+random+streaker · · Score: 1, Interesting

    The problem with the hacker situation is that "we" define good hackers as those who steal music and software, and bad as those who steal bandwidth via DOS attacks.

    --
    "All representatives are busy. The estimated hold time is one..hundred..sixty..four..minutes." Detroit Edison, 02/01/02
  28. Re:Why let them win? by AnonymousNonCoward · · Score: 1, Interesting

    I don't want to come off as cold hearted or nothing, this is just a wild guess, but what if the company wasn't doing too well, they just weren't profitable anymore. Wouldn't it be a good idea to shut it down with this excuse?

    This way, they come off as the good guys who got mistreated, an undeserved fate. Their customers feel sorry for them and move along, keeping their name and reputation intact.

    Anyway, this is just speculation and I apologize if I'm totally off but it seems companies or corporations (the ones we hear about that is) always have "evil" intents behind everything they do.

  29. Re:which side of the law is our community on? by goldspider · · Score: 2, Interesting
    evilviper, please choose a stance.

    #2881725: "Can't speak for the rest of the slashdotters, but I don't want them to be prosecuted..."

    #2881950: "Certainly they should be prosecuted..."

    Not exactly an airtight argument, wouldn't you say? Frankly I believe your first statement, and I have no problem with that as long as you can defend your stance. Apparently you decided you couldn't, because you later reversed your original statement.

    --
    "Ask not what your country can do for you." --John F. Kennedy
  30. Does this seem suspicious? by foofboy · · Score: 3, Interesting

    Seeing an isolated snapshot of the situation doesn't provide a lot of information, so I'm a little confused. How is it possible that a DOS alone could drive an ISP out of business. Was it really a healthy business that was destroyed by a DOS, or was this the straw that broke the camel's back. It was mentioned that they did have insurance, but that the insurance wouldn't cover "rebuilding their network". "[A] Firewall brute force attack [resulted in] successful hash and destruction of the firewall" = bad password, no backups. I'm just trying to figure out what kind of DOS can lead to the destruction of an otherwise healthy network and company. The press release paints the picture of a smoking crater, but of course, it's all just data. There's no defense against the various flood attacks, but they should be easiest to trace, and temporarily filtering the flooding IP's should prevent widespread damage. Any ISP admins care to comment.

    Other than saving face, ("Hackers did it" vs. "unchecked spending did it"), is there any practical advantage to claiming that evil hackers destroyed the business. Something just doesn't add up.

  31. If 1000 people walk down a backstreet .... by tomcounsell · · Score: 2, Interesting

    > If 1000 people walk down a backstreet past an empty building, 998 will just pass by. 2 will throw a rock through a window and spraypaint the walls

    One impact of the internet is that the 0.2% of the population can find and talk to each other, swap ideas, and build a sufficient sense of community that they no longer feel the pressure to conform to the morals of mainstream society.

    Scary - but unstoppable ?

  32. Not fixing DDoS problems a tool for big business? by netsplit · · Score: 5, Interesting

    As someone who was put in this same situation at the end of '99, I can only say -- if the big boys were concerned -- it would not be a problem. Although it's not a trivial problem, dynamic blocking rulesets on bordergate routers who get a rush of ICMP (or other sorts) of traffic to a single target would not be hard to block.

    My small ISP which had been doing okay had been stranded without an uplink after a 150Mbit attack took out sprint links in our part of .ca. After the attack our ISP was quick to disconnect us with no alternatives we closed our doors (no one else in town wanted to touch us).

    After the attack we were quick to contact the NOC of a few schools with unused 'open' blocks who refused to claim responsibility (of the DDoS packets) or fix the problem. About a month and a half later they had the FBI knocking on their door after the eBay/Yahoo etc. attacks.

    The question --

    Do you think DDoS could be a tool for the bigger ISPs and players to squeeze smaller guys (ISP/ASP) out of business? I know that one is quite a stretch.

    What other reasons have kept "Tier-1" networks from implementing fixes?

  33. Re:No technical solution, it's an apathy thing... by pclminion · · Score: 4, Interesting
    The problem is that sysadmins see the scans from these kiddies and ignore them (those that even have a portsentry or similar application in place). If you saw someone walking around your house and trying the doors and windows, you'd call the police right away, wouldn't you?

    You know, for a while I thought this would be a good idea. First, I set up MySQL with a DB and some tables to store information on portscans. Then, I downloaded portsentry, and hacked it slightly to make entries in the database whenever I was scanned. Then, I wrote some PHP to let me look at the results via a webpage.

    The result? I have learned that I'm scanned anywhere from 3 to 50 times per day, from all over the world. I tried emailing abuse@... as you suggest, many many times, with no results.

    Now, I have learned some interesting things by doing this:

    1. Most scans are on ports 21 (ftp) or 23 (telnet). It's hard to prosecute someone, or even get them in trouble with their ISP, simply for trying to ftp to you.
    2. Most scanners are scanning from hacked accounts. ISPs are unwilling to shut down these accounts for lack of proof, and to avoid pissing off a customer.
    3. All the scanners are quite easily blocked by portsentry.

    I no longer try to do jack sh*t about portscanners. My pleas have gone unanswered, and I simply don't care anymore. Once I have a true firewall, I'll care even less. Let them scan me.

  34. DoS my arse by Dynamoo · · Score: 3, Interesting
    DoS my arse - Cloud 9 were the ISP for my wife's company, and if their experience is anything to go by it's not surprising they went bust.

    Let's start with the awful customer service, unreliable connections, awful customer service, immoral and possibly illegal business practices, awful customer service and awful customer service.

    Her firm had a problem with the mail relay, it's only a small firm and they'd left the relay open and some spammers had found it. Cloud 9 terminated their connection without notice of any kind, and when finally they found a human being to talk to (they like to do their tech support by fax) they basically tried to blackmail her firm into handing over control of their domain, hosting etc etc to Cloud 9 before they'd reinstate the service. Needless to say, they got dumped very quickly indeed and went to Demon.

    Frankly they're a shitty outfit and they've got their just rewards.

    --
    Never email donotemail@WeAreSpammers.com
  35. Re:Wouldn't want to be the script kiddie who did t by matt_wilts · · Score: 3, Interesting

    >Not that I'm saying the sysadmins would stoop to
    >anything illegal, but there's lots they can do
    >legally if they find out who's behind the attack.

    I wouldn't be so sure. Here in the UK it would seem that the Data Protection Act would stop the hacker's ISP from handing over details. See this recent story from Silicon where a UK ISP has refused to cooperate over hacking allegations.

    Yet another case of UK law helping the miscreant & not the victim.

    Matt

  36. Re:Wouldn't want to be the script kiddie who did t by Rubbersoul · · Score: 2, Interesting

    Well, from the sounds of it the "script kiddie" seems to be safe in this one. If the sysadmins were able to go through the logs to find him/her/them, then do you not think they would have spent every hour they could stay awake doing this before they had to go home with a box in hand?

    It seems that the wrong person is getting blamed here (kind of, at least). Yes, what the kiddies did was bad, but the admins should have had half a brain to stop this, or at least slow it down (DDoS attacks are much harder to just stop).

    --
    man .sig
    No manual entry for .sig.
  37. Use Honey pots by AaronW · · Score: 3, Interesting

    One solution to the problem would be to establish randomly distributed honey pot computers which act as if they're infected by one of the various script-kiddie trojans. Log everything that happens to those computers, but do not allow those computers to actually perform DoS attacks (the script-kiddie probably won't know the difference).

    After collecting evidence, the perpetrator should be fined and prosecuted. It would likely cost nothing to the taxpayers since it could fund itself from the fines imposed on the perpetrators. If it's just a kid, then hold the parents responsible.

    --
    This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
  38. Re:stopping incoming/outgoing traffic... by Anonymous Coward · · Score: 1, Interesting

    Hmm, if we set up a mechanism on the net where upstream sites can be told to stop forwarding "hostile" traffic (with some means of identifying it), then it seems to me that the next stage in DoS would be to forge these "stop flooding me" requests so that nothing is sent or received from your servers - basically dropping you off the net, at "your" request.

    (anon - posting on the office side of the firewall)
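
The forged-request risk raised in the comment above is why an upstream filtering mechanism has to authenticate the requester and limit what it may ask for. The sketch below is an added example, not part of the original thread or any real protocol: the message layout, customer names, keys and prefixes are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed sample data: per-customer shared keys and the prefixes each
# customer may request filtering for (all names and keys are hypothetical).
CUSTOMERS = {
    "isp-a": {"key": b"constructed-demo-key-a",
              "prefixes": [ipaddress.ip_network("192.0.2.0/24")]},
}
MAX_SKEW = 300          # seconds a signed request stays valid
_seen_nonces = set()    # replay cache; a real one would expire entries


def sign_request(customer, key, dst, src, ts, nonce):
    """Customer side: build a filter request and its HMAC-SHA256 tag."""
    body = json.dumps({"customer": customer, "dst": dst, "src": src,
                       "ts": ts, "nonce": nonce}, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_request(body, tag, now):
    """Upstream side: return (accepted, reason) for a filter request."""
    try:
        req = json.loads(body)
        cust = CUSTOMERS[req["customer"]]
        dst = ipaddress.ip_network(req["dst"])
        ipaddress.ip_network(req["src"])        # must at least parse
        ts, nonce = int(req["ts"]), str(req["nonce"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    expected = hmac.new(cust["key"], body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), str(tag).encode()):
        return False, "bad-mac"                 # forged or altered request
    if abs(now - ts) > MAX_SKEW:
        return False, "stale"
    if (req["customer"], nonce) in _seen_nonces:
        return False, "replay"                  # captured request re-sent
    # Only filter traffic *towards* address space the requester owns, so a
    # valid key for one customer cannot cut a third party off the net.
    if not any(dst.version == p.version and dst.subnet_of(p)
               for p in cust["prefixes"]):
        return False, "not-owner"
    _seen_nonces.add((req["customer"], nonce))
    return True, "ok"
```
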

  39. About Cloud 9 by Anonymous Coward · · Score: 1, Interesting

    Being a previous business customer of Cloud Nine in the UK it wouldn't surprise me if they were already in dire financial problems. The service was awful and expensive.
    We had to get Nominet (UK internet name registrar) to wrestle our domain away from the money grabbing oiks when they refused to change the tag to another ISP:

    "We don't deal with ex-customer problems" was the snotty reply from their helldesk.

    Bankrupt by a DoS???! Sounds like a 21st Century insurance scam!