Slashdot Mirror

← Back to Stories (view on slashdot.org)

ISP Forced Out of Business by DoS

Posted by ryuzaki0 on from the sucky-reality dept.

flyhmstr writes "According to a report on ISPReview Cloud Nine have been forced off line and out of business thanks to the actions of crackers deciding to go play with some DoS tools." It's only getting worse. The kids are getting more and more aggressive as time goes on and it gets easier and easier to launch a large scale DoS. As any techie knows, fixing the problem is far easier said then done... but as a frequent recipient of the sharp end of the DoS stick, I sure wish it wasn't an issue.

13 of 535 comments (clear)

  1. I wonder why? by Em+Emalb · · Score: 5, Interesting

    Can someone please clue me into why people do this? I don't quite understand this mentality. I have never done something bad like this simply because I could. Am I a rarity in this world? Do these kids need a hug? Why would you do this? Feeling "elite" because you can knock down an ISP? Take your energy and do something positive with it. IMO, this is petty and retarded. Maybe these script kiddies can go knock down a hospital or something next, hey why not, it doesn't hurt anyone right? RIGHT? forking iceholes.

    --
    Sent from your iPad.
    1. Re:I wonder why? by Thomas+M+Hughes · · Score: 5, Interesting

      Part of me thinks it has a lot to do with the online mentality of a lot of people who are powerless in the real world, but feel empowered when online. I'm most likely pulling this out of my ass, but its something I've seen fairly often when hanging around EFnet in years past.

      In real life, you can't just take something from someone else, unless you're much bigger than them. When you're online, you just need to have the ability to access a lot of bandwidth. So, if someone has a channel on IRC that I want, I DoS the server, split it and take the channel. Now, supposedly this doesn't happen as much these days, but it used to happen fairly often back in the day.

      There's also online cliques, who for lack of better explaination seem to act as online gangs. Loose groups of friends who associate, talk, and dislike the same people. Thus, much like real life gangs, if one gets ticked off at another, they get their friends to make their life hellish for the opposing party. I wouldn't be suprised if they DoS'd a dialup user just in an attempt to knock him offline and went a little overboard. Or were trying to DoS an IRC bot. Or even a webpage.

      Of course, I really have no idea what caused this incident. This is mostly just speculation. But I'm fairly certain at least one script kiddie has had similar motives in mind during his mischief. Kids will be kids, and that involves doing stupid stuff that they don't understand the consequences of. That doesn't mean we should string them up, but it does mean we should make efforts to make it more difficult for them to do damage.

    2. Re:I wonder why? by eXtro · · Score: 4, Interesting
      I've had experience with a couple of little bastards that have done this as well as other things. It's not all that complicated to understand why after talking with one of them at length. They're fairly safe from prosecution, they enjoy the fact that it pisses people off, and revel in the fact that you can't really do anything about it. There are also people who look up for them for their ability to blindly execute a script somebody else wrote.


      I don't think writing software of any type should be a crime, but I think in cases where there is clear damage (like this company that went under) the usage of the script should be treated as a criminal matter. This could easily involve conspiracy, vandalism etc. charges.


      I was originally tempted to start releasing poisoned scripts, scripts that would work as intended when pointed at local machines but would have undesired consequences (hard disk corruption, file deletion etc) if used against external domains. I'd hate to see somebody harmed through legitimate use of the scripts though (auditing a site you have permission to audit from a remote location for instance).

      --

      Chris Kuivenhoven is a thief, beware

  2. must have been the straw... by Hollins · · Score: 4, Interesting

    They had to have been in a dire position to start with, or merely decided to sell out. This gave them a reason to explain dumping everyone's accounts over to another ISP. They didn't specify how much they made off the deal.

    I can't see a healthy, competent ISP being put out of business by dos attacks. Yet.

  3. Why hasn't this been solved? by DotComVictim · · Score: 5, Interesting

    A solution to the DOS problem was posed at the Adelaide IETF meeting a couple years ago. Basically, some small percentage of packets randomly selected get ICMP notices from routers, with last and next hop information, that is forwarded to the destination. So if you are getting a large number of packets from a single source, you get proportionally more of these packets, and can use a heuristical engine to model the source, even for DDOS problems. This allows you to trace back to the offending network/ISP and shut off the DOS

    Why did no one do this? It requires changes to router firmware, I'm not sure about Cisco firmware upgrades, but I thought they were at least possible. Besides, they could use this as a selling point and declare their old routers obsolete.

    Admittedly, the model breaks down under MPLS, since it is difficult to track the cloud, but you can at least track entrance and exit points from the cloud.

  4. Obstruction? by hughk · · Score: 4, Interesting
    As far as I can see, the script k1dd13z, are intentionally interfering with a business. Treat it as any other kind of commercial blockade and if they persist, let them be sued.

    In the UK, the Computer Misuse act is such a catchall, it would be easy to claim damages (less easy to collect though).

    Slashdot is known for having a DOS effect, but at least it is people attempting to view a site for its content. Its tough if you pay your hosting company for bandwidth but, at least it's legitimate and its is coming from a lot of users.

    The trouble is, so does a distributed DOS. This has a lot of unwitting users too. It is extremely difficult to trace who is giving the orders and the actual attack 'bots run on any suitably unprotected system that happens to have conveniant broadband access to the web. Even the Whitehouse was hit, liuckily the attack 'bot was dumb and a quick switch to a backup IP address solved the problem.

    The only solution that I know is to use a private network (as done by several securities exchanges). You can block out all of an exchange's internet access, but you will not hit the private network. Users without a private network connection can fall back to switched circuit connections (i.e., ISDN) when the Internet is down.

    --
    See my journal, I write things there
  5. Ethics by Aceticon · · Score: 5, Interesting

    As usual this is a question of ethics.

    It has nothing to do with hackers, crackers, RIAAs, MPAAs or the color green - it has all to do with freedom of information:

    - I support freedom of information, and by extension those that help make information free.

    - I'm against restriction of information (any kind of information - bad, good, usefull or useless). Naturaly i am by extension against those that try to constrain that freedom.

    - Which side of the law am i on?
    Neither side. My ethics are independent of the law.

    Going back to this specific case, i'm against however did the DDoS attacks because they went against other people's freedom to give and receive information.

  6. Slave to our own inadequate design? by Wanderer1 · · Score: 4, Interesting

    I saw a comment in here blaming the Internet's end-to-end design for the ability for individuals to cause such interruptions to service. BUT...

    With all the designs available to us today, as engineers, we should be able to employ traffic shaping devices to limit the amount of load any given site can generate on the net. Cache, throttle and filter. We build routers that can switch ungodly amounts of packets per second (obviously enough to flood the link to Cloud 9's boxes.

    So why can't Cloud 9 invest in a few black box traffic shapers (I know they exist) to smooth out the requests?

    Just where is the point of failure, anyway?

    As long as we continue to design our edge devices to be layover victims, we'll always have these problems. The network delivers, the computer abides. Well, perhaps the computer shouldn't be so quick to respond.

    -b-

  7. This will never stop until ... by gewalker · · Score: 5, Interesting

    Although the news item does not justify saying that the ISP was going out of business because of DOS attacks (they were still financially solvent), perhaps the owner decided he had had enough of the problems from vandals. A well-run business will shut down and leave the neighboorhood when windows get broken repeatedly before they loose all of their money.

    Computer vandalism -- This will not decrease until we (as the technical community -- including management) decide to make some changes. Without changes, it will only get worse.

    1) Although technological solutions are useful and necessary, they are not enough. The trusted network model does not work in the real world. There must be rules, accountabilty and penalties (without penalties, nothing stops me from continuing to break the rules).

    2) Many network rules exist, some are poorly enforced.

    3) Because of packet-spoofing. Some (D)DOS attacks can be nearly impossible to shutdown. We need to make sure only legitimate packets can Internet at large. Without this rule, tracking down the vandal and applying the penalty is not practical. If packet spoofing were eliminated, it would be possible to identify culprits at a modest cost.

    4) Accoutability needs to be improved by everybody. If Nimba2002 is released tomorrow, Microsoft should be expected to make it well known, and supply a fix. Network servers should be patched. People running compromised server should be cut-off until they get fixed. These things happen by and large in a haphazard fashion today. The problem needs to be addressed at the source whenever possible.

    4) Penalties need to be commensurate with violation. A hand-slap for vandalism does not deter, a death-sentence for jaywalking deters, but it not justice either.

    5) Then maybe we should get rid of junk email for an encore.

  8. Egress filtering and ISP responsibility by Medievalist · · Score: 5, Interesting

    /.
    Back in the day, before the Internet went commercial, if you abused your connection your upstream provider (typically a bunch of long-hairs at a land-grant university) would cut you off. If they didn't do it, their upstream provider would cut them off.

    Currently, there is no real penalty for large ISPs who do not implement egress filtering (which prevents IP source spoofing) and/or refuse to co-operate in tracking down DOS sources.

    The anti-spam vigilantes have been partially effective in cutting off ISP service to the worst spammers; perhaps something similar is needed to influence the ISPs who refuse to implement egress filters.

    --Charlie

  9. Re:which side of the law is our community on? by renehollan · · Score: 5, Interesting
    "...as far as I can tell there is no legitimate use for a tool designed specifically for DoS attack.

    Of course there is: to test the robustness of a piece of equipment against such attacks.

    There are ways to deal with DDOS attacks, but, unfortunately, they require the cooperation of most parties involved in the aggregation of "hostile" traffic toward a given target. It does no good for the target to simply drop "hostile" packets, because upstream "friendly" traffic might still get congested. The upstream routers need to be told to stop forwarding the "hostile" traffic.

    And this raises two problems: 1) How do you deploy the software to an existing router infrastructure to allow this back-propagation of "stop forwarding hostile traffic to me" messages. 2) How do you identify traffic as "hostile"?

    There are techniques for guessing what traffic is actually hostile, based on packet signatures (often the source address is spoofed, the attack is distributed, or otherwise useless), without dropping too much friendly traffic. It is better, though, to lose some friendly traffic, rather than all of it -- failing gracefully, as it were.

    But retrofitting a standard DDOS defense will prove to be difficult, given the diversity of players involved (and this is one area where IP carrier consolidation would be a good rather than a bad thing) -- just look at the difficulty in bootstrapping IPv6 in the network.

    --
    You could've hired me.
  10. Not fixing DDoS problems a tool for big business? by netsplit · · Score: 5, Interesting

    As someone who was put in this same situation at the end of '99. I can only say -- if the big boys were concerned -- it would not be a problem. Although its not a trivial problem, dynamic blocking rulesets on bordergate routers who get a rush of ICMP (or other sorts) of traffic to a single target would not be hard to block.

    My small ISP which had been doing okay had been stranded without an uplink after a 150Mbit attack took out sprint links in our part of .ca. After the attack our ISP was quick to disconnect us with no alternatives we closed our doors (noone else in town wanted to touch us).

    After the attack we were quick to contact the NOC of a few schools with unused 'open' blocks who refused to claim responsibility (of the DDoS packets) or fix the problem. About a month and a half later they had FBI knocking on their door after the ebay/yahoo etc attacks.

    The question --

    Do you think DDoS could be a tool for the bigger ISP's and players to squeeze smaller guys (ISP/ASP) out of business? I know that one quite is a stretch.

    What other reasons have kept ``Tier-1'' networks from implementing fixes?

  11. Re:No technical solution, it's an apathy thing... by pclminion · · Score: 4, Interesting
    The problem is that sysadmins see the scans from these kiddies and ignore them (those that even have a portsentry or similar application in place). If you saw someone walking around your house and trying the doors and windows, you'd call the police right away, wouldn't you?

    You know, for a while I thought this would be a good idea. First, I set up MySQL with a DB and some tables to store information on portscans. Then, I downloaded portsentry, and hacked it slightly to make entries in the database whenever I was scanned. Then, I wrote some PHP to let me look at the results via a webpage.

    The result? I have learned that I'm scanned anywhere from 3 to 50 times per day, from all over the world. I tried emailing abuse@... as you suggest, many many times, with no results.

    Now, I have learned some interesting things by doing this:

    1. Most scans are on ports 21 (ftp) or 23 (telnet). It's hard to prosecute someone, or even get them in trouble with their ISP, simply for trying to ftp to you.
    2. Most scanners are scanning from hacked accounts. ISPs are unwilling to shut down these accounts for lack of proof, and to avoid pissing off a customer.
    3. All the scanners are quite easily blocked by portsentry.
    I no longer try to do jack sh*t about portscanners. My pleas have gone unanswered, and I simply don't care anymore. Once I have a true firewall, I'll care even less. Let them scan me.