ISP Forced Out of Business by DoS

flyhmstr writes "According to a report on ISPReview Cloud Nine have been forced off line and out of business thanks to the actions of crackers deciding to go play with some DoS tools." It's only getting worse. The kids are getting more and more aggressive as time goes on and it gets easier and easier to launch a large scale DoS. As any techie knows, fixing the problem is far easier said then done... but as a frequent recipient of the sharp end of the DoS stick, I sure wish it wasn't an issue.

whoops

[magicslax]

of course a nice healthy slashdotting right now doesn't help anybody's case. :grin:

Re:whoops

[Tipsy+McStagger]

The Register have the text of the announcement at the moment.

Re:whoops

[Alan+Partridge]

it's kind of ironic that it's really the ISPs that are to blame for the proliferation of DDOS attacks anyway, they are the ones allowing their users machines to send out ping floods and nasty UDP crap in the first place. ISPs seem eager enough to bump users off for exceeding their (usually unpublished) bandwidth limits, but they couldn't care less about virus and DDOS traffic.

Re:whoops

[ahde]

If you call the major phone (DSL) and cable companies "ISPs"

Re:whoops

[Alan+Partridge]

well they are, aren't they? In the UK, you HAVE TO have a BT 'phone line to get anyone's ADSL, so all ADSL services are just BT's being resold by someone else. The same thing is predominantly true of unmetered dial-up access (surftime) in the UK. It's a total stitch-up, really. And BT's general policy towards their customers makes MS look caring and responsive.

Re:whoops

[Cramer]

WHAT!?

How the hell can you blame the ISPs? Their job is to deliver packets. You aren't paying them to be a firewall, intrusion detection system, or "lameness filter". You have a packet that needs to get to some other host; it's handed to the ISP and expected to get there. ISPs that block or filter traffic receive conciderable negative feedback.

Yes, there are things ISPs can do better. There are things that can be done to reduce the impact of stupidity. However, the landscape is constantly changing and I've yet to meet an ISP employee who gives much of a damn about filling all the cracks -- and even fewer who know how. (at best a bandaid is placed over problems when they become serious.)

Re:whoops

[Alan+Partridge]

but surely it's ONLY the ISPs who ever really have a hope of dealing with abusive users, as it's only them that can break the problem down into manageable chunks. Even a spoofed packet can be sourced if it's coming via an authenticated modem/cable modem/ADSL connection.

Re:whoops

[ahde]

That's what I was talking about. But if the RBOCs here in USA are ISPs they should really take the S, and often the P, out of the name. (and the I, for Qwest at least, thanks to their MSN deal)

which side of the law is our community on?

[davejenkins]

It's very sexy to support programmers who fight 'bad' encryption routines, 'ludicrous' copyright schemes, and the like, but when it comes to skript k1ddi5 hacking OUR stuff, we want to string them up by thier fingernails.

The tough part of this issue is that it begs the question (from the general population's viewpoint): "Which side of the law are we (slashdot community) on?" The unwashed masses out there see both of these as the same thing...

Re:which side of the law is our community on?

[BgJonson79]

If the scrupt kiddies buy the hardware like we buy the DVDs maybe you have a case, otherwise it seems to me like apples and oranges to me.

Re:which side of the law is our community on?

[berzerke]

The unwashed masses out there see both of these as the same thing...

That is the problem. I always try to explain it this way: There are good doctors, and there are bad doctors. There are good lawyers, and there are bad lawyers. There are good cops, and there are bad cops. (etc.) And there are good hackers, and bad hackers.

Re:which side of the law is our community on?

[jas79]

the same side as always.
the 'slashdot community'is against unfair laws , but in favour of good laws.

destroying something without a good reason is just wrong.

Re:which side of the law is our community on?

[bwt]

We're on the side that says information is not a crime, but attacking someone is.

Writing a DoS tool is not a crime. Using it on someone else is. What's so hard to understand?

Re:which side of the law is our community on?

[evilviper]

Can't speak for the rest of the slashdotters, but I don't want them to be prosecuted... I want the insecurity to be repaired, which is what we've always wanted.

What happens in the business world with the DMCA, they would arrest who-ever pointed out that DDoSing was a possibility. Just the opposite of the solution.

Besides, it's a trivial fix... The only problem is that nobody takes the initative.

Re:which side of the law is our community on?

[oyenstikker]

We (the slashdot community) (except for the trolls) don't cause inconvience to innocent bystandars/consumers, and we don't cause headaches for those who actually do something, only to the lawyers and politicians and freeloaders (RIAA, MPAA, et cetera).

Re:which side of the law is our community on?

[(H)elix1]

Or in this case...

Programs don't kill servers, malformed packets kill servers.

Re:which side of the law is our community on?

[ergo98]

Can't speak for the rest of the slashdotters, but I don't want them to be prosecuted... I want the insecurity to be repaired, which is what we've always wanted.

Taking this to an absurdly inappopriate analogy: If some pranksters fire bombed an old age home killing all inside, is the solution to call for old age homes to be built with fireproof walls and armed guards out front? Where does the responsibility of the criminal end and the responsibility of the victim begin?

Re:which side of the law is our community on?

[ReelOddeeo]

Writing a DoS tool is not a crime. Using it on someone else is.

I agree. In support of that viewpoint, I would give the following example counter argument.

Guns are bad. Nuclear weapons are bad. Let's remove them both from the military. Studying how these things are built and used is not a worthwhile endevor. Since we don't believe in attacking someone for no reason, we don't need any weapons. We also don't need to study how offensive weapons might be used against us. Therefore there is no reason for their existance. Let's just pass a WMCA (Weapons Millenium Contraband Act) law and outlaw anyone even thinking about how weapons work or how reinforcements might be vulnerable to weapons.

(Disclaimer: I don't own anything which was designed to be used as a weapon; lest someone pigenhole me into a certian group.)

Re:which side of the law is our community on?

[-brazil-]

Besides, it's a trivial fix...

Technically trivial, perhaps. Administratively, it is extremely non-trivial, and that's just as big a factor. Please get off the "If I can do it in my home network of three machines, it must be just as easy to do for the whole internet" horse.

Re:which side of the law is our community on?

[3am]

I want them arrested, and to suffer.

The one wrong (ISPs with bad security) doesn't mitigate the other (socially stunted little idiots making other people suffer for kicks).

It seems to me that you are making exactly the same argument used by firearm opponents - who blame Colt, Smith&Wesson, et al. for violent crime, neglecting to blame the criminals for their part.

Re:which side of the law is our community on?

[perrin_harkins]

We're on the side that says information is not a crime, but attacking someone is.

You are on that side, but not everyone is. I've seen stories about companies that Slashdot criticizes fill up with comments along the lines of "I'm DoS'ing them now, and here's the script I'm using." Never heard a word of protest about this from the Slashdot editors before.

Re:which side of the law is our community on?

[Bert64]

Testing...
It`s quite reasonable to test o/s`s, servers, network card drivers and such, in a controlled environment by trying to overload them.

However, people will use devices NOT designed as weapons (airlines anyone?) to cause destruction.

Re:which side of the law is our community on?

[fatphil]

You're far to direct to get any attention, alas. You deserve an upmod for sure.

To reiterate and expand:

The DoS-ers are causing material and practical harm to the equipment of others.

The LiVid guys etc. are doing something useful and practical with something that they own.

The two situations are _diametrically opposed_.

FP.
(I don't mind being redundant if it helps some people get the point!)

Re:which side of the law is our community on?

[Decimal]

Writing a DoS tool is not a crime.

This is true, if you know your boundries. You would get an "illegal operation" message if you tried to access more than 640K of memory.

Re:which side of the law is our community on?

[Flower]

Taking the article at face value, a business has had to close because it was being deliberately assaulted by vandals. I can point out people who are now out of work, customers who have lost a service they wanted, resources wasted, etc., etc.. This wasn't "our" stuff that was being abused. It was a bunch of regular Joes and Janes out their being deprived of a service they purchased.

Compare this to stuff like DeCSS, Felton's work on SDMI and the rest. Showing why something doesn't work or getting additional functionality out of a product just isn't the same as maliciously depriving a business of the resources it requires to survive.

It isn't hard to explain but what is hard is getting the message out when Disney and the like are spouting their propaganda at 11 and with the simple fact that this isn't a bullet issue for the proverbial Joe Average.

Re:which side of the law is our community on?

[evilviper]

First I'd like to say I'm a member of the NRA, so you can put your analogy to rest.

A DDoS attack is essentially no more than a kid breaking in to your house. Unfortunately, with the network in it's current state, it's like the door is unlocked and wide open.

Certainly they should be prosecuted, BUT NOT in lieu of resolving the problem.

Does that help express my point?

Re:which side of the law is our community on?

[Ioldanach]

Writing a DoS tool is not a crime. Using it on someone else is.

I agree. In support of that viewpoint, I would give the following example counter argument.

Guns are bad. Nuclear weapons are bad. Let's remove them both from the military. (etc...)

How is that 'in support of that viewpoint'?

How about: Guns are bad. Nuclear weapons are bad. We'll build them and see how they work and could be used against us, because someone else might do it to us, and we need to know how to defend against and handle such a situation.

Building a DoS tool isn't a crime. Using it against another machine in a cleanroom environment to see how the overall system responds is not only acceptable, but critical if you want to defend & respond appropriately.

Re:which side of the law is our community on?

[Catiline]

Counterargument to your very silly counterargument:

Doctors study illness not to cause it, but to cure it.

I know that politicians, when dealing with computer technology, like to follow your facetious argument. The problem is that the general public has a hard time realizing programs are more like a leatherman multitool (wide purpose) and less like an EEG machine (one purpose). I've used Word to doodle, or play games (it's quite fun mangling the program using VBScript). Is it a crime for me to do so? After all, the same skills have been used to write virii or munge the security of a LAN.

I understand the twin concepts of responsibility and accountability: those are what keep me from considering any hacking. I've almost always known how to break security on any computer system I used; those two ethical precepts kept me from actually doing it (despite often strong temptation to the contrary). And if they were taught in public schools- and made to stick- script kiddies probably would be managable.

This is not to absolve network admins of their responsibility (to have a good firewall, practice proper security, etc). I just think that maybe we need consider the possibility that where the slashdot community stands isn't pro or con, but a sensible and logical medium.

Re:which side of the law is our community on?

[renehollan]

"...as far as I can tell there is no legitimate use for a tool designed specifically for DoS attack.

Of course there is: to test the robustness of a piece of equipment against such attacks.

There are ways to deal with DDOS attacks, but, unfortunately, they require the cooperation of most parties involved in the aggregation of "hostile" traffic toward a given target. It does no good for the target to simply drop "hostile" packets, because upstream "friendly" traffic might still get congested. The upstream routers need to be told to stop forwarding the "hostile" traffic.

And this raises two problems: 1) How do you deploy the software to an existing router infrastructure to allow this back-propagation of "stop forwarding hostile traffic to me" messages. 2) How do you identify traffic as "hostile"?

There are techniques for guessing what traffic is actually hostile, based on packet signatures (often the source address is spoofed, the attack is distributed, or otherwise useless), without dropping too much friendly traffic. It is better, though, to lose some friendly traffic, rather than all of it -- failing gracefully, as it were.

But retrofitting a standard DDOS defense will prove to be difficult, given the diversity of players involved (and this is one area where IP carrier consolidation would be a good rather than a bad thing) -- just look at the difficulty in bootstrapping IPv6 in the network.

Re:which side of the law is our community on?

[mpe]

Guns are bad. Nuclear weapons are bad. Let's remove them both from the military. Studying how these things are built and used is not a worthwhile endevor. Since we don't believe in attacking someone for no reason, we don't need any weapons. We also don't need to study how offensive weapons might be used against us. Therefore there is no reason for their existance. Let's just pass a WMCA (Weapons Millenium Contraband Act) law and outlaw anyone even thinking about how weapons work or how reinforcements might be vulnerable to weapons.

Whilst I think this was intended as satire, there is a historical parallel. Japan actually banned firearms, because their use made a nonsense of their highly trained swordsman. Effectivly their whole way of doing war and the industry supporting it would have been obsolete. This worked until the US navy turned up and enguaged in "gunboat diplomacy". Having realised that they had made a mistake the Japanese actually learned from it (and decided to pay a return visit on the US Pacific fleet some time later.)

Re:which side of the law is our community on?

[3am]

That does do a lot to clarify it - thanks for the additional info. I agree that there should be a form of penalty for ISPs that allow this to continue.

I would only respond to 1 point. I would say DOSing is more like assault than breaking and entering (which I would equate more with (h|cr)acking). And in this case, where people lost there jobs, it is even worse.

Re:which side of the law is our community on?

[mpe]

as far as I can tell there is no legitimate use for a tool designed specifically for DoS attacks

Testing that something intended to prevent such attacks working is a perfectly legitimate use. In the same way that it's perfectly legitimate to test an armoured vehicle by shooting at it. (Or if it's being sold to the government of Georgia firing anti tank weapons at it.)

Re:which side of the law is our community on?

[Tassach]

Of course, we reserve the right to define what are "good laws" and what are "bad laws", and in what cases a particular law that we consider "bad" is suddenly "good" or vice versa...

It's pretty easy to tell good laws from bad ones, using objective standards:

Good laws protect individual freedoms and provide a level playing field for everyone.

Bad laws destroy liberty and favor special interests over the good of the whole.

Re:which side of the law is our community on?

[goldspider]

evilviper, please choose a stance.

#2881725: "Can't speak for the rest of the slashdotters, but I don't want them to be prosecuted..."

#2881950: "Certainly they should be prosecuted..."

Not exactly an airtight argument, wouldn't you say? Frankly I believe your first statement, and I have no problem with that as long as you can defend your stance. Apparently you decided you couldn't, because you later reversed your original statement.

Re:which side of the law is our community on?

[PlaysWithMatches]

Okay, whoever modded the parent "troll" is an idiot. It's an important point - DoS/cracking/whatever tools should not be illegal, but using them to attack someone (aside from instances where one has permission - say, for security stress-testing) should be.

Doing otherwise would be the same as saying we should make anything sharper than a butter knife illegal to make or possess, even if all you're going to do is slice bread with it.

Re:which side of the law is our community on?

[evilviper]

I don't think assault quite applies. No one is physically injured, and it isn't like robery because the losses are subjective.

It's say it would equate to throwing a handful of nails on the road.

It does little more than delay the inevitable. When amazon.com and others were DDoSed, they claimed it cost them X millions of dollars, but it could just as easially be assumed that the profits were merely delayed, While with yahoo, some of it's services are easially replaced by other sites (search, news, stock quotes) and others (mail, homepage) would not be lost, but delayed.

So, I believe that analogy accurately describes the phenomenon in that aspect, but the fact that a simple technological solution to the problem applies to one but not the other leads me back to the burglary analogy.

Analogys can somethimes be perfectly matched, but in most cases you simply need to pick the analogy for that piece of the subject you wish to address.

Hacking for example, does not equate to thef as what is stolen is never missing... Merely coppied in most cases.

Re:which side of the law is our community on?

[mpe]

Taking this to an absurdly inappopriate analogy: If some pranksters fire bombed an old age home killing all inside, is the solution to call for old age homes to be built with fireproof walls and armed guards out front? Where does the responsibility of the criminal end and the responsibility of the victim begin?

If this happened you'd have both people investigating how to cach the arsonists and people investigating how to make buildings which didn't burn so well, didn't produce so much toxic smoke, more effective warning and evacuation systems, etc.

Re:which side of the law is our community on?

[Tim+C]

No, a terrorist probably wouldn't, but a hobbyist chemist might, just to see if they can.

Likewise, no a cracker probably wouldn't write a cracking tool/DoS tool/whatever unless they were intending for it to be used, but I might. Maybe I want to see what's involved, maybe I want to gain some sort of insight into how they're developed and how they work, the better to secure my own system(s). Hell, maybe I just have some time to kill, and can't think of anything better to do with it.

Knowledge should not be illegal. The use of that knowledge to the detriment of others is an entirely different matter, and should not be confused with the mere possesion of that knowledge.

Cheers,

Tim

Re:which side of the law is our community on?

[uid8472]

Programs don't kill servers, malformed packets kill servers.

Er, no. Malformed packets kill only badly written, insecure servers.

Re:which side of the law is our community on?

[david+duncan+scott]

Then again, I come from a family where my dad didn't let me dodge responsibility. I paid for my actions.

But he did teach you to post anonymously!

But, obvious ironies aside, I agree with you. In fact, I don't see why you feel this should stop with computer people.

It's time that the so-called "victims" of armed robbery, rape, and murder be brought to justice. It's shocking that people leave their homes without taking adequate precautions. I propose a minimum sentence of 5 years for all those injured in violent crimes, with the sentence to be served by a member of the immediate family in the case of the murder victims.

As for the so-called "thieves" and "killers" -- clearly they have done society an enormous favour and should be rewarded accordingly.

Re:which side of the law is our community on?

[Sloppy]

Imagine an alternate universe, which isn't really very different from our own. In that universe, the other davejenkins (whose has_beard property has the opposite value as yours) just said:

It's very sexy to support people who manufacture screwdrivers in defiance of the Anti-Screwdriver Law, but when someone starts stabbing people with screwdrivers, we want to string the stabbers up by their fingernails.

Re:which side of the law is our community on?

[ReelOddeeo]

Writing a DoS tool is not a crime. Using it on someone else is.

Did you understand my silly counterargument? The reason I wrote it was because it was so stupid. I thought I made this obvious.

Doctors study illness not to cause it, but to cure it.

And hence, we should study weapons and attacks to defend against them. And hence we should be able to study DOS tools, packet sniffers, etc. I did start my post explaining that I completely agreed with the parent post, and than gave a very silly counter argument to it.

Re:which side of the law is our community on?

[ReelOddeeo]

as far as I can tell there is no legitimate use for a tool designed specifically for DoS attacks

Like the absurdity of the counter argument (I gave above) to my point of view, there is no legitimate use for guns other than to murder people. Obviously, this is wrong. Aren't guns a great way to test bullet proof vests?

Re:which side of the law is our community on?

[bwt]

Oh, B.S.

Please post a link to one of these posts.

Re:which side of the law is our community on?

[ahde]

there is no legitimate use for a nuclear bomb

Re:which side of the law is our community on?

[Shimbo]

It's pretty easy to tell good laws from bad ones, using objective standards:...

Yes, but essentially arbitrary ones. However, they are uninteresting cases; the interesting ones are where the good of the whole conflicts with individual freedoms.

Lots of laws need to set dividing lines: for example, how drunk or short-sighted can I be and still be allowed to drive? If I proposed a law changing the current values either way by a factor of 10 it's pretty clearly bad law. But the principle of the law is unchanged, thus applying your 'objective' test would surely fail to distinguish between them.

I must say I am distinctly unimpressed with the idea that human laws have a certainty that doesn't even exist in the world of mathematics (Church-Turing and all that). It seems to me just another form of political correctness, with its implication that there are provably bad and good laws, and that people with other viewpoints are in some way irrational.

Re:which side of the law is our community on?

[perrin_harkins]

Here's one: http://slashdot.org/comments.pl?cid=1483822&sid=27 42

There are plenty more like that. Some use lynx in a loop, some use Python, some use fancier Perl. There are also lots of comments saying "let's DoS them."

Re:which side of the law is our community on?

[renehollan]

Item 6 is actually hard to do, whether manually, or automatically, given a DDoS and spoofed source addresses.

Re:which side of the law is our community on?

[renehollan]

That is good news, though I'd think that the obvious way to try to shut down traffic to a public service would be to attack it through it's open ports.

Re:which side of the law is our community on?

[susano_otter]

This is a ludicrous comparison - as far as I can tell there is no legitimate use for a tool designed specifically for DoS attacks.

Maybe you missed the part where the parent post said that studying such tools may provide useful information about how to protect against them.

How is that not a legitimate use for such a tool?

Re:which side of the law is our community on?

[DavidJA]

Writing a DoS tool is not a crime. Using it on someone else is. What's so hard to understand?

How about writing a DoS tool and releasing it to all these script kiddies?

How about giving a mass-murderer a machine gun?

How about creating a nuclear weapon and giving it to Osama-Bin-Laden?

But Sir, I only created the nuclear weapon, Bin Ladan was the one that aimed it at the USA....

Re:which side of the law is our community on?

[evilviper]

If the solution to preventing rape was as simple as solving this problem is, I would then believe that the victim would be to blame.

Just think, a terrorist smuggles a gun/knife/bomb on to a commercial jet... Is the terrorist to blame, or the FAA?

While the terrorist deserves what he/she gets, it's the FAA that could have and should have prevented the opportunity from arising.

And on the same note, 3,000 people die in New York city from terrorist take-overs of airliners. Who is to blame? The terrorists that took advantage of the situation? or perhaps the FAA, who's regulations disallow stronger cockpit doors, who did not train the crew to handle the situation, who did not have any air marshals on ANY of the jets, and ignored the thwarted conspiracy in 1999 by Al Quada members to crash a fully fueled commercial jet into CIA headquarters?

Of course the terrorists are to blame! but there's always going to be terrorists willing to take advantage of the wide-open opportunities that present themselves.

Re:which side of the law is our community on?

[mpe]

It's very sexy to support programmers who fight 'bad' encryption routines, 'ludicrous' copyright schemes, and the like, but when it comes to skript k1ddi5 hacking OUR stuff, we want to string them up by thier fingernails.

Actually its called supporting "freedom of speach". Which includes freedom from having speach interfered with and restricted and freedom to choose to listen or not listen to what someone has to say.

Re:which side of the law is our community on?

[mpe]

And this raises two problems: 1) How do you deploy the software to an existing router infrastructure to allow this back-propagation of "stop forwarding hostile traffic to me" messages. 2) How do you identify traffic as "hostile"?

There is also the nastier version of the second "How do you stop this mechanism being used for creating a DOS?"

Re:which side of the law is our community on?

[mpe]

there is no legitimate use for a nuclear bomb

Militarily it works very well to deter some one else from attacking your country. Especially if their base of operations is something like a naval task force. Also it's prefectly legitimate to blow your own stuff up.

Re:which side of the law is our community on?

[Tassach]

interesting ones are where the good of the whole conflicts with individual freedoms

What is the whole other than a collection of individuals? I would maintain that what is good for the individual is by definition good for the whole. The basic premise that keeps getting lost is that with personal freedom comes personal responsibility and accountability -- you cannot have one without the other. Most laws that are allegedly for the public's benefit are in fact for the GOVERNMENT'S benefit -- not at all the same thing

Lots of laws need to set dividing lines: for example, how drunk or short-sighted can I be and still be allowed to drive? If I proposed a law changing the current values either way by a factor of 10 it's pretty clearly bad law. But the principle of the law is unchanged, thus applying your 'objective' test would surely fail to distinguish between them.

Personally, I have some problems with drunk driving laws as written. I feel that it would be far better to hold people strictly accountable for any damage or injury they caused while driving drunk. If a person is unable to operate a vehicle in a safe manner, it's irrelevant what their actual BAC level is -- they shouldn't be driving, and it is in both their own interest and in the interest of the public for them to be removed from the road. Setting an arbitrary BAC level ignores the fact that everyone has a different tolerance of alcohol: one person could be completely unimpared with a BAC level of .081, while another could be unable to walk, let alone drive, at a BAC of .079. However, given the laws of my state, the former person would be guilty of DWI and the latter would not, even though the latter would be much more dangerous on the road. Reaction time and judgement are the important factors in operating a motor vehicle, and these are what should be tested (to whatever extent it is possible to assess someone's judgement). The sad fact is that far too many people lack the reflexes and judgement to drive sober.

Traffic laws are all too often passed not on the basis of actual public safety but for how much revinue the fines will generate and for how well it will help the politicians get re-elected.

I must say I am distinctly unimpressed with the idea that human laws have a certainty that doesn't even exist in the world of mathematics (Church-Turing and all that). It seems to me just another form of political correctness, with its implication that there are provably bad and good laws, and that people with other viewpoints are in some way irrational.

Perfect certianty is not possible nor required: just as we know that classical Newtonian physics contains subtle inaccuracies when viewed from the standpoint of General Relativity, it is still a workable approximation that provides satisfactory solutions for everyday usage.

Just as Euclidian geometry rests on an unprovable (and arguably arbitrary) set of axioms, any given system of Government requires an unchallenged set of basic assumptions to define it's framework. In the USA, (and by extention, all Constitutional Democracies) we accept a set of axioms for our Government, which are (roughly):

• that every person is equal in the eyes of the law; that no group or individual is above the law or entitled to special privilidges
• that the people possess certian basic Rights which Government may not deny them under any circumstance
• that Governments derive their just powers from the consent of the governed
• that any Government possesses only those powers and responsibilities that have been explicitly granted to it by the people, as expressed by it's Constitution

The word "good" is abiguous at best. There are at least two variables which contribute to a given law's "goodness": justice and effectiveness. I would propose that a "good" law must be both just and effective. In order to be just, a law must not excede the Government's Constitutional authority nor may it infringe on the Rights of the People; in order to be effective it must provide a measurable, positive benefit to the People and must be enforcable in a fair and impartial manner.

I would submit that any unjust law is, by definition, a "bad" one; a just but ineffective law is neutral at best. Laws which do not work or cannot be enforced erode the People's faith in and respect of the principle of Law.

DoS and Spam

[wiredog]

I have become convinced that spam, and script kiddy idiocy such as this, will only stop when Bad Things(TM) start happening to the abusers. Bad Things(TM) would hopefully be legal, in that the abusers go to jail. But that may not happen until after the victims, seeing no help coming from the law, take things into their own hands.

Judge Lynch never sleeps.

Re:DoS and Spam

[Sobrique]

Problem is, legal or not, electronic crime is _so_ hard to gather evidence and prosecute.
A skript kiddy is pretty safe, as are spammers. It's hard to prosecute, difficult to gather evidence (a compromised machine is fundamentally 'contamintated' evidence, an uncompromised machine hasn't been hacked and therefore is rarely worth prosecuting). Computer forensics have been around for a while, but the kiddiez are protected by 2 things.
Corporate inertia - the cost of admitting a break in and the damage it does to the share price is often more than any damage an intruder can do.
Sheer numbers. There's an awful lot of idiots with net connections, who think its l33t to DoS, skript etc. Computer literacy isn't always a good thing :)

Re:DoS and Spam

[mpe]

A skript kiddy is pretty safe, as are spammers

Depends, if a spammer is trying to sell a real product they should be perfectly possible to track down.

Re:DoS and Spam

[BlueUnderwear]

Depends, if a spammer is trying to sell a real product they should be perfectly possible to track down.

Exactly. Just ask their credit-card processing company, they must have some place where they credit the money to.

And even without this, on most spams, you have a sender IP to work with, which leads to an ISP, which theoretically has logs about who used that IP at the time the spam was sent. However, the problem is, many, ISPs don't really care, and consider it more cost efficient to just file mails to abuse into /dev/null .

But I imagine, a court order would really help to encourage them to act, unless of course they didn't keep any logs in the first place. However, spam is often such a minor offense that nobody bothers to intend legal action against the offenders.

Re:DoS and Spam

[mpe]

spammers should go to jail? Why is it that information wants to be free

Most spam involves some degree to fraud (which people can go to jail for.)

I wonder why?

[Em+Emalb]

Can someone please clue me into why people do this? I don't quite understand this mentality. I have never done something bad like this simply because I could. Am I a rarity in this world? Do these kids need a hug? Why would you do this? Feeling "elite" because you can knock down an ISP? Take your energy and do something positive with it. IMO, this is petty and retarded. Maybe these script kiddies can go knock down a hospital or something next, hey why not, it doesn't hurt anyone right? RIGHT? forking iceholes.

Re:I wonder why?

[jlower]

Can someone please clue me into why people do this?

Because they can.

Sad, but true - that is the long and short of it. DoS attacks are modern vandilism.

Re:I wonder why?

[sphealey]

Can someone please clue me into why people do this? I don't quite understand this mentality. I have never done something bad like this simply because I could. Am I a rarity in this world?

If 1000 people walk down a backstreet past an empty building, 998 will just pass by. 2 will throw a rock through a window and spraypaint the walls.

This just seems to be part of human nature; I haven't seen much change in the percentage of people who behave this way since my childhood (1960's) anyway. The problem is that the world today is so interconnected, and also dependent on technologies whose webs of interconnection are more fragile than we like to think, that the 2/1000 with the desire to damage can do a lot more damage to a lot more people than ever before.

I am a bit discouraged myself about whether or not this can be stopped on the Internet, personally.

sPh

Re:I wonder why?

[Thomas+M+Hughes]

Part of me thinks it has a lot to do with the online mentality of a lot of people who are powerless in the real world, but feel empowered when online. I'm most likely pulling this out of my ass, but its something I've seen fairly often when hanging around EFnet in years past.

In real life, you can't just take something from someone else, unless you're much bigger than them. When you're online, you just need to have the ability to access a lot of bandwidth. So, if someone has a channel on IRC that I want, I DoS the server, split it and take the channel. Now, supposedly this doesn't happen as much these days, but it used to happen fairly often back in the day.

There's also online cliques, who for lack of better explaination seem to act as online gangs. Loose groups of friends who associate, talk, and dislike the same people. Thus, much like real life gangs, if one gets ticked off at another, they get their friends to make their life hellish for the opposing party. I wouldn't be suprised if they DoS'd a dialup user just in an attempt to knock him offline and went a little overboard. Or were trying to DoS an IRC bot. Or even a webpage.

Of course, I really have no idea what caused this incident. This is mostly just speculation. But I'm fairly certain at least one script kiddie has had similar motives in mind during his mischief. Kids will be kids, and that involves doing stupid stuff that they don't understand the consequences of. That doesn't mean we should string them up, but it does mean we should make efforts to make it more difficult for them to do damage.

Re:I wonder why?

[eXtro]

I've had experience with a couple of little bastards that have done this as well as other things. It's not all that complicated to understand why after talking with one of them at length. They're fairly safe from prosecution, they enjoy the fact that it pisses people off, and revel in the fact that you can't really do anything about it. There are also people who look up for them for their ability to blindly execute a script somebody else wrote.

I don't think writing software of any type should be a crime, but I think in cases where there is clear damage (like this company that went under) the usage of the script should be treated as a criminal matter. This could easily involve conspiracy, vandalism etc. charges.

I was originally tempted to start releasing poisoned scripts, scripts that would work as intended when pointed at local machines but would have undesired consequences (hard disk corruption, file deletion etc) if used against external domains. I'd hate to see somebody harmed through legitimate use of the scripts though (auditing a site you have permission to audit from a remote location for instance).

Re:I wonder why?

[Skinny+Rav]

Why asking?

It is an old thing. Always and everywhere some young males have an urgeing desire to destroy something just for destroing it. Today if they have muscles they go and smash windows, destroy park benches or just bully others. If they don't - they rund DoS attacks.

Let us say it straight: there is no difference between a script kiddy and a brainless thug who ie. cuts bus seats with a knife.

Raf

Re:I wonder why?

[MaufTarkie]

It's also a lot easier to be "anonymous" on the Internet than in real life. An innocent bystander can't happen by and notice a crime taking place on the 'Net due to the nature of the structure, so there's a sense of "I won't get caught if I DDoS". Because of this, I believe the ratio is more than 2/1000 on the 'Net -- probably more like 50/1000. Due to the anonyminity, people feel they can get away with more than they would normally feel comfortable with in meat space.

Re:I wonder why?

[cxreg]

If 1000 people walk down a backstreet past an empty building, 998 will just pass by. 2 will throw a rock through a window and spraypaint the walls.

But this isn't throwing a rock and spraypainting. That's more like trolling Slashdot. This is setting the building on fire. The difference between what these kids do and an arsonist is the FBI actually cares about arson.

Re:I wonder why?

[Tim+C]

auditing a site you have permission to audit from a remote location for instance

If someone is being paid to audit a site in this manner, I'd hope that they'd do a little more than just download a few randon hack scripts from the internet and run them.

Sure, that's what most of the real attackers will be doing, but if I were paying for an audit, I'd like it to be just a little more thorough and professional than that...

Cheers,

Tim

Re:I wonder why?

[sphealey]

But this isn't throwing a rock and spraypainting. That's more like trolling Slashdot. This is setting the building on fire. The difference between what these kids do and an arsonist is the FBI actually cares about arson.

I don't disagree, but keep in mind two things: (i) if you have ever done long-term maintenance on a building, you know there is only one real enemy: water. A building can stand for several hundred years if the roof and windows are intact. One broken window that goes unrepaired means the inevitable destruction of the building (ii) "broken windows" is Jane Jacobs' shorthand for what starts a neighborhood, as well as a single building, on the path to destruction.

sPh

Re:I wonder why?

[overunderunderdone]

Can someone please clue me into why people do this?

This is a somewhat larger question than I think you realise and one that people have been struggling to understand for as long as there have been people. Why do people do bad things? Why are they selfish, cruel, malicious? Why do even good people not have the self control to always follow their better instincts? Why do some people not even seem to have those better instincts?

I'll be up front and mention that I am a christian (Now THAT is a statement to start a flame war on this board - not my intention but my experience is that there are a lot of people that are quite indignant with me for what I believe. But since it IS what I believe [I'm not making it up to start a flame war] & is relevant to your question I don't feel particularly compelled to keep silent.) Anyway, christians (and therefore, I) believe that every single person is 'fallen' and inclined to be 'bad' (or evil to use the old-fashioned term) and do 'bad things' (or sin to use the old-fashioned term). 'Bad' (or evil) ultimately being defined by christians as being selfish - living for oneself rather than for God & your fellow man. Though we are all the same in this regard it is expressed differently in each of us as individuals. The behaviour of these kids doesn't have any particular appeal to me but I think for them it is a way of selfishly having "power" they don't otherwise have. They are probably incapable of doing something positive that would have as much impact or bring them as much or notoriety. But here they are a few, or maybe even one immature kid that brought an entire company staffed by mature, technically astute adults to bankruptcy. Excersising power, having an impact, feels good, feels like importance - and in their self-absorbed state of mind the plight of the people affected does not enter in.

Re:I wonder why?

[psin+psycle]

Do these kids need a hug?

Actually, this is probably closer to the truth than most people realize. If you think about it, you realize it is only possible to hurt someone else (or their property) if you feel like you are hurting yourself. The really sad thing is, when we find someone who is hurting, and has demonstrated this to us by hurting someone else, we hurt them more by punishing them. Thats a human approach, but it will only result in larger problems. When someone hurts us we should help them by giving them a hug... or something :)

much metta

Re:I wonder why?

[isaac_akira]

One broken window that goes unrepaired means the inevitable destruction of the building

But the kid who broke the window doesn't know that. He or she just wanted to mess something up, leave a mark, "I did that!".

DoS is like squirting epoxy into the locks of a (non-empty) building or a car. It takes a little forethought and planning, and it is primarily designed to annoy other people.

Re:I wonder why?

[Technician]

Nothing has changed. It's the new CB radio of the 1970's. If they didn't like what their neighbor said, and he couldn't identify him, he got a 1KW linear amplifier (not leagal) and ran that on the 5 watt band to deny him the ability to carry on a conversation with anybody. We used to refer to these abusers as being 10 feet tall behind the microphone. Their mission was to dissrupt someone elses conversation in an airwaves ownership battle. Radio direction finding equipment was rare and expensive. Most people couldn't find one and take the time to track someone down. Many times by the time you got close to finding an antagonist, they would finish the flame war and go silent. I had a RDF (homebuilt) and used it against the worst nearby offenders that were overly perseitant at being a pain to somebody. The element of supprise announcing the address of the offender on the air was worth the hunt. Most people were so used to being un-trackable, they got quite bold at being abusive. A positive ID came as a major blow to them. Suddenly they had to worry about angry neighbors attacking and destroying their car, windows, etc. (this happened to an abuser trolling for flame wars on air, his car was totaly destroyed by parties unknown) They were no longer able to hide when the source of the attacks were revealed. With distributed DOS attacks, it is harder to track the offender. Unfortunately this ability to hide the true identity allows abuse to reach further and disrupt more communications than it used to while being harder to track.

Re:I wonder why?

[pclminion]

When I was a stupid teenager, one of my friends and I took over a particular IRC channel. Man, the rush that gave. Yes, like I said before, stupid.

Some people really get a kick out of it. It's hardly even malicious intent -- they're just trying to get a fix. I think most of them don't understand that what they are doing is damaging businesses, hurting peoples' livelihoods, and ruining lives. It's like their drug, but in this case you inject it into someone else instead of yourself.

Possibly, it's an act similar to scientific discovery, in that moment when you are the only one who knows something new: "Buahaha, Ebay just went down, and I'm the only one on Earth who knows who did it." Except with scientific discovery, you get recognition and possibly a Nobel prize. When you DDOS or otherwise f*ck up somebody's system, you get no public recognition unless you are caught.

I think for the most part these kiddies are neglected children, probably not physically abused, who feel hopeless in their daily lives and use the Internet as their means to exert "power" over other people. God knows I was the same way for a while, until I woke up and realized how f*cking stupid I was.

Re:I wonder why?

[HiThere]

I, personally, would not put it as high a 0.001. The problem is, it doesn't need to be.

There are two main possible solutions. The legislative and the technical. I would really prefer that a techincal solution were created, though I don't know what form it would take. It would need to avoid any centralized control point. And it would need to be low overhead.

Unfortunately, any real answer would probably involve a redesign of the TCP/IP protocols. And even then ... It's sort of like trying to listen to a conversation at a cocktail party. It may be that the only feasible solution is to reduce the noise. Somehow.

All I can come up with is using one port to receive non-session messages, and only echoing back session cookies to valid addresses. On a second port only accpeting messages with a valid session cookie in the header. This would aid in dropping bad messages quickly, but doesn't do much else for a DDOS.
.

Re:I wonder why?

[HiThere]

Possible. That's the reason that I play games at a level where I can always win.

OTOH, there's always going to be a relatively powerless group. Always. Even if the playing field were absolutely level, people have different levels of need. So any solution will need to take that into account.

Actually, a purely technical solution is probably not feasible. What's needed it something that will reduce the level to an acceptable value.

It helps to give people acceptable ways to feel empowered. It helps to enhance group cohesion among acceptable groups, and to decrease group cohesion among unacceptable groups. And it helps to increase the amount of effort required to perform unacceptable behavior. Threats are of dubious value. Not only are they difficult to carry out, many of the major offenders don't exhibit that much foresight.

And there's a certain tendency to find some safe group to vent all of ones frustrations on. Safe here means "not emotionally threatening". This means that sometimes legally acceptable behavior will not discharge the anger. If the group perceived as treating one unfairly is identified with "society", then a socially approved releif valve will have minimal utility.

So a technical (partial) solution is at least a major component of the total solution that will work with the fewest adverse side effects. Probably.
.

Re:I wonder why?

[overunderunderdone]

Do these kids need a hug?

Actually, this is probably closer to the truth than most people realize.

I will agree with this. These kids are doing this to make themselves feel powerful. They want to feel important, significant. If they were made to feel their significance by the people to whom they should be significant - their parents - perhaps they would be less likely to seek a feeling of power in mindless destruction. Though there is no guarantee - even a person without excuse, loved, cared for, etc. can lack the self-control to tame their baser desires.

If you think about it, you realize it is only possible to hurt someone else (or their property) if you feel like you are hurting yourself.

Now I have to disagree - sort of. Their indulgence in malice and cruelty, their seeking after the thrill of power does them harm. But in their self absorbtion they are only aware of how good it feels to wield that power - to feel important. They do not feel hurt, they feel powerful.

The really sad thing is, when we find someone who is hurting, and has demonstrated this to us by hurting someone else, we hurt them more by punishing them. Thats a human approach, but it will only result in larger problems. When someone hurts us we should help them by giving them a hug... or something :)

Here I have to disagree - for several reasons. First: If someone cannot exersise enough self-control to refrain from hurting others they must be externally controlled by someone else (the state or their parents) - either by actual physical restraint or by the credible threat of punishment. Also, while they still need "a hug" love and acceptance from those from whom it is due - now that is not enough. I don't think their can be healing without honest regret (not just regret for being caught but for being *wrong*) - that is up to the criminal, no one can either force them through punishment or manipulate them through compassion to arrive at that repentance. There also can't be healing without suffering real (depending on the crime even harsh) consequences. Even kids have an inate sense of justice (that I believe is valid) and that even criminals will acknowledge. It does not do the do the victim or society at large - but especially the criminal - any favors by bypassing the requirements of justice. A penitant criminal who has been punished for his crimes can start again. A penitant criminal who has escaped punishment will feel the unfairness of that escape and a continued sense of guilt. He will be crippled in his ability to begin anew. An unrepentant criminal will take either scenario as an excuse to continue in their crime.

Re:I wonder why?

[Sentry21]

Now I personally don't give one whit who you worship, why, or in what building, and frankly it's none of my business, even if I did care. On top of that, I'm not going to get into some pathetic argument over the nature of humanity and sins and all that crud.

However, you are correct (whether by logic or coincidence) - this IS a power trip for them. It's a testosterone thing, it's being a jackass, it's kicking the world in the crotch because they hate school, but whatever it is, it's the chance for pathetic little rodents to lash out at the world. Jocks beat people up, skids do drugs, thugs steal cars, B&E, whatever, preps fill their vacuous lives with sporting and school events.

But what about the people that don't fall into that category? The loners, the persecuted with no outlet? They turn to the internet, and find groups of friends. In fact, I once spent some time with a group online, a few years back, and they were easily the most accepting, friendliest, nicest IRC channel I have ever met in my life, and I've been to a lot.

So they gain acceptance, and thus feel a need to impress their friends and attack their friends' enemies. They fancy themselves part of an 'army', lamer groups waging war, they take down EFnet servers or entire IRC networks because other groups use them, they take out ISPs to demonstrate their power.

It's a social issue, and if we prevent DDoS attacks, they'll come up with something else (I fonud an amusing log of a VB 'virus' writer - who actually used Visual Basic, his virus needed runtimes - backed up on CD). What we need to do is solve this problem socially. Either give these teens something to do, or beat them unrecognizable so no one will know if they are who they say they are, and thus cannot get recognition.

This is my rant on the subject, anyway.

--Dan

Re:I wonder why?

[Tsujigiri]

Anyway, christians (and therefore, I) believe that every single person is 'fallen' and inclined to be 'bad'

How dare you make that stupid statement and claim it represents the view of all Christians. Christianity goes far beyond whatever sect you're a part of.

Christianity is a blanket term for all people who follow the various religions based on the belief in the existence and teachings of Christ (Jesus).

Jesus never preached that people were "'fallen' and inclined to be 'bad'". Rather, his teachings were based on the idea that people were inherently good.

Most of the teachings that you talk about come from the Old Testament, and the post Gospel New Testament, all of which were written with goals other that recording the direct teachings of Christ.

Now I'm a Christian too (raised Roman Catholic, but much more eclectic since then) and I must say that your blanket description of my faith could not be more wrong. You can keep believing the Old Testament's fire and brimstone message, I'll stick with Christ's real message, the eleventh commandment.

Re:I wonder why?

[mpe]

I have seen FAR TOO MANY channel/server operators kicking/banning users and throwing abuse around simply because they can, often because they feel inadequate and have no kind of power in any real life forum.

It's a variation of the theme also explored in THHGTTG that those most attracted to "power" are those least suited to use it wisely.

Re:I wonder why?

[mpe]

Back in the day, the net (before it became internet) was the domain of techies. Now it's the internet and techies are the minority, like some great inclusive society it's got a little of every demographic in it, including spoilers.

I don't think there ever no "spoilers", just that you also didn't have a large number of apathetic people who took an SEP line if something went wrong. With the boom in CIA and FBI hiring I expect quietly there's growing an effort to track down how these things happen and then throttle the ISP's who don't do their own policing, universities or companies with an insecure server.

Remember that these same "spoilers" would jump at the chance for official sanction and immunity.

Re:I wonder why?

[Tsujigiri]

And if any Christian sect believes in the "original sin' bit its the catholics.

My point exactly. It's the Catholic sect that believes in "original sin" (as well as anglicans, baptists and many other sects) but that it is not a part of being a "Christian".

Think of it this way:

Christian -> Quadralateral
Catholic -> Rectangle
Baptist -> Square
Anglican -> Trapizoid
Jahovas Witness -> Rhombus

So they all relate in the fashion that rectangles, squares, trapizoids and rhombus are all quadralaterals, in that they all have four sides, but not all quadralaterals have all the features of, say a rhombus. In this respect all Christians belive in the existance of Christ and Christ's basic message (ie treat others the way you want them to treat you), but the rest of their beliefs can, and do, vary enourmously. And no, not all Christians believe in the "original sin" thing, that is a very Chatholic (and Catholic descended) based belief.

Extreme?

[Shimmer]

IANAS(ysadmin), but this doesn't quite add up for me. Do they really need to go out of business? Heck, if the company is "solvent", it seems to me they could find a way to survive. In the worst case, they switch upstream providers, get new IP addresses for all their boxes, and even change domain names. Yes this is huge pain in the ass for everyone (especially customers), but I can't imagine that shuttering is any more convenient.

-- Brian

Re:Extreme?

[arkanes]

They get charged through the nose for all the bandwidth the attack takes. Theres a certain amount of money budgeted for bandwidth, but the a DoS attack hits and suddenly you're running at 100x normal bandwidth cost for however long it takes you to break the attack - that kind of fee can certainly break a company that already lives on the edge.

Re:Extreme?

[sql*kitten]

Do they really need to go out of business? Heck, if the company is "solvent", it seems to me they could find a way to survive

Maybe they just thought, it's not worth it. Why work your ass off to build a company if people, maybe even some of your own customers, are just going to pointlessly destroy it? There are easier, saner ways to earn a living.

Copy of article

Today looks set to be a sad and frustrating one for anybody who was ever a customer of the once popular unmetered dialup and broadband ISP Cloud-Nine.

At precisely 10:16am a few minutes ago Emeric Miszti (CEO) and John Parr (Operations Director) of the C9 ISP posted what's likely to be their final announcement on our forums. C9 is now the latest ISP to close, although it's the first we've ever seen to go from a hack attack!:

Cloud Nine regret to announce that at 7:45 this morning the decision was taken to shut down our Internet connections with immediate effect.

We tried overnight to bring our web servers back online but were seeing denial of service attacks against all our key servers, including email and DNS. These were of an extremely widespread nature.

We felt we had a moral duty not to expose our customers to possible attacks as well.

We must thank BT for all the help they provided us with in trying to bring these attacks to an end. We worked with them for the last few weeks to investigate this problems but ultimately we did not believe that we could survive these attacks and that it would be in the best interests of both ourselves and our customers to close our Internet service and seek a transfer of our services to another ISP.

We now wish to initiate a speedy transfer of servers, domain names, etc to interested Surftime ISP's and NT portfolio hosters since this would be the quickest way to get the affected customers online again. Please contact John Parr on 07740 423993 if interested.

We want to thank our customers for all the support over the last few days. Ultimately these attacks denied the service not to us but to many thousands of British businesses and ordinary people - this was an attack against everyone with no consideration for anyone!

The company is solvent but if a sale of assets cannot take place quickly then an administrator will be appointed. We have had to pay our excellent staff to the end of the month and we feel really sorry for them as well and would like to thank them for all their efforts over the years and the commitment shown over the last few difficult days.

All the directors are feeling absolutely gutted since we have all spent nearly 6 years building this company and its reputation to see it destroyed by a brazen act of cyber terrorism - well at this moment we can think of no words to express our true feelings.

Emeric Miszti
CEO

John Parr
Operations Director

We're extremely sorry to see them go, not least because they often provided a very important insight into the internal wrangling that goes on between ISP and operator, it often goes unmentioned.

However the fact that such a long standing ISP was forced out of business by hackers is also of great concern and will no doubt be picked up on by the media. We can only hope they catch the people involved.

WHAT!!

[BryceH]

but as a frequent recipient of the sharp end of the DoS stick, I sure wish it wasn't an issue

ha ha ha.. this comming from the kingpen of DOS .. no /. has never DOS-ed a site... really i swear..

Re:WHAT!!

[TheAwfulTruth]

And what if the /.ing causes a buisness to go a couple of days without it's real customers being able to access the site because of the millions of lookie-loos and rubber-neckers? Merely running a /. article can cost a person (With rate charges on their small hosted web site) or a buisness hundreds or thousands of dollars. And just because Joe Blow has something cool on his web site doesn't mean that he HAS to pay for unimited bandwidth just in case he gets /.ed now does it? SO then. Posting a /. story IS frequently harmful and could easily be described DoS "attack".

Why let them win?

[SID*C64]

It seems kind of silly to shut down your business because of some little hax0rs. Granted, in this economic climate it could certainly hurt business... however it simply doesn't make sense unless there are some underlying problems.

This isn't like 31337 warez d00d shutting down his FTP server and crying to his mommy because someone did a DELE on all his pr0n files. Closing down a business due to hacking attempts or DoS seems rather harsh action to take.

Got to be something more to this than is reported

[johnburton]

First they go offline for days with no information available about why. Then they say they are coming back on line after a "hack" but that they will have to put their prices up. Finally they just appear to just give up and shut down.

It all seems very strange to me.

must have been the straw...

[Hollins]

They had to have been in a dire position to start with, or merely decided to sell out. This gave them a reason to explain dumping everyone's accounts over to another ISP. They didn't specify how much they made off the deal.

I can't see a healthy, competent ISP being put out of business by dos attacks. Yet.

Re:must have been the straw...

[ameoba]

Back in '95 a guy I knew decided to run a small ISP off a single T-1. He mostly did email & web hosting for small busineses, so bandwidth was never a problem for him.

That is until he pissed off the wrong script kiddie on IRC. The irate kiddie made sure that all of his bandwidth was saturated for 2wk straight. It wasn't a true DDOS in the sense that hundreds of computros simultainiously attack the target but the attack was comming from multiple sites with seriously fat pipes, making blocking the attack imposible.

His customers got fed up with the 2wk loss of service and left for greener pastures causing the business to fold.

Sadly, Laws Won't Do It

[tarsi210]

Sadly enough (and I certainly feel for the ISP), new laws concerning these attacks aren't going to help anyone. For laws to be effective, you actually have to catch the person in question, and with DDOS that's darn tough.

I'm not sure what the real answer is, though. I find myself reading these stories and articles and feeling helpless myself, even though I'm not directly involved. But I am a programmer, and we're supposed to have brilliant solutions to these issues....but I can't come up with one. The underlying structure of the 'net itself is to blame for allowing these attacks, and you know to change that will be like getting all cars to convert to bacon fat gas.

How does one instigate a major industry shift in how we do things? Would it even be worth it, or will we just see these random business fold due to stupid fucking kiddies?

Re:Sadly, Laws Won't Do It

[berzerke]

While I agree that catching the person behind this, and giving them real punishment, is the best solution, it is not the only one.

There have been a couple stories on /. already about those with insecure networks being sued and forced by the courts to shutdown until they can secure their networks. This (and others) ddos is probably coming from insecure computers. Yet, if you track down some of these computers, all but the smallest ISP's could care less that their network is being used to attack someone.

Perhaps some laws that make it easier and cheaper to shutdown the insecure computers will help put a stop to that. Perhaps something similar to the DMCA with regards to copyright infrigement, where if the ISP pulls the plug, they have legel liability protection, only with strong penalities for making a false report.

Re:Sadly, Laws Won't Do It

[redcliffe]

We don't need any new laws or anything to stop attacks.

All that needs to be done is for EVERY ISP to not allow any packet to leave their network that has a source address that they don't own. This would stop the script kiddies from being able to cover their tracks as easily.

Make an example of them

[Tri0de]

IMHO the effort should be made to catch a few of the little bastards and see to it than an eXtreme example is made for all. Old enough to run a script, old enough to be tried as an adult and spend the next 20 years doing tech support for Pelican Bay in between visits from their new 'boyfriend'.

And there is a pretty clear difference between 'white hat' and 'black hat' hacking. Did anybody ACTUALLY SUSTAIN *PROVABLE* DAMAGE? (and not like the frame up where they claimed that Kevin stole $100,000 worth of info, or some such BS). These punks do more real damage each day than Mitnick EVER did.

One ISP is punished for another ISP's mistakes...

One of the main reasons DoS attacks work is because of misconfiguration at ISP's. If the ISP's blocked outgoing packets with forged IP src addresses, and known bad packets, then the severity of the problem would greatly diminish.

ISP's don't do this, because either they don't understand it's a problem, or they don't know how, or their poor NAS boxes would collapse if they were asked to filter the traffic, instead of just forwarding it.

Anonymity vs. Accountability

[beamz]

I know this is going to get modded down but this is what the community as a whole gets for having the luxury of being pseudo-anonymous.

There isn't much for accountability when it comes to the net and everyone knows this. Lawmakers are doing very little about SPAM and it's a form of DoS but people cry afoul when some kids were pissed off at someone on IRC and DoS multiple large networks.

If people aren't required to be accountable for ALL of their actions then this isn't going to stop anytime soon. Unfortunately it's not hard to get access to connections with a lot of bandwidth so it's easy to pound anyone into oblivion.

I don't know what the solution is but as more companies get DoS'ed while their livelyhood depends on the net, you'll see more being done.

My question is if it costs companies so much to deal with SPAM, why isn't more being done? Isn't this a similar issue?

Re:Anonymity vs. Accountability

[Bishop]

In her novel, Tea from an Empty Cup, Pat Cadigan predicted a world with 2 Internets. One was 100% accountable. It was the main network used for real bussiness. There was no annonymity. The second network was designed to allow for anonymity. It was an "any thing goes" network where spoofing was the rule not the exception. I would like to see these networks. When I need to get work done I would use the accountable network. When I want to view pr0n I would use the other network. I think having two distinct networks like this would be a good compromise for the privacy advocats, and those tired of DOS attacks.

Ofcourse there are a *few* (as in many) technical difficulties to resolve first.

Re:Anonymity vs. Accountability

[Sycraft-fu]

It may just end up happening. Already there are other large scale netowrks being built. A great example is Internet 2. It's a research network that connects a bunch of universities and places like the JPL together. It's private, nation wide, and fast. IT is concevable that things like this will be come more common, and then begin to interconnect. You being to have an elite network where the security is generally high and crap is not tolerated.

Register coverage

[Zocalo]

The Register is an effective mirror of the article too, but they also have a *tiny* bit more information.

Same thing happened to me

[gabeman-o]

I run a small ISP, and two of our clients decided to run fragmented DoS attacks and ping floods that consumed the entire 100mbit connection to our main server. Our ISP got royally pissed and cancelled our services with them because it was against their TOS/AUP.

I have moved on to a better ISP that actually filters attacks leaving and entering the network.

Re:Same thing happened to me

[Cygnusx12]

Huh... But what did you do about the clients running fragmented DoS attacks, and using ping flood tools on YOUR network? Don't you have a terms and coditions of service?

Mod me down for this, or forgive me if I'm missing something here, but it seems like you passed the problem on to someone else instead of dealing with the source offenders yourself.

Dos for weeks

[f00zbll]

According to the article, the attack was been going on for a couple weeks. Part of me finds this very disturbing and alarming. Considering how many times IPv6 has been posted on /. and the possibility of mediating the problem of distributed denial of service attacks with the new features of IPv6, why hasn't adoption been more rapid? If a group of vandals can bring down an ISP, what's to stop them from repeating it?

Now that the Internet has shown to be a useful medium and is rapidly becoming an utility, it's time to make it more secure and robust against DDos attacks. The technology exist already, the telco's need to take the initiative and make it happen. From this document on ietf.org site:

7. Security consideration
Any public proxy is inherently a source of DOS attack. Rate limiting packet emission as suggested in 3.5 is expected to lower the risks.

Re:Dos for weeks

[gorilla]

IPv6 is suffering the usual problem that any new enabling technology has. No-one will adopt it until there is some advantage in doing so, eg websites they cannot access. No-one will require IPv6 until there is a sufficent percentage of people using it.

This deadlock will be broken either when IPv4 becomes unsubstainable, or when someone creates a large number of IPv6 only resources which attract people (and therefore funds) to build the networks.

Why hasn't this been solved?

[DotComVictim]

A solution to the DOS problem was posed at the Adelaide IETF meeting a couple years ago. Basically, some small percentage of packets randomly selected get ICMP notices from routers, with last and next hop information, that is forwarded to the destination. So if you are getting a large number of packets from a single source, you get proportionally more of these packets, and can use a heuristical engine to model the source, even for DDOS problems. This allows you to trace back to the offending network/ISP and shut off the DOS

Why did no one do this? It requires changes to router firmware, I'm not sure about Cisco firmware upgrades, but I thought they were at least possible. Besides, they could use this as a selling point and declare their old routers obsolete.

Admittedly, the model breaks down under MPLS, since it is difficult to track the cloud, but you can at least track entrance and exit points from the cloud.

Re:Why hasn't this been solved?

[InsaneGeek]

Same reason why IP6 hasn't been rolled out.

Re:Why hasn't this been solved?

[DotComVictim]

Try this

Two Quick Points

[NickV]

1) I wonder how likely is it that the DoS attacks were an excuse to find a reason other than the "we're really not profitable anymore thanks to big national ISPs" reason for bankruptcy (which is why lots of ISPs are going under lately.) I hate to say it, but after hearing all these companies blame the 9-11 attacks on going bankrupt, I've grown a bit cynical. I really wouldn't be surprised to find out that Could 9 was financially hurting already (regardless of their claim that they weren't.) The DoS attacks allow them to make a nice "good guy being bullied" exit.

2) This is awful news for other ISPs, since this will give the script kiddies incentive to do it again. Not only did you get an ISP to shut down ("Wow, isn't that cool" must be running through their heads) but they also got featured on /. This will just embolden these kiddies to do it again. sigh

3) (yep, one more just came to me) Can you say serious implications for the future of Corporate Espionage?

The whole story...

[routerwhore]

I suspect there is more to this story. They may just be checking out due to DOS attacks as an excuse for their investors. There are many ways to combat a DOS attack and BT could have played a large part in that respect. The tools and techniques are available, even to mitigate a DDOS from multiple real hacked hosts.

Calling it "terrorism"

[prophecyvi]

The Register has a story on this as well, mostly a rehash of ISPReview. Link here.

From that article:

Speaking to The Register a dejected Mr Miszti said: "This is terrorism - pure and simple. I never want to relive the last seven days again.

You're thinking "terrorism? yeah right".

It's too bad (for them) they're in the UK... in the U.S., under the so-called "Patriot Act" this IS in fact terrorism. Read for yourself here.

Obstruction?

[hughk]

As far as I can see, the script k1dd13z, are intentionally interfering with a business. Treat it as any other kind of commercial blockade and if they persist, let them be sued.

In the UK, the Computer Misuse act is such a catchall, it would be easy to claim damages (less easy to collect though).

Slashdot is known for having a DOS effect, but at least it is people attempting to view a site for its content. Its tough if you pay your hosting company for bandwidth but, at least it's legitimate and its is coming from a lot of users.

The trouble is, so does a distributed DOS. This has a lot of unwitting users too. It is extremely difficult to trace who is giving the orders and the actual attack 'bots run on any suitably unprotected system that happens to have conveniant broadband access to the web. Even the Whitehouse was hit, liuckily the attack 'bot was dumb and a quick switch to a backup IP address solved the problem.

The only solution that I know is to use a private network (as done by several securities exchanges). You can block out all of an exchange's internet access, but you will not hit the private network. Users without a private network connection can fall back to switched circuit connections (i.e., ISDN) when the Internet is down.

Re:Obstruction?

[tomblackwell]

Have you tried recently to sue a 14-year-old in Singapore or Russia or South America?

Re:Obstruction?

[hughk]

If the kid isn't so important (think who Daddy is), think about $1K or less in Russia!!!!

I would make such an annoucement

[Florian+Weimer]

if my business plans didn't work out.

(Read the final paragraphs of the announcement. Why do they stress that they are solvent?)

Simple filtering should stop this?

[Twylite]

I could be a little out of date (maybe even a lot ;) ), but last time I checked you could do a lot of calming of DoSing by implementing proper packet filtering on routers.

IIRC most DoSing relies on the kiddie hiding their source address (so that they can't be traced). So ensure that the router closest to the kiddie knows all the IPs it is allowed to accept, and rejects (and logs) all others.

This puts an onus on ISPs to handle the situation. Any ISP which doesn't react immediately to a DoSer from it or a downstream stands to lose (all of) its uplink(s).

Most port handling equipment can handle quite complex filtering on its own, knowing the IP allocated to a port and filtering all packets without that as its source. Port handlers typically forward to a router anyway, so its easy for an ISP to say "that interface talks to that rack, which can use IP range X to Y, so filter everything else". Immediately your script kiddie is limited to faking addresses of other users in the range.

This screws up a number of DDoS attacks I know of (where the reply to an unwitting host causes shit for the replier), and makes it a lot easier to trace the kiddie at least to within a limited number of possibilities.

If the ISP supplies a link to another ISP it must ensure it toes the line. Bulk links to corporate customers or anyone with a range of IPs (rather than just one) at the other end of the link can usually be handled like dial-ups: port handlers filter out bad source IPs.

Does anyone know of technical and/or political reasons why this can't work? If there are no technical problems then maybe an IETF policy committee needs to make it a standards issue.

Re:Simple filtering should stop this?

Actually i find most script kiddies don't bother to spoof the source IPs. Why should they? Unless it's to break a crappy IDS like port sentry...but generally i find most DoSes are not spoofed. If you check out where the packets are coming from usually it is a redhat 6.2 box at an ISP or NT 4.0 box at an insurance company or some such thing...there are a lot of misconceptions about DoS attacks based on sites like grc.com speaking as if they are some authority on the subject and people believing them. If you have ever been hit with multiple DoSes you know the claim that all the attackers use cracked residential boxes on cable/DSL is false. Both at work and at home i have been on the recieving end of DoS attacks and only once did it come from compromised residential hosts. Of course getting hit by a few DoSes does not make one an authority so don't take my word for it. Still i think the kiddies have many different techniques...some go for creating armies of residential connection zombies and others just go for the ISPs and other companies with plentiful bandwith.

Sure stopping spoofed packets is nice, but that's not gonna come close to solving it. I have sent e-mails to several listed contacts at the hosts that attacked my systems and never got any response...what am i supposed to do? Sue the company who got their bandwith stolen? what good does that do? Demand to see their logs? If they didn't notice a massive DoS launched from their systems what chance do they have of having unmolested and accurate logs?

Really the only way i see to put a dent in DoS activity is don't let your boxes get cracked. Easier said than done. That's the only way that's really gonna work, don't let these kids take control of your boxes.

As for why was I such a frequent target, was it my fault for attracting the attacks? I refuse to go down that path. That is like saying to a battered wife "well you must have done something to piss off your husband!". There is no justification for DoS attacks.

Ethics

[Aceticon]

As usual this is a question of ethics.

It has nothing to do with hackers, crackers, RIAAs, MPAAs or the color green - it has all to do with freedom of information:

- I support freedom of information, and by extension those that help make information free.

- I'm against restriction of information (any kind of information - bad, good, usefull or useless). Naturaly i am by extension against those that try to constrain that freedom.

- Which side of the law am i on?
Neither side. My ethics are independent of the law.

Going back to this specific case, i'm against however did the DDoS attacks because they went against other people's freedom to give and receive information.

Re:Ethics

[Em+Emalb]

I think a lot of people are like this.... until someone comes along and does something horrible to them. Then they change their toon fast. I am not saying this against you Aceticon, but you know it's true. People scream for freedoms until they get abused by it and then the song changes. Just a thought.

We're in the grey area.

[phathead296]

There is a world of difference between trying to maintain our fair use rights or exposing bad "security" methods and launching a DDoS attack against ANYONE.

This is not a black and white issue. A DoS attack is both illegal and imoral, as what you are doing hurts a large group of people. Exposing bad security in e-book files will help people in the long run. (Although it will help the copyright holders and not us :( )

As for the general population, it depends entirely on what the media reports. They can report that "hackers" have cracked a protection scheme, or they can report that a digital protection scheme was proven inadequate. Both are technically true, but each favors one group as the good guy. Unfortunately, since news is an entertainment forum, the first is more likely to be reported.

Until the general population is tech savvy enough to understand these issues, the media will have complete control over their opinions.

Cheers,
Phathead

Re:We're in the grey area.

[mpe]

This is not a black and white issue. A DoS attack is both illegal and imoral, as what you are doing hurts a large group of people. Exposing bad security in e-book files will help people in the long run.

It can be a very grey area. e.g. the equivalent of someone smuggling a weapon onto an airliner to deomonstrate that the security arangments arn't fully effective.

Slave to our own inadequate design?

[Wanderer1]

I saw a comment in here blaming the Internet's end-to-end design for the ability for individuals to cause such interruptions to service. BUT...

With all the designs available to us today, as engineers, we should be able to employ traffic shaping devices to limit the amount of load any given site can generate on the net. Cache, throttle and filter. We build routers that can switch ungodly amounts of packets per second (obviously enough to flood the link to Cloud 9's boxes.

So why can't Cloud 9 invest in a few black box traffic shapers (I know they exist) to smooth out the requests?

Just where is the point of failure, anyway?

As long as we continue to design our edge devices to be layover victims, we'll always have these problems. The network delivers, the computer abides. Well, perhaps the computer shouldn't be so quick to respond.

-b-

Re:Slave to our own inadequate design?

[mpe]

With all the designs available to us today, as engineers, we should be able to employ traffic shaping devices to limit the amount of load any given site can generate on the net.

However the way a Distributed denial of service attack works is that the stuff comes from programs installed on machines without the users knowlage. Unless the attacks have some kind of identifiable signature how do you identify them?
Traffic shapping approachs are more applicable with something like spamming.

This can't be the whole story...

[technopinion]

Steve Gibson was able to deal with a DoS and it didn't put him out of business, so surely an ISP could too.

Unless of course, it was a mom-and-pop shop ISP who didn't know an ethernet jack from a phone jack (hey, I only did that once!), and I've certainly seen plenty of those...

Re:This can't be the whole story...

[3am]

yeah, but that was before the release of Windows XP. This would never have happened if raw socket access was unavailable!

Knock on their door

[CDWert]

We had a DOS issue once,
Kinda funny actually, poorly done, we tracked down who it was, Unknown to the dimwit on his dads T1 (at home his dad was playing hosting provider) The admin at his upstream was a friend of mice accross town, I called paul up and said hey what you trying to pull here, he chuckeled and said I know, I know, I just saw the traffic, you wanna know who it is, you want me to cut him off ?, I said nah, leave him up, I dont want him to know I know, My friend kindly gave me his name and address,

I showed up at around 3:30 since I figured it was they guys kid, and he should be out of school by then, I took a friend(witness along) I didnt want this punk saying I beat him up or anything. I had a cell phone in one hand and rang the bell with th other, he came to the door and I said, right now the Police number is on this phone, I am good friends with a detective there(true) now, you either pull the plug on your end or I press send and well see how long it takes for them to come and pull the plug permanetly, although I dont think you dad would be real happy, I thought this kid was going to wet his pants, Ive only seen somebody so scared a few times, he fell back over a chair in the foyer and took off ? I looked at my friend and it was all we could do to keep a srtaiht face.

He came back 20 seconds later and said its off, and the n stared to enquire about if I was going to tell his dad, I said no but Im sure the bill from your provider will, He was on a transfer pricing plan and this had been going on over 2 weeks while I was on vacation.

I have "Knoked on doors" twive one was a 2 hour drive but I had other business in that area , most certainly the most effective DOS stoppages Ive ever had.

Maybe we should form an allicance of Administrators geographically dispersed to start knocking on their doors, sort of an Administrators Militia , you knock on his in BFI and Ill knock for you when you need it. Police scare the shit out of most of these script kiddies, probably more the fear of knowing being arrested is not something easy to hide from the parents that pay for their computers and bandwidth.

Re:Knock on their door

[Salsaman]

The admin at his upstream was a 'friend' of mice accross town...

Aren't there laws against things like that...? :-)

Hold on there...

[Shoten]

Now, I don't doubt that Cloud 9 was/is a great ISP, but I have to take their statements with just a wee grain of salt. I don't see anything there that indicates that they came under any worse of a DoS attack than scores of ISPs before them...why is it, then, that this particular ISP decided to just pack up and die over it? Something smells a little funny here, and I can't just take their attribution of the business failure to hackers as gospel.

No technical solution, it's an apathy thing...

[anthonyclark]

The problem is that sysadmins see the scans from these kiddies and ignore them (those that even have a portsentry or similar application in place). If you saw someone walking around your house and trying the doors and windows, you'd call the police right away, wouldn't you?

So why do the kiddies get off free? Sheer apathy from most of the sysadmins in the world.

When you get scanned, you have the address (if it's not spoofed), you can send a mail to abuse@domain. But most people don't, because It's too much hassle or we can't be bothered or no harm was done.

Script Kiddies will have a far harder time when admins start practising zero tolerance.

Re:No technical solution, it's an apathy thing...

If there are 1-2 scans a week, it's easy and worthwhile to track down these people. If there are 1-2 scans a second, there's nothing you can do.

My domain (a fourth-level '.ca') gets 300K+ spams a day. I'm ignoring them. I don't report them to anti-spam lists. I can't afford to waste my time tracking down 5 spams per second. And any automated anti-spam notification would double or triple the bandwidth I use.

When I tell many anti-spam people my reasons for ignoring these attacks, they get *angry* at me, and say I'm "pro-spam" because I won't do everything to stop it.

They conveniently ignore me when I tell them "Sure, I'll report all the spam! Just pay my expenses!" At a tenth of a cent per spam, I can afford to quit my day job.

Losers.

Re:No technical solution, it's an apathy thing...

[Legion303]

The authorities won't do anything to offending script kiddies unless you can show a certain dollar amount of damages. Most admins probably don't bother calling the feds because they know the feds won't do a thing.

-Legion

Re:No technical solution, it's an apathy thing...

[macemoneta]

Even on home cable, it's not feasible. I had done this when I had gotten 1-2 scans a day. I never received a response to the report. A few trojans ago, the scan rate picked up (now over a dozen a day). It's gotten to the point where I just turn the monitoring for scans off (still watch for unauthorized access). This is just me at my home PC; it would be a full time job to keep up with this. It's just not feasible.

We need an automated tool for collecting the scan data, and depositing it in a repository. The respository can perform the correlations to track these to the source nodes. Higher level (towards core) IPSs can take the lower level (towards edge) ISPs off net until the DoS is terminated.

If done properly, but still mostly manual operation, a DoS would last at most an hour. The problem is getting cooperation between companies and organizations that are business competitors. You need a third party independant organization (jointly or government funded) to manage the repository and request the service deactivation.

Of course, then the repository would itself become the target for attack...

Re:No technical solution, it's an apathy thing...

[anthonyclark]

Well, I'm not naive enough to think that the police will arrest every kiddie out there for every time they scan port 21 looking for wu-ftpd vulnerabilities on my servers.

But if I send an email to the offending ISP and they phone the kiddie saying 'this is unacceptable, don't do it again' then at least a start will be made.

If you broke into a neighbours garden to retrieve a ball and that neighbour then complained to your parents, there was a high likelyhood that you wouldn't break in again, correct?

Re:No technical solution, it's an apathy thing...

[Lumpy]

sorry but sysadmins that go screaming because I pinged their machine are power freak idiots. I can ping your machine, and I will ping your machine... it's part of being on the internet... YOU GET PINGED! if you cant secure your servers and network then you need to be taken off the internet as a hazard to everyone else.

sorry, but if you think that the sysadmins need to be screaming and holding a ZERO tolerance, then we need to hold a ZERO tolerance for sysadmins that dont have secure systems.

Re:No technical solution, it's an apathy thing...

[Howie]

My experience of this as an end-user with BT Internet (not anymore) is that they weren't really interested if the attack wasn't successful.

The fact that the attack was unsuccessful partly because I was able to see it and block it with BlackIce Defender didn't seem to persuade them that their users were doing bad things by portscanning BTs network for Wingate, BackOrifice etc.

Re:No technical solution, it's an apathy thing...

[BadBlood]

True story:

During the first few days with a cable modem and my linux machine, I installed portsentry. Every now and then I looked through the history file to see the myriad of scans. I traced one IP to a specific user at Penn State.

I fired off an email about noticing his portscan and asked him if his administrator would care to know about it. His response was almost laughable.

"I don't know how this happened. All I know is when I went to sleep last night my computer was on. When I woke up this morning I was in a heap of trouble."

Needless to say, he didn't scan me again (at least not under his account at PSU).

Re:No technical solution, it's an apathy thing...

[pclminion]

The problem is that sysadmins see the scans from these kiddies and ignore them (those that even have a portsentry or similar application in place). If you saw someone walking around your house and trying the doors and windows, you'd call the police right away, wouldn't you?

You know, for a while I thought this would be a good idea. First, I set up MySQL with a DB and some tables to store information on portscans. Then, I downloaded portsentry, and hacked it slightly to make entries in the database whenever I was scanned. Then, I wrote some PHP to let me look at the results via a webpage.

The result? I have learned that I'm scanned anywhere from 3 to 50 times per day, from all over the world. I tried emailing abuse@... as you suggest, many many times, with no results.

Now, I have learned some interesting things by doing this:

1. Most scans are on ports 21 (ftp) or 23 (telnet). It's hard to prosecute someone, or even get them in trouble with their ISP, simply for trying to ftp to you.
2. Most scanners are scanning from hacked accounts. ISPs are unwilling to shut down these accounts for lack of proof, and to avoid pissing off a customer.
3. All the scanners are quite easily blocked by portsentry.

I no longer try to do jack sh*t about portscanners. My pleas have gone unanswered, and I simply don't care anymore. Once I have a true firewall, I'll care even less. Let them scan me.

Re:No technical solution, it's an apathy thing...

[Lumpy]

sorry but I can ping whatever I want. It's part of the rfc's and the basic design of the internet. Hell I just pinged 5 servers out on the internet. you know what I just did? I verified that they were still responding. The internet is NOT your home or meatspace. if you have a port open you are offering it up to the entire world to connect to it. if you dont want the world to connect to it then utilize rudimentary security to block access to it. A ping is the same as driving down your street and verifing that the house is in fact still there. A silly thing to do in meatspace but a very sane thing to do in internet space as houses vaporize and re-appear at different addresses all the time.

I would call a full out portscan suspect. but most of these sysadmins that bitch and whine the loudest do sao bacause the lack the basic skills to secure their hardware and there fore expect others to just not try and access it.

The best thing to do is to fix the problem instead of complaining about it.... and a fix has been long overdue, (1995 is when this crap started getting out of hand, so cisco,3com, and all the others had 7 years to add basic security to the routers, thery didn't because they dont care to, it doesnt affect them so why should they?)

Re:No technical solution, it's an apathy thing...

[Todd+Knarr]

Simple: you don't report everyone. You look at the logs for patterns: people who try the same port several hundred times, people who send suspicious data repeatedly to the same port, people who hit a large range of ports in a short time. You report them, and ignore the guys who make 3 attempts at the FTP port and go away. Any decent log analysis tool should make this easy.

As far as not caring, that's why nobody answered you. They know that, if they ignore you, you'll give up and go away. The only solution is to not go away. If every admin who got scanned for real reported it every single time, and didn't quit, and escalated it to the upstreams if the scans continued without abating, then the sources of the scans couldn't just ignore the mail anymore. Yes it eats more of your time than just ignoring the problem, until of course your ISP calls you telling you you've been cut off because that DDoS you've been ignoring is eating up too much of their bandwidth.

Re:No technical solution, it's an apathy thing...

[Dr.+Awktagon]

Script Kiddies will have a far harder time when admins start practising zero tolerance.

Oh lord no. Don't use the words Zero Tolerance. That simply means Zero Thought.

Pinging a machine is NOT the same as trying the doors and windows. It's more like driving by and looking at them. Actually it's not like anything in the physical world. In the physical world you can "see" things. On a network the only way to see things is to send packets to them.

Please, don't use these flawed analogies. We don't need a world where accidentally leaving ping runnning in another window is a crime.

I just recently had to deal with Zero Tolerance admin who saw Port Unreachables from a nameserver I admin and he apparantly had to fill out paperwork, make phone calls, track down the packets, do all this bullshit "escalation procedures", all because of what turned out to be normal internet traffic.

Re:No technical solution, it's an apathy thing...

[Erasmus+Darwin]

"You look at the logs for patterns: people who try the same port several hundred times, people who send suspicious data repeatedly to the same port, people who hit a large range of ports in a short time."

You've pretty much described none of the people pounding at the door to my machines. Someone who's attacking a random machine (as opposed to something high profile) is generally looking for a single vulnerability across a wide number of IP addresses. Lately, for example, I've noticed people hitting the ssh port when before there was nothing. Not surpisingly, there were an ssh security advisory recently.

Re:No technical solution, it's an apathy thing...

[Todd+Knarr]

If they're looking, they'll be back. Maybe not in 2 seconds, but the next day trying a new vulnerability. The guy who typo'd an IP address won't be. That's what I did when I was watching Code Red scans: built a history of IP addresses and the number of times they'd probed me per day. The random hits sank to the bottom of the list, a couple-three hits on one day and nothing the rest of the time. The infected machines rose to the top, a dozen or so hits a day every day for a week. Easy to track, easy to spot, all done with a little program I hacked up in about 2 hours to parse the logs and record the data.

Re:No technical solution, it's an apathy thing...

[AaronW]

I agree that it's apathy. A couple of years ago I was running a Perl script that emulated a PC infected with Back Orifice. The script would simulate everything the user would normally do and log everything.

I once caught a user attempting to launch massive DoS attacks against other users by sending ping storms. Unknown to the attacker, nothing actually was going out. I notified the attacker's ISP (Quest) and the target's ISP. The target ISP was very thankful and said that they had noticed very high bandwidth directed to that user. The originating ISP could care less and refused to do anything, even after several more attempts by the same user.

I became frustrated and sent all the information on to the FBI.

Sadly I can no longer find the simulator script on the net (it was called Boobie).

Re:No technical solution, it's an apathy thing...

[Arandir]

You have your metaphors all messed up.

Pinging is like driving by a house to see if its lights are on. This is a legitimate activity. No use parking the car and walking across a wet yard in the pouring rain to ring the doorbell if the lights are off.

Re:No technical solution, it's an apathy thing...

[Fastolfe]

I agree.. if you are connecting a system to the Internet, there is a certain expectation that that system will be on the receiving end of Internet traffic, be it ICMP echo requests, or whatever.

If you don't like it, use packet filtering or authentication at the application level to keep the general public out. Attempts to circumvent that are a crime and should be pursued.

Re:No technical solution, it's an apathy thing...

[j7953]

If you saw someone walking around your house and trying the doors and windows, you'd call the police right away, wouldn't you?

Yeah, but my house is private, I don't want anyone to get in there (unless invited).

On the other hand, when you put a server onto the internet, you usually want others to connect to it. And you can't really blame anyone for asking you what kind of services you provide. Having a server is more like having a shop. It's not illegal to look at what products a shop offers, even though that might be in preparation for shoplifting.

I don't think port scans are a good thing, as they're mostly done to prepare some sort of attack. However I am very opposed to making them illegal, because it would mean making the attempt to connect with a port that the admin didn't want you to connect with a criminal act. But how can you know (before trying to connect) if the admin would allow you to connect? An activity should never be a crime if before doing it you cannot know whether it will be legal or not.

Sysadmins are, of course, free to refuse connections form computers that portscan their systems. The real problem is not that they don't report portscans -- the real problem is that many admins don't even notice them! While it's not essential to notice port scans, it certainly is essential to protect your system from real attacks, and many admins don't even do that. This is where they are to blame.

This will never stop until ...

[gewalker]

Although the news item does not justify saying that the ISP was going out of business because of DOS attacks (they were still financially solvent), perhaps the owner decided he had had enough of the problems from vandals. A well-run business will shut down and leave the neighboorhood when windows get broken repeatedly before they loose all of their money.

Computer vandalism -- This will not decrease until we (as the technical community -- including management) decide to make some changes. Without changes, it will only get worse.

1) Although technological solutions are useful and necessary, they are not enough. The trusted network model does not work in the real world. There must be rules, accountabilty and penalties (without penalties, nothing stops me from continuing to break the rules).

2) Many network rules exist, some are poorly enforced.

3) Because of packet-spoofing. Some (D)DOS attacks can be nearly impossible to shutdown. We need to make sure only legitimate packets can Internet at large. Without this rule, tracking down the vandal and applying the penalty is not practical. If packet spoofing were eliminated, it would be possible to identify culprits at a modest cost.

4) Accoutability needs to be improved by everybody. If Nimba2002 is released tomorrow, Microsoft should be expected to make it well known, and supply a fix. Network servers should be patched. People running compromised server should be cut-off until they get fixed. These things happen by and large in a haphazard fashion today. The problem needs to be addressed at the source whenever possible.

4) Penalties need to be commensurate with violation. A hand-slap for vandalism does not deter, a death-sentence for jaywalking deters, but it not justice either.

5) Then maybe we should get rid of junk email for an encore.

Re:I'd like to know

[RC514]

The slashdot effect has been analyzed:

Traffic increase from slashdot effect
Increase in hits and bandwith requirements of a Linux related story being featured on Slashdot
Analysis of several stories making it to the frontpage of Slashdot and other newslogs.

Especially the second link shows that the Slashdot effect can look very much like a DDoS attack. The severance depends on the story, probably on the time of day and of course on the link and hardware powering the /.ed site.

If you pay by the gigabyte for your webtraffic (who doesn't), the /. effect can be a financial DoS attack much more than a technical DoS.

Egress filtering and ISP responsibility

[Medievalist]

/.
Back in the day, before the Internet went commercial, if you abused your connection your upstream provider (typically a bunch of long-hairs at a land-grant university) would cut you off. If they didn't do it, their upstream provider would cut them off.

Currently, there is no real penalty for large ISPs who do not implement egress filtering (which prevents IP source spoofing) and/or refuse to co-operate in tracking down DOS sources.

The anti-spam vigilantes have been partially effective in cutting off ISP service to the worst spammers; perhaps something similar is needed to influence the ISPs who refuse to implement egress filters.

--Charlie

Re:Egress filtering and ISP responsibility

[Medievalist]

/.
As you say, by itself egress filtering will not solve the DoS problem.

What it does is prevent most forms of IP source address spoofing.

When the source of a (D)DoS is known, the problem is half solved. The other half is action on the part of ISP to actually cut off customers who abuse other netizens.

Egress filtering is an Internet "Best Current Practice" according to the RFCs. Performance considerations are a red herring thrown up by ISPs who want an excuse to continue doing shoddy work; any link can be egress filtered with current technology in a properly architected WAN.

But obviously, if they can't be bothered to conform to Internet BCP RFCs, they are unlikely to take action against net abusers either - until somebody makes them, perhaps?

Another thought: if clueless nimda/trinoo/tribe/stahldracht zombies were unceremoniously kicked off the net, Microsoft would suddenly have to get a lot more proactive with security issues.

--Charlie

Anti-DOS into routing protocols?

[Jeppe+Salvesen]

I realize that there are problems with this approach, but is it more fundamentally flawed than the alternatives?

Would it not be possible to build anti-DOS features into routing protocols? If you detect a DOS attack from a link, wouldn't it be possible to push a block-list towards the router on the other side of the link? It needen't propagate, because you just want to get far enough out to block before the DOS packets reach high "density". Think avoiding them from entering the bottleneck. So if a router detects a problem, it will do a simple push in the direction.

The goal in approaching the problem like this, would be to avoid having the anti-DOS solution become an indirect DOS.

The block should only be temporary, too, and possibly protocol-specific, so we'll need a TTL, along with optional port numbers.

Whaddya think, fellow geeks? Has this been done? Should it be done?

Wouldn't want to be the script kiddie who did this

[Bloody+Peasant]

Think about it: you've just brought down a major ISP, sent their sysadmins to the unemployment lines, and now they have plenty of time on their hands, probably have copies of all the logs, and nothing better to do than go through them with a fine tooth comb to find who messed up their lives.

Nosiree, I would not want to be in those script kiddie shoes. Not that I'm saying the sysadmins would stoop to anything illegal, but there's lots they can do legally if they find out who's behind the attack.

Who should we get mad at?

[Ankou]

Perhaps we are putting our resources out to the wrong people? Who are we actually mad at? What we should be doing is stopping people from creating the tools that these "script kiddies" are using. Take that away and those lame unknowledged kids will be helpless. Not to mention if you are hosting a site that is giving these programs away or if you give internet service to those who compromise systems then you are partly to blame as well. Its time that we take responsibility for our little islands in the Internet and discipline those who live there.

Re:Who should we get mad at?

[mpe]

Perhaps we are putting our resources out to the wrong people? Who are we actually mad at? What we should be doing is stopping people from creating the tools that these "script kiddies" are using.

Starting a "war on hacker tools" is as futile as a "war on drugs/terrorism/etc".

Take that away and those lame unknowledged kids will be helpless.

Except that it's impossible. You'd be trying to in effect "uninvent" these tools, which has actually been tried (with firearms in Japan).

This will only serve to fuel DDoS's

[cetan]

Now there's a couple hundred 13 year olds at home masturbating to the idea that they actually can close an ISP down for good with actions like this.

That's rather worrisome.

Re:Wasn't Cloud9...

[complex]

you're thinking of cloud9.net, the nyc-area isp. cloud 9 is stil going strong. check out aol sucks too. (still a cloud 9 page, though now redirects to a different url, dunno if cloud 9 hosts that new domain, too busy to look it up.)

complex

Re:a potential way to stop them

[TBC]

Rant mode on:
The majority of DDOS attacks could be tracked if only more ISP's would put outbound packet filtering on. I am not a transit ISP, so there is never a reason for me to send a packet with a source IP address that doesn't belong to one of our assigned address blocks. There is no way for that packet to get back to me. The problem is that it requires a more powerfull router to support the filtering. If more ISP's implemented filtering, at least you could track exactly where DDOS attacks are comming from.

Reason for going out of business.

[chrispe]

In the post the C9 said that they had 1000s of business offline for days. Now with commercial customers many ISPs give some type of compensation for down time. If they had 1000s of commercial customers down for that long some of them may have been banks, hospitals, government agencies and other companies that need there feed. It is very possible that this attack causing all service to be down for a long time could have caused a lot of underlining problems

Re:Why hasn't this been solved w/egress filters?

[swb]

Clearly DoS attacks like this don't work as well when you spoof source addresses. When are ISPs going to start filtering for source addresses at their border routers?

I know the old argument was that there wasn't enough CPU, but is that still true?

Re:Got to be something more to this than is report

[spazimodo]

http://www.theregister.co.uk/content/6/23770.html

"...What followed was first a Firewall password brute force attack resulting in successful hash and destruction of the firewall,"

If they leave their firewall accessible to any sort of brute force password attack, its a good bet they don't know what their doing and would have no idea how to stop a DoS attack.

I agree with some of the other posts suggesting that this DoS was just a handy beard, and that they were in some sort of financial difficulty.

DDOS?

[hughk]

Would this be adequate for a distributed denial of service attack?

There may be hundreds of attack 'bots involved. Each one is run by a user who has no knowledge of the attack and probably very little technical knowledge. To mask all of these and hunt them down would be non-trivial (even if you just pass the info to their ISP).

Re:DDOS?

[mpe]

There may be hundreds of attack 'bots involved. Each one is run by a user who has no knowledge of the attack and probably very little technical knowledge. To mask all of these and hunt them down would be non-trivial (even if you just pass the info to their ISP).

Which wouldn't do much good, since you really want to find whoever is controlling them. Which involves first identifying then keeping a watch on what they do, especially when they are not in "attack mode".

Re:DDOS?

[hughk]

According to the description of one attack, the bots got their orders via IRC. This means there is no direct link between the person giving orders and the bots. This is kind of hard to follow up.

There's a new sheriff in town

[QuantumG]

Legal action has largely been considered the only way to use force on the Internet. To do this you need to know who someone is and it is very costly. If you know who they get their Internet connection through there are laws in effect that you can use to shut them down. I think this is the latest proof that non-legal force is a reality on the Internet and it is directed towards the weak link in the legal chain. ISPs have to co-operate with law enforcement or legal copyright bullies to shut down attackers like this and they are likely to be attacked in this way. Let it be known: There's a new sheriff in town and he can force you off the net.

Brute-forced firewall password?

[bad-badtz-maru]

Am I reading this right?

=====
"Firewall tightening prevented further intrusion beyond the firewalls. What followed was first a Firewall password brute force attack resulting in successful hash and destruction of the firewall," it said.
=====

The firewall password was brute-forced? Kind of makes you wonder about the security of the rest of the network...

maru

Re:Brute-forced firewall password?

[autocracy]

Should have turned off outside access to the firewall itself too. So much for tightening it!

Re:Why hasn't this been solved w/egress filters?

[swb]

Er, "don't work as well when you can't spoof source addresses." My Bad.

So what?

[MemeRot]

That seems like a pretty snobby attitude to me. First off so you don't get the wrong impression, I'm a programmer by trade and not a script kiddie, cracker, etc. of any kind.

Does a soldier understand an M-16? Not can they do field maintenance on it, but could they design or build it themselves? How about an ICBM? That seems like a good analogy. Online weapons will be much like real world weapons, those who build them won't necessarily be the ones using them, and also won't necessarily be the most skilled in their use. Those who use them will become the most skilled in their use. That's what technology, especially software, is all about - one person figures out how to do it once and grants that ability to everyone else, who then don't need to bother to figure out how it works. And it's a good thing that you don't have to figure it out. I am uninterested in the mathematics and sound theory used to compress .wav files to .mp3 files, I just want to know how to use the codec to make good sounding small files. I couldn't write an mp3 or ogg vorbis codec myself. And I wouldn't try. But I'm glad someone did since I want that functionality. I don't need any DoS tools. But if I did, I wouldn't know how to write them, I would just use something someone else wrote. The bad part would be using those tools. It wouldn't be any worse because they weren't my hand-written tools. It wouldn't be any better if they were my hand-written tools.

Re:Got to be something more to this than is report

[Salsaman]

They are using NT. Maybe they just got audited by M$...

Kill the martians!

[leonbrooks]

i came upon an interesting article that talks about a reverse firewall

*All* of my servers block all traffic to/from private IPs - except subnets they know - and block outbound traffic not from an externally visible IP that they own; they've done this for years, it's a fairly simple set of ipchains/iptables rules. The 2.4 kernels have a heap more options such as automatic martian (alien packet, ``it can't have come from there'') assassination.

Oh, and they complain in the logs, which are monitored. They also use tools like portsentry to temporarily block all traffic from IPs that sniff them.

And they all stay updated (thanks Mandrake, even if it's not quite as simple as Debian).

These things are all easy under Linux, presumably most BSDs, and probably not that difficult under Solaris, HP-UX, OS/X et al. But Windows? Hmmm...

Shortlist of private IP subnets to drop: 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.127.0.0/16; there are a few others you could use as well.

Do a traceroute 192.168.99.99 from your box (try a few other private IPs as well) and see what happens. From here, RadioWAN don't filter, EfTel don't filter, Paradox don't filter, and AlterNet only drop private IPs after a few hops into their LAN (hey, at least they don't route it!), which is all very sad from a bullshit-deterring POV.

Re:Kill the martians!

[leonbrooks]

True. Oops.

Script Kiddies? Really?

[zhrike]

Why? Sure, its possible, but I think it far more plausible that the attacks originated by someone with something to gain.

Why target this ISP? To what end?

There are valid reasons why crackers would take this action, most likely the ages-old motivation for many nefarious activities: Because they can.

I just think it is very suspicious. There seems to be an attempt from the large ISPs to control access to the net by squashing the smaller guys. Can this be part of that? Sure.

Seems awful convenient that such an attack is attributed to 'script kiddies' without even the mention of other possibilities.

Re:Wouldn't want to be the script kiddie who did t

[Legion303]

I expect the former admins will be looking at said script kiddie through a scope PDQ.

-Legion

It's stop some...

[Greyfox]

But these days all I have to do to accumulate a list of hosts which I can use to launch a DDOS is look at my snort logs. I'm still getting a couple of dozen CMD.EXE scans a day. One of the first things someone looking to break systems will do is accumulate a list of attack hosts to hide his tracks, and it's never been easier.

Shutting those machines down would be pretty straightforward for the ISPs that host them -- snort on their side would detect the scan as easily as snort on my side will. But the profit margin for ISPs is so low that most of them can't (or don't want to) afford technically competent people who would actually set up such a solution. Even if such things were mandated in one country, that still leaves the rest of the world to launch an attack from, as well.

If you want to make a big impact on all this, hold a company (ANY company) accountable for damages stemming from misuse of their network unless they've made "reasonable" efforts to lock the network down. Some thought would have to be put into what "reasonable" comprises. I'd think at the very least it'd require hiring a number of information security people based on the number of machines you had exposed to the network.

Slashdotting

[noda132]

On the other hand, /. has probably been one of the biggest DoS mechanisms on the 'net, in a manner of speaking. Can you think of anything more bandwidth-destructive than being slashdotted? :)

Re:Slashdotting

[leuk_he]

On the other hand, /. has probably been one of the biggest DoS mechanisms on the 'net, in a manner of speaking. Can you think of anything more bandwidth-destructive than being slashdotted? :)

Declaring you cannot be hacked. (and offer money for it)

This is not the first time!

[wackysootroom]

CP/M Was also forced out of business by DOS.

Martial Law. . ?

[Fantastic+Lad]

I recently watched one of the high-end news shows which ran an hour documentary on hackers and the net.

For one section, they had cameras sit in on a bunch of young military techies studying the logistics of combating a huge hack-attack; like nuclear power plants being shut down or hacked into danger zones. Airlines losing planes. That kind of thing.

I've been pondering just how exactly the developed nations could be whammied into a state of martial law. The current world situation doesn't have enough momentum to actually put thousands of Americans in prison camps. And the forces which drove the Nazis just aren't there. ("We are descendants of superior Aryans from space!" -No joke.) People today, while easily manipulated, haven't been sold that kind of propaganda, but it remains quite clear that a form of undeclared fascism (That is, "freedom", so long as you eat shit, breath shit, think shit, absorb shit media, and work too hard, and don't mind being overseen by Shirow-style O.R.C.S. with machine gunes, in order that you be reduced to the position of Zombie-like Serfdom), this it seems to me, will be the natural conclusion given the forces of greed and corporate evil moving in the world today.

Choice means that people might not buy your product. Remove choice, while maintaining the illusion of a free society, and bingo! You have the perfect consumer; driven because s/he still believes in the American Dream, but a serf nonetheless, whose task it is to pour wealth into the coffers of the powerful. And to be miserable for those who eat misery. . .

Anyway, it was interesting; the documentary basically said the following:

1) Security basically doesn't exist and isn't getting any better. Information systems are open to those who understand how.

2) The possibility of a huge disaster is ever-present and continues to grow as we become more dependant on I.T.

One military analyst basically said, with a straight & serious face, that in the event of a huge digital attack, "Declare martial law. Shut everybody down and take control of the situation. That'd be my recommendation."

Hmmm.

I don't know how true the above is, but the fact that it was being sold by a respected authority voice, indicates that they're trying to soften people up for just such a turn of events.

-Fantastic Lad

Disable ICMP at border routers?

[dkedrowi]

If you block incoming ICMP at your gateway routers, then DoS attacks should not be a possible attack. Without the target being able to send a ping back to the reflector because of ICMP filtering, DoS will fail. And if your network is the target, the reflector will not be able to attack either. As far as I know, DoS is simply ICMP floods to the whole subnet, and ICMP access lists in Cisco equipment is a piece of cake. Just my $.02

Re:Disable ICMP at border routers?

[autocracy]

DoS attacks can be anything really. Ping floods, Syn floods, X-mas tree packets, HTTP requests that overload a daemon rather than the whole server, or just plain bandwidth flooding... Besides, turning off ICMP is not good, it has the potential to break shit.

It's not evil

[MemeRot]

It's monkey nature. Everyone needs to remember we're monkeys at heart. We hurl shit at other monkeys to mark our territory and make us feel good about ourselves.

We only refrain from hurling shit when we're afraid of a bigger monkey. This is the role of law and punishment, to restrain our inherent monkey behavior. The little script monkey who wouldn't do this in real life because the other meat monkeys will see him destroying their property and beat his meat monkey ass is overjoyed to find himself the biggest cyber monkey on the block.

uh...no?

[MemeRot]

They're monkeys hurling feces. They will stop if they think a bigger monkey will kick their ass. That's why they're not firebombing people, because if they did that they'd get caught. But the cop monkeys don't understand DoS attacks so there is no fear of reprisal. Look at how monkeys deal with the issue. Do you really think humans have any better a handle on it?

SecurityFocus / ARIS

[sbeitzel]

Check out SecurityFocus, particularly the ARIS. You can set up a cron job to submit snort reports. This is exactly the thing you're talking about, and it's been around for a while. Why don't people use it? Because it costs money (to subscribe -- submitting reports is free), because they don't know how, because they don't care...

Obvious solution!

[SysKoll]

sPhealley has given us the obvious solution.

Let's build lots of empty buildings and equip them with deadly traps. Chances are that the script kiddies and the vandals are the same. When the 1 in 500 perp walks in with a spray can, ZZAAAP! Followed by the CLUNK of the spray can hitting the ground and the WOOSH of the collective sigh of relief from the other 499 people.

Whaddya mean, inhumane? Only the spray can industry will suffer, and just a tad at that.

-- SysKoll

P.S. In France, the government recently reversed its stance on security. Rampant crime was "right-wing propaganda", they know admit it is a "major concern". The change occured shortly after the son of an important minister was mugged outside a movie theater in Paris. See how if works? So let's all give our Congresscritter's email addresses to as many spammers as possible!

I hate this

[MemeRot]

Kids don't need to be smacked. Hitting is not good discipline. Training a kid is a lot like training a dog, and I don't hit my dogs, why would I hit my kids? Of course, a lot of s.o.b.'s abuse their dogs.

This said, anyone old enough to launch a DoS attack is not a little kid. Maybe not an adult, but hardly a toddler. As moral agents they need to realize there are consequences for their actions, and the lack of consequences is the biggest reason people are more likely to launch DoS attacks, start flame wars, etc. online rather than in real life. In real life you're always wondering if you're going to get your ass kicked, this is missing right now online. It will eventually evolve though, the tools will get easy enough to use that everyone will have them and your group of online friends will stick together to DoS people that mess with you. Primitive societies. Eventually evolving their own police, 'local' laws, etc.

What is an 'abuser'

[Convergence]

What is a bad thing?

You should *really REALLY* be careful about what you say, or you might get what you claim you want.

Look at past history. Do you want to be personally sued for bitching about a company?

Do you want to be potentially subject to hundreds of thousands of dollars in fines for installing, say, distributed.net on a cluster you administrate. (When there's nothing in the computing policy that says you cannot do that.)

Do you want to be held responsible if you write software that gets misused by someone else. Right now, they're going after napster/kazaa, but will they go after IRC? Have you ever coded an IRC robot, server, or client?

Ever worked on a packet sniffer? Ever downloaded DeCSS? Ever tried to reverse-engineer?

Be careful.. 'abuser' is frequently defined to be anything that a monied interest doesn't like. Or, it is defined as any random arbitrary thing that an ignorant person randomly chooses as bad.

Re:One ISP is punished for another ISP's mistakes.

[Rain]

I'm the sysadmin at a small ISP, so I figured I'd weigh in here.

Firstly, the worst DoS attacks we've been hit with recently (only a couple over the last year, which I'm thankful for) were large ICMP packets from legitimate addresses (appeared to be ping -s 65000 -f), and large UDP packets from legitimate addresses (appeared to be Sub7 or something similar on IIS-compromised hosts).

Secondly, I'm leery of doing egress filtering as there are legitimate reasons to send a different source IP (one-way tunnels being a prime example). It's interesting that the /. crowd who often calls foul when an ISP puts any sort of restrictions on their traffic seems to be calling for the opposite here, but as /. is very diverse, I'll assume that it's not the same people. Unfortunately, with Windows XP spreading throughout our userbase, I fear that such filtering will become necessary. Many DoS attacks originate from compromised Windows boxes, and the first person to use WinXP's ability to create a raw socket and spoof addresses is going to suck.

Someone mentioned mailing abuse reports whenever they see portscans and the like--while this is good in theory, almost all of the connections I see get stopped at the firewall are from Korea, China, etc. In these cases, I don't bother--do you know where mail in a language that I can't read and can't find a translator for goes? Besides, whenever they get a mail in English, they probably just say something like Damn SPAM! I do not want to make my penis larger, thanks! <delete>

Anyway, like I said, the DDOS weapon of choice seems to be compromised Windows boxes these days--this has the benefit of both hiding the attacker's IP address while still sending legitimate packets. This problem will be around until people are educated enough to not open attachments when they shouldn't, and until there haven't been any major security holes in MSIE/OE for a long enough time that most people have upgraded.

Does this seem suspicious?

[foofboy]

Seeing a isolated snapshot of the situation doesn't provide alot of information, so I'm a little confused. How is it possible that a DOS alone could drive an ISP out of business. Was it really a healthy business that was destroyed by a DOS, or was this the straw that broke the camel's back. It was mentioned that they did have insurance, but that the insurance wouldn't cover "rebuilding their network". "[A] Firewall brute force attack [resulted in] successful hash and destruction of the firewall" = bad password, no backups. I'm just trying to figure out what kind of DOS can lead to the destruction of an otherwise healthy network and company. The press release paints the picture of a smoking crater, but of course, it's all just data. There's no defense against the various flood attacks, but they should be easiest to trace, and temporarily filtering the flooding IP's should prevent widespread damage. Any ISP admins care to comment.

Other than saving face, ("Hackers did it" vs. "unchecked spending did it"), is there any practical advantage to claiming that evil hackers destroyed the business. Something just doesn't add up.

Re:Does this seem suspicious?

[praedor]

If you are a small ISP, and thus have a rather smallish customer base, and you get heavily DoSed (perhaps again and again), you could easily start hemorrhaging customers to others. Depending on what damage was done to what data, what damage was done by loss of connectivity to small businesses among your customers, you could lose your business shorts.

If 1000 people walk down a backstreet ....

[tomcounsell]

> If 1000 people walk down a backstreet past an empty building, 998 will just pass by. 2 will throw a rock through a window and spraypaint the walls

One impact of the internet is that the 0.2% of the population can find and talk to each other, swap ideas, and build a sufficient sense of community that they no longer feel the pressure to conform to the morals of mainstream society.

Scary - but unstopable ?

Not fixing DDoS problems a tool for big business?

[netsplit]

As someone who was put in this same situation at the end of '99. I can only say -- if the big boys were concerned -- it would not be a problem. Although its not a trivial problem, dynamic blocking rulesets on bordergate routers who get a rush of ICMP (or other sorts) of traffic to a single target would not be hard to block.

My small ISP which had been doing okay had been stranded without an uplink after a 150Mbit attack took out sprint links in our part of .ca. After the attack our ISP was quick to disconnect us with no alternatives we closed our doors (noone else in town wanted to touch us).

After the attack we were quick to contact the NOC of a few schools with unused 'open' blocks who refused to claim responsibility (of the DDoS packets) or fix the problem. About a month and a half later they had FBI knocking on their door after the ebay/yahoo etc attacks.

The question --

Do you think DDoS could be a tool for the bigger ISP's and players to squeeze smaller guys (ISP/ASP) out of business? I know that one quite is a stretch.

What other reasons have kept ``Tier-1'' networks from implementing fixes?

News: Than murders Then out of jealousy.

[Groovy+Aardvark]

In what appears like a twisted love triangle ending in a bloodbath, Conjuction Than murdered Adverb Then out of pure jealousy.

Both long-time residents of the English Language neighborhood - though they are not living on the same street - Than and Then were caught fighting in front of Then's house. Witnesses heard murderer Than screaming and sobbing at Then: "You're a fraud! I'm so much more adequate, so much more fitting than you! I can't believe he would choose you over and over again! And I just can't stand seeing you with him all the time! Argh!!!" Four gunshots were then heard.

Apparently, the two belligerants were fighting over the love of a certain CmdrTaco, whom never hid his preference for Then. When asked about the tragedy, CmdrTaco swore to the investigators that he had no recollection whatsoever of Than.

Re:News: Than murders Then out of jealousy.

[talks_to_birds]

Wonderful!

...but, sad to say, it's a lost cause: Taco has no clue.

t_t_b

Re:a potential way to stop them

[mpe]

The majority of DDOS attacks could be tracked if only more ISP's would put outbound packet filtering on.

Or rather compromised machines used to launch them identified. Especially if dynamic IP assignment was also minimised.

I am not a transit ISP, so there is never a reason for me to send a packet with a source IP address that doesn't belong to one of our assigned address blocks. There is no way for that packet to get back to me.

It is possible for someone to be doing this for legitimate reasons(some kind of load balancing or redundant connections), just highly unlikely.

Re:My conspiracy theories....

[mpe]

Or perhaps Cloud 9 were having problems anyway and found it easier to put the blame on an a fictitious DoS than actually admit they've gone bust due to their own bad management.

Dosn't need to be fictitious. Consider airlines blaming all their troubles on September the 11th. Even though some of them had been in trouble for years.

tell me what is wrong with this solution to DDOS

[e40]

If the source address is usually (always?) spoofed in a DDOS attack,
the solution is simple: ISP's should never let a packet out of their
routers that has a source address that is spoofed. If I have DSL, and
I'm connected to a router owned by my ISP, they KNOW what my source
address is and they could prevent me from spoofing.

In my mind, the ISPs are all lazy. They could prevent a lot of this,
but they don't care.

OK, what's wrong with my argument?

Re:Alternative to Imprisonment

[autocracy]

Doesn't stop bandwidth flooding, which sounds like it's the case here. Once the firewall fell, rate limiting quit working as well so...

You can't see how this could shut down an ISP?

Stage One: ISP is under attack.

Stage Two: Floods of e-mail from customers, whining and screaming about the terrible lag on 'their internet'.

Stage Three: Techies figure out that they're being attacked. Inform management, attempt countermeasures.

Stage Four: Customers continue to complain, whining about taking their business elsewhere, how they should get refunds, free service, a new car, etc.

Stage Five: Someone up their has a clue and figures out they should try to limit damage to customers. Hey, if they're going after the ISP's servers.. They might start picking off random customers who are connecting. *yank cords*

Stage Six: Customers continue flooding ISP with angry letters.

At this point, people want refunds and free service, or they'll be jumping ship. In most areas, there's an abundance of ISP's. Many aren't huge, and many can't afford to give a large percentage of their customers 'free service'.

I don't know exactly how huge this ISP is, or if this could've happened to them - but it could easily happen to a small ISP.

Remember, kids, the average ISP user still bitches to their tech support people when, say, www.microsoft.com gets Slashdotted and is unresponsive, as if their ISP can do anything about it. Explain to them that the ISP was under attack, and they'll go into paranoid ramblings of 'being hacked', all while screaming for handouts of free service and refunds.

Re:Mod Points!

[Bryan+Andersen]

If it were possible to impose some small fine on every system involved (or worse yet, if the suystem's ISP were fined, encouraging them to shut down offending systems), then people would start to take notice. Hopefully, people would start to realize that it is everyone's responsibility to maintain safe systems.

One also needs to go after the software venders that ship insecure systems. Security is not a single step, it is a process that needs to be applied at all levels and continiously. Untill M$ and all the other venders really implement security in their products, the user of those products can only secure them so much. When you have a program automatically execute untrusted code, what can you do? Not much. Your screwed.

DoS my arse

[Dynamoo]

DoS my arse - Cloud 9 were the ISP for my wife's company, and if their experience is anything to go by it's not suprising they went bust.

Let's start with the awful customer service, unreliable connections, awful customer service, immoral and possibly illegal business practices, awful customer service and awful customer service.

Her firm had a problem with the mail relay, it's only a small firm and they'd left the relay open and some spammers had found it. Cloud 9 terminated their connection without notice of any kind, and when finally they found a human being to talk to (they like to do their tech support by fax) they basically tried to blackmail her firm into handing over control of their domain, hosting etc etc to Cloud 9 before they'd reinstate the service. Needless to say, they got dumped very quickly indeed and went to Demon.

Frankly they're a shitty outfit and they've got their just rewards.

Re:DoS my arse

[autocracy]

Wait, so you messed up and left your relay open allowing hords of spam to be sent that had to travel through their system on the way out. So in order to stop spam from flowing all throughout their system, they shut you down. Because you've now made a very foolish mistake and did something that is heavily frowned upon, they're not in the mood to risk letting somebody who makes that mistake do the same thing on their network. They're willing to provide service, but want to their problems down so they give you a second chance on their terms. And you think that's inappropriate?

This obviously has nothing to do with dropped connections, etc.; but I hope that it's not your main reason for calling them shitty...

Re:DoS my arse

[mpe]

Her firm had a problem with the mail relay, it's only a small firm and they'd left the relay open and some spammers had found it.

More likely they had a problem with the person who misconfigured their software. For quite a while the default has been that third party relaying is off by default (AFAIK there has never been a requirement in the RFCs to support this anyway. Indeed if it wasn't for software which demanded third party relays there would probably be less spam anyway. But some "smart alec" decided that it was too difficult to implement a queue.)

Cloud 9 terminated their connection without notice of any kind,

Probably their terms of service said something to the effect of "don't run a third party relay for anyone not at your site".

Re:Wouldn't want to be the script kiddie who did t

[matt_wilts]

>Not that I'm saying the sysadmins would stoop to
>anything illegal, but there's lots they can do
>legally if they find out who's behind the attack.

I wouldn't be so sure. Here in the UK it would seem that the Data Protection Act would stop the hacker's ISP from handing over details. See this recent story from Silicon where a UK ISP has refused to cooperate over hacking allegations.

Yet another case of UK law helping the miscreant & not the victim.

Matt

Denial of service attacks

[Animats]

There are basically two problems:

• DoS attacks directly from an attacker. Solution: find attacker, apply large hammer.
• DoS attacks from large numbers of insecure Microsoft clients captured by attacker. Solution: sue Microsoft for reckless endangerment and make them fix their vulnerable clients.

Meanwhile, mandate that cable modem and DSL providers must validate outgoing IP addresses. Turn on fair queueing at major bandwidth drop points.

Re:Wouldn't want to be the script kiddie who did t

[Rubbersoul]

Well from the sounds of the "script Kiddie" seems to be safe in this one. If the sysadmins were able to go through the logs to find him/her/theim then do you night think they would have spent every hour they could stay awake doing this before they had to go home with a box in hand.

It seems that the wrong person is getting blamed here (kind of at least). Yes what the kiddie's did was bad, but the admins should have had half a brain to stop this, or at least slow it down (DDos attachs are much harder to just stop).

Vigilantism

[Arandir]

Law enforcement in cyberspace is a joke. The FBI will spend millions harrassing SJGames but the local police won't even take your report on your site defacement. Show them printouts of headers, traces and syslogs and they'll stare blankly.

When the official law enforcement is incapable of action, it's time the citizenry take back the power they -lent- to the police. It's time for online vigilantes. Hack the cracker sites and infect their warez. Track the bastards down and crack their systems. Mailbomb their parents to let them know that Junior is misbehaving. Give them a steady stream of virii and trojans. Granted, most of these sociopaths lead lives of self-inflicted solitude and misery, but they can't live in utter isolation. They have other sociopath confederates. So infiltrate their box and attack their friends. Get them attacking with each other.

Yes, I know that vigilantism is "illegal". But the law enforcement community won't do anything. You can sit back and do nothing while your ISP goes down or you can act in your own defense.

The typical cracker is a moron. They couldn't code "Hello World" in English. All they do is download new warez. We're smarter than they are.

And oh, by the way, if you actually get ahold of one of these turkeys in the flesh, take them out back and beat the shit out of them.

Re:Vigilantism

[mpe]

When the official law enforcement is incapable of action, it's time the citizenry take back the power they -lent- to the police. It's time for online vigilantes. Hack the cracker sites and infect their warez. Track the bastards down and crack their systems. Mailbomb their parents to let them know that Junior is misbehaving. Give them a steady stream of virii and trojans. Granted, most of these sociopaths lead lives of self-inflicted solitude and misery, but they can't live in utter isolation. They have other sociopath confederates. So infiltrate their box and attack their friends. Get them attacking with each other.

If you are going to go in for vigilantism (regardless of if you are a hacker or a nation state) then you need to keep a very clear idea of what you are doing, who you are targeting and to show restraint. Otherwise after a short while you will end up as part of the problem, just another "script kiddie" (or "rogue state") who goes around attacking others for trivial (or bogus, even ficticious) reasons.
If any of the "enemy" is remotly smart they will have these vigilante groups fighting each other.

The typical cracker is a moron. They couldn't code "Hello World" in English. All they do is download new warez. We're smarter than they are.

That they may lack coding skills does not make them a "moron". Indeed there are many cases of crackers not needing any technical skills, but having very good skills in "social engineering".

A small ISP's viewpoint.

[Harik]

I just want to firewall ports around 6667 to keep people from getting in IRC wars

Seriously though, I could care less about the proliferation of DoS/DDoS tools. What bothers me is that the ISPs where this crap is coming from have never been blackholed by the rest of the community. It's not THAT hard to implement a widespread policy of filtering source packets, and that cuts down on a LOT of the methods used by the skript kiddiez.

The pathetic part about it all is it was already a problem in '95, and source-filtering was strongly recommended then. Soon after, no ip directed broadcast became also strongly recommended. Sadly, I can still get a 250:1 return on a forged ICMP ping (thankfully, their outgoing bandwidth is only a T1)

The real culprits are the people too lazy or inept to be allowed to run a network.

--Dan

Cracking Unreported

[kaladorn]

Someone should mod up the parent post! The poster has the right of it.

To further amplify the point, many successful cracks aren't reported to anyone (insurance, law enforcement, etc) because to do so would be in breach of the management team's responsibilities to its shareholders to protect the share value. This is a non-trivial situation and places corporations in a position where they have to not report a crime in order to not commit a crime (of sorts - breach of trust) upon their shareholders.

This is all too common. I haven't the vaguest clue how you fix it, but it smacks of wrongness. There should be a way (as far as the market is concerned) to not report a crack, while simultaneously actually reporting it (perhaps annonymously?) to the people who track and investigate these things.

Re:Cracking Unreported

[mpe]

For example, rape carries a stigma in many societies, and though that stigma is (IMHO) foolish, in the US most (if not all) states have victim privacy laws which prohibit release of victim information without the victim's express (often written) permission.

The problem with this idea is that protecting the identity of the alleged victim and not the identity of the alleged perpetrator is wide open to abuse. Especially if someone can be harmed simply through being accused.
The only icatagory people who there is a case for blanket protection of identity are those accused of a crime. This is in accordance with the idea of "innocent until proven guilty". Extending this to those making an accusation (or third party witnesses) is something really to be decided on a case by case basis, by a competant and impartial court. Because it hinders the ability of the defendant to defend themselves. It is generally considered a worst injustice to punish the innocent (which includes a trial where there is no real prosecution case) than to let the guilty go free.

Use Honey pots

[AaronW]

One solution to the problem would be to establish randomly distributed honey pot computers which act as if they're infected by one of the various script-kiddie trojans. Log everything that happens to those computers, but do not allow those computers to actually perform DoS attacks (the script-kiddie probably won't know the difference).

After collecting evidence, the perpetrator should be fined and prosecuted. It would likely cost nothing to the tax payers since it could fund itself from the fines imposed on the perpetrators. If it's just a kid, then hold the parents responsible.

Re:Got to be something more to this than is report

[MadAhab]

Geez, mod that up. It does make ya wonder why the firewall was allowing connects from outside. It really makes me wonder what password they were using... "msce1"? "cloud10"? While there may have really been a DoS, the story does reek of being a cover for either substantial incompetence or financial difficulties.

THE SOLUTION TO 99.999% OF DDOS ATTACKS

[bani]

Just firewall port 6667, and most DDOS would go away...

IRC is THE SINGLE LARGEST TARGET OF DDOS ATTACKS .

If something is going to replace IRC, its going to have to have a much more distributed infrastructure, and anonymity (at least by IP address) of both the servers involved and the clients will be a must. You must remove the identifiable targets if you want DDOS to stop.

Of course the authorities wouldnt much like the anonymized nature of such a network...

Maybe this notice would work...

[Shao+Ke]

"This network protected by Hells Angels"

I'm sure other countries have similarly frightening organizations. A little donation to the club and an address to make a visit to - nonviolently. A little verbal warning might make a world of difference: Your online actions do have real world consequences.

Re:stopping incoming/outgoing traffic...

[renehollan]

Obviously, such a scheme requires some form of authentication, yes.

uh...

[talks_to_birds]

After reading what little of substance (read: nothing) is available about this supposed DDoS at the link to ISPReview, and after reading the article about this deal at the Reg®, I've gotta say I'm not buying a bit of it.

• ""Firewall tightening prevented further intrusion beyond the firewalls. What followed was first a Firewall password brute force attack resulting in successful hash and destruction of the firewall," it said."

uh.. what?

• Speaking to The Register a dejected Mr Miszti said: "This is terrorism - pure and simple. I never want to relive the last seven days again.
  
  "We still don't know who's behind it - nor do we know who's next.
  
  "This is not just an attack against us, but against all our customers."

Yeah.

Right.

Who's next? The next podunk ISP that needs to blame its poor business practices on "terrorism".

Face it: if DDoS was a real, true problem, *on this scale* it would have been all over for a lot of ISP's a long time ago...

t_t_b

Re:Not fixing DDoS problems a tool for big busines

[praedor]

You know, if is paranoid of course but...upon reading the short /. blurb, I immediately thought "What a way for a bigger boy to knock out a smaller kid." Of course, this sort of tactic could also be used by smaller competitors too but the BIG boys (MSN, for instance) have more than enough resources and a total lack of ethics...they could do this without batting an eye or breaking a sweat.

It was highly likely to be a few buttwipe, snotnose kiddiez but I have that little doubt sitting in the back of my mind. If not this particular episode, what of any others? Who gained by the shutdown of this ISP? MSN? AOL?

Privacy vs Freedom of Information

[Aceticon]

Maybe Privacy vs Freedom of Information would be one example (as in my privacy vs somebody else's freedom to find information about me)???

I can imagine a situation in which somebody would find and tell everybody about one of my dark secrets (no goatse jokes please). Or maybe start spamming my e-mail, or my mobile phone. Or maybe i'm not accepted by some employer because they got hold of some confidencial medical record that says i've got some mental disease X (again no goatse jokes please).

On the other hand there my liberty to find information about others. Like for example know that a prospective employer is actually a sweat-shop and their so-called bonuses are just hot air. Or that some guy that works with me is paid twice as much, has half the brains, produces a third of what i do and is only there because he's the boss's nephew.

As with everything a balance has to be achieved. Where to stop other people's liberty and start my privacy?

In practice, don't expect others to protect/respect your privacy if you don't protect it yourself. If you are willing to give it up for a few bucks a month - for example by signing in to your local shop's Costumer Card program and answering a form that asks everything about you and your family including the name of your grandmother's cat - then you will in practice have much less privacy.