ISP Forced Out of Business by DoS

flyhmstr writes "According to a report on ISPReview Cloud Nine have been forced off line and out of business thanks to the actions of crackers deciding to go play with some DoS tools." It's only getting worse. The kids are getting more and more aggressive as time goes on and it gets easier and easier to launch a large scale DoS. As any techie knows, fixing the problem is far easier said then done... but as a frequent recipient of the sharp end of the DoS stick, I sure wish it wasn't an issue.

whoops

[magicslax]

of course a nice healthy slashdotting right now doesn't help anybody's case. :grin:

I wonder why?

[Em+Emalb]

Can someone please clue me into why people do this? I don't quite understand this mentality. I have never done something bad like this simply because I could. Am I a rarity in this world? Do these kids need a hug? Why would you do this? Feeling "elite" because you can knock down an ISP? Take your energy and do something positive with it. IMO, this is petty and retarded. Maybe these script kiddies can go knock down a hospital or something next, hey why not, it doesn't hurt anyone right? RIGHT? forking iceholes.

Re:I wonder why?

[sphealey]

Can someone please clue me into why people do this? I don't quite understand this mentality. I have never done something bad like this simply because I could. Am I a rarity in this world?

If 1000 people walk down a backstreet past an empty building, 998 will just pass by. 2 will throw a rock through a window and spraypaint the walls.

This just seems to be part of human nature; I haven't seen much change in the percentage of people who behave this way since my childhood (1960's) anyway. The problem is that the world today is so interconnected, and also dependent on technologies whose webs of interconnection are more fragile than we like to think, that the 2/1000 with the desire to damage can do a lot more damage to a lot more people than ever before.

I am a bit discouraged myself about whether or not this can be stopped on the Internet, personally.

sPh

Re:I wonder why?

[Thomas+M+Hughes]

Part of me thinks it has a lot to do with the online mentality of a lot of people who are powerless in the real world, but feel empowered when online. I'm most likely pulling this out of my ass, but its something I've seen fairly often when hanging around EFnet in years past.

In real life, you can't just take something from someone else, unless you're much bigger than them. When you're online, you just need to have the ability to access a lot of bandwidth. So, if someone has a channel on IRC that I want, I DoS the server, split it and take the channel. Now, supposedly this doesn't happen as much these days, but it used to happen fairly often back in the day.

There's also online cliques, who for lack of better explaination seem to act as online gangs. Loose groups of friends who associate, talk, and dislike the same people. Thus, much like real life gangs, if one gets ticked off at another, they get their friends to make their life hellish for the opposing party. I wouldn't be suprised if they DoS'd a dialup user just in an attempt to knock him offline and went a little overboard. Or were trying to DoS an IRC bot. Or even a webpage.

Of course, I really have no idea what caused this incident. This is mostly just speculation. But I'm fairly certain at least one script kiddie has had similar motives in mind during his mischief. Kids will be kids, and that involves doing stupid stuff that they don't understand the consequences of. That doesn't mean we should string them up, but it does mean we should make efforts to make it more difficult for them to do damage.

Re:I wonder why?

[overunderunderdone]

Do these kids need a hug?

Actually, this is probably closer to the truth than most people realize.

I will agree with this. These kids are doing this to make themselves feel powerful. They want to feel important, significant. If they were made to feel their significance by the people to whom they should be significant - their parents - perhaps they would be less likely to seek a feeling of power in mindless destruction. Though there is no guarantee - even a person without excuse, loved, cared for, etc. can lack the self-control to tame their baser desires.

If you think about it, you realize it is only possible to hurt someone else (or their property) if you feel like you are hurting yourself.

Now I have to disagree - sort of. Their indulgence in malice and cruelty, their seeking after the thrill of power does them harm. But in their self absorbtion they are only aware of how good it feels to wield that power - to feel important. They do not feel hurt, they feel powerful.

The really sad thing is, when we find someone who is hurting, and has demonstrated this to us by hurting someone else, we hurt them more by punishing them. Thats a human approach, but it will only result in larger problems. When someone hurts us we should help them by giving them a hug... or something :)

Here I have to disagree - for several reasons. First: If someone cannot exersise enough self-control to refrain from hurting others they must be externally controlled by someone else (the state or their parents) - either by actual physical restraint or by the credible threat of punishment. Also, while they still need "a hug" love and acceptance from those from whom it is due - now that is not enough. I don't think their can be healing without honest regret (not just regret for being caught but for being *wrong*) - that is up to the criminal, no one can either force them through punishment or manipulate them through compassion to arrive at that repentance. There also can't be healing without suffering real (depending on the crime even harsh) consequences. Even kids have an inate sense of justice (that I believe is valid) and that even criminals will acknowledge. It does not do the do the victim or society at large - but especially the criminal - any favors by bypassing the requirements of justice. A penitant criminal who has been punished for his crimes can start again. A penitant criminal who has escaped punishment will feel the unfairness of that escape and a continued sense of guilt. He will be crippled in his ability to begin anew. An unrepentant criminal will take either scenario as an excuse to continue in their crime.

Re:which side of the law is our community on?

[BgJonson79]

If the scrupt kiddies buy the hardware like we buy the DVDs maybe you have a case, otherwise it seems to me like apples and oranges to me.

Register coverage

[Zocalo]

The Register is an effective mirror of the article too, but they also have a *tiny* bit more information.

Why hasn't this been solved?

[DotComVictim]

A solution to the DOS problem was posed at the Adelaide IETF meeting a couple years ago. Basically, some small percentage of packets randomly selected get ICMP notices from routers, with last and next hop information, that is forwarded to the destination. So if you are getting a large number of packets from a single source, you get proportionally more of these packets, and can use a heuristical engine to model the source, even for DDOS problems. This allows you to trace back to the offending network/ISP and shut off the DOS

Why did no one do this? It requires changes to router firmware, I'm not sure about Cisco firmware upgrades, but I thought they were at least possible. Besides, they could use this as a selling point and declare their old routers obsolete.

Admittedly, the model breaks down under MPLS, since it is difficult to track the cloud, but you can at least track entrance and exit points from the cloud.

Re:which side of the law is our community on?

[bwt]

We're on the side that says information is not a crime, but attacking someone is.

Writing a DoS tool is not a crime. Using it on someone else is. What's so hard to understand?

Ethics

[Aceticon]

As usual this is a question of ethics.

It has nothing to do with hackers, crackers, RIAAs, MPAAs or the color green - it has all to do with freedom of information:

- I support freedom of information, and by extension those that help make information free.

- I'm against restriction of information (any kind of information - bad, good, usefull or useless). Naturaly i am by extension against those that try to constrain that freedom.

- Which side of the law am i on?
Neither side. My ethics are independent of the law.

Going back to this specific case, i'm against however did the DDoS attacks because they went against other people's freedom to give and receive information.

We're in the grey area.

[phathead296]

There is a world of difference between trying to maintain our fair use rights or exposing bad "security" methods and launching a DDoS attack against ANYONE.

This is not a black and white issue. A DoS attack is both illegal and imoral, as what you are doing hurts a large group of people. Exposing bad security in e-book files will help people in the long run. (Although it will help the copyright holders and not us :( )

As for the general population, it depends entirely on what the media reports. They can report that "hackers" have cracked a protection scheme, or they can report that a digital protection scheme was proven inadequate. Both are technically true, but each favors one group as the good guy. Unfortunately, since news is an entertainment forum, the first is more likely to be reported.

Until the general population is tech savvy enough to understand these issues, the media will have complete control over their opinions.

Cheers,
Phathead

Knock on their door

[CDWert]

We had a DOS issue once,
Kinda funny actually, poorly done, we tracked down who it was, Unknown to the dimwit on his dads T1 (at home his dad was playing hosting provider) The admin at his upstream was a friend of mice accross town, I called paul up and said hey what you trying to pull here, he chuckeled and said I know, I know, I just saw the traffic, you wanna know who it is, you want me to cut him off ?, I said nah, leave him up, I dont want him to know I know, My friend kindly gave me his name and address,

I showed up at around 3:30 since I figured it was they guys kid, and he should be out of school by then, I took a friend(witness along) I didnt want this punk saying I beat him up or anything. I had a cell phone in one hand and rang the bell with th other, he came to the door and I said, right now the Police number is on this phone, I am good friends with a detective there(true) now, you either pull the plug on your end or I press send and well see how long it takes for them to come and pull the plug permanetly, although I dont think you dad would be real happy, I thought this kid was going to wet his pants, Ive only seen somebody so scared a few times, he fell back over a chair in the foyer and took off ? I looked at my friend and it was all we could do to keep a srtaiht face.

He came back 20 seconds later and said its off, and the n stared to enquire about if I was going to tell his dad, I said no but Im sure the bill from your provider will, He was on a transfer pricing plan and this had been going on over 2 weeks while I was on vacation.

I have "Knoked on doors" twive one was a 2 hour drive but I had other business in that area , most certainly the most effective DOS stoppages Ive ever had.

Maybe we should form an allicance of Administrators geographically dispersed to start knocking on their doors, sort of an Administrators Militia , you knock on his in BFI and Ill knock for you when you need it. Police scare the shit out of most of these script kiddies, probably more the fear of knowing being arrested is not something easy to hide from the parents that pay for their computers and bandwidth.

No technical solution, it's an apathy thing...

[anthonyclark]

The problem is that sysadmins see the scans from these kiddies and ignore them (those that even have a portsentry or similar application in place). If you saw someone walking around your house and trying the doors and windows, you'd call the police right away, wouldn't you?

So why do the kiddies get off free? Sheer apathy from most of the sysadmins in the world.

When you get scanned, you have the address (if it's not spoofed), you can send a mail to abuse@domain. But most people don't, because It's too much hassle or we can't be bothered or no harm was done.

Script Kiddies will have a far harder time when admins start practising zero tolerance.

This will never stop until ...

[gewalker]

Although the news item does not justify saying that the ISP was going out of business because of DOS attacks (they were still financially solvent), perhaps the owner decided he had had enough of the problems from vandals. A well-run business will shut down and leave the neighboorhood when windows get broken repeatedly before they loose all of their money.

Computer vandalism -- This will not decrease until we (as the technical community -- including management) decide to make some changes. Without changes, it will only get worse.

1) Although technological solutions are useful and necessary, they are not enough. The trusted network model does not work in the real world. There must be rules, accountabilty and penalties (without penalties, nothing stops me from continuing to break the rules).

2) Many network rules exist, some are poorly enforced.

3) Because of packet-spoofing. Some (D)DOS attacks can be nearly impossible to shutdown. We need to make sure only legitimate packets can Internet at large. Without this rule, tracking down the vandal and applying the penalty is not practical. If packet spoofing were eliminated, it would be possible to identify culprits at a modest cost.

4) Accoutability needs to be improved by everybody. If Nimba2002 is released tomorrow, Microsoft should be expected to make it well known, and supply a fix. Network servers should be patched. People running compromised server should be cut-off until they get fixed. These things happen by and large in a haphazard fashion today. The problem needs to be addressed at the source whenever possible.

4) Penalties need to be commensurate with violation. A hand-slap for vandalism does not deter, a death-sentence for jaywalking deters, but it not justice either.

5) Then maybe we should get rid of junk email for an encore.

Re:I'd like to know

[RC514]

The slashdot effect has been analyzed:

Traffic increase from slashdot effect
Increase in hits and bandwith requirements of a Linux related story being featured on Slashdot
Analysis of several stories making it to the frontpage of Slashdot and other newslogs.

Especially the second link shows that the Slashdot effect can look very much like a DDoS attack. The severance depends on the story, probably on the time of day and of course on the link and hardware powering the /.ed site.

If you pay by the gigabyte for your webtraffic (who doesn't), the /. effect can be a financial DoS attack much more than a technical DoS.

Egress filtering and ISP responsibility

[Medievalist]

/.
Back in the day, before the Internet went commercial, if you abused your connection your upstream provider (typically a bunch of long-hairs at a land-grant university) would cut you off. If they didn't do it, their upstream provider would cut them off.

Currently, there is no real penalty for large ISPs who do not implement egress filtering (which prevents IP source spoofing) and/or refuse to co-operate in tracking down DOS sources.

The anti-spam vigilantes have been partially effective in cutting off ISP service to the worst spammers; perhaps something similar is needed to influence the ISPs who refuse to implement egress filters.

--Charlie

Re:This can't be the whole story...

[3am]

yeah, but that was before the release of Windows XP. This would never have happened if raw socket access was unavailable!

Re:which side of the law is our community on?

[fatphil]

You're far to direct to get any attention, alas. You deserve an upmod for sure.

To reiterate and expand:

The DoS-ers are causing material and practical harm to the equipment of others.

The LiVid guys etc. are doing something useful and practical with something that they own.

The two situations are _diametrically opposed_.

FP.
(I don't mind being redundant if it helps some people get the point!)

Re:which side of the law is our community on?

[renehollan]

"...as far as I can tell there is no legitimate use for a tool designed specifically for DoS attack.

Of course there is: to test the robustness of a piece of equipment against such attacks.

There are ways to deal with DDOS attacks, but, unfortunately, they require the cooperation of most parties involved in the aggregation of "hostile" traffic toward a given target. It does no good for the target to simply drop "hostile" packets, because upstream "friendly" traffic might still get congested. The upstream routers need to be told to stop forwarding the "hostile" traffic.

And this raises two problems: 1) How do you deploy the software to an existing router infrastructure to allow this back-propagation of "stop forwarding hostile traffic to me" messages. 2) How do you identify traffic as "hostile"?

There are techniques for guessing what traffic is actually hostile, based on packet signatures (often the source address is spoofed, the attack is distributed, or otherwise useless), without dropping too much friendly traffic. It is better, though, to lose some friendly traffic, rather than all of it -- failing gracefully, as it were.

But retrofitting a standard DDOS defense will prove to be difficult, given the diversity of players involved (and this is one area where IP carrier consolidation would be a good rather than a bad thing) -- just look at the difficulty in bootstrapping IPv6 in the network.

Re:which side of the law is our community on?

[Tassach]

Of course, we reserve the right to define what are "good laws" and what are "bad laws", and in what cases a particular law that we consider "bad" is suddenly "good" or vice versa...

It's pretty easy to tell good laws from bad ones, using objective standards:

Good laws protect individual freedoms and provide a level playing field for everyone.

Bad laws destroy liberty and favor special interests over the good of the whole.

This is not the first time!

[wackysootroom]

CP/M Was also forced out of business by DOS.

Re:Obstruction?

[tomblackwell]

Have you tried recently to sue a 14-year-old in Singapore or Russia or South America?

Not fixing DDoS problems a tool for big business?

[netsplit]

As someone who was put in this same situation at the end of '99. I can only say -- if the big boys were concerned -- it would not be a problem. Although its not a trivial problem, dynamic blocking rulesets on bordergate routers who get a rush of ICMP (or other sorts) of traffic to a single target would not be hard to block.

My small ISP which had been doing okay had been stranded without an uplink after a 150Mbit attack took out sprint links in our part of .ca. After the attack our ISP was quick to disconnect us with no alternatives we closed our doors (noone else in town wanted to touch us).

After the attack we were quick to contact the NOC of a few schools with unused 'open' blocks who refused to claim responsibility (of the DDoS packets) or fix the problem. About a month and a half later they had FBI knocking on their door after the ebay/yahoo etc attacks.

The question --

Do you think DDoS could be a tool for the bigger ISP's and players to squeeze smaller guys (ISP/ASP) out of business? I know that one quite is a stretch.

What other reasons have kept ``Tier-1'' networks from implementing fixes?