DDoS for Fun and Profit
First there's the Microsoft worm, reported earlier, which in addition to all the other damage has apparently knocked Microsoft's Windows XP activation servers (and Bank of America ATMs) off the net. Then we've got a report about the ongoing demise of DALnet, perhaps not the way we expected it to go. And Canada discovers a risk of online voting.
Geez, Dalnet and EFnet are beginning to sound like Apple - they're *always* "going out of business" or something like that.
Wait, the difference is that Apple is still on the net. Heh.
Microsoft will own all the servers, so all server attacks will take out Microsoft servers.
OK, I can see how some script kiddie might think that orchestrating a DDoS attack might be fun but how would he profit from it?
Anyone?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
from the conspiracy theory dept.:
Just a conjecture, but it wouldn't seem out of step with **AA tactics to take down DALnet in order to curb illegal file sharing.
~Chaltek
Does anyone ever check the dates on articles? Or the content?
April 1st.
like when Apple started charging for .mac services.
I would put money on it that tomorrow will be the generally fastest day of the internet all year (not saying much, it's January). Everything important will be patched, and all the home PC owners that don't know jack about computers will say, "I don't want to catch that virus I heard about on the news, I better wait a day until it dies down". Thus more bandwidth for everyone else.
leprkan...
why would they use online voting when they could simply use chad-laden punch cards??
I'm on it right now. No problems connecting other than the normal internet issues from today's worm.
For hackers and even crackers to a certain extent. That feeling has eroded to nil.
...DDoS'ing for fun.
Microsoft can't even secure their own servers? How can we expect their OSes to run securely on our servers?
This is from HardOCP.com:
It's 2:20 CST and I'm trying to activate a copy of XP. I need to, because this repair/upgrade (changed mb, disk controller, video, hdisk, NIC, RAM, USB revision, CPU, etc) I can't logon without activation.
Except, I CAN'T ACTIVATE. I am told there is no way ANY copy of XP can be activated in the next 5 hours because of (drum roll)
** Routine maintenance **. I mean, I asked: I said
"You don't have some little stand-alone machine that reads a DVD database so you could stand in line and do it?"
"You don't have a couple hundred "last resort" number ranges? You can call me back tomorrow!!!"
"There's not some guy you can go ask? Ya can't call Bill at home?"
So, I gotta stop my project for some unknown length of time. Good thing I'm not updating a medical drug interaction database, or an available transplant database, or a process flow control system or a hazardous atmosphere measurement system or a BUNCH of other possibilities. In my case, either I miss the superbowl, or my car dealer can't find and order Volvo cars on Monday. Life will continue.
But, I'm still seriously pissed. Call 'em at 888-571-2048 and try for activation.
And let's think about the true meaning of the fact you can't release liability for the consequential damage resulting from negligence. I mean, I have NEVER heard about "routine maintenance" on the 24.7.365 activation promise...
Well, on to the next job...
The Super Bowl will be on.
"Korean computers were cut off the net"...
Pity that they will be reconnected...
So torn...should I damn Microsoft for providing easy replicative means to fuck up the net all day, or thank them for providing the means to disable the XP activation servers?
When your enemy is their own worst enemy, does that make them your friend?
Head...aching...
But today has been the fastest day of internet access for a while.... Must be because all those damn bandwidth hungry Microsoft SQL Servers are down. Hey, I'm not complaining, more bandwidth for me!
Hey, this is my sig, if you don't like it, STOP READING MY POSTS!
Right. I've had enough of this crap.
/.?
But all this rage can go nowhere - you can't do anything about other people's stupidity - it's just so frustrating.
Are there any SK's reading
Reply to this, anonymously if you must, and please give me some insight into what is so amusing about destroying the hard work/livelihood of others for 0 gain on your part? I just cannot understand the motivation to do so. It's like tagging - pointless destruction of property that achieves nothing.
I guess if I thought for one second people might think about how junky most MS product offerings are, and replace them with high quality Open Source or Free software, I might see a point - but no one ever seems to.
Sigh. So. Very. Depressed.
Prisoner #655321
Heh, looks like it took out a big portion of Bank of America's ATM (cash) machines!
Link
I can't believe that BoA has their ATM's on the internet -- anyone know more about how it got to their ATM network?
I know the twat who's doing this, and it's the same muppet who went postal on EFnet a while back.
It has nothing to do with profit, and everything to do with penis size (or lack thereof).
Feeling of power basically. They want to be "ph33r3d" and to run DalNET (or whatever else) into the ground would make them the most powerful people on DalNET because they have power over everyone else and the network is completely at their mercy.
That this is just an inherent problem in the internet's sociology and architecture isn't really a term in the equation but there you go.
i fail to see the profitability of this.
could be fun when it involves microsoft though.
I didn't get any spam today... can you guys do this DDOS thing more often? :)
I do not believe the people responsible for such attacks realize they are being self-destructive. The only end goal of such actions is not to increase security-mindedness in the computer world, but rather to scare the normal users, the public, from ever touching the Net. Without the users, companies will be stretched to find the cash to keep up the backbone structure and I am sure it would fall apart. The media hypes anything that is detrimental to the public, including viruses, DDoS attacks, etc. This does nothing but a) scare users off the net and b) make the Net look bad to the public. So are all these kids out there pulling stunts going ahead with the goal of destroying the Net in mind? Even though that seems to be all they know? Interesting, work to destroy the only thing you know. Perhaps I should start a crusade to physically destroy computers too? My actions would teach people they do not *require* their computers to survive, right? Just like taking down sites will serve to show people security vulnerabilities?
IRC going down? Archive all of your favorite quotes and other comedic mishaps here. I've always found this site to be rather funny, and I wanted to share it with others.
Especially because this is a good chance to /. their server.
You zap the moderators with a wand of humor! The moderators resist!
DDOS attacks ruin the productivity of others. Whether it is microsoft, or any other site... Many people use WindowsXP in the world, much much more than the amount who use linux, and attacking the servers ruins the productivity of many businesses who rely on windowsXP to get work done.
Sure you could say "Microsoft is wrong for HAVING this activation feature", but that is incorrect. Attacking ANY company's network is wrong, and very illegal. How would you feel if the servers you get open-source applications from were made unusable because someone attacked the network they were hosted on? This is the same thing.
I hope the people who are responsible for this attack (which is technically terrorism) are thrown in jail. It will likely be a long sentence.
Stanley Feinbaum, professional journalist and master debater! God bless the USA!
what?
--you REALLY think this was a script kiddie attack? Been following ye olde internationale newse lately? Didja notice the main place this started last night?
I'm not trolling, I'm using my user name and self modded down -1, but, really, 2+2 and stuff. This was cyberwarfare, not script kiddies. As to WHO started it, no idea, legit attack or Reichstag fire styled attack, take yer pick at this point.
I've received almost no spam today. Probably because most of the spammers are on Asian networks that have imploded.
My hovercraft is full of eels. (Mea navis aericumbens anguillis abundat)
.. for me to use my hacked XP discs =)
BTW, the votes server is Windows 2000 IIS5...
it tells you FUCKS that you need to secure, and fix the internet.
if there's a big fucking problem (DoS'ing) then fix it.
move to ipv6 now! the end is near! aieeeeee.
Today, on a slashback-like release, Michael of the slashdot.org forums presented to the world the secret behind business plans:
1. Distributed Denial of Service
2. Fun
3. Profit!!
Yes, it is true! Fun is part of being in a successful (profitable) business. Michael will be presented with the Nobel Peace Prize today, as well as later knighted by the Queen, and will be visiting the local Arvada Tavern to meet with the Filthy Critic and break open a keg or two for the "free as in beer" crowd!
Michael, you 'da' man!
But I'm sure you already Gnu that.
I feel like nuking EFNET because every one of their servers still needs ident. Ohhh so the clonebots need an extra command switch, thats really going to stop them. I'm tired of using a fake ident on a firewall or just redirecting port 113 back to the box trying to irc. Fucking drop it already. Ident was useless 10 years ago.
Only the State obtains its revenue by coercion. - Murray Rothbard
1.2 megabits per second
Your raw speed was 1156090.51 bits per second, which is the same as:
Communications: 1.2 megabits per second. How communication devices are rated. Kilo means 1,000 and mega means 1,000,000. Examples include 56k modem and 10Mbit Ethernet.
Storage: 141.1 kilobytes per second. The way data is measured on your hard drive and how file sharing and FTP programs measure transfer speeds. Kilo is 1,024 and mega is 1,048,576.
1MB file download: 7.3 seconds. The time it would take you to download a 1 megabyte file at this speed.
Rating: Compared to all connection types worldwide, yours is fantastic.
Help fight continental drift.
I was waiting for the results of the NDP leadership vote here in Canada - my igloo has an ADSL connection, eh! ;^)
Ironically, this article just happens to show up on O'Reillynet on the same day. That seems just a little too tidy to me; I smell a conspiracy (or a script kiddy with right-wing political leanings)
Even heroes have the right to dream
Of course the modified version someone else now crafts that starts spreading sometime next week might actually aim to do some persistent damage, but this version didn't.
In fact, you might even regard this as a blessing in disguise. The worm spread on a Friday night/Saturday morning, when the least business would be affected. As of this morning, most ISPs now have filters in place, so any follow-up isn't likely to do much damage, and it will now be hard to launch a really destructive attack using this particular vulnerability in future.
- Fzz
... this would be the most interest anyone has shown in this leadership race!
When will the ISPs start getting off their respective behinds and start doing something about this? With the broadband ISPs' subnets accounting for so much of the destructive power of these DDoS attacks, they have a responsibility to at least attempt to ameliorate their impact.
It's not hard to set up simple routing rules to at least curb some of these attacks. Hell, a lot of ISPs still even route spoofed IP packets out of their networks - this is nowhere near acceptable. Realistically, there is no real application for a constant stream of ICMP traffic coming from a single node - there should at least be a maximum allocatable bandwidth for ICMP set at the ISPs gateway. Obviously UDP and TCP based floods are more difficult to manage, but throttling ICMP based floods would be a step in the right direction.
All this is IMHO, of course - users have a responsibility to secure their machines, obviously, but it's going to be a hell of a lot easier to secure a few gateways and routers than a million home PCs.
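The two gateway controls the poster proposes, source-address (anti-spoofing) egress filtering and a cap on ICMP per source, worked through as an added example. This is editor-written simulation code, not anything from the thread or from any ISP; the customer prefixes, the 8 kbit/s ICMP rate, the 2000-byte burst and the packet trace are all constructed for the demo. The anti-spoofing check is the idea RFC 2827 / BCP 38 describes; real routers do this with uRPF or ACLs and rate-limit ICMP in hardware, but the decision logic is the same.

```python
"""Toy ISP edge filter: drop packets with source addresses outside the
customer prefixes (egress anti-spoofing) and token-bucket ICMP per source.
Added example for the discussion above; every value here is constructed."""
import ipaddress
from collections import defaultdict

# Constructed: address blocks assigned to this hypothetical ISP's customers.
CUSTOMER_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]


def is_spoofed(src):
    """True if src lies outside every customer prefix: a packet leaving the ISP
    with such a source cannot be legitimate and should be dropped at the edge."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in CUSTOMER_PREFIXES)


class TokenBucket:
    """Tokens (bytes) refill at rate_bps and accumulate up to burst_bytes;
    a packet is forwarded only if it can pay for its own size."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0          # bytes per second
        self.burst = float(burst_bytes)
        self.tokens = float(burst_bytes)    # start full so ordinary pings pass
        self.last = None                    # time of the previous packet

    def allow(self, now, size):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class EdgeFilter:
    """Per-packet verdict as the gateway would give it. ICMP gets one bucket
    per source host (hypothetical default: 8 kbit/s sustained, 2000-byte
    burst); TCP and UDP are left alone, matching the post's narrower proposal."""

    def __init__(self, icmp_rate_bps=8_000, icmp_burst_bytes=2_000):
        self.buckets = defaultdict(lambda: TokenBucket(icmp_rate_bps, icmp_burst_bytes))

    def decide(self, pkt):
        if is_spoofed(pkt["src"]):
            return "drop:spoofed"
        if pkt["proto"] == "icmp" and not self.buckets[pkt["src"]].allow(pkt["t"], pkt["len"]):
            return "drop:icmp-rate"
        return "forward"


# Constructed outbound packets: time in seconds, source, protocol, size in bytes.
SAMPLE_PACKETS = [
    {"t": 0.0, "src": "192.0.2.10", "proto": "icmp", "len": 84},     # ordinary ping
    {"t": 0.0, "src": "203.0.113.5", "proto": "icmp", "len": 84},    # source not ours: spoofed
    {"t": 0.1, "src": "192.0.2.10", "proto": "tcp", "len": 1500},    # TCP is not throttled
    {"t": 1.0, "src": "192.0.2.10", "proto": "icmp", "len": 1000},   # start of an ICMP flood
    {"t": 1.0, "src": "192.0.2.10", "proto": "icmp", "len": 1000},
    {"t": 1.0, "src": "192.0.2.10", "proto": "icmp", "len": 1000},   # bucket empty from here
    {"t": 1.0, "src": "192.0.2.10", "proto": "icmp", "len": 1000},
    {"t": 1.0, "src": "198.51.100.7", "proto": "icmp", "len": 64},   # another customer, own bucket
    {"t": 3.0, "src": "192.0.2.10", "proto": "icmp", "len": 1000},   # refilled after 2 s idle
]


def filter_packets(packets=SAMPLE_PACKETS):
    """Run every packet through a fresh EdgeFilter and return the verdicts in order."""
    gw = EdgeFilter()
    return [gw.decide(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_packets()):
        print(f"{pkt['t']:4.1f}s {pkt['src']:>14} {pkt['proto']:4} {pkt['len']:5}B -> {verdict}")
```

The flood from 192.0.2.10 gets two packets through on the stored burst and then loses everything until the bucket refills, while the other customer's ping is unaffected because buckets are per source. The spoofed packet is dropped before any rate check, which is the cheap win: it costs the ISP nothing in false positives and removes the attacker's ability to hide behind forged sources.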
Need I Say Anything Else?
From http://www.msnbc.com/news/864184.asp
Within a few hours, 25,000 back-end database servers had been infected, said Oliver Friedrichs, senior manager with Symantec Corp.'s security response team.
If they were truly 'backend', they wouldn't have been infected. This is because of all those open and live MS SQL servers.
Ah...it all makes sense now. So it is quite likely that the NDP online voting difficulties were caused by the MS SQL worm, since the company, Election.com, used M$ Windows 2000 as their backbone. I just wish they had announced it earlier, so that I didn't have to stare into the monitor for half an hour just waiting to vote. No conspiracy theories of right-wingers trying to sabotage the election then ;)
Which brings us to another interesting question: why didn't the NDP consider open source alternatives? Then again, they've hired Election.com to handle the whole process, so I suppose they couldn't really do much about it.
Seems the US military managed to leave an unpatched SQL server open to the world...
Efnet had the same problems awhile ago and people wondered if Efnet could ever recover. But the script kiddies behind the attacks hit puberty and started shaving and liking girls. So the same shit will probably happen to DALnet. But DALnet sucks anyway so its Efnet for life.
The best education consists in immunizing people against systematic attempts at education. - Paul Feyerabend
I don't know, and I am only speculating, but consider for a minute...
A RIAA/MPAA individual notices the vast amount of "stable server bots" running on DALNet, sharing out the movies and mp3s by the thousands.
"Got to stop this." they think. In comes the "code expert" and the irc network gets stomped.
Any takers for this bit of conspiracy?
cheers
front
I guess it's good that Kevin Mitnick has started his own consulting firm. Hmmmm.
http://interviews.slashdot.org/article.pl?sid=03/01/20/1254218&mode=thread
Let me try my first profit post:
1) Free Kevin
2) Start Consulting Firm
3) (cough... cough)
4) Profit!
Seriously - I'd hate to be Kevin Mitnick right now... There's probably 20 different gov't agencies all getting the warrants right now. "This much havoc can only come from ONE man!" Mwuwuwuwahahhahaha.
Like Teddy with an elephant gun.
maybe the negotiations with AOL broke down and AOL decided to put DAL to sleep... just a thought :)
Did you know that "FTW" ("for the win") is a direct translation of "Sieg Heil"?
Whoever might be thinking that this is just your typical round of script kiddies attacking dalnet is dead wrong. DALnet is in more that serious trouble -- for the most part it's already dead.
As a DALnet veteran and an op of one of the top 20 channels (#80s-cartoons), I can tell you that almost all of the major channels have now moved to other networks for good. Ever since the beginning of December we had outages that would last anywhere from 4 days to a WHOLE WEEK where no one could connect to a single server in the network.
The gall of some people is pretty amazing. Apparently, these current DDoS attacks have been orchestrated by someone (or a group of people) that are holding the DALnet network ransom and are demanding that DALnet pays them X amount of money to stop the attacks. Mind you, these attacks have been going on for about 2 months now, and these people still aren't in the custody of law enforcement. It just goes to show you that the only thing that seems to get the FBI involved in computer crimes is corporate cash. I guarantee you if such an attack was launched against a commercial website, the feds would snag these fools within one day; but since this is a non-profit organization, they seemingly don't give a shit.
A lot of the big channels from DALnet have gone to EFnet. The irony in this is quite painful (since DALnet was initially formed by disgruntled people from EFnet trying to escape shitty service in the first place).
One plus about leaving DALnet on to greener pastures has been zero PM spam on the new networks at least. Well, for now.
"The Wright brothers were the first to fly with a heavier-than-air machine, but boy did they have a lousy plane"
I don't like that one of the linked articles suggests an end of IRC. Any server can be DDoS'd and there's nothing that makes IRC more vulnerable than any other service being provided. In general, the IP addresses of hubs are hidden from ordinary users, so the worst damage that can be done is taking some client servers offline.
Undernet has hidden which server a user is connected to and has disabled commands such as /links. There's now a +x mode which, if a user is logged into X/W, hides the user's host.
Yes, the kiddies get large botnets, but that doesn't mean they win. There were times a few years ago that most EFnet servers were offline for days, and that EFnet lost many servers during that time. But the kiddies were never able to destroy the network, and it's come back stronger than ever. If anything, the kiddies didn't hurt the network, they made it better. There's a chanfix, inspired by the attacks, to restore opless and some taken-over channels. This goes a long way to preventing attacks. Most of the EFnet attacks were motivated by channel disputes.
Where I'm going with this is the best IRC networks generally survive the attacks and are stronger in the end. I don't think an attack on Dalnet is the end of IRC.
While I'm no expert on this, as a longtime user of IRC, in the past couple years I've seen a huge rise in the number of users who send you a website to visit upon joining a channel. Some networks take the steps of helping these users remove the trojan, or removing them from the network. On the other hand, some networks do nothing to solve these problems. If these are the same trojans that provide DDoS bots, opers could be doing a lot more to track down and solve the problems. I, for one, often report these to EFnet opers, and the opers are almost always quick to remove the user from the network.
What's my point in all of this? With some common sense, some coding skills, and opers who are willing to help, a network can solve a lot of its problems. If EFnet and Undernet managed to overcome DDoS attacks many times in the past, one wonders why Dalnet wasn't able to.
And the end of Dalnet doesn't mean the end of IRC. Other networks are better prepared to deal with this sort of thing, and can survive much more than Dalnet has. While the article raises valid concerns, it's written from the standpoint of someone who doesn't seem to know much about other networks.
Anyway, I hope Dalnet doesn't just cease to exist. Somehow I doubt it will, though.
..it's the timing and location that are suspicious to me. I don't believe in coincidences too much. And yes, I thought about it being before the weekend, there's another reality for that, less actual human beings on site to fix things. and it could just be an "amateurish" but still state sponsored event, that takes care of the attack angle.
Now I'll go out on another possible speculative limb, just musing here now, my earlier reference to a "Reichstag fire" event. Enough to scare, not enough to damage much. What's the outcome of all this attacking today? A million guys downloading and slapping patches on as fast as they can? -->insert Jon Lovitz voice--> "patches", ya-a-a-a, THAT'S the ticket! patches!"
Impossible? So were the odds of the mad snipers hitting DC AND being the week before the homeland security bill vote. That's another one of those too-far-out odds to be true just "random chance" events, at least for my suspicious nature of modern political reality.
1. DDos
2. ???
3. Profit!
Orchestrate a DDoS attack against a company then sell their stocks short.
It's quite a simple and obvious scheme really. The RIAA has hired someone to build this virus which effectively DDoSes the entire 'net. All of the P2P filesharing networks slow to a halt, and suddenly all of those people who were planning to download + burn the music for their Super Bowl party tomorrow have to actually buy it.
Actually, it wouldn't surprise me *too* much to learn that this is the case...
...because no other OS has ever had an exploit. this is far-reaching because of wide-spread use, not because it's any more hole-ridden than any other OS. sign up to a few various security lists and marvel at the filling of your inbox.
Are you saying he should have 2 computers when he only needs one???? Not everyone can throw around money.
The Microsoft servers are a different story. They should have lots of backup systems running because they serve millions of people. Not to mention this is caused by a security flaw they carelessly created.
This guy is hardly being hypocritical.
jesus how many fucking morons are going to post, "where's the profit?"
TIME TO CASH IN YOUR CLUEPONS
I swear it wasn't my fault. Hans Blix told me that he couldn't find any worms on my SQL Server.
I realize that this may seem silly, but I still don't get just why M$ isn't liable for at least some of these damages. They release a compromisable product, they sell said product, they quietly release a patch of said product, then worm kills said product. I'm sorry, but the costs of releasing buggy code (particularly at M$) are so high that it is more reasonable to have harsh punishments to companies that release said code than to waste energy finding kiddies who will always exploit holes.
-Sean
jackass.
Unless, of course, he did the install 30 days ago, and waited to install NOW. Point is, this really doesn't matter, and this guy can kiss my ass -- "I gotta stop my project for some unknown length of time" sounds like the lamest excuse I've ever heard. Maybe he's gotta make a run to Krispy Kreme. Regardless, XP allows you 30 days grace (beta versions 14 days).
Well, I can see why Bruce Perens added you to his foes list.
The 30-day grace is for an initial install. For hardware changes the rules are different:
Source: Service Pack 1 Changes to Product Activation. So apparently the guy had the nerve to install new hardware on an XP system that didn't have this service pack applied.
The take home lesson here: until the activation servers come back up, you should not install any new hardware on an XP system or your machine will be rendered inoperable. Unless you've installed SP1 first. In that case you can install your new hardware and cross your fingers that the MS activation servers are back up within 72 hours.
I mean Excisely! Mod this guy up. This is the most reasonable theory - big business in the pursuit of the holy dollar has proven itself to have ethical standards that make used car salesmen look like saints.
There have been at least two, possibly three or four, occasions where DALnet just shut down completely for a period of at least a few days (this latest one being in the range of like a week). After the first "big" DALnet shut-down, it seems a lot of channels moved to other networks; most of these channels have even gained numbers. Seems even if DALnet does return, a lot of the channels that left it will stay on their new-found networks. The few anime channels that came back to DALnet are very slowly gaining back their numbers, but they're nowhere near the levels they used to be. As of right now, the highest count is 51 users, which is really low for a DALnet anime channel. Highest warez channel count is 68, which is also really low for a DALnet warez channel. And even the MP3 channels, which probably were some of the biggest channels on DALnet, have lost major numbers. I seem to remember them being in the area of like 600+; current count is 166. So yeah, DALnet has really been taking it in the ass.
General consensus around the parts i hang out seems to be that losing DALnet wouldn't be such a bad thing. We'd all move our channels to other networks, and be done with it. Chat channels would really love EsperNet or IRCnet, and warez/MP3/ISO/PlayStation/etc. channels have a half-dozen networks to choose from, most notably EFnet (though i despise it). Anime channels would thrive on Aniverse. DALnet was great, but, unless things see a really dramatic improvement, i think there are many that would agree that it needs to be put out of its misery as soon as possible.
What has made this all really lame has been the fact that DALnet hasn't really said anything about this. Their eZine (the DALnetizen) has truly been the opposite of helpful throughout this whole ordeal. It seemed as though DAL was almost oblivious to what was happening. There would be a paragraph about Christmas, a paragraph about the benefits of PHP, a paragraph about poems, a paragraph about some new op or something, and then tucked away in a little corner would be a little sentence or two along the lines of "ps dalnet si getitng ddosed pls bare w/ us thx". After this most recent attack, however, they've started to get their act together a bit, and have posted a lot more information regarding the situation. Information can really be helpful to their users, if they want to keep them.
Also not helping the situation are rumours(?) to the effect that the DALnet administration has resorted to childish finger-pointing, and have pretty much detached themselves from each other. DALnet isn't really doing a very good job of assuring its user base that it'll be alright. :/ Hopefully, if DALnet is to survive, this will be remedied.
And, finally, the biggest blow to DALnet has been the de-linking of several of its (best) servers. Almost all of the "good" servers, the ones that everyone had as their first picks, have disappeared. Even the "fall-back" servers seem to be gone. Evidently DALnet is picking up a few new (or renamed, maybe, i can't be sure myself) servers, even in light of the attacks, however.
So DALnet's fate is really unknown. No one can be sure, but for now it's functioning, at least in the sense that it has the ability to carry users. Who knows, though, it could be down again tomorrow.
So does this mean that all of DALnet uses MS SQL Server?
I sure hope not.
This Jim Blair guy is full of shit. You have 30 days to activate the software. It's not "crippled" in any way until that 30 day timer is over.
Nope, sorry dude. If you swap enough hardware in/out of your PC, XP will stop letting you log on *immediately*. Regardless whether your system was activated before or not!
Hell, once I swapped the network card and XP wouldn't let me log on before it had phoned home to get me permission to use my PC again. But the hard part was: without being able to log on I couldn't install the network driver, and without the driver the system couldn't activate! Deadlock! Well, had to use phone activation, but still...
The nice thing is, we can expect much more from MS where the whole Activation idea came from (DRM and whatnot). Now if only X11 wasn't so fucked up and KDE was more productive to use, I'd have made The Switch a long time before now...
You just know that whoever did this is a /.er, and has been for a long time.
This is such a huge community of technically-savvy people, even if most of us are legitimate users--from lowly personal FTP site administrators to professional sysadmins for major corporations--some among us are the type who crave attention and/or power by any means, including bringing down the Internet in its entirety for a few hours.
I suppose we can't start seeing one another as suspects, though. As is the case with actual terrorism (I agree with other posters who argue that this isn't real terrorism), that type of reaction would be exactly what the perpetrators are hoping for.
I found the meaning of life the other day, but I had write-only access.
My boss tried to call them to pay the company cell phone bill, and they can't; their database is hosed from this attack. Anyone else know of any companies that are hosed right now?
Everybody denies I am a genius--but nobody ever called me one!
So, I did the thing any self-respecting geek would do. I download OpenOffice.org, and uninstalled Office XP. So, as you can see, software activation is a good thing for open source software, as it drives users like myself away from MS products. ;)
"To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking
That's not right... I've made minor hardware changes to other peoples' computers and not been able to login w/o activation effective immediately. Pretty damn annoying as it was, since I needed to phone MS to reactivate... I can just imagine the fun in a case where you were unable to get a code at all.
So you gotta be a capitalist before the FBI will help find out who is attacking them ? That doesn't sound right. The FBI helped ETG back in August. Before this issue, I didn't realize ETG was a cash cow capitalist.
What if the FBI is letting the Entertainment Industry do this on purpose, to one by one destroy all the warez swapping networks/mediums. As all the people migrate to the other networks, it is very easy for both the FBI & the Entertainment Industry to join in (pose as swappers) and start keeping track of who is swapping what, and eventually bust the bigger fishes.
Of course, I did eat green eggs and ham this morning, so my view of the real world is slightly distorted today.
Microsoft has a history of ignoring people who tell them about holes, bugs and failures in their O/S.
I can't tell you how many times I've seen Outlook express crash from buffer overruns, and memory leaks. I'm certain that all it would take is the right email to do the same thing to OE. The bug I've reported has persisted through *5 separate upgrades* to OE, including 2 major versions (4->6).
If I had the source, I'd just wait for it to crash, launch the debugger, fix it (or workaround it - as needed), and post the patch.
Possibly it's Microsoft's outmoded business model that's to blame. Modern firms know that customers pay for service, not software...
Uhh...the Slashdot article on the sale of DALnet was a joke, but the DDoS attack on DALnet is very real. Actually, several IRC networks have been getting DDoSed in recent months.
The (new) article referenced in this article's initial post describes, not a DDoS attack on the IRC server, but a use of the IRC server as a control point for a DDoS attack on something else. (The "bots" - infected machines - connect to the IRC server and lurk on the channel for their master to give them orders.)
So perhaps the DDoSing of DALnet and/or other IRC servers is not an attempt to take out the servers themselves, but a side-effect of the progeny of a particularly fecund worm "phoning home" to ask for futher orders.
And perhaps those trying to track down the authors of the worms will soon be bugging the worms' favorite IRC servers in the hopes of tracing the perpetrator when he finally logs in to give 'em marching orders.
(A marching army of worms. What an image. Something like an angry horde of banana slugs on pogo sticks.)
Worse yet would be an attempt to shut down IRC servers in general. Of course this wouldn't stop the worms, as the authors would quickly switch to another method of controlling them. So it would just eliminate another Internet tool without having any perceptible benefits.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
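The pattern the post above describes, infected machines connecting to an IRC server and lurking on a channel for orders, leaves a signature an oper can look for without knowing anything about the bot: a burst of JOINs to one channel from many distinct hosts, all with machine-generated nicks that differ only by a counter. What follows is an added example, written for this page and not taken from the thread, any IRC daemon or any real bot: a small IRC message parser plus a detector over a constructed log. The "unix-timestamp then raw line" log format, the channel and nick names, the hosts and the thresholds (60 seconds, 5 hosts, 80% shared nick stem) are all assumptions; real server logs have their own layout and the parser would need adjusting.

```python
"""Flag IRC channels that look like a bot rendezvous point: many distinct
hosts joining one channel inside a short window, with nicks sharing a stem.
Added example for the discussion above; log format and lines are constructed."""
import re
from collections import Counter, defaultdict

# Constructed log format: "<unix-ts> <raw IRC message as the server saw it>"
IRC_LINE = re.compile(
    r"^(?P<ts>\d+) "
    r"(?::(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) )?"
    r"(?P<cmd>\S+)(?: (?P<params>.*))?$"
)


def parse_irc(line):
    """Split one logged message into prefix parts, command, middle params and trailing."""
    m = IRC_LINE.match(line)
    if not m:
        return None
    params = m.group("params") or ""
    if params.startswith(":"):
        args, trailing = [], params[1:]
    elif " :" in params:
        head, trailing = params.split(" :", 1)
        args = head.split()
    else:
        args, trailing = params.split(), None
    return {"ts": int(m.group("ts")), "nick": m.group("nick"), "host": m.group("host"),
            "cmd": m.group("cmd").upper(), "args": args, "trailing": trailing}


def nick_stem(nick):
    """'dr0ne17' -> 'dr0ne': generated bot nicks usually differ only by a counter."""
    return re.sub(r"\d+$", "", nick).lower()


def find_suspect_channels(lines, window=60, min_hosts=5, min_stem_share=0.8):
    """Return {channel: details} for channels where, inside `window` seconds, at
    least `min_hosts` distinct hosts joined and at least `min_stem_share` of
    those joins used nicks with the same stem. Thresholds are illustrative."""
    joins = defaultdict(list)                       # channel -> [(ts, host, nick)]
    for line in lines:
        msg = parse_irc(line)
        if not msg or msg["cmd"] != "JOIN" or msg["host"] is None:
            continue                                # only client JOINs matter here
        chan = msg["trailing"] if msg["trailing"] is not None else (msg["args"][0] if msg["args"] else None)
        if chan:
            joins[chan].append((msg["ts"], msg["host"], msg["nick"]))
    report = {}
    for chan, events in joins.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):    # sliding window starting at each join
            span = [e for e in events[i:] if e[0] - t0 <= window]
            hosts = {h for _, h, _ in span}
            if len(hosts) < min_hosts:
                continue
            stem, count = Counter(nick_stem(n) for _, _, n in span).most_common(1)[0]
            share = count / len(span)
            if share >= min_stem_share and len(hosts) > report.get(chan, {}).get("hosts", 0):
                report[chan] = {"hosts": len(hosts), "stem": stem, "share": round(share, 2), "start": t0}
    return report


# Constructed server-side log: a normal channel and a bot rendezvous channel.
SAMPLE_LOG = [
    "1043532000 :alice!al@dsl-1.example.net JOIN #80s-cartoons",
    "1043532005 :dr0ne01!x@10.0.0.11 JOIN :#c0ntrol",
    "1043532006 :dr0ne02!x@10.0.0.12 JOIN :#c0ntrol",
    "1043532007 :dr0ne03!x@10.0.0.13 JOIN :#c0ntrol",
    "1043532009 :bob!bb@cable-7.example.org JOIN #80s-cartoons",
    "1043532010 :dr0ne04!x@10.0.0.14 JOIN :#c0ntrol",
    "1043532012 :dr0ne05!x@10.0.0.15 JOIN :#c0ntrol",
    "1043532013 :dr0ne06!x@10.0.0.16 JOIN :#c0ntrol",
    "1043532014 :dr0ne06!x@10.0.0.16 PRIVMSG #c0ntrol :hi",   # non-JOIN traffic is ignored
    "1043532015 PING :irc.example.net",                        # no prefix: server message
    "1043532020 :carol!cc@ppp-3.example.com JOIN #80s-cartoons",
]


if __name__ == "__main__":
    for chan, d in find_suspect_channels(SAMPLE_LOG).items():
        print(f"{chan}: {d['hosts']} hosts in 60 s, nick stem '{d['stem']}' ({d['share']:.0%})")
```

Lowering min_hosts to 3 still leaves #80s-cartoons unflagged, because its three nicks share no stem; the nick-similarity test is what separates a popular channel from a herd of bots. In practice the hit list is a starting point for an oper, who would then watch the channel for the "orders" the post describes rather than act on the join burst alone.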
It occurs to me that this might be (part of ?) a fairly sophisticated methodology to gobble up bandwidth connecting a few 'well-connected-nodes' in the network. There is a finite but very large capacity-per-second for data transfer to and from these nodes that, if it is consumed by garbage, has the effect of the sewers backing up. The commonplace traffic (which ordinarily is in the majority?) uses the same physical path as the more esoteric traffic, like IRC or Freenet, gets squeezed by the increase in traffic that is normally used by a minority of the physical users. This could knock the utility of the Internet at large down a few notches for a period of time, which might be what is needed to accomplish another aim. As the number of incidences of DDoS increase in targeted segments of the Internet, does anyone else think 'Proof of Concept', or am I just paranoid?
However, I suspect this new worm's ("Bill's Tapeworm" as I heard another slashdotter call it) DDoS payload was a side-effect and likely accidental.
Perhaps the worm was really just trying to replicate itself and not meaning to do any damage yet...because that comes later.
Does anyone know if this worm offers its creators a way to do damage later? Maybe the goal last night was to infect a bunch of servers that would be put to use in a more permanently damaging way later on. After all, the slowdowns last night lasted mere hours and served only to make sysadmins sit up and take notice, and improve security--maybe the slowdowns were completely unintentional and unexpected. Mayhaps the ultimate goal was to use the worm to destroy the records in the databases, rather than just take out the databases temporarily.
I don't know, maybe some people get a kick out of an attack that gets lots of press but has no lasting effect--but it seems more logical to me to assume that the perp was going for a more permanent slowdown/loss of data.
Remember that the attack only affected MS servers, and MS has plenty of enemies. If the attack had wiped out the transaction, inventory and employee records of thousands of companies, people might actually think twice about using MS products in the future.
I'm not terribly knowledgeable about these things and don't know if the worm could have been put to such a use had it managed to go unnoticed last night, so correct me if I'm wrong on that (though this being /., I'm sure someone will "correct" me even if I'm right).
I found the meaning of life the other day, but I had write-only access.
The imperialist South Koreans are off the net! --
I happened to be listening to the New Democratic Party's leadership convention live: yes, they did use Web voting; and yes, they did encounter problems consistent with this worm, problems which gave rise to rumours of sabotage since it seemed that someone was denying access to login. [Were they using M$ $erver $000?] Happily, things worked out just fine. I don't know what the full story is yet.
-- When you look to see how the system works, you usually find that it doesn't.
It's interesting that the MS SQL worm that went around today would be such a problem....considering that MS released a patch for the vulnerability it exploits back in July: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
What do the sysadmins *think* is going to happen if you don't pay attention to security bulletins from major vendors and 3rd party orgs?
Don't become a regular here, you will become retarded. -- Yoda the Retard
There was a separate attack coinciding with the DDoS. Large numbers of Chinese hosts attacked www.whitehouse.net, presumably by mistake (www.whitehouse.net!=www.whitehouse.gov). Elegant in its simplicity: they simply loaded the home page over and over and over again.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
... for using Dos as a server.
The virus was a TSR (Terminate and Stay Resident), that would write EOF to disk at a random location when other data was written to disk.
Tried it out on my own (spare!) machine, and without some kind of CRC checker to understand that files were being changed, there really was no telling. As there was no pattern, there was no way to recover files and no way to tell which files were intact.
The machine got worse and worse, lots of "unexplainable" crashes, and finally it took out some system files and didn't boot. Was slow enough that you'd think it was just the disk going bad though.
Was a really nasty one, never released into the wild though. At which point I realized "I could", and chose not to. Having the power, not using it, was my power trip. Guess some need more, though.
Kjella
Live today, because you never know what tomorrow brings
X11, I saw that bitstream gave some fonts away. And HP should be releasing some improvements, one that sticks in my mind is desktop resolution switching.
KDE: Seem to be taking time on 3.1, already hear reports from the devel list that Konq at least is a lot faster (and this before they added fixes and additions from Apple).
Gnome 2: Still waiting for Ximian 2.0, put back to the spring.
Hopefully your experience will be more productive soon, although I am finding it productive now (then again needs vary between people).
StarTux
Many stores, including Holt Renfrew, were unable to process credit card, credit, debit, or any other forms of electronic transactions today due to their central database being down. When will they learn?
Of course, if I didn't have to download the X10 pop-up at the same time that I was running the test, I would have had much faster results.
And if a marble breaks into two pieces, does that count or one or two votes?
BankofAmerica_ATM
Okay - DDOS attacks are a problem.
But how can they be halted in the next iteration of internet protocols, IP stacks and operating systems? A few random thoughts and questions:
How much of a difference is there between:
(1) A host with the operator's intent to be malicious.
(2) A host running trojan code without the operator's knowledge it is being malicious.
Is it possible to construct an OS / use default settings that can monitor the network behaviour of various applications and automatically stop or bring this behaviour to the notice of the operator? Building an OS that automatically polices itself without trusting other hosts?
How can the network provide "feedback" from the target, through intelligent routers, eventually back upstream to the ISP (and the user) that their machine is performing malicious operations - without making it possible for end-users to spoof these signals?
I can almost imagine an abundance of DDOS attacks leading to an emphasis on accountability in future networks, gained by a mass sacrifice of anonymity - and ISPs made to enforce this by law. Imagine if all users' data was untrusted and your ISP marked all data sent by you with a globally unique ID that identifies you as a customer - and was forced to keep a 6 month database of all other hosts that you have attempted to send packets to. Now imagine if this happened for all internet hosts. There'd be an ample evidence chain to trace back to "patient zero", find and persecute the originators of the worm.
Oddly, I'd buy that right now because I'm so pissed that anyone would want to destroy my precious internet. The tragedy of the commons I guess. Here's looking forward to the first execution of a convicted spammer or DDOS attacker for their crimes against civilised society.
"Sorry, the MySQL daemon appears to be down."
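The self-policing OS the post above asks for (an OS that "can monitor the network behaviour of various applications and automatically stop or bring this behaviour to the notice of the operator"), as an added example that is not code from this thread: a host-side egress check over flow records that scores a process by how many distinct destinations it contacts on one port per time bucket. Destination fan-out, not packet count, is what separates a worm spraying the Internet from a resolver or a browser. Where the flow records come from (a host firewall hook, a packet filter, an audit log) is outside the example; the record format, process names, addresses and thresholds are constructed assumptions.

```python
"""Host-side egress monitor: flag a process that fans out to many destinations.

Added example, not code from the thread. Pure function over flow records;
the records, process names, addresses and thresholds are constructed.
"""
from collections import defaultdict


def make_sample_flows():
    """Constructed flow records: (epoch_seconds, process, proto, dst_ip, dst_port)."""
    flows = []
    # a browser fetching pages from three hosts over a minute: normal
    for i, ip in enumerate(["192.0.2.10", "192.0.2.11", "198.51.100.5"]):
        flows.append((1043460000 + 20 * i, "browser", "tcp", ip, 80))
    # a stub resolver hammering one DNS server: many packets, one destination
    for i in range(300):
        flows.append((1043460000 + i, "resolver", "udp", "192.0.2.53", 53))
    # a database server talking to two replication peers: normal
    for ip in ("192.0.2.20", "192.0.2.21"):
        flows.append((1043460030, "sqlservr.exe", "tcp", ip, 1433))
    # the same process sending one UDP packet each to 200 distinct hosts
    # within a single second: worm-like fan-out
    for i in range(1, 201):
        flows.append((1043460040, "sqlservr.exe", "udp", f"203.0.113.{i}", 1434))
    return flows


def fan_out_alerts(flows, window=10, max_distinct_dsts=50):
    """Return {(process, proto, dst_port): peak_distinct_destinations} for every
    process that reached more than `max_distinct_dsts` distinct addresses on
    one (proto, port) inside a single `window`-second bucket.

    Bucketing by ts // window is deliberately cheap: an OS hook has to do
    this per packet, and a worm that scans at thousands of hosts per second
    saturates any bucket size you pick.
    """
    distinct = defaultdict(set)
    for ts, proc, proto, dst_ip, dst_port in flows:
        bucket = ts // window
        distinct[(proc, proto, dst_port, bucket)].add(dst_ip)
    peaks = {}
    for (proc, proto, port, _bucket), ips in distinct.items():
        key = (proc, proto, port)
        peaks[key] = max(peaks.get(key, 0), len(ips))
    return {key: n for key, n in peaks.items() if n > max_distinct_dsts}


def describe(alerts):
    """Operator-facing lines for each alert, the 'bring to the notice' half."""
    return [f"{proc}: {n} distinct hosts on {proto}/{port} in one window"
            for (proc, proto, port), n in sorted(alerts.items())]


if __name__ == "__main__":
    for line in describe(fan_out_alerts(make_sample_flows())):
        print(line)
```

On the constructed flows only sqlservr.exe on udp/1434 trips the threshold; the resolver sends far more packets but to one address, which is the point of counting destinations rather than packets. The post's harder question, telling a malicious operator from a trojaned host, is not something this check can answer; it only tells you which process on which host to stop and look at.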
I'm currently a student at UC Riverside (University of California, Riverside). I am currently using the school's network for internet access. Starting last night, the internet progressively became unbearably slow. (I also verified that the same phenomenon was experienced at UCSD and USC.) When I woke at 4pm (PST), it was still super-slow. I was seeing ping times to google.com in the 1500ms range. Now they fixed something and I'm seeing 70-80ms. So, seems like a DDoS attack?
For those who don't know, in Canada we still use a pen and paper voting system -- not even punch cards. This vote was specifically for the leader of a political party, so I believe it was run by the party, not by Elections Canada. For me, these problems are evidence that we should stick with our proven voting methods until we're much more confident in electronic voting systems (if ever).
"I have never let my schooling interfere with my education." - Mark Twain
Called Xingular today because I couldn't get my voice mail - the PIN wasn't working. Woman at CS said she couldn't help because 'we have some kind of virus in our computers at the moment'. Think it was this SQL worm?
Note that hardly any of viruses, worms, etc cause any real damage.
In many firms the whole network will be shut down as long as it is unclear how harmful the worm is. The employees can't work. Their time at work costs money, though.
The fact that the LARGEST banking company in the United States relies on the public internet for ATM transactions is totally disturbing to me. I don't know about the rest of you, but I will never use Bank of America as long as I live because of a statement like that. I tried to use a Bank of America ATM earlier this morning, and the transaction timed out. That's BULLSHIT. They should rely on private (telephone, X.25) networks, not the internet, like they always have done previously. I know the Internet is cheaper, but the reliability of financial transactions is at stake here.
Or has no one checked things out there lately?
From the DALnet server I'm on at the moment:
There are 625 users and 17700 invisible on 22 servers
All I want is a kind word, a warm bed and unlimited power.
http://www.msn.dk/ this is the Danish MSN portal and it's right now (3 am CET) completely empty, now that's funny :P. I'll bet they don't have an admin until Monday morning.
The patch came out in July. If they weren't accessible via the Internet this wouldn't be an issue. Who is at fault? Admins. I'm a network admin and my SQL2K boxes are patched and NOT available to the outside world.
It's not hard.
Rawhide!
But I think it was because my mail servers are dead.
this got me thinking... what would happen if someone were to create a worm that specifically targeted the windows xp activation servers with a ddos attack? If this kept people from activating new installs of windows xp for days or weeks at a time, could it force microsoft to rethink their new draconian licensing schemes?
Gyrate Dot Org - "Where high-tech meets low-life"
Go ahead, kill off all the DNS servers. That just means more bandwidth for Gnutella.
... as a lot of sysadmins fire up their unpatched MS SQL servers. Unlikely that any patching would be going on tomorrow either, with it being Super Bowl Sunday and all, no one will want to do any work.
Interesting timing, to say the least...
A lot of retailers today in Canada which use the Interac direct payment system (customers use their bank cards to pay as if they were at an ATM; there's a code pad they enter their PIN on) had trouble. Royal Bank customers couldn't pay until about 5 pm at merchants using TD Canada Trust terminals, and the other major banks also had trouble with their system. ATMs worked however, so I guess the smaller-time systems were doing some authorization over systems affected by this.
and in addition to needing to piss and shit like crazy, I just became too paranoid to go to the bathroom.
That set me thinking -- windows XP activation is 30 days, right ? If you don't activate, what happens in 30 days ? It demands you activate or it locks up.
How many people when installing or starting up a new computer for the first time ignore the activation because they've got to try it out right now ? A lot. What day was 30 days ago ? December 25th. What day probably features more people opening up new computers than any other ?
Perhaps they didn't try to attack the activation servers specifically, but simply thought of bringing down the net to stop the wave of Jan 25th activations, and got the activation servers as a lucky bonus.
Geezus, when we did IMC with CMAQ for FTAA/QC-A20
stay in touch
regards to everyone there from the Far East of North America (i.e. Alexa's consituency)
and my best to Ducasse [mark my words: he's going to be the first NDP prime minister @ hfx_ben 2247AST 25JAN03]
cya
-- When you look to see how the system works, you usually find that it doesn't.
This morning, I burned my last two CDROMs into coasters and needed to get more...so I headed over to the bookstore on the college campus near my apartment, figuring that even if I had to pay a little more for one or two CDROMs there, it would be less bother than driving across town to Best Buy. I arrived at opening time...to find the bookstore completely dark. I knocked on the door, and one of the student workers came out and explained that the university had taken all its computers off-line today because of a "big computer virus attack" that hit last night. "You might see something about it in the news," the worker said sagely. "It was world-wide." And so the bookstore was closed. And they couldn't sell me a single CD-ROM.
I ended up going up the street to Walgreen's and getting a 10-pack there...for probably what 2 or 3 blank CDROMs would have run me at the campus bookstore, so I suppose I can't really complain too much that university stupidity saved me some money. It was extremely annoying at the time, though.
Editor Emeritus and Senior Writer, TeleRead.org
umm... didn't the EULA change in the last 'service pack'
thank God the internet isn't a human right.
... just thinking about the "sabotage" report that filtered up from the backrooms ... gawd, that's such M$ FUD/spam/mind-ph*k ... like callling the outage on the XP registration service "maintenance" [see my blog] ... "Oh, we wouldn't call that a bug" ... it's Enron-think, and it sux.
-- When you look to see how the system works, you usually find that it doesn't.
ABC didn't even mention microsoft in their report.
CBS only mentioned the specifics at the very last of their report.
"I know it's pretty poor that M$ doesn't have any kind of backup activation facility, but just playing devil's advocate a little."
.NET online, WITH NO BACKUP SERVERS!!!
Wow, you have just given the strongest reason possible for having backup(s) with any Microsoft system(s).
"You had better have a backup at home because Microsoft definitely, categorically and absolutely won't have one at Microsoft!!!".
By the way, the problem here seemed to only exist in servers. Do you mean that the home user should have a server at home to BACK UP MICROSOFT'S SERVER???!!! No, I don't think that is what you meant! But, then maybe you did!
Happy "Trustworthy Computing" when and if Microsoft ever gets
Never make the mistake of underestimating Microsoft!
Nobody is saying that it isn't wrong to DoS people. But that doesn't make Microsoft's activation software right.
Your logic, if I can even call it that (which I can't with a straight face), is stupid.
Meet Bob. Bob robs banks. Robbing banks is wrong. People tell Bob that robbing banks is wrong. One day Bob gets murdered in the process of robbing a bank. Murdering people is wrong. People say that robbing banks is wrong. You come in and tell everyone that they are "incorrect": murdering is wrong.
You are saying that because Microsoft is being DoSed, what Microsoft is doing isn't wrong. Now you might feel that what they are doing isn't wrong, but to base it upon that load of horseshit you like to call "logic" is laughable.
Where do they find these people?
http://www.archive.org/details/ThePowerOfNightmares
reuters also buries the microsoft reference deep in the article. Is every report a copy of the same wire report?
-- "I can't tell the future, I just work there." -- The Doctor
Again I repeat, never make the mistake of underestimating Microsoft, they will always come in even lower and slimier than you ever could have expected!!!
This Research Advisory reads real well ... lays it right out there. Any admin-type that ignores this should really find another line of work.
-- When you look to see how the system works, you usually find that it doesn't.
As Bucky Fuller put it, tell the truth, tell all of it, and tell it right away.
*The part that blows me away is how officialdom acknowledges that admin-types are uncomfortable with M$ service packs *DUHH* because they sometimes call for editing critical system files. huh ... I mean, well, I made a good living cleaning up after engineers, but still ... there's something sad about that, doncha think?*
-- When you look to see how the system works, you usually find that it doesn't.
Seriously, I picked up a winxp keygen and ran off several hundred numbers. I never have a problem activating.
I'm so glad to see that your REAL copy doesn't work and my PIRATE copy works perfectly.
Life sucks, doesn't it?
I'd rather you do it wrong, than for me to have to do it at all.
from the article "But this patch required manual editing of critical system files, something many administrators just aren't comfortable doing. "
WTF!!
What administrator doesnt feel comfortable configuring their fucking network/system!?@
what a joke...
Someone else knows about example.com and its purpose!
Tim
Omnia vestra castrorum habetur nobis.
It's just as easy to warez the Enterprise Edition as the Personal edition.
Tim
Omnia vestra castrorum habetur nobis.
Why not? it is informative, at least to windoze users since they haven't got a clue anyways.
--can you expand on this some more? I got overpeer, but redteam? And did this start on a file sharing network or on irc or usenet, etc? Or did someone just decide to try it out first just at random? I'm not seeing the connection between the ms sql and the music sharing. And I haven't read any "first sighting in the wild" reports yet.
sure would be embarassing for them, though......
I was thinking that the data I gathered was probably useful to bust that botnet. The problem was, I wasn't able to find anybody to throw the data to.
It would be nice if the owners DALnet (and others) would provide faq info on where to send such botnet data.
OS Software is like love: The best way to make it grow is to give it away.
First Union/Wachovia online network now down.
NC2999: We are temporarily experiencing a problem with our Online Banking website. We expect this issue to be resolved shortly. In the interim, you may obtain your checking or savings account balances via automated telephone service at (800) 275-3862. We apologize for any inconvenience you may experience and appreciate your patience while we work to resolve this situation.
Domain Name: ENTERTHEGAME.COM
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: NS2.MEDIASTUDIOS.COM
Name Server: NS1.MEDIASTUDIOS.COM
Status: ACTIVE
Updated Date: 08-jan-2003
Creation Date: 02-jan-1999
Expiration Date: 02-jan-2004
Does anyone know if the service pack that contains the necessary patch to stop this worm is one of those with MS's fun new licencing agreements? What about the patch by itself? It would be interesting if the vulnerability couldn't be fixed without changing the licence...
Now we know the second step:
1) DDOS
2) Fun
3) Profit!
Heh, via my cable modem I'm at 3.3mbit/sec download, 400kb/sec upload.
:)
Not bad for my house!
It's actually _better_ than my office! (And I work for a Very Large Telco
--NBVB
1. DDoS
2. Have Fun
3. Profit!!!
It's just a little bit scary that a few lines of bad code in one of MS' database apps can bring down most of BOFA's ATMs in California. Even scarier that BOFA is not using that software.
I realize that "marginalized left of centre Canadian political party" is not as catchy as "Canada" but that last line in the post is simply lazy.
Maybe a possible solution to this would be only allowing certain IP's to connect to their servers, so if you wanted to chat you would go to their web site enter your IP and type in some letters shown in a picture, to make it bot-proof.
They took down a bank, and the public found out about it.
This will be used, and taken seriously, by everyone who wants to take anonymity away from us.
There are 2 rules you should never break:
1) never piss off the people who handle your food.
2)Never piss off the people who handle your money.
I'll bet there will be legislation to only allow financial transactions with a bank to people with a smart card within 2 years.
The Kruger Dunning explains most post on
The version of win xp pro i have has activation for 90 days. I don't know where you got 30 days from.
Every time in these reports (wire services included), Microsoft shows up as the heroes that are going fix everything: "You all just go get your patches, and everything will be fine. We're too busy taking care of this problem to talk about why it might have happened to our great product".
I think the problem is that the news services treat these viruses like they were tornadoes or floods or something. (They would like to have pictures of endless lines of cars heading for higher ground to escape the horrible virus.)
A worm is actually an act of God, we are all just victims.
Congratulations! Now we are the Evil Empire
First, it shows the blatant stupidity of the average "god like MCSE", too stupid to keep up with the almost daily security hole updates from Microsoft. Looks like those MCSE credentials forgot basic BOFH security training.
Second, you'd think a financial institution would be more security conscious than to trust its financial information to the most virus prone platform in existence. I bet there are quite a few management folks running around pointing fingers blaming everyone else for their stupidity right about now.
Third, it's obvious that not even Microsoft can keep up with their constant bombardment of security patches.
Sooner or later consumers will start to wake up and say "gee, there's got to be something better than this security hole software", rather than continue to be the sheep they are.
In the mean time, here are some catchy new marketing slogans for Microsoft:
What virus do you want today?
Microsoft, where security is an afterthought.
Trusted computing, hardware to solve our software stupidity.
I work for HP Pavilion technical support, and we're totally fuct... none of our servers work... we're logging phone calls by pen and paper, we can't set up orders for repairs and a whole crap load of other services are down.... since yesterday. All due to that damn worm.
<snip>
Most patches require a simple download and restart of the computer. But this patch required manual editing of critical system files, something many administrators just aren't comfortable doing.
</snip>
I work at a Bank of America data center. Last night was a fun night. I would like to personally thank the asshole who started this. Thank you and kindly go fuck yourself.
I always assumed it was the other way around. I've known tons of professionals that either put up with something substandard because they know how to deal with it (eg, mechanic with a car with a chronic problem), computer people that put up with crappy homebrew software simply because they know how to work around it, painters that cut all kinds of corners at home but don't for clients, and so on.
I don't run M$ software and I haven't agreed to any of their EULAs.
My Internet shop suffered from the general slowdown.
Can i sue M$ for the inconvenience?
PENAROL: You will be eternal like time and will bloom every spring.
Are these the people who are behind this? - http://www.indymedia.org/front.php3?article_id=23
I assume that the majority of the servers hit were administered by qualified people, someone with an MCSE or similar.
If such a huge number of MCSEs failed to do some basic thing like applying a service pack, or are not aware of the importance of them, that raises several questions regarding the MCSE CERTIFICATION ITSELF.....
PENAROL: You will be eternal like time and will bloom every spring.
* Subject: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!
* From: Michael Bacarella
* Date: Sat, 25 Jan 2003 02:11:41 -0500
Late Friday, January 24, 2003 we became aware of a new SQL worm spreading quickly across various networks around the world.
eeye digital security eeye.com
netgraft corporation netgraft.com
ngssoftware nextgenss.com
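The "block port 1434" advice in the Bugtraq subject line above, and the MS02-039 patch mentioned earlier in the thread, as an added example that is not code from this thread or from the advisory's authors: a small UDP parser that drops malformed datagrams and oversize requests to the SQL Server Resolution Service. MS02-039 is an unchecked buffer in that service, so payload length is the cheap perimeter signal when you cannot simply drop the port. The 64-byte limit, the request-type byte and the sample datagrams are constructed assumptions, not captured worm traffic.

```python
"""Classify UDP datagrams aimed at the SQL Server Resolution Service (UDP 1434).

Added example, not code from the thread or from eEye/NGSSoftware. MS02-039
is an unchecked buffer in that service, so port plus payload size is the
cheapest check. The 64-byte limit is an assumption (a legitimate resolution
request is a request-type byte plus a short instance name); the sample
datagrams are constructed, not captured worm traffic.
"""
import struct

UDP_HEADER = struct.Struct("!HHHH")  # src port, dst port, length, checksum
SSRS_PORT = 1434
MAX_SSRS_PAYLOAD = 64  # assumption, see module docstring


def build_udp(sport, dport, payload):
    """Build a UDP datagram (header + payload); checksum left as zero."""
    return UDP_HEADER.pack(sport, dport, UDP_HEADER.size + len(payload), 0) + payload


def parse_udp(datagram):
    """Return (src_port, dst_port, payload); raise ValueError on a bad header."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("short UDP header")
    sport, dport, length, _csum = UDP_HEADER.unpack_from(datagram)
    # A length field larger than the bytes we hold is the classic way a
    # parser is walked off the end of its buffer; refuse it rather than clamp.
    if length < UDP_HEADER.size or length > len(datagram):
        raise ValueError("UDP length field disagrees with datagram size")
    return sport, dport, datagram[UDP_HEADER.size:length]


def classify(datagram):
    """Return ("drop" | "pass", reason) for one datagram."""
    try:
        _sport, dport, payload = parse_udp(datagram)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    if dport != SSRS_PORT:
        return "pass", "not SSRS"
    if not payload:
        return "drop", "empty SSRS request"
    if len(payload) > MAX_SSRS_PAYLOAD:
        return "drop", f"oversize SSRS request: {len(payload)} bytes"
    return "pass", f"SSRS request type 0x{payload[0]:02x}, {len(payload)} bytes"


# Constructed samples: a plausible instance lookup, an unrelated DNS query,
# an overlong request (filler bytes, not worm code), and a datagram whose
# length field promises more bytes than arrived.
SAMPLES = {
    "instance_lookup": build_udp(40000, SSRS_PORT, b"\x04MSSQLSERVER"),
    "dns": build_udp(40001, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
    "overlong": build_udp(40002, SSRS_PORT, b"\x04" + b"A" * 375),
    "truncated": build_udp(40003, SSRS_PORT, b"\x04MSSQLSERVER")[:12],
}


def classify_all(samples=SAMPLES):
    """Verdict per sample name."""
    return {name: classify(dgram)[0] for name, dgram in samples.items()}


if __name__ == "__main__":
    for name, dgram in SAMPLES.items():
        print(name, *classify(dgram))
```

At the perimeter the blunt version is a single rule on Linux (`iptables -A INPUT -p udp --dport 1434 -j DROP`), which is what the subject line asks for. The size check is for the case where named-instance discovery must keep working inside the network while you patch; it is a stopgap, not a substitute for MS02-039, since the real fix is the patched service and, as the admin above notes, not exposing the port outside at all.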
http://www.norml.org/index.cfm?Group_ID=5517
Now it's the hard working people of America who are pissing away money on bollocks adverts during the SB. Well actually the Government is doing that on their behalf.
Now how about the kind US government running some anti-drink-driving or anti-smoking adverts alongside them? Mmmmnah... didn't think so.
Ali
Ph33r m3!!!
So what about if I have a lab with 3 or 4 computers and I need to move WinXP around?
Or what about if I buy a no-name PC and install WinXP there after removing it from my other PC?
My point is, MS is dictating to you how you use your own hardware. If you think that is reasonable, good for you cowboy and good luck.
If copyright infringement is such a menace, how it comes MS made a profit from completely unprotected software for all these years?
IANAL but write like a drunk one.
What most probably happened is that the worm affected machines behind the corporate firewalls, thus making corporate intranets grind to a halt. Any backend servers that for any reason were in the same networks as affected machines ran into serious problems due to network congestion.
This could and should have been avoided, but when you have literally hundreds or thousands of servers, details like these can go unnoticed.
I don't work for that bank but for another that was less affected (because we rely far less on MS software, very rarely for mission-critical applications; we still got bitten though).
The reason it takes so long for the updates to show up isn't the incapability of their system. The transaction shows up the first day and it disappears the day after.
It is because they love to not let you know for sure how much money you have in your account, and just in case you live from paycheck to paycheck and don't have a tight grip on your balance, you have high chances of overdrafting your account. They charge $29 for every transaction you overdraw, so if you have, let's say, four $1 transactions they would charge you $116 for the fantastic service they provided to you by paying $4.
I hope this attack cost them a lot because they deserve it for fucking over people that struggle from day to day.
They need to change their name to Gringotts Bank.
I wondered why it's been so tough to get into Slashdot recently...