DDoS for Fun and Profit
First there's the Microsoft worm, reported earlier, which in addition to all the other damage has apparently knocked Microsoft's Windows XP activation servers (and Bank of America ATMs) off the net. Then we've got a report about the ongoing demise of DALnet, perhaps not the way we expected it to go. And Canada discovers a risk of online voting.
OK, I can see how some script kiddie might think that orchestrating a DDoS attack might be fun, but how would he profit from it?
Anyone?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Microsoft can't even secure their own servers? How can we expect their OSes to run securely on our servers?
Feeling of power basically. They want to be "ph33r3d" and to run DalNET (or whatever else) into the ground would make them the most powerful people on DalNET because they have power over everyone else and the network is completely at their mercy.
That this is just an inherent problem in the internet's sociology and architecture isn't really a term in the equation but there you go.
I do not believe the people responsible for such attacks realize they are being self-destructive. The only end goal of such actions is not to increase security-mindedness in the computer world, but rather to scare the normal users, the public, from ever touching the Net. Without the users, companies will be stretched to find the cash to keep up the backbone structure and I am sure it would fall apart. The media hypes anything that is detrimental to the public, including viruses, DDoS attacks, etc. This does nothing but a) scare users off the Net, b) make the Net look bad to the public. So are all these kids out there pulling stunts going ahead with the goal of destroying the Net in mind? Even though that seems to be all they know? Interesting, work to destroy the only thing you know. Perhaps I should start a crusade to physically destroy computers too? My actions would teach people they do not *require* their computers to survive, right? Just like taking down sites will serve to show people security vulnerabilities?
If the work is that important, why do you not have a backup machine with which to perform the task? Rather ironic that you're lambasting Microshaft for having no backup system when you yourself have none.
Disclaimer: yeah, yeah, I know it's pretty poor that M$ doesn't have any kind of backup activation facility, but just playing devil's advocate a little.
DDoS attacks ruin the productivity of others. Whether it is Microsoft, or any other site... Many people use Windows XP in the world, much, much more than the number who use Linux, and attacking the servers ruins the productivity of many businesses who rely on Windows XP to get work done.
Sure you could say "Microsoft is wrong for HAVING this activation feature", but that is incorrect. Attacking ANY company's network is wrong, and very illegal. How would you feel if the servers you get open-source applications from were made unusable because someone attacked the network they were hosted on? This is the same thing.
I hope the people who are responsible for this attack (which is technically terrorism) are thrown in jail. It will likely be a long sentence.
Stanley Feinbaum, professional journalist and master debater! God bless the USA!
"Script kiddies" won't answer to that label. They consider themselves "hackers".
Script kiddies don't write worms though, at least not the sophisticated kind. Sure, they might turn out Melissa v24.0 in VB, but these advanced attacks are written by people with much more skill.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Of course the modified version someone else now crafts that starts spreading sometime next week might actually aim to do some persistent damage, but this version didn't.
In fact, you might even regard this as a blessing in disguise. The worm spread on a Friday night/Saturday morning, when the least business would be affected. As of this morning, most ISPs now have filters in place, so any follow-up isn't likely to do much damage, and it will now be hard to launch a really destructive attack using this particular vulnerability in future.
- Fzz
This sort of thing is precisely why I will never run XP on any of my own computers. If I have to run a Windows program, it will be on Windows 2000. When new software stops supporting that platform I hope to have already switched everything over to either my Mac or Linux boxen.
When will the ISPs start getting off their respective behinds and start doing something about this? With the broadband ISPs' subnets accounting for so much of the destructive power of these DDoS attacks, they have a responsibility to at least attempt to ameliorate their impact.
It's not hard to set up simple routing rules to at least curb some of these attacks. Hell, a lot of ISPs still even route spoofed IP packets out of their networks - this is nowhere near acceptable. Realistically, there is no real application for a constant stream of ICMP traffic coming from a single node - there should at least be a maximum allocatable bandwidth for ICMP set at the ISP's gateway. Obviously UDP- and TCP-based floods are more difficult to manage, but throttling ICMP-based floods would be a step in the right direction.
All this is IMHO, of course - users have a responsibility to secure their machines, obviously, but it's going to be a hell of a lot easier to secure a few gateways and routers than a million home PCs.
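The two gateway checks the post above argues an ISP could apply (dropping spoofed egress sources, capping ICMP per node), run over constructed flow records. This is an added example, not code from the thread; the customer prefix 203.0.113.0/24, the (timestamp, src_ip, proto, bytes) flow shape and the 64 kbit/s cap are all hypothetical.

```python
"""Added example: egress anti-spoofing plus a per-node ICMP cap, as an ISP
gateway might apply them, evaluated over constructed flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

ISP_PREFIXES = [ip_network("203.0.113.0/24")]   # hypothetical customer space
ICMP_CAP_BITS_PER_SEC = 64_000                  # hypothetical per-node cap
WINDOW_S = 1                                    # measurement window

def is_spoofed(src_ip: str) -> bool:
    """Egress anti-spoofing: a packet leaving the ISP must carry a source
    address the ISP actually assigned (BCP 38 style check)."""
    addr = ip_address(src_ip)
    return not any(addr in net for net in ISP_PREFIXES)

def icmp_over_cap(flows):
    """Return {src_ip: peak_bits_per_sec} for sources whose ICMP output in
    any one-second window exceeds the cap; TCP/UDP flows are not counted."""
    buckets = defaultdict(int)              # (src, window index) -> bits
    for ts, src, proto, nbytes in flows:
        if proto == "icmp":
            buckets[(src, int(ts) // WINDOW_S)] += nbytes * 8
    peaks = defaultdict(int)
    for (src, _), bits in buckets.items():
        peaks[src] = max(peaks[src], bits)
    return {src: bps for src, bps in peaks.items() if bps > ICMP_CAP_BITS_PER_SEC}

def classify(flows):
    """Split flows into the two buckets a gateway rule set would act on."""
    spoofed = sorted({src for _, src, _, _ in flows if is_spoofed(src)})
    return {"spoofed_sources": spoofed, "icmp_flooders": icmp_over_cap(flows)}

# Constructed sample: one host sending 100 x 1000-byte pings in one second
# (800 kbit/s), one normal ping, and one flow with a source outside the prefix.
SAMPLE_FLOWS = (
    [(10.0 + i / 100, "203.0.113.7", "icmp", 1000) for i in range(100)]
    + [(10.5, "203.0.113.9", "icmp", 64)]
    + [(10.6, "198.51.100.4", "udp", 512)]
)

if __name__ == "__main__":
    print(classify(SAMPLE_FLOWS))
```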
From http://www.msnbc.com/news/864184.asp
Within a few hours, 25,000 back-end database servers had been infected, said Oliver Friedrichs, senior manager with Symantec Corp.'s security response team.
If they were truly 'backend', they wouldn't have been infected. This is because of all those open and live MS SQL servers.
I don't like that one of the linked articles suggests an end of IRC. Any server can be DDoS'd and there's nothing that makes IRC more vulnerable than any other service being provided. In general, the IP addresses of hubs are hidden from ordinary users, so the worst damage that can be done is taking some client servers offline.
Yes, the kiddies get large botnets, but that doesn't mean they win. There were times a few years ago that most EFnet servers were offline for days, and EFnet lost many servers during that time. But the kiddies were never able to destroy the network, and it's come back stronger than ever. If anything, the kiddies didn't hurt the network, they made it better. There's a chanfix, inspired by the attacks, to restore opless and some taken-over channels. This goes a long way to preventing attacks. Most of the EFnet attacks were motivated by channel disputes.
Undernet has hidden which server a user is connected to and has disabled commands such as /links. There's now a +x mode which, if a user is logged into X/W, hides the user's host.
Where I'm going with this is that the best IRC networks generally survive the attacks and are stronger in the end. I don't think an attack on Dalnet is the end of IRC.
While I'm no expert on this, as a longtime user of IRC, in the past couple years I've seen a huge rise in the number of users who send you a website to visit upon joining a channel. Some networks take the steps of helping these users remove the trojan, or removing them from the network. On the other hand, some networks do nothing to solve these problems. If these are the same trojans that provide DDoS bots, opers could be doing a lot more to track down and solve the problems. I, for one, often report these to EFnet opers, and the opers are almost always quick to remove the user from the network.
What's my point in all of this? With some common sense, some coding skills, and opers who are willing to help, a network can solve a lot of its problems. If EFnet and Undernet managed to overcome DDoS attacks many times in the past, one wonders why Dalnet wasn't able to.
And the end of Dalnet doesn't mean the end of IRC. Other networks are better prepared to deal with this sort of thing, and can survive much more than Dalnet has. While the article raises valid concerns, it's written from the standpoint of someone who doesn't seem to know much about other networks.
Anyway, I hope Dalnet doesn't just cease to exist. Somehow I doubt it will, though.
Are you saying he should have 2 computers when he only needs one???? Not everyone can throw around money.
The Microsoft servers are a different story. They should have lots of backup systems running because they serve millions of people. Not to mention this is caused by a security flaw they carelessly created.
This guy is hardly being hypocritical.
I realize that this may seem silly, but I still don't get just why M$ isn't liable for at least some of these damages. They release a compromisable product, they sell said product, they quietly release a patch of said product, then worm kills said product. I'm sorry, but the costs of releasing buggy code (particularly at M$) are so high that it is more reasonable to have harsh punishments to companies that release said code than to waste energy finding kiddies who will always exploit holes.
-Sean
Speaking of BSD and DDoS attacks;
What's the general opinion here about slashdot linking to freebsd's main ftp server every time there's a new version, before it's been officially announced or mirrored?
How about slashdot linking to small personal servers, knowing full well that 99% of the time this is going to effectively make those servers inaccessable for a day or two?
Is Cmdrtaco a script-kiddie?
Uhh...the Slashdot article on the sale of DALnet was a joke, but the DDoS attack on DALnet is very real. Actually, several IRC networks have been getting DDoSed in recent months.
The (new) article referenced in this article's initial post describes, not a DDoS attack on the IRC server, but a use of the IRC server as a control point for a DDoS attack on something else. (The "bots" - infected machines - connect to the IRC server and lurk on the channel for their master to give them orders.)
So perhaps the DDoSing of DALnet and/or other IRC servers is not an attempt to take out the servers themselves, but a side-effect of the progeny of a particularly fecund worm "phoning home" to ask for futher orders.
And perhaps those trying to track down the authors of the worms will soon be bugging the worms' favorite IRC servers in the hopes of tracing the perpetrator when he finally logs in to give 'em marching orders.
(A marching army of worms. What an image. Something like an angry horde of banana slugs on pogo sticks.)
Worse yet would be an attempt to shut down IRC servers in general. Of course this wouldn't stop the worms, as the authors would quickly switch to another method of controlling them. So it would just eliminate another Internet tool without having any perceptible benefits.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way.
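The "bots connect to the IRC server and lurk on the channel" pattern described in the post above, turned into a detection an IRC operator could run over server logs. This is an added example, not code from the thread; the log line format ("<epoch> JOIN|PRIVMSG <nick>!<user>@<host> <#channel>"), the thresholds and the sample lines are all constructed assumptions.

```python
"""Added example: detect the "connect and lurk" bot pattern over constructed
IRC server log lines (hypothetical format, see the lead-in)."""
import re
from collections import defaultdict

MIN_JOINERS = 5   # hypothetical: distinct silent hosts needed to flag a channel
BURST_S = 60      # hypothetical: join burst window in seconds

# "<epoch> JOIN|PRIVMSG <nick>!<user>@<host> <#channel>"
LINE_RE = re.compile(r"^(\d+) (JOIN|PRIVMSG) (\S+)!(\S+)@(\S+) (#\S+)$")

def parse(lines):
    """Yield (ts, event, host, channel); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, ev, _nick, _user, host, chan = m.groups()
            yield int(ts), ev, host, chan

def suspect_channels(lines):
    """Return {channel: sorted hosts} for channels where at least MIN_JOINERS
    distinct hosts joined within BURST_S seconds and none of them ever spoke."""
    joins = defaultdict(list)    # chan -> [(ts, host)]
    talkers = defaultdict(set)   # chan -> hosts that sent a PRIVMSG
    for ts, ev, host, chan in parse(lines):
        if ev == "JOIN":
            joins[chan].append((ts, host))
        else:
            talkers[chan].add(host)
    flagged = {}
    for chan, evs in joins.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):          # sliding window over joins
            window = {h for t, h in evs[i:] if t - t0 <= BURST_S}
            if len(window) >= MIN_JOINERS and not (window & talkers[chan]):
                flagged[chan] = sorted(window)
                break
    return flagged

# Constructed sample: six hosts join #x1 within 25 s and never talk;
# three humans join #chat twenty minutes apart and chat.
SAMPLE_LOG = (
    [f"{1000 + 5 * i} JOIN b{i}!x@10.0.{i}.2 #x1" for i in range(6)]
    + [f"{2000 + 1200 * i} JOIN u{i}!u@host{i}.example #chat" for i in range(3)]
    + ["2100 PRIVMSG u0!u@host0.example #chat", "3300 PRIVMSG u1!u@host1.example #chat"]
)

if __name__ == "__main__":
    print(suspect_channels(SAMPLE_LOG))
```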
However, I suspect this new worm's ("Bill's Tapeworm" as I heard another slashdotter call it) DDoS payload was a side-effect and likely accidental.
Perhaps the worm was really just trying to replicate itself and not meaning to do any damage yet...because that comes later.
Does anyone know if this worm offers its creators a way to do damage later? Maybe the goal last night was to infect a bunch of servers that would be put to use in a more permanently damaging way later on. After all, the slowdowns last night lasted mere hours and served only to make sysadmins sit up and take notice, and improve security--maybe the slowdowns were completely unintentional and unexpected. Mayhaps the ultimate goal was to use the worm to destroy the records in the databases, rather than just take out the databases temporarily.
I don't know, maybe some people get a kick out of an attack that gets lots of press but has no lasting effect--but it seems more logical to me to assume that the perp was going for a more permanent slowdown/loss of data.
Remember that the attack only affected MS servers, and MS has plenty of enemies. If the attack had wiped out the transaction, inventory and employee records of thousands of companies, people might actually think twice about using MS products in the future.
I'm not terribly knowledgeable about these things and don't know if the worm could have been put to such a use had it managed to go unnoticed last night, so correct me if I'm wrong on that (though this being /., I'm sure someone will "correct" me even if I'm right).
I found the meaning of life the other day, but I had write-only access.
from the article "But this patch required manual editing of critical system files, something many administrators just aren't comfortable doing. "
WTF!!
What administrator doesn't feel comfortable configuring their fucking network/system!?
what a joke...