DDoS for Fun and Profit
First there's the Microsoft worm, reported earlier, which in addition to all the other damage has apparently knocked Microsoft's Windows XP activation servers (and Bank of America ATMs) off the net. Then we've got a report about the ongoing demise of DALnet, perhaps not the way we expected it to go. And Canada discovers a risk of online voting.
Geez, Dalnet and EFnet are beginning to sound like Apple - they're *always* "going out of business" or something like that.
Wait, the difference is that Apple is still on the net. Heh.
OK, I can see how some script kiddie might think that orchestrating a DDoS attack might be fun but how would he profit from it?
Anyone?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
from the conspiracy theory dept.:
Just a conjecture, but it wouldn't seem out of step with **AA tactics to take down DALnet in order to curb illegal file sharing.
~Chaltek
I would put money on it that tomorrow will be the generally fastest day of the internet all year (not saying much it's January). Everything important will be patched, and all the home pc owners that don't know jack about computers will say, "I don't want to catch that virus I heard about on the news, I better wait a day until it dies down". Thus more bandwidth for everyone else.
leprkan...
why would they use online voting when they could simply use chad-laden punch cards??
Microsoft can't even secure their own servers? How can we expect their OS's to run securely on our servers?
This is from HardOCP.com:
It's 2:20 CST and I'm trying to activate a copy of XP. I need to, because this repair/upgrade (changed mb, disk controller, video, hdisk, NIC, RAM, USB revision, CPU, etc) I can't logon without activation.
Except, I CAN'T ACTIVATE. I am told there is no way ANY copy of XP can be activated in the next 5 hours because of (drum roll)
** Routine maintenance **. I mean, I asked: I said
"You don't have some little stand-alone machine that reads a DVD database so you could stand in line and do it?"
"You don't have a couple hundred "last resort" number ranges? You can call me back tomorrow!!!"
"There's not some guy you can go ask? Ya can't call Bill at home?"
So, I gotta stop my project for some unknown length of time. Good thing I'm not updating a medical drug interaction database, or an available transplant database, or a process flow control system or a hazardous atmosphere measurement system or a BUNCH of other possibilities. In my case, either I miss the superbowl, or my car dealer can't find and order Volvo cars on Monday. Life will continue.
But, I'm still seriously pissed. Call 'em at 888-571-2048 and try for activation.
And let's think about the true meaning of the fact you can't release liability for the consequential damage resulting from negligence. I mean, I have NEVER heard about "routine maintenance" on the 24.7.365 activation promise...
Well, on to the next job...
So torn...should I damn Microsoft for providing easy replicative means to fuck up the net all day, or thank them for providing the means to disable the XP activation servers?
When your enemy is their own worst enemy, does that make them your friend?
Head...aching...
It's dated January 24. Nothing about April.
DALnet has had practically no public servers available since sometime early December, this thing is no joke.
Does anyone ever check the dates on articles? Or the content?
Uhh...the Slashdot article on the sale of DALnet was a joke, but the DDoS attack on DALnet is very real. Actually, several IRC networks have been getting DDoSed in recent months.
Heh, looks like it took out a big portion of Bank of America's ATM (cash) machines!
Link
I can't believe that BoA has their ATM's on the internet -- anyone know more about how it got to their ATM network?
Feeling of power basically. They want to be "ph33r3d" and to run DalNET (or whatever else) into the ground would make them the most powerful people on DalNET because they have power over everyone else and the network is completely at their mercy.
That this is just an inherent problem in the internet's sociology and architecture isn't really a term in the equation but there you go.
I didn't get any spam today... can you guys do this DDOS thing more often? :)
I do not believe the people responsible for such attacks realize they are being self-destructive. The only end goal of such actions is not to increase security-mindedness in the computer world, but rather scare the normal users, the public, from ever touching the Net. Without the users, companies will be stretched to find the cash to keep up the backbone structure and I am sure it would fall apart. The media hypes anything that is detrimental to the public, including viruses, DDoS attacks, etc. This does nothing but a) scare users off the net 2) make the Net look bad to the public. So are all these kids out there pulling stunts going ahead with the goal of destroying the Net in mind? Even though that seems to be all they know? Interesting, work to destroy the only thing you know. Perhaps I should start a crusade to physically destroy computers too? My actions would teach people they do not *require* their computers to survive right? Just like taking down sites will serve to show people security vulnerabilities?
You know, since 9/11/2001 it seems that every attack of any kind has been labeled an act of terrorism.
Those who start these DDoS attacks are seen less like your standard fare and labeled TERRORISTs. I don't see them creating terror. Perhaps we should all take a look at this definition of terrorist from Merriam Webster:
One entry found for terrorism.
Main Entry: terrorism
Pronunciation: 'ter-&r-"i-z&m
Function: noun
Date: 1795
: the systematic use of terror especially as a means of coercion
- terrorist /-&r-ist/ adjective or noun
- terroristic /"ter-&r-'is-tik/ adjective
Usama and his bunch are terrorists.
The people responsible for this attack are more akin to electronic warriors. Whether or not they are right in their methodology OR targets makes them no more and no less. Yes, they are criminals, but I really don't think any such attack against any company that experiences so many can be called a "random act of terror". It's more like a concerted effort to destroy said company.
Had they issued some sort of demand with a threat of physical violence, I'd change my opinion, but as it stands the people responsible are criminals/warriors.
"There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
I hope the people who are responsible for this attack (which is technically terrorism) are thrown in jail. It will likely be a long sentence.
I seriously doubt Bill Gates and other Microsoft programmers will spend any time in jail at all over this.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Of course the modified version someone else now crafts that starts spreading sometime next week might actually aim to do some persistent damage, but this version didn't.
In fact, you might even regard this as a blessing in disguise. The worm spread on a Friday night/Saturday morning, when least business would be affected. As of this morning, most ISPs now have filters in place, so any follow up isn't likely to do much damage, and it will now be hard to launch a really destructive attack using this particular vulnerability in future.
- Fzz
When will the ISPs start getting off their respective behinds and start doing something about this? With the broadband ISPs' subnets accounting for so much of the destructive power of these DDoS attacks, they have a responsibility to at least attempt to ameliorate their impact.
It's not hard to set up simple routing rules to at least curb some of these attacks. Hell, a lot of ISPs still even route spoofed IP packets out of their networks - this is nowhere near acceptable. Realistically, there is no real application for a constant stream of ICMP traffic coming from a single node - there should at least be a maximum allocatable bandwidth for ICMP set at the ISP's gateway. Obviously UDP and TCP based floods are more difficult to manage, but throttling ICMP based floods would be a step in the right direction.
All this is IMHO, of course - users have a responsibility to secure their machines, obviously, but it's going to be a hell of a lot easier to secure a few gateways and routers than a million home PCs.
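The two gateway rules proposed in the comment above (drop outbound packets with spoofed source addresses, and cap ICMP bandwidth per node) can be modelled in a few lines. This is an added example, not part of the original thread; the `EgressGateway` class, the 8000 bytes/s cap, the 4000-byte burst and the documentation-range addresses are all assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter

class EgressGateway:
    """Toy model of an ISP edge router's outbound policy (hypothetical, not a real router API)."""

    def __init__(self, customer_prefixes, icmp_bytes_per_sec, icmp_burst_bytes):
        self.prefixes = [ipaddress.ip_network(p) for p in customer_prefixes]
        self.rate = icmp_bytes_per_sec
        self.burst = icmp_burst_bytes
        self.buckets = {}  # source address -> (tokens in bytes, last timestamp in ms)

    def decide(self, ts_ms, src, proto, size):
        # 1. Source validation: a packet leaving the network must carry a
        #    source address that belongs to one of the ISP's own prefixes.
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in self.prefixes):
            return "drop-spoofed"
        # 2. Only ICMP is capped; UDP and TCP pass untouched in this model.
        if proto != "icmp":
            return "forward"
        # 3. Per-source token bucket, integer arithmetic so results are exact.
        tokens, last = self.buckets.get(src, (self.burst, ts_ms))
        tokens = min(self.burst, tokens + (ts_ms - last) * self.rate // 1000)
        verdict = "forward" if tokens >= size else "drop-icmp-rate"
        if verdict == "forward":
            tokens -= size
        self.buckets[src] = (tokens, ts_ms)
        return verdict

def constructed_traffic():
    """Constructed sample: (ts_ms, src, proto, size). Addresses are documentation ranges."""
    # One customer host sending 1000-byte ICMP packets every 10 ms for a second.
    flood = [(t, "198.51.100.7", "icmp", 1000) for t in range(0, 1000, 10)]
    # Packets claiming a source outside the ISP's prefix.
    spoofed = [(t, "203.0.113.9", "udp", 400) for t in (5, 15, 25)]
    # Ordinary traffic from another customer: one ping and two TCP segments.
    normal = [(500, "198.51.100.20", "icmp", 84),
              (510, "198.51.100.20", "tcp", 1500),
              (520, "198.51.100.20", "tcp", 1500)]
    return sorted(flood + spoofed + normal)

def run():
    gw = EgressGateway(["198.51.100.0/24"], icmp_bytes_per_sec=8000, icmp_burst_bytes=4000)
    return Counter(gw.decide(*pkt) for pkt in constructed_traffic())

if __name__ == "__main__":
    print(dict(run()))
```

The flooding host gets its burst allowance and then roughly one packet per 125 ms, while the other customer's single ping is unaffected because the bucket is kept per source.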
From http://www.msnbc.com/news/864184.asp
Within a few hours, 25,000 back-end database servers had been infected, said Oliver Friedrichs, senior manager with Symantec Corp.'s security response team.
If they were truly 'backend', they wouldn't have been infected. This is because of all those open and live MS SQL servers.
Seems the US military managed to leave an unpatched SQL server open to the world...
Post 9/11 Godwin's Law corollary: As a Usenet discussion grows longer, the chances of a comparison involving terrorism or bin Laden approaches one.
I therefore declare this thread over and whatever ideas you meant to express discredited.
I guess it's good that Kevin Mitnick has started his own consulting firm. Hmmmm.
http://interviews.slashdot.org/article.pl?sid=03/01/20/1254218&mode=thread
Let me try my first profit post:
1) Free Kevin
2) Start Consulting Firm
3) (cough... cough)
4) Profit!
Seriously - I'd hate to be Kevin Mitnick right now... There's probably 20 different gov't agencies all getting the warrants right now. "This much havoc can only come from ONE man!" Mwuwuwuwahahhahaha.
Like Teddy with an elephant gun.
Whoever might be thinking that this is just your typical round of script kiddies attacking dalnet is dead wrong. DALnet is in more than serious trouble -- for the most part it's already dead.
As a DALnet veteran and an op of one of the top 20 channels (#80s-cartoons), I can tell you that almost all of the major channels have now moved to other networks for good. Ever since the beginning of December we had outages that would last anywhere from 4 days to a WHOLE WEEK where no one could connect to a single server in the network.
The gall of some people is pretty amazing. Apparently, these current DDoS attacks have been orchestrated by someone (or group of people) that are holding the DALnet network ransom and are demanding that dalnet pays them X amount of money to stop the attacks. Mind you, these attacks have been going on for about 2 months now, and these people still aren't in custody of law enforcement. It just goes to show you that the only thing that seems to get the FBI involved in computer crimes is corporate cash. I guarantee you if such an attack was launched against a commercial website, the feds would snag these fools within one day; but since this is a non-profit organization, they seemingly don't give a shit.
A lot of the big channels from DALnet have gone to EFnet. The irony in this is quite painful (Since DALnet was initially formed by disgruntled people from EFnet trying to escape shitty service in the first place.)
One plus about leaving DALnet on to greener pastures has been zero PM spam on the new networks at least. Well, for now.
"The Wright brothers were the first to fly with a heavier-than-air machine, but boy did they have a lousy plane"
Just one quick point I forgot to make...
Note that hardly any of the viruses, worms, etc cause any real damage. Imagine the harm you could do if you really wanted. Imagine if code-red wiped the drive. Imagine if this SQL worm spread really slowly and randomly modified the SQL database. If it wasn't detected for ages, yet had slowly deteriorated the database over a matter of months hence rendering backups next to worthless.
Are you saying he should have 2 computers when he only needs one???? Not everyone can throw around money.
The Microsoft servers are a different story. They should have lots of backup systems running because they serve millions of people. Not to mention this is caused by a security flaw they carelessly created.
This guy is hardly being hypocritical.
Unless, of course, he did the install 30 days ago, and waited to install NOW. Point is, this really doesn't matter, and this guy can kiss my ass -- "I gotta stop my project for some unknown length of time" sounds like the lamest excuse I've ever heard. Maybe he's gotta make a run to Krispy Kreme. Regardless, XP allows you 30 days grace (beta versions 14 days).
Well, I can see why Bruce Perens added you to his foes list.
The 30-day grace is for an initial install. For hardware changes the rules are different:
Source: Service Pack 1 Changes to Product Activation. So apparently the guy had the nerve to install new hardware on an XP system that didn't have this service pack applied.
The take home lesson here: until the activation servers come back up, you should not install any new hardware on an XP system or your machine will be rendered inoperable. Unless you've installed SP1 first. In that case you can install your new hardware and cross your fingers that the MS activation servers are back up within 72 hours.
There have been at least two, possibly three or four, occasions where DALnet just shut down completely for a period of at least a few days (this latest one being in the range of like a week). After the first "big" DALnet shut-down, it seems a lot of channels moved to other networks; most of these channels have even gained numbers. Seems even if DALnet does return, a lot of the channels that left it will stay on their new-found networks. The few anime channels that came back to DALnet are very slowly gaining back their numbers, but they're nowhere near the levels they used to be. As of right now, the highest count is 51 users, which is really low for a DALnet anime channel. Highest warez channel count is 68, which is also really low for a DALnet warez channel. And even the MP3 channels, which probably were some of the biggest channels on DALnet, have lost major numbers. I seem to remember them being in the area of like 600+; current count is 166. So yeah, DALnet has really been taking it in the ass.
General consensus around the parts i hang out seems to be that losing DALnet wouldn't be such a bad thing. We'd all move our channels to other networks, and be done with it. Chat channels would really love EsperNet or IRCnet, and warez/MP3/ISO/PlayStation/etc. channels have a half-dozen networks to choose from, most notably EFnet (though i despise it). Anime channels would thrive on Aniverse. DALnet was great, but, unless things see a really dramatic improvement, i think there are many that would agree that it needs to be put out of its misery as soon as possible.
What has made this all really lame has been the fact that DALnet hasn't really said anything about this. Their eZine (the DALnetizen) has truly been the opposite of helpful throughout this whole ordeal. It seemed as though DAL was almost oblivious to what was happening. There would be a paragraph about Christmas, a paragraph about the benefits of PHP, a paragraph about poems, a paragraph about some new op or something, and then tucked away in a little corner would be a little sentence or two along the lines of "ps dalnet si getitng ddosed pls bare w/ us thx". After this most recent attack, however, they've started to get their act together a bit, and have posted a lot more information regarding the situation. Information can really be helpful to their users, if they want to keep them.
Also not helping the situation are rumours(?) to the effect that the DALnet administration has resorted to childish finger-pointing, and have pretty much detached themselves from each other. DALnet isn't really doing a very good job of assuring its user base that it'll be alright. :/ Hopefully, if DALnet is to survive, this will be remedied.
And, finally, the biggest blow to DALnet has been the de-linking of several of its (best) servers. Almost all of the "good" servers, the ones that everyone had as their first picks, have disappeared. Even the "fall-back" servers seem to be gone. Evidently DALnet is picking up a few new (or renamed, maybe, i can't be sure myself) servers, even in light of the attacks, however.
So DALnet's fate is really unknown. No one can be sure, but for now it's functioning, at least in the sense that it has the ability to carry users. Who knows, though, it could be down again tomorrow.
and in addition to needing to piss and shit like crazy, I just became too paranoid to go to the bathroom.
That set me thinking -- windows XP activation is 30 days, right ? If you don't activate, what happens in 30 days ? It demands you activate or it locks up.
How many people when installing or starting up a new computer for the first time ignore the activation because they've got to try it out right now ? A lot. What day was 30 days ago ? December 25th. What day probably features more people opening up new computers than any other ?
Perhaps they didn't try to attack the activation servers specifically, but simply thought of bringing down the net to stop the wave of Jan 25th activations, and got the activation servers as a lucky bonus.
One entry found for terrorism.
Main Entry: terrorism
Pronunciation: 'ter-&r-"i-z&m
Function: noun
Date: 2001
: any activity against which more extreme measures are desired than current law permits. commonly used to argue that due process and public debate are unwarranted in this instance.
- terrorist /-&r-ist/ adjective or noun
- terroristic /"ter-&r-'is-tik/ adjective
sic transit gloria mundi