Slashdot Mirror

← Back to Stories (view on slashdot.org)

Online Attack Hits US Government Web Sites

Posted by Soulskill on from the world-war-three-point-oh dept.

angry tapir writes "A botnet composed of about 50,000 infected computers has been waging a war against US government Web sites and causing headaches for businesses in the US and South Korea. The attack started Saturday, and security experts have credited it with knocking the Federal Trade Commission's (FTC's) web site offline for parts of Monday and Tuesday. Several other government Web sites have also been targeted, including the Department of Transportation."

4 of 199 comments (clear)

  1. Re:blame China by William+Robinson · · Score: 4, Informative

    No. They are suspecting North Korea

    --
    hilarious
  2. Pull the Gdamn plug! by cdn-programmer · · Score: 3, Informative

    All that is required is to pull the damn plug on these bots. Each of these machines has and IP address which it advertises every time it makes an attack. That's right folks: The return IP address is part of the header. You can't route packets without this information.

    These feral packets _ALSO_ come into the ISP's routers. It is easy to identify them. Uninfected machines don't normally sit there and hammer away at port Blah. Some of the worst ports are 80 (html), 25 (mail) and 22 (SSH).

    One really needs to only look at the ports that the botnet tries to exploit.

    A simple solution is to pull the plug. A solution which is slightly more difficult is to block the ports the botnet is trying to attack on and then redirect any web access to a banner page advising the owner their machine is cracked and what to do about it... or a tech could phone the client.

    _any_ ISP can do this. If they don't do it then they don't want to. As for consumer rights - crap! Its the ISP's which write the Terms of Service. They can put pretty much any terms they want providing said terms are considered reasonable. The public will probably not object. Spammers might however but then who cares if they can't find an uplink.

    So the first place to start is at the ISP level.

    Next: I've blocked botnets of more than 50,000 machines. I use OpenBSD on the webservers and on the firewalls. Its not that hard to do. Pf can easily handle this. If the server admins over at the "US Government Web Sites" can't handle this then IMHO they are incompetent. If reference, here is an example of how to block these bots in PF:

      pfctl -t spammers -T add 190.174.220.241
      pfctl -t spammers -T add 67.10.200.220
      pfctl -t spammers -T add 125.161.37.199
      pfctl -t spammers -T add 71.218.209.198
      pfctl -t spammers -T add 202.28.120.19

    This is a shell script BTW. extracting the list of bots can be done by scanning the appropriate logs.

    1. Re:Pull the Gdamn plug! by kybred · · Score: 5, Informative

      Each of these machines has and IP address which it advertises every time it makes an attack. That's right folks: The return IP address is part of the header. You can't route packets without this information.

      Not necessarily. For SYN flood the src address can be spoofed, since the attacker doesn't care if he gets the SYN-ACK.

      What the ISPs could do for this is to filter outbound traffic such that if the src IP is not on their network (i.e., is spoofed) the packet is dropped.

  3. Re:blame China by Anonymous Coward · · Score: 3, Informative
    It's IP ADDRESSES, not fucking IP NUMBERS.

    purple monkey dishwasher