Distributed Denial of Service Attacks
hetairoi was one of the many people who wrote to us about ZDNet's coverage of "distributed coordinated attacks", a new style of denial of service attack. Rather than using just one machine, efforts are coordinated through multiple servers, making server defense more difficult. Huh - does the Slashdot effect count? *grin*
Old news! Favorite pastime for Back Orifice farms is DOS attacks. I have seen 400 BO cable modem farms in action take out a small ISP with no trace to the attacker, as none of his packets go anywhere near the target.
Major Domo is not a person first of all. It's a program that does what you're describing, mailing lists. --- Hi ThiS is A ReAalY EliTE sIGnArTuRE --- Jefus Crest ---------------------------------------------
I would rather shave my cat than put up with offtopic postings like this. The first thing I'm gonna do after I write this is change my threshold to +3 so losers like you don't make it in the articles, then I'm gonna find a cooler web site.
Webster's defines nitpick as one who posts irrelevant crap. Head back to alt.mindless.crap where you belong!
I've seen hundreds of bots (eggdrops) linked together, sharing a tcl with some DoS support and being able to ping (not CTCP ping) any machine the botnet owners choose to attack.
Needless to say, 95% of shells were hacked.
This is not new stuff.
Praise Bob! You have no idea how happy I am to learn that other /. readers are also engaged in the a.r.s. struggle. It's nice to know that there are other /. readers who care about something besides the Linux v. Microsoft v. FreeBSD debate.
Actually, if you check around, you'll find that "script kiddy" is a euphemistic way of spelling "criminal." Making them seem like immature brats just makes it harder to lock them up. And lock them up we will, it's becoming more and more important.
There is a lot of speculation and misinformation in people's responses. Nobody is using Windows boxes or cable modems to do the DoS'ing. The groups who have large trinoo (a client/server distributed DoS program) networks are NOT just script kiddies, but they also aren't international terrorists. They're more concerned with terrorizing people who won't give them free warez and mp3s and shells. They have hundreds, maybe even thousands, of rooted Solaris and Linux boxes. They scan the net 24/7 for wu-ftpd, imapd,
Wouldn't it be better if developers just quit being spectacularly incompetent instead?
Forgive my ignorance. But why don't SysAdmins just configure their routers/firewalls not to respond to remote ICMP requests? I know our router is configured not to respond to any pings from a subnet other than its own. Can someone enlighten me?
I keep seeing these posts about how this is nothing new, etc. The problem isn't new, it's the application of the attack. Back even just three years ago, taking out a company's email server might have caused problems, but think about a planned attack on all of Visa or some other big company. The gov has no idea what we are getting into. We can't protect ourselves from another country; they just don't have the knowledge to take us out yet. Right now, ignorance is our only protection.
The fact that ZD is just now covering this only goes to show that the Windows biased media is just as clueless as the newspapers and nightly news broadcasts. They all seem to be in their own little backwards world where Windows is the center of the universe, Linux is a cheap little hobby OS written by a bunch of geeks, and that dreaded Y2K bug is actually a threat. These are also the people who can't get the terms "hacker" and "cracker" straight.
This multiple location DoS technique isn't new at all; over a year ago, a few friends and I killed the connection of some jerk who was harassing us, and we did it with only a few low bandwidth ping floods from various geographic locations. I also successfully used it to defend myself from a single, but high bandwidth, DoS flood.
This technique has also been in our news before. I believe it was used for the FBI.gov attack a few months ago. Although it can be very effective, it's no ultimate DoS weapon.
I did this 3 years ago. I wrote a suite of master/slave shell scripts that could scale up to thousands of Sun Solaris workstations scanning a class B network in just a few minutes; well, I managed to blow up the campus NFS server due to all the stations mounting users' home dirs through automount/NFS, and the task was pretty write intensive (try to write 100-500 files each second through NFS and see how well the server manages it) :-)
what is a.r.s?
There Is No Lumber Cartel....
http://come.to/the.lumber.cartel
There Is No Lumber Cartel....
I am not recommending doing this! This is only for the challenge of figuring it out!
Injured software engineer wins against Mattel!
You'd think some company's lawyers would have patented this kind of revolutionary use of denial of service attacks. I mean it's not every person who can think of pinging from more than one ip address. In fact I think I'll file a patent on it right now before anyone else gets it. ::For the record... I assumed long, long ago that anyone launching a serious DoS attack would want to do it from multiple locations anyway. (I just didn't see a good attack resulting from my 56k modem, now 1000 56k modems randomly switching IPs, that would show 'em.)
I did something similar to this by accident once. At the time I worked for a company that had a full T1 but our upstream provider wasn't very good at monitoring their routers. These routers liked to go down often and it was up to us to tell them about it.
:-)
I wrote a script that sat on our linux webserver and our linux mail server that every 2 minutes sent a ping to an outside server. I picked my ISP's DNS server because I knew it was reliable enough to test our connection. I wrote the script on a Windoze box and FTP'ed it to the linux boxes. What I had forgotten is that using Windoze ping the ping dies after 4 attempts. On linux it needs an explicit kill. Every 2 minutes from then on each server would start a new ping process without killing the preceding one. OOPS. It launched a multi-server denial of service against my ISP's DNS server. Let's just say my account doesn't work there anymore
That was an article by John Dvorak after he got his new cable modem or DSL line installed. And yes, he got ripped apart for using the wrong terminology then too !
> I thought this idea got a bunch of coverage a couple months back under the name "smurf attacks". Was that something different, or was ZD just looking for filler today?
Yes and yes. What needs to be understood when reading this ZD "discovery" is that ZD needs something *BADLY* to make themselves look like they actually know something about the subject after their recent "Hack Our Machines" farce. However, this particular article wasn't it......
> Wonder how they figure that this is 'new'. Not like anyone hasn't gone down to the open lab one morning and set up a DOS on each machine before. I had to put a new rule on the wall in one of my labs covering just this thing six months ago.
The PC Week Lab guys told them that it was new....
S from "eSpionage"
C from "Criminals"
R from "cRiminals"
I from "crIminals"
P from "esPionage"
T from "Terrorism"
K from "crimINals" - rotate the "n" 45'.
I from "terrorIsm"
D from "Bent" - reflect the "b"
D from "esPionage" - rotate the "p" 90'.
Y from "terroRIsm" - rotate the "ri" 90'.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Even if this wasn't new, there really is no way to stop it. Smurf and Fraggle were good examples of this, with the added bonus of a very good ratio of required attacker bandwidth to the amount of bandwidth used in the actual attack. The attack described in this article could be as simple as sending out thousands of forged ICMP packets to single IPs (unlike to broadcast addresses, as with Smurf and Fraggle). I would be very surprised if people were actually rooting "thousands" of boxes to be used as attack points in an assault such as this; it's too non-trivial for your average script-kiddie DoS monger.
P.S. Any misspellings or faults of grammar you think you detect are merely transmission errors, and probably your fault a
Isn't Pete gay?
"Criminals bent on espionage or terrorism"?!? That's an odd way to spell "script kiddy". rOD.
--
Rod Begbie done this, and he's not
I have received reports from different unrelated sources about various people and organizations who approach breaking into systems very seriously and very differently from the regular crackers. Most of the time they don't bother to invent their own exploits. They take the existing ones and convert them from a simple command-line utility to another weapon in a sophisticated automated cracking engine. By automating the process they can gain access to tens of thousands of machines or more. These tools can break in, cover their tracks and install a hidden back door in seconds.
I'll leave the possibilities of having tens of thousands of machines on well-connected high-bandwidth networks as an exercise to the reader.
----
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
The site has certainly had its share of technical failures - but it was developed with high load in mind, and so it manages to take it.
One major advantage of Slashdot is that until new hardware was bought a few months ago, almost all the pages were static. Before customizable Slashboxes were introduced, the main page was static. The article pages were static until fairly recently - instead of being updated on the fly, a cron job updated them about once a minute. As a result, programs were not run every time someone called up a page - they were run once a minute instead of once a hit, which could be many times a second. (This appears to have changed post-Andover, with some things specific to the user appearing even on article pages. However, this is since the Andover purchase allowed nearly unlimited hardware upgrades).
Many of the Slashdot effect victims have been sites that have bought the Microsoft vision of .ASP and such - sites where every page was generated by a program of some sort. This development methodology is very expensive in terms of hardware when compared to Slashdot's static model.
The Microsoft hype is that pages should be heavily personalized for each individual user. Slashdot does that now, and very cleverly - but I think they had their priorities straight: Create a system that works first, then add neat stuff. Microsoft's approach is to build neat stuff into the system from the ground up, without considering the consequences for system load and reliability.
D
----
There seem to be a few problems with this.
First, I haven't seen Slashdot feature many stories that were not from a site at least pretending to be journalistic. The heart of Slashdot is zdnet, cnn, wired, salon and a handful of other places. When an outside editorial is requested, such as Jon Katz or a book reviewer, it's generally hosted on the Slashdot site itself.
Your suggestion requires that a "foreign" site be nominated, and that nomination be accepted by a member of the Slashdot staff. It seems to me that this would be extraordinarily difficult.
Your best bet might be to crack one of the major sites and wait until Slashdot featured an article on it. Then replace the article with the redirect and you're good to go. Still, that would have legal ramifications and might not be good for a simple prank.
D
----
I thought this idea got a bunch of coverage a couple months back under the name "smurf attacks". Was that something different, or was ZD just looking for filler today?
God does not play dice - Einstein
Not only does God play dice, he sometimes throws them where they
While we're on the subject of grammatical pet peeves - LOSE only has one "o"! I still frequently see things like "this will cause you to loose your connection".
It's petty...but it still makes me twitch. For a group of highly educated people, we just can't spell worth a dam!
(Yes...I did that on purpose!)
------------
There are three kinds of people in this world. Those who can count, and those who can't.
Hacker Public Radio is our Friend
I've seen such attacks as early as 4 years ago, if not sooner. The first was a non-spoofing UDP (non-root requiring) client/server flooding program for *nix, though I can't recall its name (FABI? or something like that). To install a massive number of these things, it'd be all too trivial for someone to set up a perl script which'd parse sniffing logs, then install and launch the program. Furthermore, it could also theoretically be remotely commanded via spoofed packets from the hax0r's dialup linux box (making it difficult to positively trace the hackers and the other machines from the others)
I've also seen perl scripts which jump on a list of backdoors (bind shells, netbus/bo, etc) and simply execute a trivial command like "ping" on a whole list of them. These have been around for a couple years as well.
It's extremely difficult to stop such attacks, on either end: the flooding victim, or the flooder victims. Spoofed or unspoofed. There is a little that can be done. Though DOS counterattacks can work too. Let us imagine that I've rigged up a script to cause a thousand different windoze machines to connect() (via TCP) repeatedly to a service such as httpd (this can cause a great deal of damage to even the best servers). These are obviously not spoofed, and could be effectively DOSed by sending a single nestea style packet to each offending machine. Better to have those few ignorant users' machines offline for a few minutes (preferably with an accompanying email) than deny access to a popular site to millions. Windows can't yet spoof, so this would at least require the hacker to use *nix machines to execute the attack. Unix machines do tend to have more competent administrators, and it's easier to reach them as they're fewer. The hackers could of course spoof, but that would at least require somewhat more skill on the part of the coder (not that script kiddies know the first thing about that anyways).
In the long run, there is simply no solution to stopping this stuff though. There are thousands of ways that a reasonably creative person can come up with, without a great deal of skill, to effectively cripple the internet. This is true today, and it will remain true in the future as long as we have: companies who put security on a low priority, ISPs who're essentially incompetent, and strong priorities on freedom and privacy.
Hi, it seems a lot of you have misconstrued this article into some kind of "new hole", when it is in fact the contrary. This article describes an attack that is all too trivial to undertake. All that is required is a few fast root shells, and a daemon to handle the requests. The result is a denial of service orgy, holding down the victim's connection until the attack ceases. The only way I can see to prevent this is firewalling your own network to prevent a wily script kiddy from using your network to carry out his or her revenge on the internet. If every network was firewalled in such a way, where would the script kiddies "packet" from? Network admins, this is your job, time to earn that check of yours!
--- Stampede linux for me! I play with fire to break the ice..
You mentioned IRC Botnets - another example (and to my knowledge, one of the most common) of DOS attacks is a simple "smurf" attack. It's an easy enough attack: put together a ping request with a forged FROM header, and send it to a network's broadcast address. If the admin has been lazy (and you're on a full class C), you'll wind up with up to 255 computers all pinging the same device.
I've seen this used to blow out a University's web server at the same time as it stresses two Universities' Internet connections. It's not pretty. Or new: Wired News ran an article about escalating numbers of smurf attacks way back in January of 1998.
When they give in to our demands!!
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I don't know much about routing technology, so I don't know how practical this is.
Of course, the only way they could compile the greylist would be to run through IP addresses and test them for security holes, the same way that the script kiddies do. Would that be ethical?
send all spam to theotherwhitemeat@ropine.com
You can tell what kind of day I'm having...
-- Word of the day: Percussive maintenance is the fine art of whacking the crap out of an electronic device to get it wo
Is information. Anyone who thinks otherwise is a fool. The average net user needs to be informed about lax security and how to correct it. Sure, we are the informed, but we also aren't average. Have you done your part to inform others? Until there are tens of thousands of people demanding better security, the software makers won't listen because they think it isn't worthwhile.
Consider this: In a Senator's office, they figure one printed letter is roughly representative of 500 people. Much more if it's handwritten.
If there isn't an interesting story at the other end of a link, I'm not going to go there. (and if Hemos says there is, and I discover that he lied just to bring down a site, I might go somewhere else for my Nerd News, and /. loses ad revenue.)
Now everyone go /. my website
Reality has a liberal bias
I would think that in a distributed DOS attack, as described in this article, it would be easy to identify the large cable modem providers (for example), and it should then be fairly easy to get the provider to get its customers in line.
The distributed attacks are certainly not a new phenomenon. ICMP smurfing is probably the best example of a distributed attack that is entirely automated and usually not detected by the third parties that are involuntarily involved in the attack.
However, the distributed attacks are becoming increasingly easy to perform, mostly because it is easier for script kiddies to get access to hundreds of poorly protected home computers from which they can launch their attacks. This happens because more and more computers are "always connected" (thanks to cable modems) and because most software vendors do not educate their users with some basic security hints. They do not want their customers to be scared away when they discover that the security issues on a computer are more complex than they thought. So it is usually in the vendor's best interest to ignore the risks of connecting a computer to the Internet.
Anyway, the article should not present this as something new. Something that becomes more frequent or harder to detect, maybe. But new, certainly not.
Of course, one could also wonder why these articles about cyberterrorism and various kinds of attacks involving the Internet are becoming more frequent in the mainstream press. As one of the talkback comments mentioned, maybe some people or some government agencies would like to use these reports to justify the need for stronger control over what is exchanged on the Internet.
-Raphaël
yap
"There are no cool guys in musicals." -- Coach McGuirk
Greylist: netscan.org
Here's a list of the most offending broadcast IPs on the net, and anyone who can parse HTML can get a nice smurf broadcast list from here.
Of course, it also can be used as a good place for a netadmin to set up 'ignore broadcasts from x ip'.
A distributed.net/seti@home type client called SpamSlam. When you get spam, you paste the originating address into the client and it sends it to the master blacklist server. The blacklist server allocates work units to that address whenever the number of votes for it exceeds a certain threshold, then based on the percentage of votes sent in for that offender.
Then, all your spare cycles are dedicated to retrieving server IPs from the blacklist main server and ping-flooding the offenders. Potential for abuse is high, but it would certainly get the point across to spammers if the selection of targets could be well regulated. The spammers couldn't sue you for unwelcome use of their network without undermining their own position and business model.
hee hee hee.
Ah, posting as an AC today I see.
Here's a hint - if you are really so upset at Hemos' English skills, try **e-mailing him directly**.
Posting this here adds nothing to the discussion, and is certainly not "+1 informative", as whatever mentally challenged moderator has marked it.
I wish all of you grammar-mistake police would take this tip and then we wouldn't be forced to wade through this crap in the comments.
Do you even know anything about perl? -- AC Replying to Tom Christiansen post.
Wonder how they figure that this is 'new'. Not like anyone hasn't gone down to the open lab one morning and set up a DOS on each machine before. I had to put a new rule on the wall in one of my labs covering just this thing six months ago.
Wow, do I feel redundant all of a sudden ;-)
I dunno if these attacks are really that coordinated. A random SYN flood looks like hundreds if not thousands of servers are hammering you all day long. And what's worse is that there's no real way to defend against it.
And as for smurf attacks (ICMP echo-requests destined for the broadcast address), any engineer or network admin worth his salt should be setting 'no ip directed-broadcast' on _all_ of his interfaces. That'll put a stop to that silly shit right now.
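The smurf mechanism described in the comments above (a forged-source echo request aimed at a network broadcast address, answered by every host on that subnet, and the 'no ip directed-broadcast' fix) as an added detection example; this is not code from any poster on this page. It scans a constructed packet log for echo requests sent to the broadcast address of an administered subnet (the packets a directed-broadcast filter would drop) and counts how many distinct hosts replied to each spoofed "source". The subnets, the log format and every address are constructed assumptions.

```python
"""Added example: spot smurf-style traffic in a constructed ICMP packet log.

A smurf attack sends an echo request with a forged source (the real victim)
to a subnet's directed-broadcast address; every host on that subnet replies
to the victim, multiplying the attacker's bandwidth. Disabling directed
broadcast on router interfaces stops the amplification; the functions below
show what such a filter would have caught and how much amplification a
victim saw. Subnets, log format and addresses are constructed for the demo.
"""
import ipaddress
from collections import defaultdict

ECHO_REQUEST = 8
ECHO_REPLY = 0

# Subnets we administer (assumed); their broadcast addresses are the amplifiers.
LOCAL_SUBNETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("203.0.113.0/25"),
]

# Constructed sample log: (src, dst, icmp_type), RFC 5737 documentation ranges.
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.0.2.255", ECHO_REQUEST),    # forged src -> /24 broadcast
    ("198.51.100.7", "203.0.113.127", ECHO_REQUEST),  # same victim -> /25 broadcast
    ("203.0.113.5", "192.0.2.10", ECHO_REQUEST),      # ordinary unicast ping
    ("192.0.2.10", "203.0.113.5", ECHO_REPLY),        # its single reply
    ("192.0.2.11", "198.51.100.7", ECHO_REPLY),       # three hosts answer the
    ("192.0.2.12", "198.51.100.7", ECHO_REPLY),       # broadcast on behalf of
    ("203.0.113.9", "198.51.100.7", ECHO_REPLY),      # the spoofed victim
]


def broadcast_map(subnets):
    """Map each subnet's broadcast address to the subnet it belongs to."""
    return {net.broadcast_address: net for net in subnets}


def find_directed_broadcast_echo(packets, subnets):
    """Return (src, dst, subnet) for every echo request sent to a directed
    broadcast address: exactly the packets a 'no directed broadcast' rule drops."""
    amplifiers = broadcast_map(subnets)
    hits = []
    for src, dst, icmp_type in packets:
        if icmp_type != ECHO_REQUEST:
            continue
        net = amplifiers.get(ipaddress.ip_address(dst))
        if net is not None:
            hits.append((src, dst, str(net)))
    return hits


def amplification_by_victim(packets):
    """Count distinct hosts that sent echo replies to each destination. A
    legitimate ping gets one reply; a smurf victim gets one per amplifier host."""
    responders = defaultdict(set)
    for src, dst, icmp_type in packets:
        if icmp_type == ECHO_REPLY:
            responders[dst].add(src)
    return {victim: len(hosts) for victim, hosts in responders.items()}


def smurf_report(packets, subnets, min_amplification=2):
    """Combine both checks into one report for the operator."""
    amp = amplification_by_victim(packets)
    return {
        "directed_broadcast_requests": find_directed_broadcast_echo(packets, subnets),
        "amplified_victims": {v: n for v, n in amp.items() if n >= min_amplification},
    }


if __name__ == "__main__":
    report = smurf_report(SAMPLE_PACKETS, LOCAL_SUBNETS)
    for src, dst, net in report["directed_broadcast_requests"]:
        print(f"echo request from {src} to broadcast {dst} of {net}")
    for victim, n in report["amplified_victims"].items():
        print(f"{victim} received replies from {n} distinct hosts")
```

On the sample, the two broadcast-bound requests are flagged and the spoofed victim 198.51.100.7 shows replies from three distinct hosts, while the genuine ping to 192.0.2.10 draws exactly one reply and is not reported.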
The "target" list is updated hourly with tens of thousands of co-conspirators ready and willing to do their part for the good of the overall attack.
Many many servers have been brought to their knees by this rogue band of pseudo news followers who claim the "source" is with them.
When will the terror stop?
heh
Since these were discussed in security tutorials at LISA last year, how can they be passed off as 'new'?
For some reason, this story reminds me of a story from back in August about the Internet Auditing Project. It seems to me that what they're doing (i.e. measuring the overall security of the net by probing individual boxes) is the only solution for this kind of DoS attack. Of course, if you wanted to take it one step further, you'd probe your neighbor's box, crack the insecure ones, then patch it for your neighbor. =)
I was just informed last night by my ISP that the main server on my network here (mentasm.com) had received a DoS attack. My ISP reported that the attack came from hundreds of IPs. Because of that they were unable to block the attacker but instead had to block incoming connections to that particular IP on my network.
Mentasm has seen these types of attacks in the past and I've never been able to track them down due to the fact that I have a full time job 35 minutes away from home. Mentasm lives on a 500k cable modem and only provides a handful of shell accounts and web hosting accounts, most of which are given out free.
After the IP was switched off, the attacker never bothered choosing another IP on our network, which makes me believe this is probably random and not specifically aimed at Mentasm. I can't understand why anyone would want to randomly attack servers for no apparent reason.
Has this kind of stuff been going on with broadcast ICMP and other annoying things? (mis-configured routers enable this?) I saw something like this happen at an employer's network over a year ago. We unplugged the T1 uplink and it did not stop. Our best guess was that it was a program running on several machines (solaris) which only stopped after a "mass-scale" reboot. I'm wondering if this is becoming popular or if this has been going on for a while. Anyone have any interesting stories about this?
--Evan
Or crack somebody's account on the CS department's server - the Doom as a sysadmin tool story was posted at a URL of the form "http://www.cs.xyz.edu/~somebody/a/b/c.html". All you need is a subdirectory with write privs.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
Let's say there existed a web server that was not of particular interest to geeks, but which a 3V1L H4X0R wanted to Slashdot. (You know, I just realized that it's awkward to end a sentence with /. - do you end it "/.."?)
3V1L H4X0R sets up a web page of interest to geeks (most likely with false information - say, make up something about Linux running on an Atari 2600) and puts it up on a server somewhere. And maybe the server is some clueless newbie's PC that happens to have a cable or DSL connection. 3V1L H4X0R submits the page, anonymously, to Slashdot.
When accesses to the page start to come in and get heavy, 3V1L H4X0R replaces his page with one that has a redirection URL to the target page.
In fact, I think if he was sneaky enough, he could make his original page load the target in a non-visible frame - or several targets in several non-visible frames - and not even bother with the switch! If 3V1L H4X0R picks small target URLs (say, some small images on the target site), the browser user won't notice the network activity; but of course that would be less load on the target server per browser.
It's a social engineering bait-and-switch.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
from being used by malicious programmers, rather than protecting the target, he said.".
Ack. That is surely the best way to deal with security issues. Let's just put infocops all over the web at the back of every computer to ensure that its user is not misbehaving.
I believe the problem lies elsewhere. It's more about people in the systems administration not having a clue about security, and people in management positions not willing to spend on enough personnel to actually run things the way they should. I've seen too many sites where the 3 systems guys double as DBA/Sysadmin/help desk/tech support and whatnot. And I'm not talking about small business.
In fewer bytes, it's about culture.
+Raider of the lost BBS
I don't know...I wouldn't underestimate these guys. The meme package may be badly adapted right now, but it may always mutate (Hubbard went to extremes to try to make the thing un-mutatable, but it's really not possible to build a meme system that solid. The transcription mechanism (i.e. humans) is just too flaky).
If it does mutate, and it manages to create a variant that is better adapted to the current environs, well, we all know what happens then.
I'll give you an example...suppose they come up with a meme that says "at certain points during his life, Hubbard was possessed by enemy aliens, and wrote deliberately wrong things". Now they have justifications to change operations to suit the new situation (plus great tools for a holy war).
The best way to kill these guys is to dilute and damage the meme pool, by injecting memes like the one above that disrupt the organization.
"Oh, Senator, you're so gullible!" - Buckaroo Banzaii
Damn, re-reading that brought back a lot of laughs. Of particular note - look for the lawyer falling for the "FTP site at 127.0.0.1" troll, as well as the "ARSCC" troll.
The ARSCC troll is particularly amusing. Those of you who read news.admin.net-abuse.email and have heard about the Lumber Cartel (TINLC) - imagine being questioned about "who runs the Lumber Cartel" in a deposition. The ARSCC started out the same way - another fictitious organization cooked up by netizens to troll a group so deeply in denial that they already believed that "since so many people on the 'net disagree with us, they must all be part of the same large conspiracy against us", and they fell for it hook, line, and sinker.
In both n.a.n-a.e and a.r.s., the conspiracy meme was already fully expressed amongst the clams and the spammers, respectively. All the 'netizens had to do was give the Conspiracy a name, and watch its opponents go nuts trying to find out who, in meatspace, was part of it. When properly executed, such a troll leads the opponent into executing a meatspace distributed denial-of-service attack against himself by seeing conspirators wherever he goes.
I'm not at all surprised that many spammers fell for the Lumber Cartel (spammers are, if dogshit will forgive me, dumber 'n dogshit), but the clams fell for the mythical ARSCC even more easily!
The cult's falling for the ARSCC troll indicates another bit of defective memetic programming; by sekrit skripture, they're trained to ask "who are you working for?" whenever anyone questions them, because the notion of "activist" (in the sense of "someone who acts independently and takes personal risk to challenge big organizations when they're misbehaving") simply didn't exist in the 1950s-and-60s memetic environment out of which the cult formed. To the cult, there can be no independent objectors to its practices; anyone who criticizes it is a priori assumed to be part of an organized conspiracy against the cult.
(Any coercive organization generally needs an "enemy" on which it can fixate its members' emotions. Another 50s-and-60s memetic bug either introduced by this, or reinforced by it, in the CO$, is the fact that the cult exists in a universe composed of large organizations battling on roughly equal footings, like superpowers in the WWII and the Cold War. An army defeated because it was "nibbled to death by ducks" was simply inconceivable until after Vietnam, by which time Cult doctrine had been frozen. Oops.)
It's only recently that trolling has become a weapon of memetic warfare per se - fabricating organizations and watching conspiracy-minded loons run around in circles looking for them is, of course, a grand 'net tradition, going as far back as the original USENET Cabal. TINC. The Cabal told me so.
I saw a man upon a stair, a little man who wasn't there
I saw the man again today. Gee I wish he'd go away.
> of the mysterious person called 'Major Domo' who'd been running all those anti-scientology mailing lists
What cracked me up was when they tried to break some PGP-encrypted data on some drives they'd managed to seize from a Netizen. For a bunch of UFO cultists who claim total domination over Matter, Energy, Space, and Time (for only $300,000!) through sheer force of mental will, you'd think they'd be able to break PGP trivially by simply using their powers to apply clairvoyance backwards in time and just watch their enemies entering the PGP keys.
Better yet, since cult sekrit skripture includes a "blame-the-victim" meme, effectively "If anything we claim doesn't work for you, you're by definition not doing it right and in need of either further cult proce$$ing, or you're subconsciously working for the enemies of the cult and in need of punishment", I'll bet a lot of would-be PGP breakers in the cult spent a lot of time eating rice and beans.
The image of an entire room of high-ranking cultists staring at a hard drive, thinking "DECRYPT! DECRYPT! DECRYPT!" at it for hours on end, and then blaming themselves (or being punished) for their failure to break PGP, kept me giggling for months.
Back on topic - in addition to learning about new denial-of-service attacks and other cult nastiness, I learned more about memetic warfare and information warfare from lurking on a.r.s. for three years than anywhere else. I consider a.r.s. to be the infowar boot camp for the world, both for private citizens and intelligence agencies alike.
Why? a.r.s. is the canonical "what happens when the print era of journalism meets the /. age of reader-feedback" battle. The cult is an ideal control group because it can't change its tactics. It lives in a set of memetic straitjackets of its own construction; most significantly, it has a meme that ensures it can't adapt to any new reality of media because "Everything Hubbard Wrote Was True And Will Remain True Forever", including the parts about dealing with bad PR (essentially, "use superior financial resources to defame your opponent in the major media first, because more people read the news articles than the 1 or 2 rebuttals that might appear on the editorial page") in the 1960s. As we all know, "dat don't work no more".
A better analogy would be the immovable object and the irresistible force. What the cult never imagined was that someday there'd be an irresistible force that didn't have to move the object, but could just flow around it.
Poor little clams! Snap! Snap! Snap!
IRC's "fludnetz" which are a bunch of bots run on a few machines (including several on each machine) that like to flood people with CTCP requests and the like. Just as lame, just as annoying, just a different medium.
/|dD|3z suck
Bleh, SkR|p+
Dan "What's Karma?" Turk
However, it's interesting to note that the Slashdot Effect has never been used with ill intent. I've seen a few people in forums suggesting we turn to a particular site and bomb their server out of existence, but no one has ever rallied under such a cause.
And that's the really interesting part: the Slashdot Effect is very real, yet it doesn't seem it can be wielded. No one complains of the Slashdot Effect, because it brings thousands of interested readers to a particular site. It's like choking on too many chocolate bars; it's too much of a good thing, but it's a good thing nonetheless.
The closest I've seen to a Slashdot Effect used as a form of attack was the Hotmail crack, that didn't take long to appear in the Slashdot forums. If one cracker getting through didn't make Microsoft react, a thousand of them certainly made them pale in panic. And I still maintain Slashdot is the site that tipped off CNN!
My question is: how could the Slashdot Effect be wielded, either as a tool, or as a weapon? Does anyone think it's feasible to put it to good or ill use? How?
I personally think it cannot be wielded, and certainly not as a weapon. But I'd like to hear others on the subject.
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
This is old news, most of the comments under the story on zdnet complain about this, actually, when I submitted the story to /. I said the most interesting part was the comments.
everytime someone asks you for something, ask if they want fries with that.
you're all figments of my deranged imagination
What about smurf, fraggle, papasmurf, etc.. where you use misconfigured broadcast addresses all over the internet, and have the backing of multiple megabits of bandwidth.. ?
This doesn't even take into account open proxy servers which are everywhere, which could be used to make some sort of distributed attack, or even irc "flood nets."
Script kiddie tools never cease to become more damaging and more widely available. blah.
This reminds me of a diabolical Exchange macro virus I was thinking of, something along the lines of Melissa but it also sends emails to random usernames at some target domain (eg. blahblah@microsoft.com). The effect on a single infected site would be moderate, but the target site would get hammered by practically the entire Net (at least the part of the Net running Exchange servers).
Of course, I would never recommend that anyone actually write such a virus, it's probably illegal and would do lots of damage, but it sure is fun to think about how easy it would be.
---- I made the Kessel Run in under 11 parsecs.
> What the cult never imagined was that someday there'd be an irresistible
> force that didn't have to move the object, but could just flow around it.
yeah - I kinda think of Scientology as this sort of '50s cold-war cult - stuck in a James-Bond spy mentality (with world wide conspiracies continually after them - in their case apparently it's an international conspiracy of psychiatrists - probably run by Freud from beyond the grave).
They have run their organisation for years with huge secrecy, covert operations (a number of leaders were sent to jail a while back for breaking into federal govt. files and stealing/altering records) - and have gone out of their way to shut up any critics by isolating them and trying to sue them out of existence.
This sort of organisation has the most to lose from an open, global, information revolution. Suddenly all those isolated ex-scientologists found each other and started sharing their horror stories - this is a wonderful example of a community brought together by the net that would never have been possible otherwise .... and when Co$ tried to shut down their forum (by rmgrouping alt.religion.scientology) hundreds of free-speech people like me got involved.
As the saying goes, "the internet sees censorship as a fault and routes around it".
http://wpxx02.toxi.uni-wuerzburg.de/~krasel/CoS/biased/biased.2.10.html#2
alt.religion.scientology - the newsgroup where all this madness has gone down
What's followed has been a cat and mouse game through the courts and on the net including a couple of wonderful moments when their lawyers tried in depositions to discover the real identity of the mysterious person called 'Major Domo' who'd been running all those anti-scientology mailing lists .... and to find out who ran that FTP site at 127.0.0.1 which seemed to have a lot of their files on it ....
What's not so well known is their most recent tactic which has become known as 'sporge', in which a roving band of spammers inject random garbage using real people's forged identities into alt.religion.scientology and related groups - moving from ISP to ISP, burning accounts as they go; some days they inject 2-3 thousand messages into the newsgroup trying to drown out any meaningful conversation.
If this doesn't count as a distributed denial of service attack I don't know what does
(besides I'm pissed at people forging stuff in my name)
Currently we're actually seeing a mysterious respite from the sporge - probably they forgot to pay their bills - but I'm sure it will be back .... after all we wouldn't want the real world to know about Scientology's space alien fixation without paying $300k like the rest of the suckers.
For more info on Scientology vs. the Net check out www.xenu.net
> Of course, the only way they could compile the
:wq
> greylist would be to run through IP addresses
> and test them for security holes, the same way
> that the script kiddies do. Would that be
> ethical?
Y3$. 1T W0ULD $4V3 M3 L0T$ 0F T1M3 1F I C0ULD
JU$T U$3 UR ``greylist'' 2 P1CK T4RG3T$ FR0M.
Y3$, PL33ZE D0 R3C0N W0RK F0R M3.
:WQ
------ ------ ------
ALL HA1L B1FF, TH3 M05T 31337 D00D!!!!!1
------ ------ ------
ALL HA1L B1FF, TH3 M05T 31337 D00D!!!!!1
:WQ
------ ------ ------
ALL HA1L B1FF, TH3 M05T 31337 D00D!!!!!1
------ ------ -
This is essentially the same idea as Melissa, except more targeted. It seems like it would be the most useful in making crackers just that much more anonymous.
For example:
I want to crack a machine, but if someone tries to catch me, I want it to look like it was someone else. So, I want to assume that other person's identity (IP) for the attack. I need to DoS that person and then spoof his IP while attacking my target. Oops, but now the person I'm doing a DoS attack on knows who is attacking him! Oh, no problem, I'll just write a macro virus that installs a time-scheduled program (via Windows Task Scheduler or whatever) that hits my DoS target's HTTP port at a certain time (UTC). Now I distribute the virus, wait until the specified time, verify that the DoS target is getting pounded, and then spoof him and try to crack my original target. Hopefully I'm non-blind spoofing so I can see what is going on!
Is anyone aware of a way in which the DoS target would a) know it was me, or b) be able to defend against the attack?
um,
isn't this a variant on the FloodNet java app which is drifting about?
From: http://www.thing.net/~rdom/ecd/floodnet.html
"See The Zapatista Tactical FloodNet for a discussion of FloodNet's functionality, interactivity, philosophy, and as a form of conceptual art."
Basically, if you run the java app on your system it regularly sends enough stuff to the remote site to overload it if sufficient people get involved, but not enough to hose your link.
There were some rumours the DoD were crashing it as some sort of counter-electronic-terrorism thing.
Dwayne
I would argue that the most destructive (aka smurf, fraggle ... amplified) distributed attacks are getting harder and harder as ISPs default to no directed broadcast on their networks. The "always on" connections ... well, I haven't personally seen an attack that could take down a well-connected web site without amplification, and 3-4 machine cable or DSL networks aren't going to be a heavy source of amps. If there were some reference to "in the wild" attacks, rather than CERT blabbing about 4 or 5 undescribed "incidents", I would be more inclined to take it seriously. Exploits, anyone??
good. fast. cheap. (pick any two, you can't have all three)
I can't seem to find any mention of a "trinoo" anywhere on the net ... do you still have the tool?? I am interested in source code, especially, as I would like to know both which ports it uses to communicate with other servers and which methods it uses to DoS.
Thanks.
good. fast. cheap. (pick any two, you can't have all three)
can you say Oh! Oh! Oh! new smurfs!!!
...
Seriously, ICMP smurfing was a distributed attack. As referenced in the original post, the slashdot effect was a distributed attack. The real question is whether or not the attack exploits a bug in the operating system or ip stack of the victim server (in which case it's the vendor's problem to fix), or the equivalent of opening up http requests from 10,000 different hosts at the same time (which is a function of the IP/TCP/HTTP combo and should happen).
In the case that it is a vendor software bug (ping o' death, etc) then it should be patched and blocked. If someone is able to flood your web server with legitimate connections, a.k.a. 3-way TCP handshakes, there's not a whole lot you can do without killing your web server.
I don't see how this is some brand new attack, nor do I see how it is a real problem. Anyone been icmp echo'd to death from 100,000 hosts lately? Jeez
good. fast. cheap. (pick any two, you can't have all three)
Older than smurf are pingfloods from a few different networks. This is the oldest common distributed DoS attack that I know of; no doubt its obviousness and the use of a standard system utility contributed strongly to that.
But the article is not quite about distributed pingfloods, or smurf attacks. It's about widely distributed attacks (from 100s-1000s of hosts) that appear to be legitimate connections. The scary thing about an attack like this is that you *cannot stop* a determined and intelligent attacker if you're running a public service. The comforting thing is that if the attacker is that determined, he'll probably just rm one of your machines, which in most cases is much less costly if you have good backups.
This is only interesting because it is finally commonplace. It's always been obvious. Anyone who thinks for a minute about how to protect against remote resource starvation attacks will come to an attack like this as the extreme example of what you can't defend against. The people coming up with new DoS attacks realize the same thing.
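As an added illustration of the distinction the last few posts draw (this is not code from the thread), a small Python classifier over constructed connection records: a window dominated by one noisy source can be filtered at the border, while a window of many distinct hosts each opening one ordinary connection looks like a busy day and has to be treated as capacity, not as a bug. All addresses, timings and thresholds are constructed for the example.

```python
from collections import Counter, defaultdict

WINDOW = 10  # seconds per bucket (constructed choice)


def constructed_flows():
    """Constructed sample: (time_s, src_ip) for connections to one web server."""
    flows = []
    # 0-9 s: normal traffic, four regular clients, a few connections each
    for t in range(10):
        for i in range(4):
            if t % 3 == i % 3:
                flows.append((t, f"10.0.0.{i + 1}"))
    # 10-19 s: one host opening 200 connections (single-source flood)
    flows += [(10 + k % 10, "10.0.9.9") for k in range(200)]
    # 20-29 s: 300 distinct hosts, one connection each (distributed flood)
    flows += [(20 + k % 10, f"10.1.{k // 256}.{k % 256}") for k in range(300)]
    return flows


def window_stats(flows, window=WINDOW):
    """Per-window Counter of connections per source IP."""
    stats = defaultdict(Counter)
    for t, src in flows:
        stats[(t // window) * window][src] += 1
    return stats


def classify(counter, max_sources=20, max_per_source=50):
    """Label one window's {src_ip: connections} map.

    One source far above max_per_source is a single-source flood (blockable);
    more than max_sources distinct hosts, none of them noisy, is the
    'legitimate-looking' distributed pattern the posts describe.
    """
    if counter and max(counter.values()) > max_per_source:
        return "single-source flood"
    if len(counter) > max_sources:
        return "distributed flood"
    return "normal"


def classify_windows(flows, window=WINDOW):
    """Map each window start time to its label."""
    return {start: classify(c) for start, c in sorted(window_stats(flows, window).items())}


if __name__ == "__main__":
    for start, label in classify_windows(constructed_flows()).items():
        print(f"t={start:>3}s {label}")
```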
I seem to remember attacks like this being a big thing about 2 or 3 years ago. Well, not a big thing, but big enough that it existed and was a threat. In fact, I think Milworm (don't quote me on this) used an attack similar to this to gain access to Pakistan's (or some country over there) government computers, including some sensitive information about nuclear weapons. They made the attack go through the US Government's Dental plan servers ((this is all from memory, this happened well over a year ago)). The point is that this has happened many times, and the whole idea of "distributed" hacking is not a new one. Why all of a sudden it is a big deal, and a major threat to the world as we know it, I don't know. Maybe if instead of complaining about the problem they would just go in and figure out how to stop it, and move on to the next thing.. don't tell me that there is a problem that needs to be fixed, tell me that you have the solution to the problem and where I can go to get this problem taken care of.
"I couldn't give him (Bill Gates) advice in business and he couldn't give me advice in technology." Linus Torvalds
This type of attack has been going on for YEARS. IRC Botnets are a good example of a coordinated method of attack. And the attack isn't necessarily limited to the IRC environment.
I suppose I'm not surprised that it took this long for the government to start recognizing distributed attacks...
Best regards,
SEAL
The US Navy Sea Systems Command has been hosting a research project called CIDER (Cooperative Intrusion Detection Evaluation and Response) for several years now. You can find more info about the CIDER Project there.
People who bite the hand that feeds them usually lick the boot that kicks them
Hasn't the possibility for such a thing been around for quite a while? If I am wrong though please excuse me because I am largely an ignorant peasant when it comes to networking.
An ISP my company recently acquired has a shell server. One day, we get a frantic note from a user who is saying that their account had been hacked, that there were some additional lines in their .history that they didn't type.
So, an hour later, I had cleaned out the trojaned ls, ps, inetd, login, etc, and I found some interesting stuff that they left behind.
It's called 'trinoo'. It's a remotely-accessible DOS attack tool...it runs on certain ports (31335 for instance) and co-ordinates the attacks with other servers. For instance, if you establish a network of these, you would telnet to one, tell it to start the attack on whichever IP you choose, and it would get all the other trinoo daemons it's aware of to also attack that IP.
We got some calls from some DOD and other .mil and .gov agencies about this, so I would assume it's fairly well spread.
It's not long before this gets out of hand...
Please. Please please please, do you have a link to this transcript? I looked through Xenu, but had no way of guessing where to start looking for that specific legal transcript.. :/
This sounds better than "stupid tech-support calls."