Distributed Denial of Service Attacks
hetairoi was one of the many people who wrote to us about ZDNet's coverage of "distributed coordinated attacks", a new style of denial of service attack. Rather than using just one machine, efforts are coordinated through multiple servers, making server defense more difficult. Huh - does the Slashdot effect count? *grin*
I did something similar to this by accident once. At the time I worked for a company that had a full T1, but our upstream provider wasn't very good at monitoring their routers. These routers liked to go down often and it was up to us to tell them about it.
:-)
I wrote a script that sat on our Linux webserver and our Linux mail server and every 2 minutes sent a ping to an outside server. I picked my ISP's DNS server because I knew it was reliable enough to test our connection. I wrote the script on a Windoze box and FTP'ed it to the Linux boxes. What I had forgotten is that with Windoze ping, the ping dies after 4 attempts. On Linux it needs an explicit kill. Every 2 minutes from then on, each server would start a new ping process without killing the preceding one. OOPS. It launched a multi-server denial of service against my ISP's DNS server. Let's just say my account doesn't work there anymore.
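The failure mode in the story above (an unbounded ping relaunched every 2 minutes with no check on the previous run) is what a cron-driven link probe has to guard against. This is an added example, not the poster's script: each probe is bounded with `-c`/`-W` and a subprocess timeout, and an exclusive lock makes a second invocation exit instead of stacking up. The ping flags, the lock path and the TEST-NET placeholder host are assumptions.

```python
import fcntl
import subprocess
import sys

LOCK_PATH = "/tmp/link-probe.lock"  # assumed location for the single-instance lock


def build_ping_cmd(host, count=1, wait_s=2):
    # Linux ping runs until killed unless told how many echoes to send.
    # -c bounds the count, -W bounds the wait for a reply (assumed iputils flags).
    return ["ping", "-c", str(count), "-W", str(wait_s), host]


def run_bounded(cmd, timeout_s):
    """Run cmd and return 'up', 'down' or 'timeout'.

    subprocess.run kills the child when the timeout expires, so a hung probe
    never lingers as an extra process on the box.
    """
    try:
        rc = subprocess.run(
            cmd,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout_s,
        ).returncode
    except subprocess.TimeoutExpired:
        return "timeout"
    return "up" if rc == 0 else "down"


def hold_lock(lock_path=LOCK_PATH):
    """Acquire the probe lock and hand back the open handle (caller keeps it alive).

    Used to demonstrate what a still-running earlier probe looks like to the next one.
    """
    handle = open(lock_path, "w")
    fcntl.flock(handle, fcntl.LOCK_EX)
    return handle


def probe_once(cmd, timeout_s, lock_path=LOCK_PATH):
    """Single-instance guard: if an earlier probe still holds the lock, bail out.

    A cron job that relaunched this every 2 minutes would therefore never have
    more than one probe in flight, however slow the far end is.
    """
    with open(lock_path, "w") as lock:
        try:
            fcntl.flock(lock, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            return "already-running"
        return run_bounded(cmd, timeout_s)


if __name__ == "__main__":
    # 192.0.2.53 is a TEST-NET placeholder, not a real resolver; pass a host on the CLI.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"
    print(probe_once(build_ping_cmd(host), timeout_s=5))
```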
S from "eSpionage"
C from "Criminals"
R from "cRiminals"
I from "crIminals"
P from "esPionage"
T from "Terrorism"
K from "crimINals" - rotate the "n" 45'.
I from "terrorIsm"
D from "Bent" - reflect the "b"
D from "esPionage" - rotate the "p" 90'.
Y from "terroRIsm" - rotate the "ri" 90'.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
"Criminals bent on espionage or terrorism"?!? That's an odd way to spell "script kiddy". rOD.
--
Rod Begbie done this, and he's not
One major advantage of Slashdot is that until new hardware was bought a few months ago, almost all the pages were static. Before customizable Slashboxes were introduced, the main page was static. The article pages were static until fairly recently - instead of being updated on the fly, a cron job updated them about once a minute. As a result, programs were not run every time someone called up a page - they were run once a minute instead of once a hit, which could be many times a second. (This appears to have changed post-Andover, with some things specific to the user appearing even on article pages. However, this is since the Andover purchase allowed nearly unlimited hardware upgrades).
The site has certainly had its share of technical failures - but it was developed with high load in mind, and so it manages to take it.
Many of the Slashdot effect victims have been sites that have bought the Microsoft vision of .ASP and such - sites where every page was generated by a program of some sort. This development methodology is very expensive in terms of hardware when compared to Slashdot's static model.
The Microsoft hype is that pages should be heavily personalized for each individual user. Slashdot does that now, and very cleverly - but I think they had their priorities straight: Create a system that works first, then add neat stuff. Microsoft's approach is to build neat stuff into the system from the ground up, without considering the consequences for system load and reliability.
D
----
There seem to be a few problems with this.
First, I haven't seen Slashdot feature many stories that were not from a site at least pretending to be journalistic. The heart of Slashdot is zdnet, cnn, wired, salon and a handful of other places. When an outside editorial is requested, such as Jon Katz or a book reviewer, it's generally hosted on the Slashdot site itself.
Your suggestion requires that a "foreign" site be nominated, and that nomination be accepted by a member of the Slashdot staff. It seems to me that this would be extraordinarily difficult.
Your best bet might be to crack one of the major sites and wait until Slashdot featured an article on it. Then replace the article with the redirect and you're good to go. Still, that would have legal ramifications and might not be good for a simple prank.
D
----
I've seen such attacks as early as 4 years ago, if not sooner. The first was a non-spoofing UDP (non-root requiring) client/server flooding program for *nix, though I can't recall its name (FABI? or something like that). To install a massive number of these things, it'd be all too trivial for someone to set up a perl script which'd parse sniffing logs, then install and launch the program. Furthermore, it could also theoretically be remotely commanded via spoofed packets from the hax0r's dialup Linux box (making it difficult to positively trace the hackers and the other machines from the others).
I've also seen perl scripts which jump on a list of backdoors (bind shells, netbus/bo, etc) and simply execute a trivial command like "ping" on a whole list of them. These have been around for a couple of years as well.
It's extremely difficult to stop such attacks, on either end: the flooding victim, or the flooder victims. Spoofed or unspoofed. There is a little that can be done. Though DOS counterattacks can work too. Let us imagine that I've rigged up a script to cause a thousand different windoze machines to connect() (via TCP) repeatedly to a service such as httpd (this can cause a great deal of damage to even the best servers). These are obviously not spoofed, and could be effectively DOSed by sending a single nestea style packet to each offending machine. Better to have those few ignorant users' machines offline for a few minutes (preferably with an accompanying email) than deny access to a popular site to millions. Windows can't yet spoof, so this would at least require the hacker to use *nix machines to execute the attack. Unix machines do tend to have more competent administrators, and it's easier to reach them as they're fewer. The hackers could of course spoof, but that would at least require somewhat more skill on the part of the coder (not that script kiddies know the first thing about that anyways).
In the long run, there is simply no solution to stopping this stuff though. There are thousands of ways that a reasonably creative person can come up with, without a great deal of skill, to effectively cripple the internet. This is true today, and it will remain true in the future as long as we have: companies who put security on a low priority, ISPs who're essentially incompetent, and strong priorities on freedom and privacy.
Hi, it seems a lot of you have misconstrued this article into some kind of "new hole", when it is in fact the contrary. This article describes an attack that is all too trivial to undertake. All that is required is a few fast root shells, and a daemon to handle the requests. The result is a denial of service orgy, holding down the victim's connection until the attack ceases. The only way I can see to prevent this is firewalling your own network to prevent a wily script kiddy from using your network to carry out his or her revenge on the internet. If every network was firewalled in such a way, where would the script kiddies "packet" from? Network admins, this is your job, time to earn that check of yours!
--- Stampede linux for me! I play with fire to break the ice..
You mentioned IRC Botnets - another example (and to my knowledge, one of the most common) of DOS attacks is a simple "smurf" attack. It's an easy enough attack: put together a ping request with a forged FROM header, and send it to a network's broadcast address. If the admin has been lazy (and you're on a full class C), you'll wind up with up to 255 computers all pinging the same device.
I've seen this used to blow out a University's web server at the same time as it stresses two Universities' Internet connections. It's not pretty. Or new: Wired News ran an article about escalating numbers of smurf attacks way back in January of 1998.
You can tell what kind of day I'm having...
-- Word of the day: Percussive maintenance is the fine art of whacking the crap out of an electronic device to get it wo
I would think that in a distributed DOS attack, as described in this article, it would be easy to identify the large cable modem providers (for example), and it should then be fairly easy to get the provider to get its customers in line.
I dunno if these attacks are really that coordinated. A random SYN flood looks like hundreds if not thousands of servers are hammering you all day long. And what's worse is that there's no real way to defend against it.
And as for smurf attacks (ICMP echo-requests destined for the broadcast address), any engineer or network admin worth his salt should be setting 'no ip directed-broadcast' on _all_ of his interfaces. That'll put a stop to that silly shit right now.
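As an added defender-side example (not from either poster), this Python snippet scans per-packet log lines for the amplification step the smurf posts above describe: ICMP echo requests aimed at a subnet's broadcast address. The claimed source is where every reply goes, so it is the likely victim rather than the sender. The log format, the subnets and the packet lines are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed packet summaries, one per line, in the shape "<src> > <dst> icmp echo request|reply".
# Addresses are from the RFC 5737 documentation ranges; none of this is real traffic.
SAMPLE_PACKETS = """\
203.0.113.7 > 198.51.100.255 icmp echo request
203.0.113.7 > 198.51.100.255 icmp echo request
203.0.113.7 > 192.0.2.255 icmp echo request
198.51.100.20 > 198.51.100.1 icmp echo request
198.51.100.1 > 198.51.100.20 icmp echo reply
203.0.113.7 > 198.51.100.0 icmp echo request
""".splitlines()

# Subnets this site routes (assumed); needed to know which addresses are broadcasts.
LOCAL_SUBNETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def broadcast_targets(subnets):
    """Addresses a directed broadcast can land on.

    The all-ones address is the normal broadcast; older stacks also answered
    the all-zeros network address, so both are treated as amplifiers.
    """
    targets = set()
    for net in subnets:
        targets.add(net.broadcast_address)
        targets.add(net.network_address)
    return targets


def max_replies_per_request(net):
    """Upper bound on replies one broadcast echo request can trigger: the usable hosts."""
    return net.num_addresses - 2


def parse(line):
    """Split "<src> > <dst> <proto> <info...>" into its fields."""
    src, _, dst, proto, *rest = line.split()
    return src, dst, proto, " ".join(rest)


def find_smurf_candidates(lines, subnets):
    """Return (flagged_lines, Counter keyed by claimed source address).

    An echo request whose destination is a broadcast address is the smurf
    amplification step. Because the source is forged, the counter names the
    address that will be flooded with replies, i.e. the victim to warn, and
    the fix on the amplifying network is to stop forwarding directed broadcasts.
    """
    targets = broadcast_targets(subnets)
    flagged, victims = [], Counter()
    for line in lines:
        src, dst, proto, info = parse(line)
        if proto == "icmp" and info == "echo request" and ipaddress.ip_address(dst) in targets:
            flagged.append(line)
            victims[src] += 1
    return flagged, victims


if __name__ == "__main__":
    hits, victims = find_smurf_candidates(SAMPLE_PACKETS, LOCAL_SUBNETS)
    for line in hits:
        print("broadcast echo request:", line)
    for victim, n in victims.items():
        bound = sum(max_replies_per_request(net) for net in LOCAL_SUBNETS)
        print(f"{victim}: {n} requests, up to {bound} replies each across our subnets")
```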
The "target" list is updated hourly with tens of thousands of co-conspirators ready and willing to do their part for the good of the overall attack.
Many many servers have been brought to their knees by this rogue band of pseudo news followers who claim the "source" is with them.
When will the terror stop?
heh
For some reason, this story reminds me of a story from back in August about the Internet Auditing Project. It seems to me that what they're doing (i.e. measuring the overall security of the net by probing individual boxes) is the only solution for this kind of DoS attack. Of course, if you wanted to take it one step further, you'd probe your neighbor's box, crack the insecure ones, then patch it for your neighbor. =)
Or crack somebody's account on the CS department's server - the Doom as a sysadmin tool story was posted at a URL of the form "http://www.cs.xyz.edu/~somebody/a/b/c.html". All you need is a subdirectory with write privs.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
Let's say there existed a web server that was not of particular interest to geeks, but which an 3V1L H4X0R wanted to Slashdot. (You know, I just realized that it's awkward to end a sentence with /. - do you end it "/.."?)
3V1L H4X0R sets up a web page of interest to geeks (most likely with false information - say, make up something about Linux running on an Atari 2600) and puts it up on a server somewhere. And maybe the server is some clueless newbie's PC that happens to have a cable or DSL connection. 3V1L H4X0R submits the page, anonymously, to Slashdot.
When accesses to the page start to come in and get heavy, 3V1L H4X0R replaces his page with one that has a redirection URL to the target page.
In fact, I think if he was sneaky enough, he could make his original page load the target in a non-visible frame - or several targets in several non-visible frames - and not even bother with the switch! If 3V1L H4X0R picks small target URLs (say, some small images on the target site), the browser user won't notice the network activity; but of course that would be less load on the target server per browser.
It's a social engineering bait-and-switch.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
from being used by malicious programmers, rather than protecting the target, he said.".
Ack. That is surely the best way to deal with security issues. Let's just put infocops all over the web at the back of every computer to ensure that its user is not misbehaving.
I believe the problem lies elsewhere. It's more about people in systems administration not having a clue about security, and people in management positions not willing to spend on enough personnel to actually run things the way they should. I've seen too many sites where the 3 systems guys double as DBA/Sysadmin/help desk/tech support and whatnot. And I'm not talking about small business.
In fewer bytes, it's about culture.
+Raider of the lost BBS
I don't know...I wouldn't underestimate these guys. The meme package may be badly adapted right now, but it may always mutate (Hubbard went to extremes to try to make the thing un-mutatable, but it's really not possible to build a meme system that solid. The transcription mechanism (i.e. humans) is just too flaky).
If it does mutate, and it manages to create a variant that is better adapted to the current environs, well, we all know what happens then.
I'll give you an example...suppose they come up with a meme that says "at certain points during his life, Hubbard was possessed by enemy aliens, and wrote deliberately wrong things". Now they have justifications to change operations to suit the new situation (plus great tools for a holy war).
The best way to kill these guys is to dilute and damage the meme pool, by injecting memes like the one above that disrupt the organization.
"Oh, Senator, you're so gullible!" - Buckaroo Banzai
Damn, re-reading that brought back a lot of laughs. Of particular note - look for the lawyer falling for the "FTP site at 127.0.0.1" troll, as well as the "ARSCC" troll.
The ARSCC troll is particularly amusing. Those of you who read news.admin.net-abuse.email and have heard about the Lumber Cartel (TINLC) - imagine being questioned about "who runs the Lumber Cartel" in a deposition. The ARSCC started out the same way - another fictitious organization cooked up by netizens to troll a group so deeply in denial that they already believed that "since so many people on the 'net disagree with us, they must all be part of the same large conspiracy against us", and fell for it hook, line, and sinker.
In both n.a.n-a.e and a.r.s., the conspiracy meme was already fully expressed amongst the lams and the spammers, respectively. All the 'netizens had to do was give the Conspiracy a name, and watch its opponents go nuts trying to find out who, in meatspace, was part of it. When properly executed, such a troll leads the opponent into executing a meatspace distributed denial-of-service attack against himself by seeing conspirators wherever he goes.
I'm not at all surprised that many spammers fell for the Lumber Cartel (spammers are, if dogshit will forgive me, dumber 'n dogshit), but the clams fell for the mythical ARSCC even more easily!
The cult's falling for the ARSCC troll indicates another bit of defective memetic programming; by sekrit skripture, they're trained to ask "who are you working for?" whenever anyone questions them, because the notion of "activist" (in the sense of "someone who acts independently and takes personal risk to challenge big organizations when they're misbehaving") simply didn't exist in the 1950s-and-60s memetic environment out of which the cult formed. To the cult, there can be no independent objectors to its practices; anyone who criticizes it is a priori assumed to be part of an organized conspiracy against the cult.
(Any coercive organization generally needs an "enemy" on which it can fixate its members' emotions. Another 50s-and-60s memetic bug either introduced by this, or reinforced by it, in the CO$, is the fact that the cult exists in a universe composed of large organizations battling on roughly equal footings, like superpowers in the WWII and the Cold War. An army defeated because it was "nibbled to death by ducks" was simply inconceivable until after Vietnam, by which time Cult doctrine had been frozen. Oops.)
It's only recently that trolling has become a weapon of memetic warfare per se - fabricating organizations and watching conspiracy-minded loons run around in circles looking for them is, of course, a grand 'net tradition, going as far back as the original USENET Cabal. TINC. The Cabal told me so.
I saw a man upon a stair, a little man who wasn't there
I saw the man again today. Gee I wish he'd go away.
> of the mysterious person called 'Major Domo' who'd been running
> all those anti-scientology mailing lists
What cracked me up was when they tried to break some PGP-encrypted data on some drives they'd managed to seize from a Netizen. For a bunch of UFO cultists who claim total domination over Matter, Energy, Space, and Time (for only $300,000!) through sheer force of mental will, you'd think they'd be able to break PGP trivially by simply using their powers to apply clairvoyance backwards in time and just watch their enemies entering the PGP keys.
Better yet, since cult sekrit skripture includes a "blame-the-victim" meme, effectively "If anything we claim doesn't work for you, you're by definition not doing it right and in need of either further cult proce$$ing, or you're subconsciously working for the enemies of the cult and in need of punishment", I'll bet a lot of would-be PGP breakers in the cult spent a lot of time eating rice and beans.
The image of an entire room of high-ranking cultists staring at a hard drive, thinking "DECRYPT! DECRYPT! DECRYPT!" at it for hours on end, and then blaming themselves (or being punished) for their failure to break PGP, kept me giggling for months.
Back on topic - in addition to learning about new denial-of-service attacks and other cult nastiness, I learned more about memetic warfare and information warfare from lurking on a.r.s. for three years than anywhere else. I consider a.r.s. to be the infowar boot camp for the world, both for private citizens and intelligence agencies alike.
Why? a.r.s. is the canonical "what happens when the print era of journalism meets the /. age of reader-feedback" battle. The cult is an ideal control group because it can't change its tactics. It lives in a set of memetic straitjackets of its own construction; most significantly, it has a meme that ensures that it can't adapt to any new reality of media because "Everything Hubbard Wrote Was True And Will Remain True Forever", including the parts about dealing with bad PR (essentially, "use superior financial resources to defame your opponent in the major media first, because more people read the news articles than the 1 or 2 rebuttals that might appear on the editorial page") in the 1960s. As we all know, "dat don't work no more".
A better analogy would be the immovable object and the irresistible force. What the cult never imagined was that someday there'd be an irresistible force that didn't have to move the object, but could just flow around it.
Poor little clams! Snap! Snap! Snap!
However, it's interesting to note that the Slashdot Effect has never been used with ill intent. I've seen a few people in forums suggesting we turn to a particular site and bomb their server out of existence, but no one has ever rallied under such a cause.
And that's the really interesting part: the Slashdot Effect is very real, yet it doesn't seem it can be wielded. No one complains of the Slashdot Effect, because it brings thousands of interested readers to a particular site. It's like choking on too many chocolate bars; it's too much of a good thing, but it's a good thing nonetheless.
The closest I've seen to a Slashdot Effect used as a form of attack was the Hotmail crack, which didn't take long to appear in the Slashdot forums. If one cracker getting through didn't make Microsoft react, a thousand of them certainly made them pale in panic. And I still maintain Slashdot is the site that tipped off CNN!
My question is: how could the Slashdot Effect be wielded, either as a tool, or as a weapon? Does anyone think it's feasible to put it to good or ill use? How?
I personally think it cannot be wielded, and certainly not as a weapon. But I'd like to hear others on the subject.
"There is no surer way to ruin a good discussion than to contaminate it with the facts."
This is old news; most of the comments under the story on zdnet complain about this. Actually, when I submitted the story to /. I said the most interesting part was the comments.
every time someone asks you for something, ask if they want fries with that.
you're all figments of my deranged imagination
What about smurf, fraggle, papasmurf, etc.. where you use misconfigured broadcast addresses all over the internet, and have the backing of multiple megabits of bandwidth.. ?
This doesn't even take into account open proxy servers which are everywhere, which could be used to make some sort of distributed attack, or even irc "flood nets."
Script kiddie tools never cease to become more damaging and more widely available. blah.
This reminds me of a diabolic Exchange macro virus I was thinking of, something along the lines of Melissa but it also sends emails to random usernames at some target domain (eg. blahblah@microsoft.com). The effect on a single infected site would be moderate, but the target site would get hammered by practically the entire Net (at least the part of the Net running Exchange servers).
Of course, I would never recommend that anyone actually write such a virus; it's probably illegal and would do lots of damage, but it sure is fun to think about how easy it would be.
---- I made the Kessel Run in under 11 parsecs.
What's followed has been a cat and mouse game through the courts and on the net, including a couple of wonderful moments when their lawyers tried in depositions to discover the real identity of the mysterious person called 'Major Domo' who'd been running all those anti-scientology mailing lists .... and to find out who ran that FTP site at 127.0.0.1 which seemed to have a lot of their files on it ....
What's not so well known is their most recent tactic, which has become known as 'sporge', in which a roving band of spammers inject random garbage using real people's forged identities into alt.religion.scientology and related groups - moving from ISP to ISP, burning accounts as they go, some days they inject 2-3 thousand messages into the newsgroup, trying to drown out any meaningful conversation.
If this doesn't count as a distributed denial of service attack I don't know what does
(besides I'm pissed at people forging stuff in my name)
Currently we're actually seeing a mysterious respite from the sporge - probably they forgot to pay their bills - but I'm sure it will be back .... after all we wouldn't want the real world to know about Scientology's space alien fixation without paying $300k like the rest of the suckers.
For more info on Scientology vs. the Net check out www.xenu.net
> Of course, the only way they could compile the greylist would be to run through IP addresses and test them for security holes, the same way that the script kiddies do. Would that be ethical?
Y3$. 1T W0ULD $4V3 M3 L0T$ 0F T1M3 1F I C0ULD
JU$T U$3 UR ``greylist'' 2 P1CK T4RG3T$ FR0M.
Y3$, PL33ZE D0 R3C0N W0RK F0R M3.
:WQ
------ ------ ------
ALL HA1L B1FF, TH3 M05T 31337 D00D!!!!!1
This is essentially the same idea as Melissa, except more targeted. It seems like it would be the most useful in making crackers just that much more anonymous.
For example:
I want to crack a machine, but if someone tries to catch me, I want it to look like it was someone else. So, I want to assume that other person's identity (IP) for the attack. I need to DoS that person and then spoof his IP while attacking my target. Oops, but now the person I'm doing a DoS attack on knows who is attacking him! Oh, no problem, I'll just write a macro virus that installs a time-scheduled program (via Windows Task Scheduler or whatever) that hits my DoS target's HTTP port at a certain time (UTC). Now I distribute the virus, wait until the specified time, verify that the DoS target is getting pounded, and then spoof him and try to crack my original target. Hopefully I'm non-blind spoofing so I can see what is going on!
Is anyone aware of a way in which the DoS target would a) know it was me, or b) be able to defend against the attack?
can you say Oh! Oh! Oh! new smurfs!!!
...
Seriously, ICMP smurfing was a distributed attack. As referenced in the original post, the slashdot effect was a distributed attack. The real question is whether or not the attack exploits a bug in the operating system or ip stack of the victim server (in which case it's the vendor's problem to fix), or the equivalent of opening up http requests from 10,000 different hosts at the same time (which is a function of the IP/TCP/HTTP combo and should happen).
In the case that it is a vendor software bug (ping o death, etc) then it should be patched and blocked. If someone is able to flood your web server with legitimate connections, a.k.a. 3-way tcp handshakes, there's not a whole lot you can do without killing your web server.
I don't see how this is some brand new attack, nor do I see how it is a real problem. Anyone been icmp echo'd to death from 100,000 hosts lately? Jeez
good. fast. cheap. (pick any two, you can't have all three)
This type of attack has been going on for YEARS. IRC Botnets are a good example of a coordinated method of attack. And the attack isn't necessarily limited to the IRC environment.
I suppose I'm not surprised that it took this long for the government to start recognizing distributed attacks...
Best regards,
SEAL
The US Navy Sea Systems Command has been hosting a research project called CIDER (Cooperative Intrusion Detection Evaluation and Response) for several years now. You can find more info about the CIDER Project there.
People who bite the hand that feeds them usually lick the boot that kicks them
An ISP my company recently acquired has a shell server. One day, we got a frantic note from a user saying that their account had been hacked, that there were some additional lines in their .history that they didn't type.
So, an hour later, I had cleaned out the trojaned ls, ps, inetd, login, etc, and I found some interesting stuff that they left behind.
It's called 'trinoo'. It's a remotely-accessible DOS attack tool...it runs on certain ports (31335 for instance) and co-ordinates the attacks with other servers. For instance, if you establish a network of these, you would telnet to one, tell it to start the attack on whichever IP you choose, and it would get all the other trinoo daemons it's aware of to also attack that IP.
We got some calls from some DOD and other .mil and .gov agencies about this, so I would assume it's fairly well spread.
It's not long before this gets out of hand...