Slashdot Mirror


Distributed Denial of Service Attacks

hetairoi was one of the many people who wrote to us about ZDNet's coverage of "distributed coordinated attacks", a new style of denial of service attack. Rather than using just one machine, efforts are coordinated through multiple servers, making server-defense more difficult. Huh - does the Slashdot effect count? *grin*

7 of 95 comments

  1. This concept isn't really new, however... by FallLine · · Score: 4


    I've seen such attacks as early as 4 years ago, if not sooner. The first was a non-spoofing UDP (non-root requiring) client/server flooding program for *nix, though I can't recall its name (FABI? or something like that). To install a massive number of these things, it'd be all too trivial for someone to set up a perl script which'd parse sniffing logs, then install and launch the program. Furthermore, it could also theoretically be remotely commanded via spoofed packets from the hax0r's dialup linux box (making it difficult to positively trace the hackers and the other machines from the others).

    I've also seen perl scripts which jump on a list of backdoors (bind shells, netbus/bo, etc) and simply execute a trivial command like "ping" on a whole list of them. These have been around for a couple years as well.

    It's extremely difficult to stop such attacks, on either end: the flooding victim, or the flooder victims. Spoofed or unspoofed. There is a little that can be done. Though DOS counterattacks can work too. Let us imagine that I've rigged up a script to cause a thousand different windoze machines to connect() (via TCP) repeatedly to a service such as httpd (this can cause a great deal of damage to even the best servers). These are obviously not spoofed, and could be effectively DOSed by sending a single nestea style packet to each offending machine. Better to have those few ignorant users' machines offline for a few minutes (preferably with an accompanying email) than deny access to a popular site to millions. Windows can't yet spoof, so this would at least require the hacker to use *nix machines to execute the attack. Unix machines do tend to have more competent administrators, and it's easier to reach them as they're fewer. The hackers could of course spoof, but that would at least require somewhat more skill on the part of the coder (not that script kiddies know the first thing about that anyways).

    In the long run, there is simply no solution to stopping this stuff though. There are thousands of ways that a reasonably creative person can come up with, without a great deal of skill, to effectively cripple the internet. This is true today, and it will remain true in the future as long as we have: companies who put security on a low priority, ISPs who're essentially incompetent, and strong priorities on freedom and privacy.

  2. Slashdot.org does this every day! by |DaBuzz| · · Score: 4

    The "target" list is updated hourly with tens of thousands of co-conspirators ready and willing to do their part for the good of the overall attack.

    Many many servers have been brought to their knees by this rogue band of pseudo news followers who claim the "source" is when them.

    When will the terror stop?

    heh

  3. Slashdot Effect as a weapon by Mr.+Slippery · · Score: 5
    This is just idle speculation to stretch the brain, I don't think it's very practical. But...

    Let's say there existed a web server that was not of particular interest to geeks, but which a 3V1L H4X0R wanted to Slashdot. (You know, I just realized that it's awkward to end a sentence with /. - do you end it "/.."?)

    3V1L H4X0R sets up a web page of interest to geeks (most likely with false information - say, make up something about Linux running on an Atari 2600) and puts it up on a server somewhere. And maybe the server is some clueless newbie's PC that happens to have a cable or DSL connection. 3V1L H4X0R submits the page, anonymously, to Slashdot.

    When accesses to the page start to come in and get heavy, 3V1L H4X0R replaces his page with one that has a redirection URL to the target page.

    In fact, I think if he was sneaky enough, he could make his original page load the target in a non-visible frame - or several targets in several non-visible frames - and not even bother with the switch! If 3V1L H4X0R picks small target URLs (say, some small images on the target site), the browser user won't notice the network activity; but of course that would be less load on the target server per browser.

    It's a social engineering bait-and-switch.

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  4. Re:Kinda like the Scientology sporge ... by Tackhead · · Score: 4
    > their lawyers tried in depositions to discover the real identity
    > of the mysterious person called 'Major Domo' who'd been running
    > all those anti-scientology mailing lists ....

    What cracked me up was when they tried to break some PGP-encrypted data on some drives they'd managed to seize from a Netizen. For a bunch of UFO cultists who claim total domination over Matter, Energy, Space, and Time (for only $300,000!) through sheer force of mental will, you'd think they'd be able to break PGP trivially by simply using their powers to apply clairvoyance backwards in time and just watch their enemies entering the PGP keys.

    Better yet, since cult sekrit skripture includes a "blame-the-victim" meme, effectively "If anything we claim doesn't work for you, you're by definition not doing it right and in need of either further cult proce$$ing, or you're subconsciously working for the enemies of the cult and in need of punishment", I'll bet a lot of would-be PGP breakers in the cult spent a lot of time eating rice and beans.

    The image of an entire room of high-ranking cultists staring at a hard drive, thinking "DECRYPT! DECRYPT! DECRYPT!" at it for hours on end, and then blaming themselves (or being punished) for their failure to break PGP, kept me giggling for months.

    Back on topic - in addition to learning about new denial-of-service attacks and other cult nastiness, I learned more about memetic warfare and information warfare from lurking on a.r.s. for three years than anywhere else. I consider a.r.s. to be the infowar boot camp for the world, both for private citizens and intelligence agencies alike.

    Why? a.r.s. is the canonical "what happens when the print era of journalism meets the /. age of reader-feedback" battle. The cult is an ideal control group because it can't change its tactics. It lives in a set of memetic straitjackets of its own construction; most significantly, it has a meme that ensures that it can't adapt to any new reality of media because "Everything Hubbard Wrote Was True And Will Remain True Forever", including the parts about dealing with bad PR (essentially, "use superior financial resources to defame your opponent in the major media first, because more people read the news articles than the 1 or 2 rebuttals that might appear on the editorial page") in the 1960s. As we all know, "dat don't work no more".

    A better analogy would be the immovable object and the irresistible force. What the cult never imagined was that someday there'd be an irresistible force that didn't have to move the object, but could just flow around it.

    Poor little clams! Snap! Snap! Snap!

  5. Distributed attacks vs. the Slashdot Effect by Enoch+Root · · Score: 4
    Reading this, I'm surprised no one has ever tried to sue Slashdot for, I don't know, "irresponsible use of URL" or something as silly. Yes, the Slashdot Effect is, for all intents and purposes, a distributed DOS attack.

    However, it's interesting to note that the Slashdot Effect has never been used with ill intent. I've seen a few people in forums suggesting we turn to a particular site and bomb their server out of existence, but no one has ever rallied under such a cause.

    And that's the really interesting part: the Slashdot Effect is very real, yet it doesn't seem it can be wielded. No one complains of the Slashdot Effect, because it brings thousands of interested readers to a particular site. It's like choking on too many chocolate bars; it's too much of a good thing, but it's a good thing nonetheless.

    The closest I've seen to a Slashdot Effect used as a form of attack was the Hotmail crack, that didn't take long to appear in the Slashdot forums. If one cracker getting through didn't make Microsoft react, a thousand of them certainly make them pale in panic. And I still maintain Slashdot is the site that tipped off CNN!

    My question is: how could the Slashdot Effect be wielded, either as a tool, or as a weapon? Does anyone think it's feasible to put it to good or ill use? How?

    I personally think it cannot be wielded, and certainly not as a weapon. But I'd like to hear others on the subject.

    "There is no surer way to ruin a good discussion than to contaminate it with the facts."

  6. Kinda like the Scientology sporge ... by taniwha · · Score: 4
    $cientology's been hammering the newsgroup(s) where people have been gathering to criticize them for several years now - this was a big deal when they tried to rmgroup alt.religion.scientology a few years back, then followed up with US Marshals to take away a couple of critics' computers - there was a lot of righteous net-indignation that blossomed into a free-speech (by Co$ critics) movement

    What's followed has been a cat and mouse game through the courts and on the net including a couple of wonderful moments when their lawyers tried in depositions to discover the real identity of the mysterious person called 'Major Domo' who'd been running all those anti-scientology mailing lists .... and to find out who ran that FTP site at 127.0.0.1 which seemed to have a lot of their files on it ....

    What's not so well known is their most recent tactic which has become known as 'sporge' in which a roving band of spammers inject random garbage using real people's forged identities into alt.religion.scientology and related groups - moving from ISP to ISP burning accounts as they go, some days they inject 2-3 thousand messages into the news group every day trying to drown out any meaningful conversation.

    If this doesn't count as a distributed denial of service attack I don't know what does

    (besides I'm pissed at people forging stuff in my name)

    Currently we're actually seeing a mysterious respite from the sporge - probably they forgot to pay their bills - but I'm sure it will be back .... after all we wouldn't want the real world to know about Scientology's space alien fixation without paying $300k like the rest of the suckers.

    For more info on Scientology vs. the Net check out www.xenu.net

  7. smurf, anyone? by netpuppy · · Score: 4

    can you say Oh! Oh! Oh! new smurfs!!!

    Seriously, ICMP smurfing was a distributed attack. As referenced in the original post, the slashdot effect was a distributed attack. The real question is whether or not the attack exploits a bug in the operating system or ip stack of the victim server (in which case it's the vendor's problem to fix), or the equivalent of opening up http requests from 10,000 different hosts at the same time (which is a function of the IP/TCP/HTTP combo and should happen).

    In the case that it is a vendor software bug (ping o death, etc) then it should be patched and blocked. If someone is able to flood your web server with legitimate connections, a.k.a. 3-way tcp handshakes, there's not a whole lot you can do without killing your web server.
    I don't see how this is some brand new attack, nor do I see how it is a real problem. Anyone been icmp echo'd to death from 100,000 hosts lately? Jeez ...

    --
    good. fast. cheap. (pick any two, you can't have all three)
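A defender-side check for the hidden-frame bait-and-switch described in comment 3 and the flood of legitimate-looking requests in comment 7, as an added example that is not code from the original thread: it reads Apache combined-format access logs and flags external referer hosts that drive many distinct clients at non-page resources, which is how a framed image fetch differs from readers actually following a link. The log lines, the `bait.example` host and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "[^"]*"$')

def referer_host(referer):
    """Hostname part of a Referer URL, or None for '-' or non-URL values."""
    m = re.match(r'https?://([^/]+)', referer)
    return m.group(1).lower() if m else None

def parse(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def suspicious_referers(lines, own_hosts, min_clients=3, max_html_ratio=0.2):
    """External referer hosts that bring many distinct client IPs yet almost
    never request an HTML page. A genuine link from a news site sends readers
    to pages (assets then arrive with a self-referer); a hidden frame on a bait
    page makes every reader's browser fetch only the embedded target resources."""
    stats = defaultdict(lambda: {"clients": set(), "paths": set(), "html": 0, "total": 0})
    for rec in parse(lines):
        host = referer_host(rec["referer"])
        if host is None or host in own_hosts:
            continue  # direct hits and self-referers are the site's own traffic
        s = stats[host]
        s["clients"].add(rec["host"])
        s["paths"].add(rec["path"])
        s["total"] += 1
        if rec["path"].endswith((".html", "/")):
            s["html"] += 1
    return {
        host: {"clients": len(s["clients"]), "paths": sorted(s["paths"])}
        for host, s in stats.items()
        if len(s["clients"]) >= min_clients and s["html"] / s["total"] <= max_html_ratio
    }

# Constructed sample: four readers follow a news link to a story page; five clients fetch one small image because a bait page (hypothetical host) framed it.
SAMPLE_LOG = [
    f'10.0.0.{i} - - [01/Jan/1999:00:00:0{i} +0000] "GET /news/story.html HTTP/1.0" '
    f'200 5120 "http://slashdot.org/" "Mozilla/4.0"' for i in range(1, 5)
] + [
    f'10.0.1.{i} - - [01/Jan/1999:00:00:0{i} +0000] "GET /img/logo.gif HTTP/1.0" '
    f'200 312 "http://bait.example/atari-2600-linux.html" "Mozilla/4.0"' for i in range(1, 6)
]
```

Run `suspicious_referers(SAMPLE_LOG, own_hosts={"www.example.org"})`: the readers arriving from slashdot.org request pages and are left alone, while bait.example is reported with five distinct clients all hitting the same image.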