It's pretty obvious that you don't understand what a DDoS attack is all about. A firewall can do NOTHING about it. A DDoS attack makes your connection 100% busy (or your CPU, or you run out of memory...)
A firewall can't do ANYTHING to kill it.
-- "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
You're right, I didn't think clearly. I forgot that you could query for the IP address through most DNS servers - as they allow querying of web-wide addresses, from anywhere.
My mistake. Most DNS servers are misconfigured - I forgot.
In any case, we both agree that the essay mentioned doesn't solve anything.:)
-- "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
I do NOT think slow propagation of DNS will be the major problem. TTL = 0 would "solve" it, but then - a lot of people scream, you would have a DoS attack against the DNS servers instead. Personally I think that argument is moot - as you can have several DNS servers, and preferably on different backbones.
The problem is that EVEN if you set TTL to 0, the attacker can discover this, and since we're talking about a distributed attack -- which may be updated to attack a new address pretty quickly -- we are still talking about a devastating attack. Perhaps one could reduce the attack from 100% to 30%, but it would still be devastating.
-- "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
Assuming that the attacker isn't too smart, the attacking host would be discovered - if he queries the DNS every two seconds. All they would need to do would be to dig through the DNS server log, to find out who queried the DNS server plenty of times. Then that host would be tracked down, and at least ONE of the servers that was used in the attack could be blacklisted. They could simply throw in a 'deny' rule in their routers, and block DNS lookups from the host in question...
Also, your proposal says that the attacker's script would re-query a DNS server every few seconds -- something I don't think any of the current tools does. They do a one-time lookup against DNS, and after that, attack the associated IP address(es).
-- "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
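The detection the post above sketches (dig through the DNS server log for a client that keeps re-asking for the target name), written out as an added example; this is not code from the thread or from any DNS server. The log layout is an assumed BIND-style format, the sample lines are constructed for the demo, and the names, addresses and the 10-queries-per-minute threshold are made up:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed BIND-style query-log layout; real deployments log in several
# slightly different shapes, so treat this regex as an example, not a standard.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[^#\s]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)
TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"


def parse_query_log(log_text):
    """Yield (timestamp, client_ip, qname) for each parseable line."""
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # unrelated log lines (zone loads, notifies, ...) are skipped
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        yield ts, m.group("ip"), m.group("name").rstrip(".").lower()


def max_queries_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_pollers(log_text, name, window=timedelta(seconds=60), threshold=10):
    """Clients that asked for `name` at least `threshold` times inside one window.

    Returns {client_ip: peak_query_count}. A well-behaved resolver caches the
    answer for the TTL; with TTL 0 a client re-asking every couple of seconds
    stands out sharply against ordinary clients.
    """
    wanted = name.rstrip(".").lower()
    per_client = defaultdict(list)
    for ts, ip, qname in parse_query_log(log_text):
        if qname == wanted:
            per_client[ip].append(ts)
    flagged = {}
    for ip, times in per_client.items():
        peak = max_queries_in_window(times, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def constructed_sample_log():
    """Constructed log lines (not captured from a real server) for the demo."""
    base = datetime(2000, 3, 30, 12, 0, 0)

    def line(offset_s, ip, port, qname, qtype):
        ts = base + timedelta(seconds=offset_s)
        stamp = ts.strftime(TS_FORMAT)[:-3]  # trim microseconds to milliseconds
        return f"{stamp} client {ip}#{port}: query: {qname} IN {qtype} +"

    lines = []
    # Host controlled by the attacker, re-resolving the target every 2 seconds.
    lines += [line(2 * i, "192.0.2.10", 1025, "www.victim.example", "A") for i in range(30)]
    # Ordinary client: a couple of lookups, everything else served from its cache.
    lines += [line(s, "198.51.100.7", 2048, "www.victim.example", "A") for s in (5, 47)]
    # Busy mail relay asking for an unrelated name; must not be flagged.
    lines += [line(i, "203.0.113.5", 3000 + i, "mail.other.example", "MX") for i in range(40)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for ip, peak in find_pollers(constructed_sample_log(), "www.victim.example").items():
        print(f"{ip}: {peak} queries for the target inside one 60 s window")
```

The sliding window is what keeps this useful: a busy recursive resolver in front of many users will legitimately ask more than ten times a day, but only a host re-resolving on a timer shows a burst of thirty queries for one name inside a single minute. The unrelated MX traffic is included to show that the filter is per name, not per client volume.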
I've already seen some criticism of the approach here on slashdot, and I see several points myself. My points may not be the best against it - but here they are.
First, yes, this proposal will absolutely make it a tad more difficult to attack the victim. But not difficult enough. Increasing the difficulty only increases the skill level needed by the cracker, and is security through obscurity.
Say I want to attack yahoo.com. The first thing I do is to scan a couple of million IP addresses for vulnerable hosts. I crack into the 0.1% (probably more..) that is vulnerable, which gives me, say, 1000 compromised hosts to play around with. Heck, let's say it's only 0.01% that's vulnerable. Still leaves me with 100 machines that I've got full access to. (That's a very, VERY modest number.)
Ok, now I do an nslookup against my target. Ah, nice IP. Ok, I let, say, 10 of the machines I've rooted start attacking the victim. Making it switch to the new IPs.. I do a new nslookup.. ah, nice. New IP/new network. Then I initiate a new attack on this IP/network. Ah, good, no more bandwidth there either. New nslookup.. ah! A third IP! New attack. Maybe a fourth or fifth IP.. no problem, attack them and kill 'em.
If the attacker is reasonably smart, he does a lot of bouncing via Wingates, making it impossible to track him down. One or two bounces, and he's pretty safe. We can forget about tracking him down. It's irrelevant if it's possible -- the DDoS has already been executed. It could be done as a terrorist act, by someone who isn't located in a 'specific' place. Therefore depending on tracking down the culprit isn't good enough.
OK, say that the customer has enough bandwidth to sustain a divided attack. That it takes all 100 hosts to kill its bandwidth. Oh well, then he attacks with every single host. The victim goes down for 5 seconds, switches to a new IP, the new route takes [unknown time, I guess a couple of minutes, I don't know that stuff] to spread out netwide. The attacker notices this after, say, 1 minute, and attacks the victim's new IP - full force. The victim switches back.
This would still disrupt traffic to the site. If a site is down for about 30% of its requests - it is down for too many people. 30% of the people accessing the page will get an error message about the host being unreachable. That's unacceptable. The rest would find the service disrupted after getting the front page, and having a 70% chance (probably less) of getting to the next page - due to the new IP address.. DNS lookup, and so forth. Remember, it takes time to propagate DNS too. Far too long a time.
So, the suggested approach doesn't work. It may, perhaps, slow down the attack, or STOP the unskilled attacker -- but it wouldn't fool - for example - me. Now, luckily I'm not a smurfpuppy.. but if it won't fool me, then my guess is - it won't fool the dedicated attacker.
However, there is a way to prevent, or at least slow down / make it easier to track DoS attacks (not DDoS.. or it would take some more time). If ISPs got new router software, making it possible to grep the packet stream for certain packets (ICMP for example), and giving access to this to other ISPs... then it would be possible to speed up the tracking. This, however, has severe privacy issues. As well as the load probably would be far too much for the router to handle. I'm not skilled enough in router-related things to know if it would be possible (load-wise) to apply -- but I think it would be a possible solution, if implemented in all core routers. Possibly with limited information (only what router the packet stream is coming from).
-- "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
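The timing argument in the post above (victim notices the flood, switches address, the new address takes a while to become reachable, the attacker re-resolves and follows) as an added toy model; this is not code from the thread, and the model, the one-second tick, and every parameter value are assumptions chosen to make the post's two cases comparable. It contrasts the attacker the post says current tools implement (one lookup, then attack the address) with one that re-resolves on a timer:

```python
def simulate_rotation(duration, rotation_delay, detect_delay, lookup_interval):
    """Fraction of seconds during which clients could reach the service.

    One-second ticks. `current` is the address published in DNS (TTL 0, so a
    fresh lookup always sees it), `usable_at` is when that address is reachable
    network-wide, `target` is what the attacker is flooding. `lookup_interval`
    None means the attacker resolves once at t=0 and never again.
    All of this is an assumed model, not a measurement.
    """
    current, usable_at, target = 0, 0, 0
    attacked_since = None
    up_seconds = 0
    for t in range(duration):
        # Attacker side: re-resolve the name on its schedule (or only once).
        if lookup_interval is None:
            if t == 0:
                target = current
        elif t % lookup_interval == 0:
            target = current
        attacked = target == current
        # Clients get through only if the published address is routed and not flooded.
        if t >= usable_at and not attacked:
            up_seconds += 1
        # Victim side: after detect_delay seconds under fire, publish a new address,
        # but only once the previous move has finished propagating.
        if attacked:
            if attacked_since is None:
                attacked_since = t
            if t - attacked_since >= detect_delay and t >= usable_at:
                current += 1
                usable_at = t + rotation_delay
                attacked_since = None
        else:
            attacked_since = None
    return up_seconds / duration


def availability_table(duration=600, detect_delay=5):
    """Availability for the three attacker behaviours the post contrasts."""
    return {
        "one-time lookup, 30 s rotation": simulate_rotation(duration, 30, detect_delay, None),
        "re-lookup every 60 s, 30 s rotation": simulate_rotation(duration, 30, detect_delay, 60),
        "re-lookup every 60 s, 120 s rotation": simulate_rotation(duration, 120, detect_delay, 60),
    }


if __name__ == "__main__":
    for scenario, avail in availability_table().items():
        print(f"{scenario:40s} {avail:6.1%}")
```

With these numbers the one-time-lookup attacker is beaten after a single switch (the site is up for the rest of the run), a re-resolving attacker against a 30-second rotation leaves the site reachable only about 42% of the time, and once the rotation takes longer than the attacker's re-lookup interval the site is never reachable at all, because every new address is already being flooded by the time it is routed. The usable fraction works out to roughly (lookup interval - detection delay - rotation delay) / lookup interval when that is positive, which is the shape of the post's "30%" claim.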
19932845 Mar 23 23:52 linux-2.3.99-pre3.tar.gz
21544357 Mar 30 19:49 03302000linux-2.3-xfs.tgz
Finally! A filesystem which is larger than the whole OS! :)
From the announcement: "A complete linux 2.3.99pre2 tree including the XFS filesystem is available for cvs checkout."
If I understand the above correctly, the filesystem is 21544357 - 19932845 (= 1611512).. which is considerably less than the kernel.
Sorry if i misunderstood anything.
-- "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
First off, it's closed source. If we find bugs, we have to report them to the company, which in turn needs to fix them, release a fix (after a looong while), and so on. It won't be good enough.
Secondly, the company is saying "we're doing it the legal way, use us!". Eh? They are saying DeCSS is illegal? They are indirectly saying that reverse engineering should be illegal? Excuse me, I don't want to buy ANYTHING from such a company.
What we need is a fully opensourced DVD player for Linux. With "all keys" included. If it violates a couple of copyrights - then who cares? Who is going to stop it?:-)
-- "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
What if someone found a hole in Apache? Should they post it far and wide, or should they quietly pass it along to the main developers so that the hole can be closed before half the world's websites are replaced by "ThiZ Site HAXed by KeWl d00d"?
It should be openly published. Nobody can know for sure that they are the first to discover the bug. It could've been circulating in hidden circles for years - without anybody knowing.
It is blatantly disrespectful to the customers not to open the bugs to the community. Only that way they may secure themselves.
-- "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
My site DOES NOT mirror the source and binaries anymore. I cannot see how I possibly can stand up legally when Mattel suddenly has copyright on the program / essay.
They are TAKEN DOWN.
(But I still link to relevant sites. Oh, and the openpgp mirror should still be up..)
-- "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
I don't think it's appropriate to characterise this as Microsystems et al "winning". The document is out there, I know the mirror sites aren't going to take it down without a fight
My mirror of the files is going down now. I'm not interested in fighting the fight for you. Sorry mate, you made a great program - you made a fool out of mattel, but now you've made a fool out of us who supported you.
I feel like a fool. I've recommended people to mirror the stuff, I've put up a pretty decent mirror myself with links to the relevant articles and stuff. And now - you go ahead and do this.
Well, well, my mirror is taken down effective immediately. (At least the mirror of the essay / files).
-- "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
Oh please, shut your hole. If you have a problem with katz, register and disable him in your profile. nobody is forcing you to read his articles.
I for one enjoy katz articles, and love his writings here on slashdot. I'm really FED UP with all you AC's shouting every time he writes something. Register yourself, and make yourself a katz-free profile. I'm sick and tired of your stupid rantings.
-- "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
First off, there is nothing new in censorware malfunctioning like this. There is nothing new in censorware blocking sites they shouldn't. Take a look at peacefire.org for lots of examples.
beaver.com should pursue every maker of censorware that blocks their pages. They block legitimate pages, legitimate universities.. and so forth.
Furthermore, I read that the Inquirer article "promoted" Cybersitter from Solid Oak Software. Well, take a look at the aforementioned peacefire site. Solid Oak Software don't want criticism. They block every page that criticises their software. Like www.spectacle.org which has delivered quite a lot of criticism.
Not to mention. I wrote to Solid Oak once, and told them my opinion about them blocking peacefire, and that I would NOT buy any form of product from them, as long as they had that kind of attitude. You know what the jerks did? Heck, they mailed my abuse@ department. The funny thing is.. I *am* my abuse department. When I answered their complaint that they were being childish, and that they should stop sending *fake* abuse messages (complaining about SPAM? When I send them opinions and feedback?), the freaking head of Solid Oak answered that they had sent the case to the "FPI" for investigation (I have a feeling that the nutcase has some problems with writing "FBI" or something ;)
Ohwell. Enough ranting.
-- "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
You should be aware that toywar managed to get several people to QUIT etoys?
I am pretty certain that it was toywar that did most of the stock-crashing. They drove the stocks down with false orders, threatening emails, flaming emails, and so forth. The entire company got the "wrath of the internet" poured down their shirts. They didn't have a chance.:)
-- "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
Heh, the first thing I started wondering about, when I read about the Crusoe chip was.. will it be software-upgradeable? In that case - it should be vulnerable to computer viruses. That - is definitely not a good thing.
Anybody know if this thing is going to be software upgradeable (Something that would be both good and bad).
Anyone?
-- "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
Having said that, here's my question: You've said yourself that you are not a technical person. What makes you think that you can speak for those of us who are?
When I first came to slashdot, it was the "News for nerds" title that drew me. I'm a nerd. I'm a geek. And so forth.
Technical things are interesting. But there are other things that make me pay attention too. For example - Jon Katz, when he is talking about the bullying of geeks.
I don't know about you, but I for one was the main "victim" of my school, from first to ninth grade. Only one slashdot poster has made me cry. And that is Jon Katz - because some of his articles hit too good.
Maybe his articles aren't interesting to you. They sure are to me. His articles are the best there is on slashdot - in my opinion.
-- "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
I think the.. uhm.. "criminal-lower-age" (uh, how the heck do I translate "kriminelle lavalder" to English?:) in Norway is 15 years. In other words, from the age of 15 - you CAN be hit by the full force of the law. In reality, you are not. But you CAN be.
-- "Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
ha.ha.ha
just change your settings to ignore jonkatz.
Some of us actually enjoy reading his insightful articles.
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
Correction.
net-wide, not web-wide. The web doesn't play in.
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
What the fuck? Are you serious?
The timestamps on the articles posted to advogato are March 31.
I really, really, really hope this is a bad joke!?!?
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
I usually hate this kind of messages, but:
:)
I agree!!
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
Download from the source, but do make mirrors! Just don't download from them .. yet !
Mirror it all over the net!
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
http://arcade.kvinesdal.com/cyberpatrol.html
:)
My little contribution.
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
My little mirror.
Of course, everything there is downloadable from the swedish site, but its important to get it mirrored fast.
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
First, I didn't see the "not" .. then I started wondering wtf you were posting with Score 1 .. and then I noticed the "not".
Please, stop abusing someone's name. Register as yourself, damn it.
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet
I disagree. It cannot be proved that Jon - or more correctly - the person that reverse-engineered the program - ever clicked 'yes' to any agreement.
Therefore, it should really be a non-issue.
--
"Rune Kristian Viken" - arcade@kvine-nospam.sdal.com - arcade@efnet