Great DDoS of 2000
From Hack Story
THE DDoS HAS COME AND NOBODY KNOWS HOW IT HAPPENED
Mercè Molist
Why so much publicity for the flood attacks against Yahoo! or Amazon, while hordes of thieves grab lists of credit cards on the net and nobody says a word? What self-respecting netizen would go after those who offer them good information and cheap hardware? Does the FBI really believe people are going to install its detector for Distributed Denial of Service (DDoS) trojans without being able to see the source code? It is all questions and few answers the day after the so-called Great Hack of 2000, although the hackers are ready at any moment to hang someone for mixing them up in such a mess.
Throughout last week, services as emblematic as Yahoo!, ZDNet, CNN, eBay, E*Trade, Amazon, perhaps also Excite and even Proflowers.com (?) reported having gone down for one or more hours under a DDoS attack, which consists of launching tons of data or rigged instructions from dozens of computers against a single target until it falls over. The story quickly went around the world on the back of the media, which soon attributed the mysterious attack to a protest against the commercialisation of the net, while the hacker community distanced itself from the first moment. Nothing to do with the community, however fed up it may be with companies and the rest. Brian Martin, a well-known North American hacker, spoke for everyone: "There is no grace, no skill, no intellect behind these attacks. You are not a hacker and we do not respect you for your childish pranks."
On the other side of the mirror, the Federal Bureau of Investigation (FBI) investigated for three days only to reach a dead end: the attacks, in which poorly secured computers at North American universities took part, used the technique of "spoofing", which masks the real source IP address. Other voices began to comment on the attackers' technique, since they seemed to know the topology of the invaded networks well, and conspiracy theories grew in the Internet forums. Who and why? remain, a week later, the unanswered questions, although the list of possible candidates keeps growing. In any case, the biggest winner so far has been computer security education, in the form of colourful diagrams in media outlets around the world.
"Who benefits from denigrating the image of the hacker and from more restrictions on individual freedoms? Whoever is responsible is either completely stupid or knows exactly what they are doing." The magazine "2600" started the paranoia, still in the middle of the storm, with a statement pointing to the FBI as responsible for the attacks, in order to obtain more funds and more credibility for its demands to spy on the net. Soon, someone was implicating the NSA, another the Mossad, Microsoft, the coincidence of dates with the signing, in 1996, of the Telecommunications Act, or in 1933, the burning of the German parliament, security consultants and insurance companies looking for frightened customers, disgruntled employees, the Judeo-Masonic conspiracy, those with an interest in more laws for the Internet, a party for the release of Kevin Mitnick, the same people as in Seattle and, as someone said on "Slashdot", "any dissatisfied citizen anywhere on the planet".
With the "who" avenues exhausted, attention now turns to the "how" and to prevention. In an unprecedented move, the FBI is giving away detectors for Tribal Flood Network 2, one of the programs used in the DDoS attacks, to anyone who doesn't mind installing an FBI program without public source code. The main computer security sites offer detailed information about what, for many, could have been avoided if system administrators had heeded the warnings of the Computer Emergency Response Team which, since the middle of last year, had been warning about this new type of attack. Others lash out at the "psychopath hackers who write destructive programs", alluding to Mixter, author of Tribal Flood Network, a 20-year-old German who, in an interview with ZDNet, in turn lashes out at insecure computers and advocates authentication and the new IPv6 protocol to put an end to DDoS.
Although rumours and opinions, fed by the media, are boiling in the forums, the scandal seems to be more outside than inside, and few cyber-rights organisations have spoken out on the "crash". At the close of this edition, only People For Internet Responsibility (PFIR) and the Center for Democracy and Technology (CDT) had urged commercial firms to take note by securing their machines, and had warned about the dangers to privacy that may come from demands for a legal and technical hardening of the Internet, demands already heeded by President Bill Clinton, who last Friday promised to make the net as secure as a bank.
Lessons in DDoS: http://www.hackernews.com/bufferoverflow/00/dosattack/dosattack.html
CERT: http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html
http://www.cert.org/advisories/CA-2000-01.html
WHO AND WHY?
Mercè Molist
Denial of Service (DoS) attacks are one of the most basic strata of computer security and one of the hardest to be safe from. They consist of sending a large amount of information to a machine, in the form of e-mail messages (so-called "mailbombing") or data packets, until it can no longer cope and stops working. Pure brute force, in which whoever has more bandwidth to throw at the other side wins.
The wave of attacks of these days belongs to a new form of DoS, DDoS (Distributed Denial of Service), experienced since the middle of last year by some universities and military centres in the United States: the attacker has previously taken control of dozens, hundreds of computers, on which they have installed a program that turns them into their slaves. On their command, all of them launch against the target, multiplying the power of the attack until it reaches the terrifying levels of 1 GigaByte per second that not even Yahoo! could withstand. Since the shots come from so many places, it becomes harder to block them and, afterwards, to retrace the path to find the attackers.
"It is very hard to be protected against this. It has nothing to do with the security of the attacked site, but with that of the attacking machines," explains Jordi Linares, of the Spanish Computer Emergency Response Team (CERT). There are programs on the Internet, such as Trinoo or Flood Net (used by "hacktivists" in their virtual demonstrations), that allow one of these star wars to be waged single-handedly. But, says Linares, "from the way they set it up, it looks like a group of people who have pooled their compromised machines."
It could have happened any day, but this new demonstration of the fragility of the net has surprised and outraged. Who and why? are the questions. Some now recall the computer blackout suffered by the National Security Agency at the end of January, others see it as a protest against the arrest, last week, of one of the creators of the DeCSS program, a DVD decrypter, and some talk of a show of force against Big Brother and the commercialisation of the net. In any case, the old-timers recall, the action has nothing to do with "hacker" ethics.
-----------------------------------------------------------------------------
From Wired News, available online at:
A Frenzy of Hacking Attacks
Reuters
6:00 a.m. 9.Feb.2000 PST
SAN FRANCISCO -- Hackers pulled off a series of brazen attacks on major Web sites Tuesday, leading to shutdowns at Buy.com Inc. and eBay Inc. after a similar assault hit Yahoo! Inc. the day before.
Datek Online Holdings Corp., the No. 4 U.S. online broker, on Wednesday said its Web site crashed for 35 minutes as it became the latest apparent victim of computer hackers that have wreaked havoc across the Internet this week.
Meanwhile, the CNBC television business channel and investors posting messages on Yahoo! Inc.'s (YHOO.O) message board reported that E-Trade Group Inc. (EGRP.O), the No. 2 U.S. broker, was also having problems earlier in the day. E-Trade's Web site, however, was
The attacks followed the same pattern, with a massive flow of automated Internet messages landing on the sites and swamping them with millions of messages, effectively blocking them to routine traffic. Other sites, too, appeared to be operating slowly, suggesting even more might have been targeted.
Late Tuesday, online retailing giant Amazon.com Inc. (AMZN.O) also appeared to have fallen victim to an attack, according to Internet monitoring firm Keynote Systems Inc. Hackers also did serious damage to the CNN Interactive, which administers the Web site of Cable News Network, cnn.com, slowing content flow to a trickle for nearly two hours, a CNN official said.
Keynote, which tracks Web sites' speed and reliability, said it noted a sharp drop in Amazon's ability to let customers into its store and minutes later was able to enter only about 1.5 percent of the times it tried.
"Its inaccessibility looks very similar to what we saw with Yahoo and eBay and Buy.com," a Keynote spokeswoman said, adding that the exact cause of the failure was still unclear.
Amazon's site appeared to be back up and running normally about an hour later. Amazon officials were not available for comment.
CNN Interactive spokeswoman Edna Johnson said hackers attacked the site from 7 p.m. EST until about 8:45 p.m.
"We were seriously affected. We were serving content, but it was very inconsistent and very little," Johnson said in a statement. It was the first attack on the site since it was launched in August 1995.
By 8:45 p.m., the company's upstream providers had put blocks in place to shield the site from further attacks.
The Federal Bureau of Investigation in San Francisco met Tuesday with Yahoo, the first to be hit. The government has bolstered its efforts to track down electronic crime on the Internet since e-commerce has turned into a serious driver of the economy over the past two years.
"We are in a dialogue with Yahoo," a spokeswoman for the agency said. "I can't comment further right now."
The FBI had no immediate comment on the eBay and Buy.com situation.
The rapid succession of disruptions on a massive scale suggests that the same group was behind all of the attacks, said Elias Levy, chief technology officer of Securityfocus.com, a computer security information service.
"It would be very difficult to assemble this level of attack so quickly if it were a copycat," said Levy. "That doesn't mean it couldn't happen. But to generate this level of traffic requires a lot of machines working together."
By repeating the attacks, the perpetrators are raising the possibility that they will be apprehended, he said, but because their attacks can be directed from anywhere on the globe they could be difficult to find.
The incidents have relied mostly on brute force, not obscure technology, to do damage. The hackers are simply inundating the commercial Web sites with so much traffic they can no longer operate. Yahoo's site was pounded with one gigabit, or one billion bits of information, per second, or about what some sites handle in an entire week, at the height of Monday's attack.
The data was sent from "zombie" machines taken over by a single person or group of people from a remote location.
"The problem is to find the command center that's controlling all of the machines," said Christopher Klaus, chief technology officer of Internet Security Systems Inc. "This is a nontrivial problem."
The hackers avoid detection by jumping from one computer network to another to cover their tracks, and by immediately erasing any data that might identify them.
Yahoo, the biggest stand-alone Web site and the first to be hit, was almost completely shut down for over two hours on Monday, although the company said it expects no financial impact from the incident.
"From a financial standpoint, there isn't any impact," said a Yahoo spokeswoman.
Yahoo, which generates much of its revenue through advertising, was able to reschedule ad spots. But since an estimated 100 million pages would have been viewed during the two hours the site was down, the company could potentially have lost as much as $500,000, analysts said.
Yahoo said the attack on its site has been narrowed to 50 Internet addresses, though computer security experts said that even with that number, it would take time to track any hacker or hackers with the skill to shut down Internet giant Yahoo.
The attack is called a distributed denial of service attack, a concerted move to inundate a site from many points. Since computer programs are used, a single person could launch the attack, although it seems to be coming from many points.
But investigators need to go behind the target computers to find the command center that directed the attack and Gordon predicted an answer would be elusive in the near future.
Buy.com became the second major site hit, as its operations were shut on what should have been a big day for the Internet shopping service, which completed a successful initial public stock offering and saw its stock nearly double in price from the $13 offer price. It closed at $25.125. EBay later reported it had been hit by "a coordinated denial of service attack."
Wall Street analysts have shown more tolerance for companies which are hit by outside hackers than those whose own systems have failed or whose data has been corrupted. Yahoo stock was up despite the raids, gaining $19.125 to stand at $373.125, in a day of strong trading in Internet issues.
But despite Wall Street's willingness to shrug off the shutdowns, security experts warned that the industry needs to deal with the issue or it will continue to disrupt the emerging e-commerce economy.
"This should remind us that the Internet is fairly new and fragile," said Securityfocus.com's Levy. "E-commerce is growing faster than the building blocks underneath the Internet, and we have to go back and take a look at them."
E-Trade officials were not immediately available for comment.
Datek said one of the three routers that it used crashed earlier in the day after getting overloaded with traffic.
"It seems to be related to the 'denial of service' attack," Chief Technological Officer Peter Stern told Reuters, referring to the attacks on Yahoo!.
The router was down from 9:30 to 10:05 a.m. EST (1430 to 1505 GMT) before going back into operation, he said, adding that Datek customers had trouble logging on to its site as a result.
"I don't know if they were hackers, but I find it highly unlikely that someone just pulled the plug," he said.
Some Datek customers were able to log on to the site by using one of the other two routers that the broker had at its disposal, according to a spokesman.
Officials at TD Waterhouse Group Inc. (TWE.N), which apparently uses the same troubled router as Datek, could not be reached for comment.
Copyright 1999-2000 Reuters Limited.
Copyright 1994-99 Wired Digital Inc. All rights reserved.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[: hacktivism :]
txt below was sent to some people at major ISPs and firstname.lastname@example.org
feel free to pass it on to HNN people -- i know they are trying to separate between FUD and whatnot...
what follows is some detail into some of the problems we've seen here at yahoo over the past several days.
sorry for not getting this information out there sooner -- we needed to be sure we are well protected first...
we've had at least 4 separate attacks to our globalcenter hosted network over the past week. we have fewer details on the earlier ones, but they all seem to have similarities. they all seem to at least have a large distributed smurf component to them. we haven't been able to verify anything more than icmp smurf attacks, but as stated, early attacks had little or no data to base this on.
from what we've heard from other sites, many of the other attacks have been similar to what we've seen, while some have been completely different. e.g. we've heard of a syn-attack that was either single sourced or at most had a few sources. one would assume there has been a fair amount of copycat activity.
the only attack that had a significant impact on us was the highly publicized one that began monday morning at about 10:30am PST. at that time we didn't realize that we had been attacked earlier (on a smaller scale) and therefore an outside attack wasn't at the top of our list of troubleshooting. definitely a surprise attack.
the initial flood of packets, which we later realized was in excess of 1G bits/sec, took down one of our routers. after the router recovered we lost all routing to our upstream isp. having had recent problems with some of our network gear we were sidetracked for the first hour+ trying to eliminate other possible issues.
we finally had all traffic to us turned off upstream. this allowed us to get basic routing back up and then realize that we were under a DoS attack. it was somewhat difficult to tell what was going on, but at the very least we noticed lots of icmp traffic. it took us and our isp some time to stabilize things: basically temporarily filtering all icmp - we were then able to glue things back together.
getting things back up then caused major disruption as pent up real traffic began to overwhelm the system. things finally stabilized and at the time it wasn't clear whether the reason for recovery was due to the fact that the attack had ceased. our isp managed to log only a few packets during this time. our isp did record that a significant percentage of their peering circuits were taking part in this attack. i.e. it was widely distributed.
subsequent attacks have had little to no effect. of course we were better prepared and knew what to expect. but most importantly because of measures our isp took to limit such attacks.
currently our isp is using CAR to rate limit icmp at various points within their network. an important thing to note is that doing CAR or filtering on echo request / echo reply is probably not enough.
these icmp types can probably also replace echo packets during an attack:
router advertisement
router solicitation
information request
information reply
timestamp request
timestamp reply
address mask request
address mask reply
while an attacker(s) won't be able to generate these packets with a large payload (my guess, i don't have time to verify specific icmp protocol details), these packets can come in at the same high rate as echo packets would.
these rate limiters did their job nicely on subsequent attacks. the most recent one resulted in a manageable 150M bits/sec coming through to the yahoo site. our isp was able to log quite a few of these packets during this bout. we noticed at this time that most of the icmp packets were destined to www.yahoo.com servers as well as our nameservers. i.e. "well-known" servers were the focus of the attack.
now about 'no ip directed-broadcast' business. it won't help with DDoS. the whole point of DDoS is to get by that countermeasure. if you have for example 2,000+ hosts and you want to make sure you can't be an amp site, you put 'no ip directed-broadcast' .. well .. if i can break into one of those 2,000+ hosts, i just ping from within that network.
in fact, on one of the traces we got, this is exactly what it looks like. the destination ip was 255.255.255.255 and the source was us.
the attack was against our routers (spoofed src ip was that of our router interface). it seems that attacker(s) knew about our topology and planned this large scale attack in advance. in talking to different other companies it seems they also were hit "where it hurts the most".
it seems that this is definitely a DDoS attack, with attacker(s) being smart and above your average script kiddie. attacker(s) probably know both unix and networking (cisco, etc) pretty well and learn about site topology to find weak spots.
we have a few emails sent to us from people whose sites have been used as an amplifier. our isp probably has better/more logs than we do.
if you would like more information or have question about anything above, please feel free to drop me email: email@example.com
btw, here is a last minute note from our isp on measures taken:
Currently, we've been throttling all forms of ICMP at our borders, so other ICMP message types wouldn't be all that effective either. (We plan to modify to permit ttl-exceeded so traceroute still works under an attack).
During the large attack, upstream sources were restricted to a single gigabit ethernet denying ICMP and throttling syn-- we recovered routing at this time, and applied the same filters to all 4 Gigabit interfaces.
Making the attack a bit harder to diagnose was the loss of OSPF adjacencies-- when routing would get hosed, the attack would be sunk at the hold-down routes on the route reflectors. Once the router(s) had time to recover, the attack would resume.
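The two operational points in the note above, that an echo-only ICMP filter leaves the other ICMP types free to flood at the same packet rate, and that the amplification traffic appeared as pings to 255.255.255.255 with the victim's own router as spoofed source, as an added example (not the Yahoo engineer's or the ISP's code): a Python script over a constructed one-second ICMP trace. All addresses, lengths and packets are assumed and constructed; the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 ranges are documentation prefixes.

```python
"""Added example, not code from the Yahoo note or its ISP: an offline look at a
small ICMP trace to show (a) why a rate limiter that matches only echo request /
echo reply misses the other ICMP types the note lists, and (b) how the
directed-broadcast pattern in the note (destination 255.255.255.255, source
spoofed to the victim's own router) shows up in a trace. All addresses and
packets below are constructed; the address ranges are documentation prefixes."""
from collections import Counter

# ICMP type numbers for the types discussed in the note (RFC 792, RFC 950, RFC 1256).
ICMP_TYPES = {
    0: "echo reply", 8: "echo request",
    9: "router advertisement", 10: "router solicitation",
    13: "timestamp request", 14: "timestamp reply",
    15: "information request", 16: "information reply",
    17: "address mask request", 18: "address mask reply",
    11: "time exceeded",  # the one type the ISP planned to keep so traceroute works
}
ECHO_ONLY = {0, 8}                       # what an echo-only filter covers
ALL_BUT_TTL_EXCEEDED = set(ICMP_TYPES) - {11}

# Assumed (constructed) addresses for the example.
OUR_ROUTER = "203.0.113.1"               # our router interface, the spoofed source in the trace
WWW = "198.51.100.10"                    # the "well-known" web server
NS = "198.51.100.53"                     # a nameserver


def pkt(ts, src, dst, icmp_type, length):
    return {"ts": ts, "src": src, "dst": dst, "type": icmp_type, "len": length}


def build_sample_trace():
    """One constructed second of traffic: reflected echo replies plus timestamp and
    address-mask replies aimed at the well-known servers, a few spoofed broadcast
    pings, and three legitimate time-exceeded messages from a traceroute."""
    recs = []
    for i in range(40):                                    # classic smurf reflection
        recs.append(pkt(i * 0.01, f"192.0.2.{i % 250 + 1}", WWW, 0, 1400))
    for i in range(30):                                    # timestamp replies, small payload
        recs.append(pkt(0.40 + i * 0.01, f"192.0.2.{i % 250 + 1}", WWW, 14, 20))
    for i in range(20):                                    # address mask replies at the nameserver
        recs.append(pkt(0.70 + i * 0.01, f"192.0.2.{i % 250 + 1}", NS, 18, 12))
    for i in range(5):                                     # ping from inside an amplifier network
        recs.append(pkt(0.90 + i * 0.01, OUR_ROUTER, "255.255.255.255", 8, 1400))
    for i in range(3):                                     # traceroute replies we want to keep
        recs.append(pkt(0.95 + i * 0.01, f"192.0.2.{100 + i}", WWW, 11, 36))
    return recs


def rate_by_type(records, window_sec):
    """Packets per second and bits per second per ICMP type over the window."""
    pps, bps = Counter(), Counter()
    for r in records:
        pps[r["type"]] += 1
        bps[r["type"]] += r["len"] * 8
    return {t: (pps[t] / window_sec, bps[t] / window_sec) for t in pps}


def survivors(records, dropped_types):
    """Packets that get through a filter or rate limiter that drops the given types."""
    return [r for r in records if r["type"] not in dropped_types]


def spoofed_broadcast_pings(records, our_addresses):
    """Packets to the limited broadcast address that claim one of our addresses as
    source: the in-network ping the note describes, which 'no ip directed-broadcast'
    on the border router does not stop."""
    return [r for r in records
            if r["dst"] == "255.255.255.255" and r["src"] in our_addresses]


def top_targets(records, n=2):
    """Destinations receiving the most ICMP, to check whether well-known servers are the focus."""
    return Counter(r["dst"] for r in records).most_common(n)


def summarize(records, window_sec=1.0):
    return {
        "by_type": rate_by_type(records, window_sec),
        "after_echo_only_filter": len(survivors(records, ECHO_ONLY)),
        "after_all_icmp_filter": len(survivors(records, ALL_BUT_TTL_EXCEEDED)),
        "spoofed_broadcast": len(spoofed_broadcast_pings(records, {OUR_ROUTER})),
        "top_targets": top_targets(records),
    }


if __name__ == "__main__":
    s = summarize(build_sample_trace())
    for t, (pps, bps) in sorted(s["by_type"].items()):
        print(f"type {t:2d} {ICMP_TYPES[t]:<22} {pps:6.0f} pps {bps:10.0f} bps")
    print("left after echo-only filter:", s["after_echo_only_filter"])
    print("left after all-ICMP filter (ttl-exceeded kept):", s["after_all_icmp_filter"])
    print("spoofed broadcast pings:", s["spoofed_broadcast"], "top targets:", s["top_targets"])
```

The timestamp and address-mask replies carry far fewer bits per second than the echo replies but the same order of packets per second, which is the note's point that the packet rate, not the payload, is what the limiter has to cover.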
FBI posts software to combat hacker attacks (US)
By Stephen Shankland, Staff Writer, CNET News.com
February 10, 2000, 1:20 p.m. PT
http://news.cnet.com/news/0-1003-200-1547115.html?dtn.head
Software that can help Web sites neutralize the sort of denial of service attacks that felled Yahoo and others in recent days has been posted by the FBI and computer service organizations and can be downloaded for free.
The FBI and security site Packet Storm have posted software that can detect whether a site is being attacked. Once an attack is identified, Web site managers can implement plans to deflect the crippling amount of traffic generated by the assault.
Several distributed denial of service (DDoS) attacks this week left Web surfers unable to access sites including Yahoo, eBay, E*Trade, Buy.com, Amazon.com and others. The FBI has pledged to track down the parties who have been performing the attacks.
DDoS programs such as Trinoo, Tribe Flood Network (TFN) and Stacheldraht enable an attacker to use other people's computers to overwhelm a target with packets of information sent over the Internet. The packets typically are constructed to take up an inordinate amount of the target computer's attention.
Though the attack doesn't typically result in the loss of private information, it can halt e-commerce operations such as stock trading, because the Web sites get overwhelmed with the Internet equivalent of junk mail.
The FBI's tool examines programs on a computer for "signatures" that indicate the presence of the attack software, much like the way antivirus software looks for telltale signs. So far, several computer experts have said that the recent attacks appear to be based around TFN or a close relative.
A programmer living in Germany named Mixter created TFN. Mixter said he wrote it last year as a way to dissect how attack programs like Trinoo work and adamantly denies any involvement in the recent invasions.
Those who download the FBI's software "are asked to report significant or suspected criminal activity to their local FBI office or the NIPC Watch/Warning Unit, and to computer emergency response support and other law enforcement agencies," the FBI said.
Naturally, the FBI's National Infrastructure Protection Center (NIPC) wants to know when agents and other software that is part of the attack are found. Computer forensics--the electronic equivalent of dusting for fingerprints--can help identify who launched an attack and how.
Despite the free help, some people are nervous about running software supplied by the federal government. The software being distributed by the FBI is not being distributed as an open-source program. Therefore, users can't tell exactly what is going on under the hood.
"Unfortunately, they are only distributing executables and not source," wrote an author at the Hacker News Network site. "With all the recent cases of the FBI and NSA (National Security Administration) trying to pass legislation that will allow them to backdoor various communications systems, computer networks and everything else, how could anyone trust these?"
Like viruses, however, the attack software is expected to change to evade detection.
"Because of the rapid and continual evolving nature of DDoS tools, there is no warranty that all occurrences of different mutations of these tools will be identified," the FBI said. Security experts also add that these programs are relatively simple to create, increasing the ease of making mutations.
The FBI wrote the program so that it has to rely as little as possible on system programs that can be corrupted by "root kits," software used by computer intruders to hide their activity on computers they've broken into.
Who Are These Jerks, Anyway?
February 10, 2000, by Richard L. Brandt
The real question about the "denial of service" (DoS) attacks on major Web sites this week is: Just who are these jerks, anyway?
It could be virtually anyone. Except for non-jerks. You have to be a jerk to pull this kind of stunt. It seems to be nothing but a prank. There is no political ideology, no monetary gain, no anger against the sites being attacked. There is just the thrill of having done it and knowing that all those important newscasters on television are talking about something you did. Gee, aren't you special?
If it were political or a protest against particular sites or e-commerce in general, there should be some sort of manifesto, someone claiming credit. The point of a terrorist attack is to let people know why you did it, in an attempt to change something you don't like. But in this case, no one is claiming credit or telling us why it's happening.
Further, although there are certainly unscrupulous people who would attack a site in order to make money -- say, short a stock before the attack -- usually such a person would be smart enough to keep a low profile. When a lot of prominent sites are attacked at once, investors realize this is an anomaly and not a problem unique to the company being attacked. The stocks of these companies did not decline as much as some observers thought they might.
That's why the main speculation seems to be that this is being done by adolescents (in mind if not in body). "The people who have done this in the last couple days are amateurs," says Alex Samonte, chief engineer at SiteSmith, a company that helps build Web sites. "It appears to be just for the fun of it."
Samonte has a lot of experience on this issue, as someone who has been building Web sites for a long time. He did some of the work on the original Yahoo site.
We should distinguish between these amateurs (or "jerks") and that underground computer community that calls itself "hackers." The hacker communities are really pissed off right now, because every television news program in the universe is talking about the "hacker attacks."
Hackers like to figure out how systems work. They like to find obscure weaknesses that can be exploited. The more difficult, the better. There is status in being able to do something sophisticated. And many of them try to demonstrate their power by showing it off in some relatively harmless way, posting an obscene message, say, rather than shutting down a site.
Most hackers do not consider DoS attacks to be true hacking. You can do it automatically, using one of several rogue programs available on the Internet. (One early program, still popular, is called Smurf, although there are a lot more sophisticated programs these days.) Using such a program makes this kind of attack a simple process that we used to call "cookbooking" in chemistry lab. You don't have to know how it works, just follow the directions and you get the reaction you want. The problem in this case is that we don't know what reaction the attackers want.
Hacker news sites are complaining. On 2600: The Hacker Quarterly, for example, writers say they're insulted to be linked to these attacks by implication. The site's editors do concede, however, that the attackers have a reasonable knowledge of Internet topology.
(Suggestion to the hacker community: Find a new name for yourself. The term "hacker" has been co-opted by the press to mean any computer attacker, malicious or not. The public's definition of the word is different than yours. You can't change that now.)
The reason these attacks are so disturbing is that it could be some 14-year-old jerk doing it. And some of the recent attacks could be done by copycats, an even more despicable breed of jerk, because they don't even show any originality.
And it's not that I agree with hackers who may be trying to prove a point or make a statement, but the randomness of these attacks is clearly worse. The world is moving toward e-commerce, and it can be halted by some pimply-faced kid who doesn't have a life. Isn't that a pleasant image of the information revolution?
When I was in college at a really geeky school called Harvey Mudd College, there were lots of phone phreaks and geeks who liked to show that they could make free calls off the college president's phone line with their homemade blue boxes. I'd hang out with them sometimes and get a giggle out of doing something naughty. But then I grew up.
The current attacks demonstrate the double-edged sword of any new technology. The Web empowers the individual to do great things. It can also amplify his or her tendency to be a jerk and hurt a lot of people. With every new privilege comes a new responsibility, and these folks are irresponsible. They don't deserve access to the Web, but we don't know how to deny them service, unless they are caught.
Apparently, that will be difficult to do. It is not difficult to disguise yourself, or make it appear that you are operating from a different address. It's called spoofing. According to Samonte of Sitesmith.com, in order to trace the attack back to the origin, you have to do it while the attack is occurring, probably tracing back through several different servers, ISPs and network providers -- with their cooperation. But the people operating the target sites are too busy putting out fires, trying to get their sites back up, to spend time doing the tracing.
Here's another difficult problem: DoS attacks use innocent computers to do the attacking. They do not exploit security problems in the target sites, they attack security problems in other computers on the Internet. They get other computers -- and it could be your home computer with a DSL connection -- to send hundreds of messages to the target site. Enlist enough of those computers and you can overwhelm a site with too much traffic.
Therefore, companies that can best prevent such attacks are the Network Service Providers or Internet Service Providers, not the target Web sites themselves.
The ISPs know all the network addresses that should be routing signals through their services. These spoofed messages would have strange IP addresses on them. So theoretically, the ISPs could block any messages with the wrong address.
But they may have thousands of legitimate addresses to keep track of, and those change every day as new clients join up and old ones drop off. It is not that trivial or cheap, and the ISPs themselves have nothing to gain by it. They would only do it to prevent another company from being attacked.
In other words, "What's my motivation?" To be nice? Government subsidies might do the trick, but we know how bad government subsidies are. Right?
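The source-address check the column describes for ISPs ("block any messages with the wrong address"), as an added example that is not the author's code: a small Python model of ingress filtering (RFC 2827 / BCP 38) in which each customer-facing interface forwards only packets whose source falls inside that customer's assigned prefixes. Interface names, prefixes and packets are all constructed; the address ranges are documentation prefixes.

```python
"""Added example, not code from the column: a per-interface source-address check
of the kind the column says an ISP could run ("block any messages with the wrong
address"), i.e. ingress filtering (RFC 2827 / BCP 38). Interfaces, prefixes and
packets are constructed for the example."""
from ipaddress import ip_address, ip_network


class IngressFilter:
    """Per-interface list of customer prefixes, replaceable as customers join and leave."""

    def __init__(self):
        self.prefixes = {}

    def set_customer_prefixes(self, interface, prefixes):
        self.prefixes[interface] = [ip_network(p) for p in prefixes]

    def decide(self, interface, src):
        """'forward' if src lies within the interface's prefixes, otherwise a drop reason."""
        nets = self.prefixes.get(interface)
        if nets is None:
            return "drop: no prefixes known for interface"
        try:
            addr = ip_address(src)
        except ValueError:
            return "drop: malformed source"
        if any(addr in n for n in nets):
            return "forward"
        return "drop: source outside customer prefixes"

    def apply(self, packets):
        """packets: iterable of (ingress interface, src, dst). Returns a verdict per packet."""
        return [(iface, src, dst, self.decide(iface, src)) for iface, src, dst in packets]


def build_filter():
    f = IngressFilter()
    f.set_customer_prefixes("cust-A", ["192.0.2.0/24"])
    f.set_customer_prefixes("cust-B", ["198.51.100.0/25"])
    return f


# Constructed packets: (ingress interface, source, destination).
VICTIM_ROUTER = "203.0.113.1"          # assumed address of an attacked site's router
SAMPLE_PACKETS = [
    ("cust-A", "192.0.2.7", "203.0.113.10"),          # legitimate customer traffic
    ("cust-A", VICTIM_ROUTER, "255.255.255.255"),     # source spoofed as the victim's router
    ("cust-B", "198.51.100.200", "203.0.113.10"),     # outside cust-B's /25 as of today
    ("cust-A", "10.0.0.1", "203.0.113.10"),           # private source, never valid here
    ("cust-C", "192.0.2.9", "203.0.113.10"),          # interface with no prefix list at all
    ("cust-A", "192.0.2.250", "203.0.113.10"),        # compromised host using its real address
]


def run(packets=SAMPLE_PACKETS):
    return build_filter().apply(packets)


def run_after_daily_update(packets=SAMPLE_PACKETS):
    """Same packets after cust-B's allocation grows to the whole /24: the kind of
    change the column says ISPs have to keep tracking as customers come and go."""
    f = build_filter()
    f.set_customer_prefixes("cust-B", ["198.51.100.0/25", "198.51.100.128/25"])
    return f.apply(packets)


if __name__ == "__main__":
    for iface, src, dst, verdict in run():
        print(f"{iface:7} {src:>15} -> {dst:15} {verdict}")
```

The last sample packet is forwarded on purpose: the check stops spoofed sources, not a compromised customer host sending under its own address, which is why the column says the ISPs' cooperation is still needed to trace the rest.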
Longer term, there are solutions. Major sites need to distribute their servers and add as much redundancy as possible. That will make it harder for the attackers to find and target all their servers, increasing the odds that the site will keep running. But that's not an overnight job.
But in the meantime, this is a perfect example of the difficulty of putting a powerful tool in the hands of the people: Some people are jerks.
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred. M. Gray, USMC
C4I Secure Solutions http://www.c4i.org
This week's orchestrated hacker attacks resulted in disruptions of service at such major Web sites as Yahoo!, Buy.com, CNN, Amazon.com, E*Trade, eBay and ZDNet.
Armed with computers and software programs, such as "Tribe Flood Network," a hacker or hacker group flooded the Web servers that are the backbone of prominent Internet sites.
== 02/11/2000 08:53 PM from: mixter@NEWYORKOFFICE.COM Re: [ISN] Who Are These Jerks, Anyway?
> * 2600, "The Hacker Quarterly", can in no way act disgusted by these attacks
> and hold insult for being linked to them. When I was a teenager, sitting
> around with an all powerful 96 modem (speed!) the magazine was a good read.
> Informative, and fun. Now however, it panders to nothing more than the
> scr1p7 k1d33. Disseminating information is one thing - tell me how to
> propagate an attack in rough technical terms, and I would be able to work it
> out, probably learning a lot on the way. It is doubtful that I would take
> the attack beyond my own network and my friends, though. However, 2600 is
> guilty of providing source code directly and/or direct links in several
> cases. This is not passing the information under the ideal of "free speech".
> This is passing the gun to a teenage idiot with a seriously bad attitude.

I disagree. What is the difference between posting ready-to-use Denial Of Service programs and posting ready-to-use security vulnerability exploits? Both of them can and often will be (ab)used, but people need them as a proof that an attack is feasible. Tons of exploits are being posted on full disclosure sites and lists such as Bugtraq - would you disagree to their philosophy of combating security through obscurity by providing them?
> * Innocent is in one way correct, William, but in another I think not. DoS
> attacks are older than my cleanest pair of socks, and this particular type
> is not new. The information pertaining to it, and ensuring that your system
> is not amongst those compromised is freely and easily available. Steps
> should have been taken by now to ensure that your machine is not one of
> those used. Whether it be a home box or not - people need to act in a
> responsible way. You would lock your guns in a cabinet, rather than leave
> them outside on the window ledge, wouldn't you? What I'm saying is that
> security is only as good as the next weak machine, and we should not
> tolerate weak machines.

Correct. These sites are in fact one of the most responsible parties. I do not suggest in any way that they should be persecuted, because it is hard enough for them to understand what is going on. My proposal is to solve the whole problem like netscan.org and other organisations did successfully while defeating the "smurf" attack. Form an organization that scans the complete Internet - non-intrusively - against vulnerable versions of server software on publicly reachable hosts. Contact the administrators systematically and urge them to update their software. Something like this has already been attempted by Liraz Siri and the Internet Auditing Project (search securityfocus for BASS). That way, we had a chance of eliminating security through obscurity on the Internet, systematically.
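The back end of the scan Mixter proposes in the reply above, as an added example: once a non-intrusive sweep has collected one greeting banner per host, the work is to pull a version out of each banner, compare it with the first fixed release, and group the laggards by the administrator who has to be told. This is not Mixter's code, nor netscan.org's or the Internet Auditing Project's. The banners are constructed, the "version.bind:" record format is this example's own convention for what the scanner stored, and the FIXED_IN thresholds are hypothetical values chosen to show the comparison, not real advisory data.

```python
"""Version triage over collected service banners.  Added example; BANNERS
are constructed and FIXED_IN is hypothetical (NOT advisory data).
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, ...]


class Finding(NamedTuple):
    host: str
    product: str
    version: str
    contact: str


# Hypothetical "first fixed release" per product (illustrative only).
FIXED_IN: Dict[str, str] = {
    "wu-ftpd": "2.6.0",
    "bind": "8.2.2",
    "sendmail": "8.9.3",
}

# How each product announces itself.  The scanner is assumed to have stored
# FTP/SMTP greetings verbatim and the BIND version as "version.bind: <v>".
BANNER_RE: Dict[str, "re.Pattern"] = {
    "wu-ftpd": re.compile(r"Version wu-([\d.]+)"),
    "bind": re.compile(r"version\.bind:\s*([\d.]+)"),
    "sendmail": re.compile(r"ESMTP Sendmail ([\d.]+)"),
}

# Constructed scan output: (host, banner line).
BANNERS: List[Tuple[str, str]] = [
    ("ftp.example.edu", "220 ftp.example.edu FTP server (Version wu-2.4.2-academ[BETA-18](1) Fri Jan 8 1999) ready."),
    ("ns1.example.edu", "version.bind: 8.2.1"),
    ("mail.example.edu", "220 mail.example.edu ESMTP Sendmail 8.9.3/8.9.3; Fri, 11 Feb 2000 20:53:00 -0500"),
    ("ftp.example.net", "220 ftp.example.net FTP server (Version wu-2.6.0(1) Mon Nov 1 1999) ready."),
    ("www.example.net", "Server: Apache/1.3.9 (Unix)"),   # no rule for it: skipped
]


def parse_version(text: str) -> Version:
    """'8.2.2' -> (8, 2, 2); ignores empty components from a trailing dot."""
    return tuple(int(p) for p in text.split(".") if p)


def is_older(found: str, fixed: str) -> bool:
    """Compare dotted versions component-wise, padding the shorter one with
    zeros so that '8.2' sorts below '8.2.2' instead of above it."""
    a, b = parse_version(found), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def identify(banner: str) -> Optional[Tuple[str, str]]:
    """Return (product, version) for a banner we have a rule for, else None.
    The [\d.]+ capture stops at '-', '/' or '(' so vendor suffixes are dropped."""
    for product, pattern in BANNER_RE.items():
        m = pattern.search(banner)
        if m:
            return product, m.group(1)
    return None


def contact_for(host: str) -> str:
    """RFC 2142 security mailbox of the host's domain.  Taking the last two
    labels is a simplification (wrong for e.g. example.ac.uk)."""
    return "security@" + ".".join(host.split(".")[-2:])


def triage(banners: List[Tuple[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for host, banner in banners:
        hit = identify(banner)
        if hit is None:
            continue
        product, version = hit
        if is_older(version, FIXED_IN[product]):
            findings.append(Finding(host, product, version, contact_for(host)))
    return findings


def group_by_contact(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """One notification per administrator, listing every affected host."""
    report: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        report[f.contact].append(f)
    return dict(report)


if __name__ == "__main__":
    for contact, items in group_by_contact(triage(BANNERS)).items():
        print(contact)
        for f in items:
            print(f"  {f.host}: {f.product} {f.version} (fixed in {FIXED_IN[f.product]})")
```

Banner-based triage is only as honest as the banner: a patched vendor build that keeps the old version string shows up as vulnerable, and a hardened server that suppresses its banner disappears from the list entirely, so the notification should say "appears to run" and invite the administrator to confirm.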
HACKERS TO BLAME? DOUBTFUL
We feel sorry for the major Internet commerce sites that have been inconvenienced by the Denial of Service attacks. Really, we do. But we cannot permit them or anyone else to lay the blame on hackers. So far, the corporate media has done a very bad job covering this story, blaming hackers and in the next sentence admitting they have no idea who's behind it. Since the ability to run a program (which is all this is) does not require any hacking skills, claiming that hackers are behind it indicates some sort of knowledge of the motives and people involved.
This could be the work of someone who lost their life savings to electronic commerce. Or maybe it's the work of communists. It could even be corporate America itself! After all, who would be better served by a further denigration of the hacker image with more restrictions on individual liberties?
Let's look at the headlines:
"Government sees cyber-attacks as disruption of commerce."
"Justice Department wants more funds to fight cyber crime."
Didn't take them long, did it? And later in the same story: "But the FBI may never know who is responsible for the cyber-attacks, due to the difficulty in tracing the electronic trails, a senior law enforcement source told CNN."
How convenient. An unseen villain. No need for any actual FACTS to be revealed, but plenty of blame to be cast on hackers everywhere. We find it to be a bit too contrived.
Whoever is responsible is either completely clueless or knows EXACTLY what they're doing. It's the latter that should concern hackers everywhere.
02/14/2000 07:22 PM
see http://www.mixter.void.ru/ for more info
Inside the hacker's web The computer genius whose virus crippled global websites has defended his creation.
Arnold Kemp and Burhan Wazir Sunday February 13, 2000 The Observer
The man who calls himself Mixter is a German who has been in trouble with the law, but claims to be on the side of the angels. He is the inventor of the cyberweaponry which last week brought chaos to at least seven of the world's most important websites.
In an electronic interview with the New York Times, Mixter, who identified himself only as a 20-year-old German from the Hanover area, said last week's attacks had been 'stupid and pointless'.
He defended his publishing of the cyber disruption program 'Tribal Flood Network' on the Internet four months ago as a necessary step in the evolution of defensive measures which the Web must develop against the army of black-hat (malign) hackers motivated by mischief, spite, greed or, more honourably, by a desire to keep the Internet free from commercial and political control.
While Mixter said he was 'not trying to play down the negative aspects and dangers of this decision', he called last week's attacks 'an inevitable price to pay to be able to develop counter-measures and fixes'.
He said that security sites on the Internet were posting details which meant that 'everyone has an equal chance of informing himself about them and coming up with counter-measures'. This was 'only fair' because everyone on the Net could be affected by security issues.
But security experts, and even other hackers, criticised his explanation as disingenuous. One said it was like 'leaving a loaded gun in a room full of kids'.
Significantly, two of the computers believed to have been used to launch the 'denial of service' attacks - so called because they swamp target sites with millions of messages, causing them to crash - were located at universities in California, spiritual home of the Web as a liberating and democratic force.
A desktop computer at the University of California at Santa Barbara was used for the attack on CNN on Tuesday, while eBay was hit the same day by data transmitted in part from an Internet router at Stanford University. Investigators were also 'zeroing in' on locations in Oregon. Another source was said to be a computer in Germany, since disconnected.
The US Justice Department wants much tougher penalties for malign or mischievous hacker attacks. FBI investigators - spurred on by the direct interest of President Clinton, who has called a 'summit' in Washington this week - are searching for the origins of the attacks.
The 'cybervandals' planted 'daemons' (disk and execution monitors) on hundreds of unwitting 'zombie' computers. They were programmed to launch 'co-ordinated packet flooding denial of service attacks'.
The US National Infrastructure Protection Centre posted a warning about 'Tribal Flood Network' earlier this month. It said it was 'highly concerned' because it had been reported on so many systems and appeared to be 'undergoing active development, testing and deployment'.
Mixter is one of thousands of computer virtuosi who inhabit an ambiguous world in which good may masquerade as evil and vice versa.
The computer industry has an established tradition of hiring 'tiger teams' of professional hackers who attack systems to test their security.
But that tradition has grown to embrace unauthorised attacks in which programmers find a way to invade or cripple a system, publish the details of the vulnerability and often accompany them with software that exploits the weakness.
The terms 'white hats', 'black hats' and 'grey hats' are used to classify hackers, but the lines are often vague. White-hat hackers grew out of the tiger teams. Since the Seventies, a number of US government laboratories have deployed special groups of employees who try to bring down systems in 'digital war games'.
Charles Palmer, manager of network security and cryptography at IBM Research, leads a squad of white hats who are paid by companies to attack their computer systems.
'A white hat does it when asked, under contract, with a "Get out of jail free" card,' Palmer said. 'We'll do the job, evaluate it, and tell the customer what we're doing.'
The grey-hat hackers straddle both worlds, sometimes acting like malicious hackers but in pursuit of some greater good, real or imagined.
Mixter says he is a grey-hat hacker who recently turned white hat. He said the conversion came when he crossed a few 'legal borders' in 1998 and 1999 and fell foul of German law officials.
Now, Mixter said, 'I am a white hat, the definition meaning that I am trying to contribute to improving security by doing what I do, and completely acting within the law and hacking ethics.'
Mark Rasch, a former federal prosecutor who is now a vice-president at Global Integrity, a computer security consulting firm in Reston, Virginia, said: 'There's always been a hacker ethos, and even the bad guys have thought there are some things you can do and some things that are off limits,
'I think we've reached a point where this kind of activity is almost universally decried as being off limits.'
Still, he added, even if Mixter had posted the tools with the intent that attackers would use them, 'it's wrong, but probably not a crime'.
A member of the hacker group Cult of the Dead Cow, who goes by the handle Death Veggie, condemned the attacks as 'digital vandalism'.
'It doesn't take any skill, and it's purely destructive,' Death Veggie said. 'Once a hacker starts becoming really destructive, they stop being a hacker and become a criminal.'
Yet the Cult of the Dead Cow itself produced a program that enables a hacker to control another computer from a remote location.
Palmer consorts with such groups but refuses to recruit from their ranks, even if they claim to have gone straight. 'I don't hire reformed hackers because, let's just say, I've never really found one,' he said. 'It's like hiring an arsonist to be your fire marshal. Can you ever really sleep at night?'
At the same time, Palmer occasionally attends Defcon, an annual three-day hacker gathering in Las Vegas. He said: 'A lot of these guys get enough money to keep them in pizza. So many of them are so talented and a lot of these kids are absolutely gifted.'
Rasch, who was the lead prosecutor in a high-profile computer crime case from 1988-90, said he did not entirely agree with his former employer, the Justice Department, which is calling for stiffer penalties.
'There isn't a single case that we can point to and say, "If only the penalties were greater, the person would not have done this",' he said.
The denial of service attacks did not compromise data or sensitive commercial information like credit card details. But perceptions of Internet security took another hit on Friday when a small California Internet company said an unrelated hacker attack on its system last week had apparently gained access to consumer credit card numbers.
RealNames, a business in San Carlos, California, said the extent of the damage was hard to assess because the attack had come through mainland China, and the connection appeared to have shut down while the hackers were downloading data.
'Our best guess is that this was done by a traditional hacker, whose goal is not to steal but to prove that he has the ability to steal,' said RealNames chief executive Keith Teare, whose company sells an Internet address system.
Clinton's summit is expected to increase co-operation in a young industry that is growing fast but has not made security a priority. The industry, in turn, wants to give advice to federal regulators who are seen as too unsophisticated.
Additional reporting by Katie Hafner of the New York Times
What drives the digital destroyers
Since the Seventies, government laboratories and some corporations have deployed special groups of employees who test computer security by trying to compromise a system or bring it down in 'digital war games'.
Adhere to the philosophy that information should be free - including information about security weaknesses. For these people, 'breaking into a system or exposing its weaknesses is a good thing because truth and knowledge must win out,' says Dan Farmer, a network security specialist.
These straddle both worlds, sometimes acting like malicious hackers, but in pursuit of some greater good, whether real or imagined.
Three days of web mayhem
Hackers paralysed seven service providers last week with a blizzard of signals.
CNN, eBay, Buy.com, Amazon
German programmer "Mixter" addresses cyberattacks By Stephen Shankland February 14, 2000, 12:35 p.m. PT http://home.cnet.com/category/0-1005-200-1549399.html
The federal investigation into last week's attacks on major Web sites has reportedly turned to at least one anonymous programmer believed to have written software that may have been used in the assaults.
A programmer known only as "Mixter," who says he resides in Germany, has not been publicly accused in any of the cases and denies any responsibility for the "distributed denial of service" (DDoS) attacks. Mixter is part of a small group of underground programmers who say they create assault technologies that can be used in testing to improve Internet security.
The recent attacks have renewed controversy over this practice, raising questions about whether these programs increase the potential for misuse when they are posted publicly online. In an interview Wednesday with CNET News.com at the height of last week's shutdowns, Mixter explained his actions and philosophy on technological security.

CNET News.com: Were you in fact the author of the attack tools? (Several versions of the attack tools exist, including Tribe Flood Network, its sequel TFN2K, Trinoo and Stacheldraht.)
Mixter: I am in fact the author of the programs called TFN and TFN2K, but not of Trinoo. The original Trinoo was made some months earlier than the first TFN, but unlike TFN, (it's) not distributed publicly...Stacheldraht isn't written by me. There have been many false rumors about this. There is another German hacker who goes by the name "Randomizer" who wrote that one.

CNET News.com: Why did you write the software?
Mixter: I first heard about Trinoo in July '99, and I considered it as interesting from a technical perspective, but also as potentially powerful in a negative way. I knew some facts of how Trinoo worked, and since I didn't manage to get Trinoo sources or binaries at that time, I wrote my own server-client network that was capable of performing denial of service; later that month I published a working version of TFN on a handful of security sites to make the information public and generate awareness of the issue. The original Trinoo and other distributed tools existed since 1998.

CNET News.com: Were you involved directly or indirectly in any of the recent high-profile attacks on Yahoo, eBay, CNN, Buy.com or Amazon?
Mixter: No. The fact that I authored these tools does in no way mean that I condone their active use. I must admit I was quite shocked to hear about the latest attacks. It seems that the attackers are pretty clueless people who misuse powerful resources and tools for generally harmful and senseless activities just "because they can."

CNET News.com: What is your real name?
Mixter: I really prefer not to give you my real name. On the one hand it is a sad fact that many, many people have a bad opinion of anyone involved with "this strange hacking stuff" and that they make no difference between pointing out security weaknesses and exploiting them, and on the other hand, I'm using my handle, Mixter, because I do believe in privacy, and I simply want to keep my privacy on the Net, like many other nonmalicious people who care about security do.

CNET News.com: What is your occupation?
Mixter: I finished school approximately half a year ago, and I have been getting some offers from security companies since then. However, due to personal issues I haven't yet been able to start an employment, but I will probably be going to work in the area of source code security auditing, where I will have a great potential of improving both my knowledge and network software.

CNET News.com: How difficult is it to write the distributed denial of service attack tools?
Mixter: Not very difficult. The main concept is simply the client-server concept present in almost all Internet applications. Packet flooding and similar attacks are publicly known and available and can easily be implemented. When it comes to implementing stealth features, it might get a bit trickier. But factually, DDoS tools just make an old concept easier. Before DDoS, an attacker would just have to log on to every compromised machine, (then start) a flooding tool from each machine against the target.

CNET News.com: How difficult is it to take over a sufficient number of computers to mount a distributed denial of service attack large enough to take down Yahoo?
Mixter: Unfortunately, it is quite easy. It is safe to assume that all of the flood servers are installed on hosts compromised through vulnerabilities that are publicly known, rather old, and can easily be patched. Most attackers use automated...scripts to do long-range scans for known vulnerabilities. This procedure can take some time, but the concept is really easy. They also do this from compromised and specially modified machines to be sure that their origin cannot be traced back.

CNET News.com: How many computers would you estimate were used in the Yahoo attack?
Mixter: The amount they need depends. It isn't only the number, it is the bandwidth of each of these. From what I've heard from security mailing lists, attackers have already compromised Internet2 and other high-speed machines.

CNET News.com: Given that TFN2K uses master and slave computers and encrypted communications channels, how difficult is it to find out who originally sent the order to attack?
Mixter: Remote detection is practically impossible unless the attack goes on for a timed amount of days. In that case, if all backbone providers would cooperate and monitor their routers, the origin of some of the "slave" servers could be tracked. That was a point I wanted to prove.
Since the other existing DDoS tools weren't totally anonymous and untraceable, I saw the possibility that security people would waste their time trying to find ways to track the attacker, while the DDoS tools would sooner or later become sophisticated enough to make this impossible. There is still the chance of finding attackers if they aren't extremely careful and leave traces on the compromised hosts or manipulate and damage things on the compromised hosts enough so that the administrator detects them locally.

CNET News.com: Do you know if TFN or Trinoo were used in the Yahoo, eBay, Amazon, CNN or Buy.com attacks, or was it other software?
Mixter: I'm pretty sure a tool derived from TFN and/or Trinoo was used. Currently, many people seem to be modifying those tools, or developing new, similar ones, and keeping them private. This is because when a program is publicly known, people have a chance of identifying it locally when it is installed on their server by searching for binary patterns, as the FBI (National Infrastructure Protection Center) proved. This is basically the Trojan/virus problem, where antivirus vendors continuously bring out updated scanners, and virus authors continuously bring out new or modified viruses.

CNET News.com: Anything else you'd like to say?
Mixter: I'd like to remind people that the real problem is the insecurity of the huge amount of servers, and not the people that are exploiting it. If security companies and governments are starting a "hunt" against the people they call "hackers," they might succeed in tracking and persecuting some of them, but the real problem remains: Everyone who can manage to learn a handful of Unix commands and to set up a tool can commence DDoS attacks, as long as the overall Internet security is as bad as it is now.
I found it really disturbing and scary when I read that President Clinton is intending to dedicate $240 million for the sole purpose of wiretapping and domestic surveillance. In my opinion, no amount of denial of service attacks or computer intrusions could ever cause a comparable amount of money to be lost in the future. Additionally, such methods and laws can easily be circumvented by malicious people using compromised systems to relay through a number of encrypted channels and are therefore affecting everyone except the people they are intended against.
(Pretty clueless ideas regarding a society as far as I see it. It's simply not acceptable for a lawful society that vandals can produce damage worth millions of dollars without much chance of getting caught.)
It might well be that just tapping personal or business communication won't be enough to stop digital vandalism in the near future, and police need a view of the traffic like they can look at the number plates of cars in a city...
Oops! The net really starts growing up with both pain and joy...
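The local check Mixter describes in the interview, identifying an installed agent "by searching for binary patterns", as an added example (this is not the NIPC scanner's code, and the SIGNATURES below are constructed placeholder strings, not the real byte patterns of TFN, TFN2K, Trinoo or Stacheldraht). It walks a directory tree, reads each file in chunks, and carries the tail of one chunk into the next so that a pattern straddling a chunk boundary is still found; the demo tree it builds, with one file engineered to hit that boundary, is constructed here for the example.

```python
"""Signature scan for a known DDoS agent binary.  Added example; SIGNATURES
are constructed stand-ins, NOT the byte patterns of any real tool.
"""
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Constructed signature set: tool name -> byte strings that identify it.
SIGNATURES: Dict[str, List[bytes]] = {
    "example-agent-A": [b"flood_target_list", b"\x00cmd:udp\x00"],
    "example-agent-B": [b"ICMP_ECHOREPLY handler"],
}

CHUNK = 1 << 16                               # read files in 64 KiB pieces
BOUNDARY_FILE = "var/tmp/.x/agent.boundary"   # planted by build_demo_tree()


def longest_signature(sigs: Dict[str, List[bytes]]) -> int:
    return max(len(p) for pats in sigs.values() for p in pats)


def scan_bytes(data: bytes, sigs: Dict[str, List[bytes]] = SIGNATURES) -> List[str]:
    """Names of every tool with at least one signature present in data."""
    return sorted(name for name, pats in sigs.items() if any(p in data for p in pats))


def scan_file(path: str, sigs: Dict[str, List[bytes]] = SIGNATURES,
              overlap: Optional[int] = None) -> List[str]:
    """Chunked scan.  The last (longest signature - 1) bytes of each chunk are
    carried into the next; without that, a pattern split across a boundary is
    missed.  Pass overlap=0 to see that failure mode."""
    if overlap is None:
        overlap = longest_signature(sigs) - 1
    hits = set()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            window = tail + chunk
            hits.update(scan_bytes(window, sigs))
            tail = window[-overlap:] if overlap else b""
    return sorted(hits)


def scan_tree(root: str, sigs: Dict[str, List[bytes]] = SIGNATURES) -> Dict[str, List[str]]:
    """Walk root; map each matching file (path relative to root) to its hits.
    Symlinks are skipped so a planted link cannot steer the scan elsewhere."""
    results: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                hits = scan_file(path, sigs)
            except OSError:
                continue            # unreadable file: report nothing, keep going
            if hits:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results


def build_demo_tree() -> str:
    """Create a throwaway tree: a clean binary, a planted agent, a text file
    with a near miss, and an agent whose signature starts 5 bytes before the
    first 64 KiB chunk boundary."""
    root = tempfile.mkdtemp(prefix="ddos-scan-")
    files = {
        "usr/bin/ls": b"\x7fELF" + b"\x00" * 64 + b"ls: cannot access",
        "usr/bin/.agent": b"\x7fELF" + b"\x00" * 32 + b"\x00cmd:udp\x00" + b"\x00" * 32,
        BOUNDARY_FILE: b"A" * (CHUNK - 5) + b"flood_target_list" + b"B" * 100,
        "home/user/notes.txt": b"lecture notes about ICMP echo requests",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def demo() -> Tuple[Dict[str, List[str]], List[str]]:
    """Returns (full scan results, boundary-file result with overlap=0)."""
    root = build_demo_tree()
    results = scan_tree(root)
    naive = scan_file(os.path.join(root, *BOUNDARY_FILE.split("/")), overlap=0)
    return results, naive


if __name__ == "__main__":
    found, missed = demo()
    for path, tools in found.items():
        print(f"{path}: {', '.join(tools)}")
    print("boundary file scanned with overlap=0:", missed)  # []
```

This is exactly the arms race Mixter describes: one changed string in a privately rebuilt agent and the signature no longer matches, so a scan like this catches only tools the attacker did not bother to modify. It should be run from known-good binaries (a trojaned `ls` or `ps` will happily hide the agent from you) and paired with checks that do not depend on file contents, such as unexpected raw sockets or listening ports.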