re: Speculation concerning the denial of service attacks
Hi Ray,
Despite all of the spin in the press and out of Washington these past two days (wowser, those folks put on a good, convincing show, don't they?), there is no consensus as of this time, this evening, concerning the actual nature of the attacks that have taken place. Nor, if they were all done by the same crackers. Nor, if they were consistent in their makeup. If someone suggests otherwise, then you should advise them that they should pass the news along to the ISPs, because they are still trying to sort things out.
If there is a tool which the kiddies have used (the term which the ISPs sometimes use to describe the attack scripts: kiddie-scripts, kiddie tools, etc.), or one that has been listed in the CERT advisories that you listed (uplinked post), it's been mentioned on the ISP lists today. Everything from Distributed DoS's to Smurf Attacks, to the favorite term which the press has picked up on, "coordinated denial of service" attacks.
Speculation is still in large supply right now, and clue is in rare supply. To highlight these facts, here are two posts from network operators who are in the midst of ducking bullets right now. The first is from a regional ISP and the second is from an ILEC's Internet Services Division, who I suspect just heard one of those bullets zing right by his ear. Enjoy.
Frank

-----------

One ISP admin wrote:
"On the subject of cooperation, has anyone set out to catalog where these attacks are coming from, at least in terms of compromised networks, and share said information? I know similar catalogs sprang up in response to smurfs ... is it time to start listing offending networks? Even better, does anyone know if the attacks are using something like TFN2K and using dummy addresses to obfuscate real attacking hosts?
I see a lot of talk of attacked sites putting up router filters to stop attacks. Can anyone who knows let the rest of us in on what was filtered ... was Yahoo taken down with a flood of HTTP GETs, ICMP, UDP, SYN floods, or what? If this is a DDoS, the attack could probably be fingerprinted ... this would be very useful information if we are going to see more tomorrow. Do we know if the source addys are spoofed, and if an attacker could turn off spoofing, revealing the source of the traffic but getting around some filtering?
I am making the assumption that the last three days' attacks were caused by the same person or persons. But the intent is the same regardless ... we can all go back and forth on NANOG about what might be happening, and wait for the feds to chase down the attacker(s), or people who have been attacked or might be attacked can compare notes and try to get an idea of where the attacks are coming from and exactly what they are.
Any relevant info would be appreciated. Nobody knows who is next.
-travis
On Wed, 9 Feb 2000, [poster] wrote:
> Make it a law, and they will. But I don't think laws are the answer
> to cooperation. The Tier1's should take the time to work together on
> their own before they are forced to in a way they may not like.
>
> --
> <delete>
>
> On Wed, 9 Feb 2000, [another poster] wrote:
>
> > they should be made to co-operate with the backbone provider and not have
> > much choice in the matter.
-------------------------------------------------------------------

Later, this ILEC Internet Services Manager wrote:
I spoke with a person who claimed to understand the attacks that are going on. While I have no proof, I offer this as an example of what to look for on your own systems. So I am presenting this only as a possible example of what has taken place, and until proven correct I concede this is only a "rumor."
Basically it began by combining many scripts already in use for scanning system security holes. The script initially scans a range of IPs, scanning each target system for various known exploits; once a system is compromised, the second half of the attack goes into effect. I believe it uses some form of remote execution via rcp once it's been compromised to copy and execute what seems to be a specially made "DoS Daemon" to the host; once there, this daemon runs waiting to receive its orders from the people who put it there. Therefore, once enough systems were compromised in this fashion and enough systems on the net were unknowingly running this daemon, the attackers simply gave the order to hit the targets this week and their daemons went to work. With this in mind we would need someone to find a box with this daemon on it so we can find a way to detect its existence on other systems. Logically, since the compromise of the systems was done with a script, this "DoS Daemon" would be set up the same way on every compromised system. Therefore, if someone can find it on one box, we will know exactly what to look for on other hosts. This of course will only help us if our own systems have been compromised and wouldn't be of any use at all for those boxes not within our control.
One final note, a friend from Verio suggested that in the above scenario this daemon would probably be using TCP to be communicated with, as UDP is more difficult for a lot of people to code.

=========================================================
And just a few minutes ago while editing this piece, a widely trusted Internet consultant wrote this:
On Wed, 09 February 2000, [an ISP poster] wrote:

> From my perspective, corporations are filtering information through
> clueless PR flacks to a (relatively clueless) media. I can't buy that sites
> hit by an attack 48 hours ago "have no idea what is going on." If that's
> the case, some people need to be fired real quick.
I'm not too concerned about clueless media and PR flacks.
But at NANOG I spoke with several people I thought would know, who didn't. I didn't talk to any GlobalCenter folks because I couldn't find any. They disappeared on Monday. But I did speak with several security people with other providers, and they hadn't heard any confirmed technical details. Just speculation about what had happened. In particular, everyone was wondering what made the attack so hard to detect as a DoS.
Ok, I know, I don't work at an ISP anymore, so I'm not a member of the club. I think several departments at WorldCom are under orders not to speak to me. But instead I found the security folks at other providers were happy to talk about it, but didn't know any more than me. This worries me.
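Two of the open questions in the thread above are what kind of traffic the flood actually consisted of (SYNs, ICMP, UDP, HTTP GETs) and whether the source addresses were spoofed. The script below is an added illustration of how an operator could answer both from exported flow records; it is not code from any of the posters or from the attack tools mentioned. The flow-record format, the sample records, the victim address 192.0.2.10 and the "our prefixes" list 10.0.0.0/8 are all constructed for the example. It fingerprints the dominant traffic class toward a victim and, for flows leaving the operator's own border, flags sources the operator could not legitimately have originated (the egress/ingress filtering idea later written up as BCP38).

```python
"""Fingerprint a flood from flow records and flag likely-spoofed egress sources.

Added illustration, not code from the mailing-list thread. The record format,
sample data, and prefix list are constructed assumptions.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: one-minute egress flow summaries from a hypothetical ISP
# border router, as "src dst proto dst_port tcp_flags packets".
SAMPLE_FLOWS = """\
10.1.4.20    192.0.2.10 tcp  80 S  40000
10.1.4.21    192.0.2.10 tcp  80 S  38000
10.2.9.3     192.0.2.10 tcp  80 S  41000
198.51.100.9 192.0.2.10 tcp  80 S  42000
0.0.0.0      192.0.2.10 tcp  80 S  15000
10.1.4.20    192.0.2.10 icmp 0  -  2000
10.3.3.3     192.0.2.10 tcp  80 SA 300
10.5.5.5     192.0.2.25 udp  53 -  120
"""

# Assumed: the address space this network is allowed to source packets from.
OUR_PREFIXES = [ip_network("10.0.0.0/8")]


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, port, flags, pkts = line.split()
        flows.append({"src": src, "dst": dst, "proto": proto,
                      "dst_port": int(port), "flags": flags, "packets": int(pkts)})
    return flows


def classify(flow):
    """Bucket a flow by the kind of traffic it would contribute to a flood."""
    if flow["proto"] == "icmp":
        return "icmp"
    if flow["proto"] == "udp":
        return "udp"
    if flow["flags"] == "S":   # bare SYNs, no handshake completion seen
        return "syn"
    return "tcp_established"


def fingerprint(flows, victim):
    """Return the dominant traffic class toward `victim`, its packet share,
    the number of distinct sources, and the full per-class breakdown."""
    totals = Counter()
    sources = set()
    for f in flows:
        if f["dst"] != victim:
            continue
        totals[classify(f)] += f["packets"]
        sources.add(f["src"])
    if not totals:
        return None
    top, pkts = totals.most_common(1)[0]
    return {"class": top, "share": pkts / sum(totals.values()),
            "sources": len(sources), "breakdown": dict(totals)}


def egress_spoof_check(flows, our_prefixes=OUR_PREFIXES):
    """Flag flows leaving our border whose source we could not have originated.

    Any such flow is either misconfiguration or a spoofed source and should
    never have made it past an egress filter."""
    flagged = []
    for f in flows:
        src = ip_address(f["src"])
        if src.is_unspecified or src.is_loopback or src.is_multicast:
            flagged.append((f["src"], "reserved/unroutable source"))
        elif not any(src in p for p in our_prefixes):
            flagged.append((f["src"], "source not in our address space"))
    return flagged


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(fingerprint(flows, "192.0.2.10"))
    for src, reason in egress_spoof_check(flows):
        print(f"spoof indicator: {src}: {reason}")
```

On the sample data the victim's traffic is almost entirely bare SYNs, which is what a SYN flood looks like in flow data, and two of the contributing sources (198.51.100.9 and 0.0.0.0) could not have legitimately originated inside the assumed 10.0.0.0/8, which is exactly what an egress filter at the border would have dropped.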