nettime's_roving_reporter on Sat, 26 Feb 2000 10:18:35 +0100 (CET)


<nettime> Cringely: Why DDoS May be Even Worse Than You Think


   The Cat is Out of the Bag
   the pulpit 
   Why DDoS May be Even Worse Than You Think. A LOT Worse
   Editor's Note: The following contains mostly unedited e-mails from
   readers, so don't waste your time sending e-mails about grammatical
   errors to Bob. Thanks.
   By Robert X. Cringely
   I have the best, the smartest, and the most cynical readers anywhere,
   and they came through big time when I asked for more details on
   Distributed Denial of Service. This is the last column I will devote
   to this subject, which the rest of the journalistic world has already
   abandoned. And abandoned too soon, as you'll see when you read some of the
   comments below. There is one important correction I need to make to
   last week's work. I blamed Solaris for the problem, primarily because
   I was hearing from folks at Sun that their software was the source of
   difficulty. This week, I have had it proved to my satisfaction that as
   much trouble was posed by systems running Windows NT, and that the
   underlying operating system makes little difference in how these
   attacks are instigated.
   Thanks to the dozens of people who sent information. Below, I have
   tried to include most of the ideas presented to me by a number of
   people. There was substantial duplication of ideas. If I didn't
   include your work here, it is because I don't want to make the column
   so long that people won't read all the way to the end. PLEASE read all
   the way to the end, especially the quite long final section. Get ready
   to be scared.
   Eric Rachner wrote:
   "Securing the bulk of Internet end systems is not a realistic
   solution. However, there is a realistic solution to the DDoS problem
   and it has been available from the IETF in RFC 2267 for about two
   years now. From a civic point of view there are a lot of safe
   practices which ISPs need to abide by in order to maintain the overall
   health of the net infrastructure. Effective spam prevention is a
   well-known example, and one that ISPs have ample incentive to
   implement. If tech journalism was more tech and less journalism, RFC
   2267-style filtering would be undergoing an awareness groundswell
   right about now. While cynics may argue that lax ISPs will always be
   numerous enough to sustain attacks like these, I expect proposals
   forthcoming from Federal committees to be even less realistic and
   probably more expensive."
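   The filtering RFC 2267 describes, sketched as an added example that is not part of the original column or of Rachner's e-mail: an ISP edge forwards a packet only when its source address lies inside a prefix assigned to the customer link it arrived on. The interface names, prefixes (documentation ranges) and traffic are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: prefixes assigned to each customer-facing interface.
ASSIGNED = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/25", "198.51.100.128/26"],
}

def build_filters(assigned):
    """Parse the per-interface prefix lists once, up front."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in assigned.items()}

def ingress_filter(filters, packets):
    """Apply the ingress rule to (interface, source_ip, destination_ip) tuples.

    Packets whose source is outside the prefixes assigned to the arrival
    interface are dropped and counted per interface, so the operator can
    see which customer link is emitting forged sources.
    """
    forwarded, dropped = [], Counter()
    for ifname, src, dst in packets:
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            dropped[ifname] += 1            # unparseable source: drop
            continue
        allowed = filters.get(ifname, [])   # unknown interface: allow nothing
        if any(addr in net for net in allowed):
            forwarded.append((ifname, src, dst))
        else:
            dropped[ifname] += 1
    return forwarded, dropped

# Constructed traffic arriving at the edge router.
SAMPLE = [
    ("cust-a", "192.0.2.17", "203.0.113.80"),      # legitimate
    ("cust-a", "10.1.2.3", "203.0.113.80"),        # forged private source
    ("cust-a", "198.51.100.5", "203.0.113.80"),    # forged: cust-b's space
    ("cust-b", "198.51.100.130", "203.0.113.80"),  # legitimate, second prefix
    ("cust-b", "198.51.100.200", "203.0.113.80"),  # outside both prefixes
    ("cust-c", "192.0.2.17", "203.0.113.80"),      # no assignment on record
]

if __name__ == "__main__":
    fwd, drop = ingress_filter(build_filters(ASSIGNED), SAMPLE)
    print(len(fwd), "forwarded;", dict(drop))
```

   The filter removes forged source addresses only, so traffic that does leave the customer network carries an address that traces back to it.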
   Elizabeth Olson wrote:
   "I could be wrong, but I think part of why the method of attack wasn't
   officially revealed by the FBI was the same classic security mistake
   that companies make over and over again - attempting security through
   obscurity. 'If everyone knew how to do it, everyone would do it!' is
   often the tagline to this sentiment, despite the fact that anyone who
   knows anything at all about security knows that the only way to get
   problems fixed is to expose them. Lists such as Bugtraq exist just for
   this purpose. In fact, I read through recent posts to Bugtraq to see
   what they had to say about the attacks. There was a great synopsis of
   some of the tools used to generate the attacks as well as methods for
   stopping them posted February 10.
   "While most people outside security circles (i.e. anyone who doesn't
   read Bugtraq) wouldn't have read this, the media usually doesn't pick
   up on the technical aspects of such things. When a refinery blows up
   we hear it's because a valve failed and little more. The same goes
   here and the engineers who are responsible for fixing it are well
   informed as to the causes and fixes for the problem. I don't see any
   conspiracy, just a lack of interest by the common guy. This was the
   same problem that was had when smurf attacks abounded and it took a
   very, very long time to get even large ISPs to fix their networks such
   that they couldn't be used as relays. System administrators are slowly
   wising up and the community at large is starting to realize that in
   fact no man is an island and a greater mechanism for cooperation in
   such matters is required.
   "The fact remains, the FBI didn't say how it was done for the same
   dumb reasons they probably wouldn't say anything about anything else -
   silence gives them a feeling of security they can't attain otherwise,
   because they are basically powerless against this. It is totally in
   the hands of people who operate networks to fix it. There will always
   be vandals on the Internet and the FBI catching one of them won't do a
   damned thing. In this case it's the unfortunate fact that the victims
   are responsible for preventing the actions of the perpetrator, and
   that's just life."
   Jay Kangel wrote:
   "At some point one of these hacking events is going to cost someone
   who can hire lots of lawyers with real money. At that point the
   victim, or the victim's insurance company, will want to sue for
   damages. The actual hacker will likely have little or no money. Even
   if the victim wins such a suit the damages cannot be recovered. The
   deep pockets are the owners of the zombie machines. Is it negligence
   if a machine owner does not promptly install security patches and, as
   a result, hackers take over the machine? I don't know..."
   Bob Lewis wrote:
   "Maybe the government, itself, is launching the attacks? Nah. Well
   it's probably a couple of ---holes with an attitude about e-commerce
   or possibly people who were trying to short-sell tech stocks, but if
   you are in the mood for a conspiracy theory I would advance the
   following. It wasn't the government per se, as in an order from
   Clinton, but consider that the FBI has been trying to get telecom and
   ISPs to install the equipment and pipes to peel off all backbone
   traffic and send it to them for surveillance for about two years and
   all these pesky privacy advocates (as well as the ISPs that would have
   to PAY for this equipment) have been railing against it. The FBI is
   only trying to do what the FSB, successor to the KGB, is doing in
   Russia. So post-cold war, the FBI=KGB. Now consider if you're a real
   patriotic gung-ho FBI guy and your team stands to gain considerable
   money and clout from this kind of disruption. It's not too tough to
   set this up so it freaks everyone out, yet doesn't leave any real
   fingerprints.... You didn't do any real damage and any that was done
   could be considered acceptable losses given your righteous mission. A
   couple of days later you have a couple hundred million in your budget,
   mandate to set up ten regional response centers, etc., etc. With your
   real objective accomplished, you let the boys chase ghosts and maybe
   eventually find someone along the line who spit on the sidewalk so you
   get some kind of conviction. Disclaimer: I DO have the site, but you heard it here first. :-)"
   Finally, Charlie Demerjian wrote, and wrote, and wrote: "....A
   part-time employee (soon to be full time) of mine was the first person
   to characterize and post the info on these attacks. The institution he
   works for was shut down for almost two weeks last August while they
   were figuring out what was going on and how to stop it. While I am
   sure this was not the first DDoS attack, I cannot find a published
   report of anything sooner. Basically he was, and still is, on the
   front line. Needless to say he spent much of the last week talking to
   the FBI for a number of reasons. I have spent a LONG time talking to
   him about what happened, how it happened, and what the future holds,
   so here are my answers to your questions....
   "First a bit of history on DDoS attacks. The attacks that happened
   last August were simply a new usage of the DDoS tools. The first time
   I saw them was back in '93 or so. I was working nights at a hospital
   at a major midwestern university with nothing to do all night. While
   sleep was an option I live at night so I stayed up and played on the
   Net. I almost always had an IRC window up no matter what else I was
   doing at the time. If you are familiar with IRC, you know there are
   bots on most established channels to keep the peace, provide rules to
   newbies and other boring housekeeping tasks. Occasionally you need to
   remove or ban a person from a channel due to unsocial behavior,
   personal hygiene, or other things. Attack scripts developed and
   defense scripts soon followed and the cat and mouse game began. Not
   too long after that a reasonable stalemate was achieved and new ways
   of removing people were needed. The solution that no one found a way
   around was ping flooding.
   "What ping flooding amounted to was pinging someone so often that the
   ping/useful data ratio on his line would be so low that his machine
   would time out and drop off the net. Because most computers at that
   time were on a dialup connection, a bot on a dedicated UNIX box at a
   large university could easily remove someone from the net. A simple
   IRC command of /flood was an almost universal way to remove anyone.
   This was fine for 99.9% of users, but those on high speed lines posed
   a harder problem. The solution came with the rise of linked bots.
   "The linked bots basically started as a way to keep control of a
   channel. If you have three bots talking to each other, if one is
   attacked the other two immediately go after the hapless attacker. This
   soon led to "bot net." Bot net was formed by 15-20 channels of
   like-minded people (*cough* pirates *cough*). Any bot linked in this
   fashion would pass a /kill command to the other 100-200 bots on the
   net and they would all flood the target. It could be called by anyone
   "authorized" on any of the participating channels and was rarely
   abused because any of a thousand people could call it. If you screwed
   around with it, you would almost certainly taste it soon. It was a
   nuclear deterrent situation. It was also remarkably effective. I
   cannot remember a single person who withstood it. I know I had three
   or so bots on a T-3 line back then and that alone was almost enough to
   remove anyone by itself.
   "That was the last I heard of the technique until last August when my
   friend was attacked. He told me about the 'new' attack that hit his
   place of work and I chuckled and that was about it. I forgot about it
   until Yahoo got hit. When it became obvious that this was the next
   thing in hacking, it started a lively discussion in the little circle
   of geeks I travel in.... Here is what I know.
   "1) How are these attacks made? Basically they are incredibly easy to
   pull off. There are attack programs readily downloadable from most
   'security' sites. All you need to do is get the programs and find a
   bunch of host machines to use it on. The hosts can be almost anything
   and if you don't know how to compromise a computer look at those same
   security sites. They have pre-rolled root kits for almost ANY OS.
   "While the DDoS tools have many variants, they almost all follow the
   same general outline. It goes something like this:
   "A) A 'master' box is hacked. While they have been generally reported
   to be fast machines, they really don't have to be. They don't do much
   other than signal a start and stop.
   "B) You hack a bunch of 'slave' machines. The more the merrier, and
   the faster the line they are on, the better. The speed of the machine
   is not all that important - almost any modern P-II machine can
   saturate a 100 Base-T line - so filling a T-3 or an OC-12 is no
   problem. Line speed is key here. Also there is a brisk trade for
   compromised machines. If you can find ten of them yourself (not hard)
   you can easily trade that for 100 more. If you spend a week preparing,
   it is easy to get as many slaves as you want.
   "C) You give the master a list of slaves, a target, and a time. If you
   have half a brain you cover your tracks and set the thing to remove
   "D) At the set time, the master signals all the slaves and they start
   sending data to the target. While the target may not consume a single
   CPU cycle looking at these packets, the lines leading to the servers
   will almost certainly become so clogged that nothing useful gets
   through. There are variants that will go after the server targeted,
   but they are not necessary, clogging the lines is enough.
   "E) The target sits and waits because it can't get any data in. It may
   be able to send data out at full rate, but without anyone being able
   to request that data, not much happens. To the outside world it looks
   like the site is down. Please note that NO amount of patches or fixes
   can do a damn thing about this. It's not the OS that's attacked, but
   the pipes leading up to it. A Ferrari doesn't do you much good after a
   four foot snowstorm, especially if the streets are not plowed.
   "F) The people running the servers under attack now have to trace back
   1000 machines pinging them and notify the owners that their boxes are
   causing problems. This is compounded by the fact that most people
   don't know that their computers are participating in the attack. To
   give you an idea of the task that stopping this requires, try the
   following exercise. Pick any four 8-bit numbers. Now try to contact
   the owner of that IP address. Remember time is limited and, oh yeah,
   your main Internet connection is down. Have fun. Repeat 999 times.
   Unplugging your line does not stop the attack and still leaves you
   down. As soon as you plug back in you pick up where you left off.
   Basically you just sit there until the attacker gets bored and stops.
   "The end result is that almost any antisocial 14 year-old with a fifth
   grade reading level and a not-too-short attention span can take Yahoo,
   or anyone else, down....
   "What particular vulnerabilities were exploited? Basically none. I
   know of several types of boxes that can be used as masters or slaves.
   You mentioned Solaris, and my friend turned a Redhat 6.0 box over to
   the FBI Wednesday. Almost any UNIX will do, and I am sure the software
   has been compiled for everything under the sun (no pun intended).
   There are three major variants of the DDoS tools and countless others
   that have been modified to use a different port, different packets for
   signals, etc.
   "These attacks do not exploit any particular property but can be made
   to use ANY existing vulnerability. I am sure that as each new hole
   pops up in an OS, it will be added to the easily downloadable scripts.
   Just think, when the first Win2000 hole is found, in the week it takes
   MS to patch it you can use the 17 million Win2K boxes for the next
   wave. Sigh.
   "What can be done to avoid future attacks? In my opinion, nothing. The
   cat is out of the bag......"

#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: and "info nettime-l" in the msg body
#  archive: contact: