Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Undernet In Serious Trouble: Any Suggestions? (Updated)

michael posted more than 13 years ago | from the where's-the-KGB-when-you-need-them dept.

The Internet 501

An Undernet admin writes: "For the past 4 days, many of Undernet's servers have been hit with constant DDoS, massive stuff on the order of 100M/sec that doesn't look like it will clear up anytime soon. The major services with which Undernet is associated, including Uworld and the channel service bots X and W, have been removed because the ISP that hosts them cannot afford to have them online, and even with them offline, the ISP has continued to be hit with the DDoS. Several servers will be forced to delink permanently if this continues. And all of it's happening because a script kiddie in Romania has nothing better to do with his time, and with his head start, many other groups have decided to lend a hand and take out other servers while his main pummelling is going on. We're about to run out of new ideas, since we can only code in so much security so fast, and law enforcement isn't terribly effective. What does the Slashdot community say?" There's a notice on their Web site. Update: 01/08 09:49 PM by michael : The news story we linked to was ancient.

Sorry! There are no comments related to the filter you selected.

Good grief (1)

Anonymous Coward | more than 13 years ago | (#521684)

Stupid, stupid, stupid. It's a shame that DDOS hax0r t00l5 are available as binaries. If the lus3rs had to configure;make;make install they'd probably never figure it out. =)))

Solution: (1)

Wakko Warner (324) | more than 13 years ago | (#521686)

Find him. Shoot him in the head.

Problem solved.

- A.P.

* CmdrTaco is an idiot.

Posted on slashdot... (1)

oGMo (379) | more than 13 years ago | (#521691)

"For the past 4 days, many of Undernet's servers have been hit with constant DDoS..."


Update: 01/08 09:49 PM by michael [mailto] : The news story we linked to was ancient.

Not anymore. ;-)

...and you're clueless! (1)

db (3944) | more than 13 years ago | (#521695)

Take a look at some traceroutes.

Dave Brooks (

Easier to stop it in retrospect (1)

Anthony (4077) | more than 13 years ago | (#521698)

ISP terms of service to connect to the Internet should include ingress filtering to stop IP spoofing and a patch management plan. Running vulnerable servers is not acceptable if you are a frontline ISP with oodles of bandwidth. There is a duty of care expected of them that is not being exercised.

Re:EFNet (1)

wik (10258) | more than 13 years ago | (#521710)

A quick search of /. stories with the keyword EFnet shows:

A very similar article [] about EFNet in September

Another article [] on the death of EFNet.

There are still some decent smaller networks out there which are mostly free of these problems. Unfortunately, it only takes one bad user to make a lot of people (clients, IRCops) mad. A network that I run a server on just had a major split. However, after that, we got back a few servers with friendly admins who were upset by the previous network.

For some reason, whenever you get a bunch of people with H*'s next to their names on an IRC network, tensions are greatly amplified. I think that some of the newer IRC services daemons are helping to ease the administrative load on individual admins by giving some power to the clients and delegating a few dedicated and trustworthy non-IRCops to help run the services/support systems. For at least two networks (unnamed, but if you really want to know, that's what email is for), this system has worked very well.

Re:Do we resort to revenge? (1)

ShinGouki (12500) | more than 13 years ago | (#521715)

instead of wasting more bandwidth, why don't we just track the kid down physically and remove his net access the good ole fashioned way.

in short, let's find him and break his damn fingers.


Re:What's wrong with this reaction? (1)

ShinGouki (12500) | more than 13 years ago | (#521716)

if his cause was noble (this is assuming he even has a cause), WHY would he pick such an ignoble method for getting his (as yet nonexistent) message across? you don't communicate anything with [D]DoS attacks, you simply shut stuff down.


Re:Old school hacking (1)

Cheeze (12756) | more than 13 years ago | (#521717)

or you can:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

and i'll do the same, 'cept no recompiling, and no rebooting.

Re:...and you're clueless! (1)

Roofus (15591) | more than 13 years ago | (#521724)

Well, it could make sense. I'm guessing that if I were to bother to do a traceroute, I'd find that the web server is not located on the same network as the irc servers. In that case bombarding the web server doesn't do any damage, except maybe to the effnet admins pride...or something...

Re:IRC is in trouble. (1)

BilldaCat (19181) | more than 13 years ago | (#521727)

Shut up.

Really. I'm tired of this stereotypical slashdot whine.

Blah, this sucks, let's do it ourselves, the only alternatives are by corporations and ALL CORPORATIONS ARE EVIL.

God, I hate this place sometimes.

:( Grow up.


matth (22742) | more than 13 years ago | (#521733)

Go DALNet! :)

hi guys. (1)

krog (25663) | more than 13 years ago | (#521740)

hi guys. you. the ones who are doing this and reading this page, and giggling.


you've had your moment in the sun; now let's have our servers back, ok?

Decentralize (1)

RovingSlug (26517) | more than 13 years ago | (#521743)

A possible fix: decentralize IRC in the sense of GNUtella. If there aren't any primary server and what "toplevel" server there are aren't static, DDoS brings down at most a small portion of the service. It's time to evolve.

Re:You guys are assholes! (1)

jellicle (29746) | more than 13 years ago | (#521751)

Yeah, those script kiddies would never have found

That's a tough one, real inconspicuous.

It embarasses me that someone moderated your post up. It isn't even funny.

Re:Do we resort to revenge? (1)

queef (39232) | more than 13 years ago | (#521767)

Nah, we'd be snooping down to his level. Unfortunately, he's getting what he wanted in the first place with these attacks....attention.

Re:Explanation (1)

Isomer (48061) | more than 13 years ago | (#521771)

This article is from 1997 when the *same guy* did more or less the same. But it's not whats happening this time. No undernet/isp mahcines have been compromised, just DoS'd into oblivion.

Re:You guys are assholes! (1)

Isomer (48061) | more than 13 years ago | (#521773)

The website is hosted well and truely away from the rest of the network AFAIK. It was also an 'Undernet Admin' that requested the post. Undernet can hold up to a little /. - it's about the equiv of DoS on a good day, but on a bad day things get *Real* bad.

Re:A case for Internet Licenses. (1)

ftobin (48814) | more than 13 years ago | (#521781)

There needs to be some system of accountability and a standardized measure of competence in order to be allowed onto the Internet.

This sort of approach does not if you take the position that one's computer is merely an extension of one's self onto the Internet, a global community. Just because others can affect parts your behaviour without your knowing doesn't mean you are incompetent and should not allowed to exist within the community. You are responsible for what you do, but you shouldn't need to pre-prove yourself.

Take for instance marketting. Marketting is about getting people to change their behaviour in some manner, with or without their knowledge. However, one wouldn't expect to enforce a sort of compentency test for being exposed to marketting.

An analogy of driving licenses does not really hold, since in a car, each person has a tremendous amount of power to destroy property and life. However, though, with computers on the internet, each single person is not that powerful; it is only collective (distributed) power that is massive (just like with marketting).

There are solutions to this sort of problem, but your solution is not a good one.

Re:You guys are assholes! (1)

MustardMan (52102) | more than 13 years ago | (#521786)

YHBT. (Stands for you have been trolled, in case you didn't know)

That's not really the /. Michael, just a cheap imposter.

Maybe... (1)

eric17 (53263) | more than 13 years ago | (#521788)

it's time for some new UnderWear!

Sorry. Back to coding.

Stupid Question (1)

zentropy (54955) | more than 13 years ago | (#521792)

I don't understand the TECHNICAL aspects very well, but could multiple servers form a sort of alliance where if one is attacked, the others respond automatically to form a mutual defense or neutralize the threat with counter attacks? What about those software agents based on hive insects?

Re:IRC is in trouble. (1)

NtG (61481) | more than 13 years ago | (#521806)

How is this situation any different to the web servers (and associated networks) that were DOSed last year? Is the web in trouble? The only thing this has to do with IRC is that the servers targetted are IRC servers.
The IRC protocol(s) are being actively developed by different groups every day. Why reinvent the wheel?

Gee whiz (1)

Chris Brewer (66818) | more than 13 years ago | (#521815)

The last modified date and time on their main page is a bit of script that displays the time on loading.


Re:Telnet access is pretty dumb (1)

gilign2b (72795) | more than 13 years ago | (#521823)

For a lot of smaller ISP's, root access through telnet is the easiest way to monitor their system and to manage accounts. That's the way it is at the ISP I work, (no you can't figure out who that is by this e-mail so don't bother trying). It's easy for you to complain about how "incompetent" the server operators are when your not the one, being DDoS'ed right now. Maybe some helpful replies would be nice instead of a bunch of comments about how the server owner is "fucking" moron. Price

IRC is in trouble. (1)

scumm (80325) | more than 13 years ago | (#521826)

I know it's been said many times before, but I think this is just another indication that IRC, as much as I've loved it in the past, has grown stale. It was never designed for the number of users it's now forced to deal with, nor the level of abuse.
It really saddens me to see something that I used to glean so much enjoyment from withering away because of a few script-kiddie jerks with nothing better to do than annoy people.

Are there any major non-commercial (as in, non "Yahoo Chat" web-based style) projects underway to replace IRC, and if not, should one of us get around to starting one?

Mike Thacker

Find the people who are doing this... (1)

Dirtside (91468) | more than 13 years ago | (#521834)

...and kill them.

I'm serious. Some peoples' entire goal in life is to piss in every still-crispy bowl of corn flakes they can find; all they want to do is ruin the fun for everyone else.

These people cannot be reasoned with, because given the opportunity, they will do it again.

They can be imprisoned for life, sure. But we're better off if they're dead.

Maybe this is a bit extreme... but fuck 'em.

Re:Important: please read!!! (1)

}{@wkmooN (101161) | more than 13 years ago | (#521842)

You are a fsckin' idiot... That's all I got to say...(and don't ever touch a kid again or I'll kid the crap out of ya...)

Re:Find the people who are doing this... (1)

fracus (103664) | more than 13 years ago | (#521844)

Good Point! But let's not just kill them, can we make it really painful too???

Castration would be a fun way to start the process or maybe that would just be enough redemption!

Re:EFNet (1)

Rakarra (112805) | more than 13 years ago | (#521852)

This has been happening to EfNET for damn near a year now and no one has said anything.

Actually, Slashdot has run a few [] stories [] about this before.

A big problem is that "a new network with an improved ircd" will solve nothing. It will still have the same problems: people will attack client servers because they will always have a valid IP address for the client server. That's how TCP/IP works. Ok, they have to go through some type of gateway? Then the script kiddies will attack the gateway.

The only solution I can see that could solve this is to make it impossible to perform these huge DDOS attacks. IPv4 was designed 20 years ago for a world where idiots did not have access to tools like smurf. IPv6 holds promise, but that's a very long-term solution.

EFNet (1)

fliplap (113705) | more than 13 years ago | (#521855)

This has been happening to EfNET for damn near a year now and no one has said anything. Efnet is losing servers left and right and there's talks of the major hubs dropping and forming a new network with an improved ircd. A major problem is that dropped because they were getting packeted, which left all the @home users to emory, primenet, mcs and prison. Well if someone wants to IRC war (stupid) its a lot easier to bring down all four of those servers than it is to take down every @home user on them. All you stupid packet kiddies need to grow up, get jobs and move out of your parents house, idiots.

Could this be the canary in the mine? (1)

Kwelstr (114389) | more than 13 years ago | (#521856)

I have noticed a lot of trouble lately in all of the IRC networks. The latest came when the Undernet bots dissapeared. If you go to their webpage at Http:// they have a short statement of what is going on.

As more and more users get faster connections maybe this will become the norm for the internet, and the IRC servers could be just the proverbial canary in the mine.

This is really sad.

Re:You guys are assholes! (1)

0siris (123757) | more than 13 years ago | (#521861)

I don't agree with the assholes bit, but it is true that many a DoS attack is in reality just a slashdotted site ;-)

probable cause (1)

oliphaunt (124016) | more than 13 years ago | (#521862)

the "wired" article says this l33t h4X0r hit his ex-isp first. Any word as to why he might have been disgruntled? And does Romaina extradite crackers, or have they not yet bowed down to the jack-booted thugs of George the Younger?

READ: do we get to watch this kid get raked over the coals on local TV, or will he get away with it?

"He's not too bright" (1)

MotorMachineMercenar (124135) | more than 13 years ago | (#521863)

From the "news" article:

"Fortunately, he wasn't too bright because he left a lot of trails"

Then this mentally challenged kid went on to obliterate Undernet, brought down ISPs in Oslo and the UK and obtained root access to (several?) servers.

We are so lucky he's not too bright!

"I think TRUE happiness can only be found in the wanton indulgence of animals."
- Hobbes from Calvin & Hobbes by Bill Watterson

come on now, seriously (1)

Lord Omlette (124579) | more than 13 years ago | (#521865)

What part of F B I do you not understand? Look at how seriously everyone took the DDOSing of some silly dot comes... Call in the FBI to investigate. Guy's in Romania? No problem, the FBI will talk to their European friends who will talk to Romanian authorities. No treaties necessary folks, this involves computers, therefore, we break out the big guns.
Lord Omlette
ICQ# 77863057

Re:IRC is in trouble. (1)

gengee (124713) | more than 13 years ago | (#521866)

This may be true if we still only had EFnet, Undernet and Dalnet. But we don't. There are 10's of large servers, and hundreds of smaller. People find their niche, and become loyal to certain networks.

IRC as a whole can continue to grow - The individual networks cannot. It simply isn't fun anymore to see "/me whacks yourmom about with a big trout" scrolling by 10-lines a second.
signature smigmature

DOS the DOSer's isp (1)

ralian (127441) | more than 13 years ago | (#521871)

Wonderful idea. Unfortunately, that's just as wrong as what he's doing. Consider all the other users on the ISP, and consider whether they ought to be punished for one lamer's way of expressing his total lack of testicles. The best way would probably be to contact his ISP to cancel his account, even if it might take a while. Undernet could always sue the loser for damages.

Re:Mask the flooder from clients (1)

ralian (127441) | more than 13 years ago | (#521872)

The server would still be just as smashed. Clients need a server, right :)

We already saw this loser... (1)

ralian (127441) | more than 13 years ago | (#521873)

He posted the same piece of crap several times already, word for word. If only I could remember where :\

Sure... (1)

ralian (127441) | more than 13 years ago | (#521874)

..nothing like netsplits by the quadrillion...

Ahem, sir? (1)

ralian (127441) | more than 13 years ago | (#521875)

You are lower than shit.

Do we resort to revenge? (1)

x-empt (127761) | more than 13 years ago | (#521877)

Lets get some backbone providers to cooperate and track the true origins of the attacks (they probably spoof). Once we get the true origins, post the IP#s of systems on those networks to slashdot and we will give them the /. effect ... times two :)

TUH (1)

Dungeon Dweller (134014) | more than 13 years ago | (#521881)

When are these kids going to learn? They should be taking down DALnet, not Undernet.

What's wrong with this reaction? (1)

chrispgh (148328) | more than 13 years ago | (#521900)

I haven't seen one intelegent and positive post on this entire article yet. Yes you may say that majority of the people are aginst what the [Romainian?] is doing because it is another hassel of your job that you do not like to deal with(security). You have to look at the other side, this person(or group of people) has declared war on undernet for what reasons have not been stated but you have to wonder. I guess in all of our(americas) minds Iraq was a threat to our oil therefore he should be shot down but you must hear the other side of the story first. Maybe, just maybe it is not our oil to kill for.

I may be 150% wrong about this person by even defending thier right to fight but when EVERYBODY that could help a cause like his is crying wolf to babylon it leaves big brother no choice but to 1)Put someone who may have a noble cause in prison forever then 2)Make sure nobody ever has another chance to act anonymously online EVER AGAIN!

Re:Find the people who are doing this... (1)

jrcamp (150032) | more than 13 years ago | (#521901)

Or better yet, why don't we get them a nice job at the AOL 'Technical' Support.

Script Kiddies (1)

ende (154873) | more than 13 years ago | (#521905)

My question is, where did all these script kiddies come from? I remember in the early 90s we did have our "irc warriors" .. but the most we'd do is throw up a link looker, find a split server, and take advantage of a bug to collide someone off.. or use a packet program like pepsi or smurf to kill off a person or two.. is there any real point to what these kids are doing? They arent doing this to gain control of a channel or get back at someone, they are just doing it because they feel like it? It was pretty sad a couple weeks ago when I saw some kid who was probably still in junior high, boasting the fact that he has over 400 rooted shells.. is there no security anymore that these kids can go around trading shells to run floodnets and packetnets off of? Down with script kiddies, we need to take EFNet (and other servers) back. nd [DeSynK/Havok]

Re:Survival of the Fittest (huh?) (1)

AndyChrist (161262) | more than 13 years ago | (#521911)

I'm afraid it doesn't.

Telnet access is pretty dumb (1)

Calyth (168525) | more than 13 years ago | (#521912)

I don't see there's any reason that an ISP should allow telnet access, even if it's needed, there's a better alternative (ie SSH). Any computer enthusiast who have read a couple of security articles would know that telnet access is a huge can of worms, and frankly, the ISP who got rooted by telnet should be also partly responsible. I don't know if the sysadmins are incompetent, but they're sure stupid not to lock down such a big security hole.

Re:IRC is in trouble. (1)

Calyth (168525) | more than 13 years ago | (#521913)

I do not see IRC as being stale or it was IRC's fault (by being IRC) that lead to this attack.
As noted by the post, it was a DDos attack, which the cracker took over an ISP using telnet and rooted it, then took control over more computers.
Anyone who've read a security computer book (or even just a couple of related articles) would know that telnet is just a big freaking can of worm, and any ISP that got rooted by it should be also held responsible. I don't see there's any need to use telnet myself, even if it's needed there are better alternatives (ie SSH). Although not without its exploits, I believe its better built against such attacks.
I don't run a true full time server with linux, but I have block out such vulnerable services, at least all but local access.
It's sad that IRC is in trouble dued to a bunch of stupid sysadmin in an ISP that allow crackers to root them.

Re:Telnet access is pretty dumb (1)

Calyth (168525) | more than 13 years ago | (#521914)

Note: I'm not blaming owners, but I'm blaming the sysadmins. They're the guys who maintains the servers and should not have allowed root access over telnet whatsoever. It may be the easiest way to maintain the server with root access with telnet, but that's the easiest way for some script kiddie to get in and f^&* around with the computers, and launch DDoS around and think they're the top of the world.
If the server owners are the sysadmins, then yes I would say they're f&(*ing morons because if they don't know how to maintain a server properly, then don't start a freaking ISP.
When my dualbooter is in linux, I could maintain it basically anywhere around the world, but would you think I would be that stupid to use telnet? At least use something that actually puts a better fight against those script kiddies and use SSH. Afterall some ISP do use *nix and could have assign certain users with more permissions than others (like sudo), at least it would not be that obvious to some script kiddie to say, hey this box is wide open and let f&(* around.

Much Ado About Nothing... (1)

h0mer (181006) | more than 13 years ago | (#521937)

All this just because he got KB'ed from #ereethaxorjuarez.

This sounds a lot like... (1)

AaronStJ (182845) | more than 13 years ago | (#521940)

The stuff that was/is going on in Efnet. It seems that IRC servers have always been popular targets for attacks because of all the personall politics that whiz around on IRC. A lot of Efnet servers have been suffering downtime lately due to a bunch of DDoS attacks.

I see two solutions, neither of which I have much faith in. The first is to make the existing IRC servers much less rpne to DDoS attacks, and from what I know, there isn't really a way to do this yet. The second would be to try to migrate all the "serious" users to some other IRC network (a new one perhaps) while leaving behind all the squabbling lusers. Of course, the lusers would hop onto the bandwagon, and we'd be back to square one.

Re:Find the people who are doing this... (1)

ZeroConcept (196261) | more than 13 years ago | (#521949)

Lets submege them in boling oil during prime time television...we could get sponsors like...Crisco?

Danger! (1)

robt (197463) | more than 13 years ago | (#521950)

Just what the world needs. An armed gypsy!

Re:Do we resort to revenge? (1)

atrowe (209484) | more than 13 years ago | (#521959)

Only now, half those IP's will be from Slashdot users trying to read the article.

Am I Missing Something here? (1)

darrad (216734) | more than 13 years ago | (#521964)

....come on. "logs on to the server and gains root access"!!! Who is in charge of securing these boxes? I know that it is not impossible to hack a root pwd, but give me a break, this is supposed to be one of the most secure OS's on the market. It would almost make you think there is a MAJOR security hole in the OS. My next question would be, if it is a smurf attack, why not filter the traffic? block udp, ping or whatever port he is coming in on. And then there is the obvious, if he has root access, what is the reason for the smurf attack, that seems a little redundant to me....
Hell, I dont know what the hell I am talking about...........

Money Talks (1)

Cyclone66 (217347) | more than 13 years ago | (#521967)

It seems as though if big business gets hit with a DOS then the authorities look into it (Ebay, Yahoo, etc.). But if its a free service like IRC then they can't be bothered. Typical!

Re:Important: please read!!! (1)

mr.nicholas (219881) | more than 13 years ago | (#521970)

As I said, I've never done anything illegal with a child, mainly because I know the consequences for both the child and for myself if caught.

So you've never done it because of the fear of getting caught, not because it is immoral or improper, or because an underage child isn't mentally capable of understanding the nuiances of the situation? Hmmm. I would have hoped that the fear of getting caught wasn't your primary motivator. The fact that it is says something about you.

Welcome to efnet... (1)

Verteiron (224042) | more than 13 years ago | (#521980)

These sorts of attacks have been hitting efnet across the board for the past year or two, though nothing quite on this scale from a single source...

Re:Welcome to efnet... (1)

Verteiron (224042) | more than 13 years ago | (#521981)

Whoops. Minus several million, redundant. Good reason to read the current posts before posting.

DoS the DoSers... (1)

kenthorvath (225950) | more than 13 years ago | (#521983)

Find out the ips of each and every DoSer and post'em riiiight here.... Let /. take care of the rest. =)

We must collectively have the equivelent of 8 or so OC12's

Explanation (1)

zoomba (227393) | more than 13 years ago | (#521985)

Here's an explanation of what happened to the Undernet...

Romanian teen takes down IRC network
By by Kristi Coale, Wired

A Romanian teenager bent on revenge brought significant portions of the Undernet and several Internet service providers to a halt when he launched a series of smurf attacks.

The unidentified youth launched smurf attacks against at least five hubs operated worldwide by the Internet Relay Chat network Undernet, obliterated an Internet service provider's server in Oslo, Norway, and took down servers operated by AOL, said Undernet system administrators. The FBI's computer crimes division is investigating the incidents.

"We have some of the greatest minds in Internet technology here, and they couldn't do anything [to stop the attack]," said one Under Net operator who would not give their real name.

AOL representatives were unavailable for comment on the extent of damage they incurred.

Another Under Net operator stated that the attack began Saturday when the unidentified youth telnetted from Romania to FishNet, a Ventura, California-based Internet service provider. Once he obtained highest-level "root" access at FishNet, the youth launched at least smurf attacks - one against his former Internet service provider, the Romania-based Logicnet, and another against a UUNet service in New York.

"Fortunately, he wasn't too bright because he left a lot of trails," said Bill Benefield, a system administrator with FishNet.

Benefield said the youth entered FishNet services via news and mail server daemons, leaving his electronic footprints in the server logs.

The youth, who is believed to be between 16 and 19 years of age, then went on a juggernaut across the global network, stopping first at ISPs in Oslo, London and other parts of the UK, as well as hitting Chicago ISP Napnet.

At each stop, the youth would log onto the server, obtain root access, then delete files, canceling accounts. In some cases, it wiped out the entire businesses such as the ISP in Oslo.

Re:Explanation (1)

zoomba (227393) | more than 13 years ago | (#521986)

I suppose I should read the articles before I make posts... *sheepish grin*

Re:Do we resort to revenge? (1)

Luti (231772) | more than 13 years ago | (#521991)

We could collect between the hold /. community, more bandiwth than probably any place in the world. Now I'm not particularly big Underworld fan, I stay ith EFnet but I never like to see shit like this. I say since there is not real agency with power doing anything about this we "take it to the streets" and fight back by all means we can. Knowing my own capabilities and those of other /.'ers plus the level of intelect of many others we would shurely come out on top. And think about it, there are so many of us that them retaliating would be impossible we must outnumber them by tremendous odds!!

Re:godammit. (1)

Luti (231772) | more than 13 years ago | (#521992)

Thats fucking rediculous. How could he just get root acess. I am no great sys admin but I like to believe my server is rather secure. The ISP's should fire those sys admins. This is truly sad.

Humm (1)

ceide2000 (234155) | more than 13 years ago | (#521995)

It would be nice to find out what kind of DDos they are doing. For some reason I belive that someone is missing something here. A good firewall & security could really help. I am not talking about your $35 version. You pay for what you get. Chris

Take a pair of scissors... (1)

MikeLRoy (246462) | more than 13 years ago | (#522007)

And cut the line till you can sort things out.

Its very simple. This kid is causing a problem for several ISP's, their users, and many Undernet users. Trace back some of his smurf attacks as far as you can with reasonable certainty, call up the ISP, and politely ask them (since they apparently don't have root on their own boxen anyways) TO UNPLUG THE #(*(@*& THINGS!

As my brother demonstrated to me a few months ago, computers don't run without power.

Old school hacking (1) (256280) | more than 13 years ago | (#522019)

I haven't actually done this, but a friend of mine that's an old school hacker told me this trick that he used to use back in day on IRC. Go to your /usr/src/linux/net/ipv4 directory and edit the icmp.c file. Look for a section in there that says: Handle ICMP_ECHO ("ping") requests.

Immediately below that comment is a function that handles ping echo requests. simply comment out the body of the function. Here's what that part looks like.(roughly, I didn't spend that much time formating this.)

static void icmp_echo(struct icmphdr *icmph, struct sk_buff *skb, int len)

if (!sysctl_icmp_echo_ignore_all)
{ struct icmp_bxm icmp_param;
icmp_reply(&icmp_param, skb);

Comment out the code between the first set of curly braces, recompile your kernel, and your machine won't answer pings anymore ;-p

Isn't it great having the source code to your OS?

Re:Important: please read!!! (1)

localroger (258128) | more than 13 years ago | (#522021)

I have been a member here for quite a while

Then you should know that there is no general discussion board or its equivalent here. Your topic has not come up for a good reason -- the website operators haven't seen fit to give it a forum.

OTOH you sound sincere (maybe even desperate) enough, so I'll bite.

We are tricked, trapped, harassed, arrested, and seen as dirt by our government, authorities, and most of the people in this country. It reminds me very much of stories I've heard about Nazi Germany.

Unfortunately, I have to agree with you here. What you want to do, what you dream of doing, is repellant to most of us and highly illegal. But our Founding Fathers had clear ideas on this which are being ignored. It should not be illegal for you to write your stories, draw your graphics, and prosyletize for your position such as it is. It should IMNSHO be highly illegal for you to actually do anything about your fantasies with another underage human being, but that's just me at this time. Joe Haldeman painted a vivid picture of a society in which homosexuality is normal and "us heterosexuals" were treated about as you and your lot are (in The Forever War), very discomfiting that. The theory of relativity does not just apply to physics.

I always find it astonishing that erotic training is termed "child abuse",

Here you are so close to the line that an electron microscope could not detect the separation. How convenient it must seem to you that this necessary "erotic training" might require your services, eh? While there is a part of me that feels you are right in principle there is a much larger part that feels you are exactly the person I would NOT want any dependent of mine going to for advice. You are right that sex in general is not inherently harmful, but you are wrong in assuming that sex in coercive relationships is not inherently harmful.

I would have an even less hospitable view of you than I do had I not read Pat Califia's amazing writings. She and her comrades in a related sexual minority did come out in public for your cause -- at some cost to themselves -- but even they were reticent about your actual practices. You are on better ground when you demand your right to write and speak and draw and even make highly realistic 3-D graphic simulations. I will defend those rights, well, not to the death (coward alert) but at least until it doesn't seem worth my while to live in this country any more. You reach a point when an honestly corrupt place like Mexico looks positively wonderful by comparison.

I did not choose my sexual orientation, and even though many people say it's a sickness or a disease, it's just as valid as homosexuality, bisexuality, and many other orientations whose members were once persecuted as we are, but are now seen as being normal

While I agree that you did not choose your orientation, I disagree that we have to consider it "just as valid" as any other. There are degrees of validity in all things. Most of us here would, I think, draw the curtain and turn the eye at anything nonlethal and non-crippling between consenting adults; but what about those Victorian fetishists who got off on their own amputations? Similarly, our society has drawn a firm line this side of children. Don't cross it. Not in deed, at least.

As for word and thought and image, those should be free. As they aren't, and you are rightful in your protest. But don't ask for the right to touch our sons and daughters if you want to live very long.

The best solution to this problem (1)

geomcbay (263540) | more than 13 years ago | (#522024)

Is to post a Slashdot article about it every 2 hours for the next week. Be sure to include as many links as possible to the sites being DoSed!

Full Discloser!!

Re:Telnet access is pretty dumb (1)

Primer 55 (263965) | more than 13 years ago | (#522025)

I'm sorry, but there is NO FUCKING EXCUSE to allow telnet access, no matter how big/small/secure you are. Your server need not run more than SSH for shells and have sudo for useradd, etc.

Of course, both the ISP I used to work for and the ISP I use now have open telnet access, despite having SSH also...

What's in romania anyway? (1)

mrcutrer (265376) | more than 13 years ago | (#522041)

Couldn't we just blow em up? How big is Romania? Is it part of Rome? How does such a desolate country breed such a destructive genius? I don't know?

Oh yeah, that was facetious. Except for the genius part. Don't want to piss any more of you Romanians off!

Re:Try securing your boxen first (1)

zcat_NZ (267672) | more than 13 years ago | (#522045)

If you own a firearm you should take reasonable precaution to make sure it doesn't get stolen. If someone can come up your driveway, climb in a window and walk away with a loaded shotgun then perhaps you _should_ be charged with murder when they subsequently use it to shoot someone.

Solution (1)

deran9ed (300694) | more than 13 years ago | (#522047)

Find someone else on IRC (efnet, etc) who lives in Romania, track the idiots info and we could all chip in some money and have this kiddiot wacked.

Or we could send him a ticket to India where the government can hire the script kiddiot for his skills

removing the dot in []

Survival of the Fittest (1)

Super1-Dave (302174) | more than 13 years ago | (#522049)

The subject line says it all.

An opensource solution (1)

DanMerritt (302844) | more than 13 years ago | (#522053)

The Corridors project was created to solve this exact problem. See [] for information.

A case for Internet Licenses. (2)

Wakko Warner (324) | more than 13 years ago | (#522087)

These days, when any moron can hook up a DSL or cable modem box and any moron can have his shitty unsecured Linux box hosted at a lousy datacenter with a fat pipe to the Internet, is it any wonder Distributed Denial of Service attacks are as common as they are?

Think about this: DDoS attacks can do much more monetary damage than car accidents can, yet we have no system of regulating just who can and cannot get onto the Internet. Would you let twelve-year-old get behind the wheel of a McLaren F1? Why, then, do we let them (and people of their maturity level) onto our global networks unsupervised? There needs to be some system of accountability and a standardized measure of competence in order to be allowed onto the Internet.

Maybe I'm elitist, but that's how I feel about it all.

- A.P.

* CmdrTaco is an idiot.

Re:Find the people who are doing this... (2)

Zachary Kessin (1372) | more than 13 years ago | (#522088)

>Castration probably won't be effective. We've >already proven without a doubt that the losers >involved here have no balls.

And probably will never reproduce anyway. Just as well. What is it that drives people to wreck shared resources that other people are enjoying for no good reason? Can they find this gonnif and get rid of him please.

The cure of the ills of Democracy is more Democracy.

Re:script-kiddy culture is to blame (2)

banky (9941) | more than 13 years ago | (#522093)

The complete inabilty for the legal system to get their act together is to blame.

In the real world, tromping on someone's flowerbed is vandalism. But unless there's a serious amount of money stolen, most police agencies won't touch it.

These kids are immune to most real consequence. OK, so he's in Romainia, fine. If the US FBI finds him, they can't touch him unless the Romainian feds want to get him, too; and depending on how someone feels about the US taht day, they may just slap him on the wrist. Remember ILOVEYOU? They may not even have a law for this kind of thing.

Lets face it, until more of these waste-of-flesh dickweeds start getting gang-raped in jails, the problem won't go away.

(sorry I'm so mad. I just get sick of this crap)

Death of IRC predicted, Film at 11 (2)

Ex Machina (10710) | more than 13 years ago | (#522096)

Just like EFNet undernet is dying. Here's an idea, why not hide the bot's ips from clients and hide server links from clients?
Also, why doesn't someone DDOS this kid's isp. That should make it hard for him to broadcast smurfs or control Trin00 /TFN zombies.
How come we haven't seen stuff like this happen on the OpenNap networks yet?

Okay, so... this keeps happening. Now what? (2)

Hadean (32319) | more than 13 years ago | (#522109)

Considering this keeps happening (including how another Romanian script kiddy did this to Undernet in 1997 [] ... this isn't just an isolated event. What can we ALL do? Or should we even care anymore, and just let IRC fall once and for all?

I'd chat with you more on this, but I can't seem to find any stable EFNet server...

Honeynet Project (2)

joshamania (32599) | more than 13 years ago | (#522110)

It's things like this that make things like the Honeynet Project [] look more and more attractive to me every day. I think that it would behoove more than a few of us to install honeypots on our networks and then prosecute anyone we catch. If there were enough honeypots around, we might start catching a higher percentage of the PFY's and getting Johnny Law knocking on their doors. While we may not be able to get the bastards in Romania, there are quite a few countries that don't look kindly upon this type of thing...

Killing them would be a bit severe (2)

cje (33931) | more than 13 years ago | (#522111)

However, I think the case can be made for beating them within an inch of their lives, to the point where they are unrecognizable. My logic is as follows: The primary reason that script kiddies pull shit like this is so that they can get recognition. If they have been worked over to the point where they are unrecognizable, what's the point? You'd see incidents like this drop like a rock.

So by all means, go a little vigilante and work them over with a tire iron. But don't kill them. Make an example of them, and the others will fall into line.

godammit. (2)

Zurk (37028) | more than 13 years ago | (#522114)

"in each case the teenager telnetted to the server and obtained root access". what the FUCK ? he obtained ROOT access to the ISPs servers and they couldnt stop him ? people - this is fighting the wrong battle. any joe random cracker should NOT be able to obtain ROOT access to ANY server at ANY ISP. period. if those servers had been locked down tight and the sys admins at the ISPs werent so freaking incompetent this would never happen.

trace route (2)

Calimus (43046) | more than 13 years ago | (#522116)

I don't know much about DDOS so if I'm talking out my arse, just ignore me.

Is it possible to trace route the connections the attacks are comming through? If so, would it be possible to find the closest router points to each of the sources and have the controlling IPS become aware of the abuse and filter it out?

I'm sure this must be a very basic way to look at things but if it could be accomplished it might buy enough time to let everyone calm down and think about how to block it rather then having to think franticly which almost always allows for oversight.

IMOR ;) (2)

AnalogBoy (51094) | more than 13 years ago | (#522117)

Incredibly Massive Orchestrated Retaliation.

Its time those of us at risk of losing or home server and our way of life, to take up arms against these heathens. I say it is to be war between us! We shall do as our fathers did and our fathers before that! We shall point our mice and click the buttons, type the commands, and speak the words that send Millions upon Millions of brave packets to sacrifice their lives to protect our way of life, our dignity, and our porn downloads, and teach those evil bastards a lesson they will never forget!!!!!!!!


Contact the meatspace authorities (2)

devphil (51341) | more than 13 years ago | (#522119)

Just because it's a "virtual" carpetbombing of a "virtual" community, people tend not to look outside all of the software-based possibilities. Like, say, the police where the kid lives.

The cute "dept" tagline asks where's the KGB when you need 'em. Well, if there are ISPs going out of business because of this kid's actions, then law enforcement agencies will take interest.

Right, so, now that we've voted to bell the cat, who wants to contact the Romanian embassy? :-)

Re:Try securing your boxen first (2)

Myrrh (53301) | more than 13 years ago | (#522121)

Sure. People who run servers should, absolutely, always and no questions asked, be held completely responsible if their box is used to break into another box.

Don't you realize that it is impossible, impossible to completely secure any box that has a network connection to the outside? Or, for that matter, a box to which anyone is allowed physical access? It's simply not possible. Not only that, but new vulnerabilities come out all the time! That's why we sysadmins read bugtraq, CERT and CIAC.

I strongly disagree with your assertion that people running a server should be held responsible for breakins just as though they themselves had performed the breakin. It is not always--actually, rarely--the fault of the person who runs the box that was used to leapfrog. Sysadmins do their best to secure boxes to the best of their knowledge and ability, but we are busy people, and we have many other things to worry about in addition to network security.

I would say that an ISP or a person running a server should take all steps possible to secure a server against attack, and be prepared to demonstrate that she did so if there is an investigation. Only in cases of negligence or deliberate malice should someone be held responsible for actions occuring on or through the server they run.

Re:Try securing your boxen first (2)

jerdenn (86993) | more than 13 years ago | (#522129)

Get on the case of the companies that are letting him root them, and force them to take responsiblity for the damage he does with their computers...

Sure, and while you are at it, if anyone's home is ever broken into and a firearm stolen, charge the homeowner with murder. While you are at it, the next time your local corner store is robbed, charge them with a drug related offense, as we are all pretty certain that the money will go to buy drugs, anyways....

I'm tired of the 'if you would just secure your boxen' stuff. So, my servers aren't locked down - doesn't give every Tom, Dick, and 5kr1p7 kiddie the right to mess with my crap.

Hey, it's just my 2 pfennings. We are all entitled to our opinions - you, yours, and me, mine.


Romania, are you sure? (2)

ruckc (111190) | more than 13 years ago | (#522136)

Having being a undernet frequent visitor over the past few years, and knowing most of the wrong people, makes me doubt Romania.

What can they do? A firewall would help, some, but not solve the problem (FreeBSD ipfw cost $30 486 w/8-16mb ram and 500 mb harddrive,).

But a firewall will not fix the problem, no not much will, except make everyone happy of which will never happen. But you cannot let them, the kiddies, walkover Undernet so it is forced to close, you must stand up so they cannot do it to another server and another.

If it is a DDoS, then obviously the kiddie got in the machines that he is using by a vunerability, and is controling them, but I doubt he fixed the bug, kill the machine? (shutdown now) Contact the dumbass admin that didnt patch his server, tell him you were forced, by 50000-60000 undernet users. But it does not really matter in the end though, he will always find more insecure boxes, and he can continue the attack, any "Romanians want to go raid his house and make his ass stop please? I really wouldnt mind, and I doubt most people would care other than him and his parents.

Oh well just my few tidbits of information.

Preventing DDoS attacks (2)

sgoldsby (302843) | more than 13 years ago | (#522163)

Applicable to the DDoS problem.

I'm in the security business. When trying to find chinks in the armor, I've done serious damage to checkpoint, pix, raptor, ipchains and other firewalls.

We've recently started rolling out Netscreen boxes for perimeter defense. They proxy the 3way tcp handshake and reliably deflect synflood, udpflood and pingflood attacks, among others. We can then use the flashier boxes with more bells and whistles to do more detailed inspection of what makes it through. We're deploying a good number of these becuase their ASIC architecture is so danged good at the wire level checks.

Of course, this doesn't help if you have 100MB of SYNs coming in across your T1, but they'll never make it through to the server to hog up it's resources.

If more of the backbone providers used a tiered approach to protecting their pipes, the DDoS kids would have a lot less success. Steve []

Re:Find the people who are doing this... (3)

Restil (31903) | more than 13 years ago | (#522165)

Castration probably won't be effective. We've already proven without a doubt that the losers involved here have no balls.


Try securing your boxen first (3)

rgmoore (133276) | more than 13 years ago | (#522168)

We're about to run out of new ideas, since we can only code in so much security so fast, and law enforcement isn't terribly effective. What does the Slashdot community say?
Well, how about trying to secure some of the boxes that are being used for the attacks first? According to the second linked article:
Another Under Net operator stated that the attack began Saturday when the unidentified youth telnetted from Romania to FishNet, a Ventura, California-based Internet service provider. Once he obtained highest-level "root" access at FishNet, the youth launched at least smurf attacks - one against his former Internet service provider, the Romania-based Logicnet, and another against a UUNet service in New York...

Benefield said the youth entered FishNet services via news and mail server daemons, leaving his electronic footprints in the server logs.

The youth, who is believed to be between 16 and 19 years of age, then went on a juggernaut across the global network, stopping first at ISPs in Oslo, London and other parts of the UK, as well as hitting Chicago ISP Napnet. At each stop, the youth would log onto the server, obtain root access, then delete files, canceling accounts. In some cases, it wiped out the entire businesses such as the ISP in Oslo.

The first thing to do is to stop letting the guy root computers with great connectivity and bandwidth. Secure the damn boxes and he won't be able to do this kind of thing. Get on the case of the companies that are letting him root them, and force them to take responsiblity for the damage he does with their computers. There's really nothing you can do as long as this vandal can get his hands on serious DoS capable hardware.

What about EFNet? (3)

LightningTH (151451) | more than 13 years ago | (#522169)

EFNet has been under a constant DDos for awhile now. It has been to the point sometimes that chat is impossible and almost all servers delink. Upon looking at [] it is obvious how many servers have permamently left.
Also, did the DDos ever stop on the LinPeople IRC network? I know it was being hammered by someone that wanted things his way.

The real issue is that there are scripts and applications out there than make it 1-click possible to hack computers. This is to the point of 1-click to hack the whole internet. People need to learn about security and how to tighten their computers down and keep up with security holes so they are not prone to being hacked. There are a ton of linux users out there, but a very small percentage that know how to correctly use it and secure it so their computer is not part of the DDoS's.

(Slightly) OT - I Love Undernet (3)

perdida (251676) | more than 13 years ago | (#522171)

Really, I do.

The Undernet was a place that I was able to use like the proverbial Roman agora, shaping a lot of my political arguments and testing them against people who otherwise would not have dealt with me.

I was 15 years old and an over-bright geek girl when I discovered #debate on Undernet, which I had joined due to my recent accession to the Debate Team at highschool. I, a new anarchist, met some of the great folks who were making up the famous and oft-mirrored The Anarchist FAQ [] . Some of the issues I discussed -- and was forced to research at a level far higher than would have been required at school -- included prisons and imprisonment, the decentralization of utilities, and other supposedly "boring" questions of public policy that I learned, early on, were fascinating to me. Like other geeks I specialized early and Undernet was my venue to this specialization.

I argued with long time anarchist theorists as well as libertarians, Democrats, Republicans, and government employees and politicians with decades of experience in politics and policy. Nobody gave a shit- or knew, without a lot of work- that I was young, Jewish, Yankee, and female. It taught me that mentality was key and that I could do anything.

I then joined up in #politics, which is slanted much further to the right and is often very silly and vapid- but still often contains some of the best and most informed argument on the Net from time to time. People have discussed foreign policy, economics, ecology, cryopreservation, and lots of other issues in there.

I have gotten jobs and close friends through Undernet. I will be a lifelong inhabitant of #politics as long as it exists and isn't overwhelmed by script kiddies or other idiots.

My congratulations to IRC's staff for keeping it up so long and my hopes that Slashdotters can help them, loan them the brains, time and other resources necessary to fend off this idiotic attack.

Re:script-kiddy culture is to blame (4)

nightfire-unique (253895) | more than 13 years ago | (#522175)

some of them over 20 these days (get a life, folks)

Um. Have you considered the irony of posting something like this to slashdot?

All men are great
before declaring war

script-kiddy culture is to blame (5)

alhaz (11039) | more than 13 years ago | (#522176)

Face it. IRC is the universal home of Those Who Have No Hope Of Ever Having Sex.

Efnet, undernet, chatnet, all the big nets. the PFY's known as scriptkiddies (some of them not even youthful pimple faced youths anymore) go to IRC because it's somewhere that magically makes their penis extend two or three whole inches, just because they can find some person or some group of persons, cause them a great deal of displeasure, and say "Look what i did!" to their buddies.

What these twits would realize, if they had grey matter operating above the brainstem, is that by doing this, they're making everyone who has donated equipment and bandwidth to IRC networks question whether or not that was a good idea.

IRC networks are going to go away because of scriptkiddies, unless these kiddies, some of them over 20 these days (get a life, folks), knock it off.

Would YOU run a public irc server if it ment you were going to get DoSed into the stone age twice a week? I sure as hell wouldn't. Maybe that's why chatnet only has 4 servers in the US these days.

All that being said, undernet has always been a haven for oversexed, underage wankers anyway.

Go ahead, moderate this post as a flame. I'm just upset because my home channel, which has existed in one form or another since the previous bush administration, has been moving around from network to network lately trying to find one that doesn't get shut down constantly by angry users, or worse yet, angry ircops who are scriptkiddies themselves.

Use those sources... (5)

Thalia (42305) | more than 13 years ago | (#522178)

I expect this is the Trinity attack that is described in considerably detail here [] by X-Force [] . You can find the actual article and anlysis of the Stacheldraht tool here [] written at the University of Washington. The author of that article claims that he wrote a program [] that detects Stacheldraht on a system. Of course, getting the ISPs that are sending these DDOS messages to actually use some security might be a bit difficult. By the way, this is old news, since the CERT advisory [] is dated June 99.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?