Undernet In Serious Trouble: Any Suggestions? (Updated)
An Undernet admin writes: "For the past 4 days, many of Undernet's servers have been hit with constant DDoS, massive stuff on the order of 100M/sec that doesn't look like it will clear up anytime soon. The major services with which Undernet is associated, including Uworld and the channel service bots X and W, have been removed because the ISP that hosts them cannot afford to have them online, and even with them offline, the ISP has continued to be hit with the DDoS. Several servers will be forced to delink permanently if this continues. And all of it's happening because a script kiddie in Romania has nothing better to do with his time, and with his head start, many other groups have decided to lend a hand and take out other servers while his main pummelling is going on. We're about to run out of new ideas, since we can only code in so much security so fast, and law enforcement isn't terribly effective. What does the Slashdot community say?" There's a notice on their Web site. Update: 01/08 09:49 PM by michael: The news story we linked to was ancient.
Re:script-kiddy culture is to blame (Score:1)
Good grief (Score:1)
Re: Ask Slashdot: Undernet In Serious Trouble. . . (Score:2)
The problem is all those insecure-by-default linux installs. If all the linux distro companies would effectively TRY to make a secure linux distro then maybe there wouldn't be as many insecure boxes out there.
I find it particularly damning that Debian, a non-commercial distro, is the most secure compared to all those other overfunded and undersecured distros.
It has been proved time and time again that people do NOT need all those services that are on by default in Redhat and Mandrake and all the others, yet every new version still comes with the most easily rooted apps all running in an open-to-everyone config.
Never mind the fact that it's possible to build a distro that has all these services, but none of them running as root. No, that would mean actually innovating for a change.
Jeez, man, I love Debian, but I hate linux.
A case for Internet Licenses. (Score:2)
Think about this: DDoS attacks can do much more monetary damage than car accidents can, yet we have no system of regulating just who can and cannot get onto the Internet. Would you let a twelve-year-old get behind the wheel of a McLaren F1? Why, then, do we let them (and people of their maturity level) onto our global networks unsupervised? There needs to be some system of accountability and a standardized measure of competence in order to be allowed onto the Internet.
Maybe I'm elitist, but that's how I feel about it all.
- A.P.
--
* CmdrTaco is an idiot.
Re:Find the people who are doing this... (Score:2)
And probably will never reproduce anyway. Just as well. What is it that drives people to wreck shared resources that other people are enjoying for no good reason? Can they find this gonnif and get rid of him, please?
The cure of the ills of Democracy is more Democracy.
Re:Try securing your boxen first (Score:2)
It is stuff like this that might cause your computer to be blocked. You may do what you want with your computer, but if your computer causes trouble on the network, don't be surprised if your service providers yank your connection. It is your right to do what you want with your computer, but the ISP has a right to not supply an open feed to problem computers.
He did you a favor... (Score:2)
you are so wrong (Score:2)
Re:Telnet access is mandatory (Score:2)
Re:script-kiddy culture is to blame (Score:2)
In the real world, tromping on someone's flowerbed is vandalism. But unless there's a serious amount of money stolen, most police agencies won't touch it.
These kids are immune to most real consequence. OK, so he's in Romania, fine. If the US FBI finds him, they can't touch him unless the Romanian feds want to get him, too; and depending on how someone feels about the US that day, they may just slap him on the wrist. Remember ILOVEYOU? They may not even have a law for this kind of thing.
Lets face it, until more of these waste-of-flesh dickweeds start getting gang-raped in jails, the problem won't go away.
(sorry I'm so mad. I just get sick of this crap)
Re:Try securing your boxen first (Score:2)
You do that, and you can bet your ass you'll be "ticketed" for leaving your car running unattended.
--
Choking? (Score:2)
Of course, Cisco will charge an arm and a leg for that "feature"...
--
Death of IRC predicted, Film at 11 (Score:2)
Also, why doesn't someone DDOS this kid's isp. That should make it hard for him to broadcast smurfs or control Trin00
How come we haven't seen stuff like this happen on the OpenNap networks yet?
Re:Same thing, New Medium (Score:2)
-josh
Romania e-commerce laws (Score:2)
XINHUA
January 8, 2001, Monday
HEADLINE: Romania to Adopt E-business Law, XINHUA
BUCHAREST, January 8 (Xinhua) -- The Romanian government will adopt a law package for the development of e-business, newspaper reports said Monday. The package includes the law on e-commerce, digital signature and fraud in this field, Communication and Information Technology Minister Dan Nica was quoted as saying by the daily Ziarul Financiar.
Nica said that the ministry's specialists had already consulted with specialized parliamentary commissions on the bill, which was sent to all those interested, mainly to the IT community in Romania, for their opinions. According to Nica, the law package is almost ready, and the Ministry of Justice will complete it over the next days with the stipulations of penalties for fraud on the Internet. He said that Romania would soon have a regime of fraud treatment similar to those in Western Europe and the United States.
The law on e-commerce will stipulate the rules of such activities and the consumer and seller protection measures. After this minimum legal framework is created, Romanian authorities are to initiate bills of e-document and e-archive, e-notary and e-public administration, as well as a separate set of changes of bank, insurance and capital market laws to represent the legal basis for e-financing and e-banking activities.
Re:This is why I left efnet in the firstplace. (Score:2)
Rather, I'd say it's about sex and the lack of it, just like they said. Without too much experience in the issue, I'd say that it's not exactly uncommon that 'normal' kids do pretty dumb stuff too, just because they think it'll improve their chances of getting laid, or to impress their friends. Usually they just don't have enough power to do much; here they do.
I'm ashamed to admit it, but the IRC politics, wars and the attack sounded just cool when I read it. Yes, cool. In times past, weren't the kids in puberty those who fought? It's the war instinct, if there is such.
Umm. I'm not going to read that again, it sounds pretty strange.
Re:Try securing your boxen first (Score:2)
Of course, on the other hand, you aren't responsible if your car is broken into and it is involved in an accident/crime, it's NOT your problem.
So, really, it's just a matter of precedence. It's up to a judge in a case that's never been to court yet whether your misused resources are your problem. I hope the concept of negligence works its way in, because a negligent sysadmin can be responsible, indirectly, for measurable damage/loss.
fighting dDOS attacks is hard work (Score:2)
When dealing with these problems, we had a very methodical and (we thought) reasonable way to at least diminish future attacks. Keep in mind that this applies to smurf style attacks and not ones in which floods are launched directly from hacked machines. There is little that can be done for those aside from notifying root@host and hoping they lock it down. Smurf attacks and similar, which can be identified by multiple 'attacking' machines within the same IP subnet, indicate a misconfigured router that is allowing IP broadcast ping packets into the subnet and replies to get out. I have never seen a reason why this should be allowed, and yet for years routers shipped with this as the default. Our methods involved the following:
1. Issue a single broadcast ping packet to NNN.NNN.NNN.0 (or was it
2. Figure out to the best of our knowledge who 'owned' the routing for the IP range, typically through a traceroute or reverse lookups.
3. Contact, via standard abuse@ addresses, the network administrator of the subnets being used in the attacks, informing them of the problem and the solution.
These efforts led to several hundred subnets being secured against use in dDOS attacks, which is a drop in the bucket but a decent accomplishment for a few guys with other jobs to do. It also led to our being labelled by network admins as troublemakers and (often) criminals. A large percentage of net admins contacted didn't even know what we were talking about, and when we tried to refer them to well-known consultants that we had no affiliation with aside from knowing their name, we were called spammers or worse.
So until broadcast ping from outside of subnets is commonly blocked (and I believe most new routers ship this way) and the paranoid attitude that is ironically allowing these attacks to continue is reexamined, there is little hope to see it dry up. Skr1pt k1dd1e culture isn't about to go away, because wise-acre kids will always think they know best. Until then, best of luck in finding ways around this.
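The subnet-grouping step this post describes (many "attackers" inside one subnet pointing at an amplifier network rather than at individual compromised hosts), written out as an added Python example; it is not the poster's own code. The flow records are constructed, the /24 grouping and the three-host threshold are assumed values, and the `no ip directed-broadcast` text in the report is the Cisco IOS interface command for the fix; the real remediation depends on the router at the other end.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: (source address, ICMP type) as a sniffer on
# the victim side might log them.  Type 0 is echo reply, the traffic a smurf
# victim is buried under; type 8 is an ordinary echo request.
SAMPLE_FLOWS = [
    ("192.0.2.1", 0), ("192.0.2.7", 0), ("192.0.2.19", 0),
    ("192.0.2.44", 0), ("192.0.2.200", 0), ("192.0.2.254", 0),
    ("198.51.100.3", 0), ("198.51.100.9", 0), ("198.51.100.77", 0),
    ("203.0.113.5", 8),    # a lone echo request, not amplification
    ("203.0.113.66", 0),   # one reply from a /24: too few hosts to flag
]


def amplifier_subnets(flows, min_hosts=3, prefixlen=24):
    """Map each /prefixlen subnet to the distinct hosts in it that sent echo
    replies, keeping only subnets with at least ``min_hosts`` repliers.
    Many distinct repliers inside one subnet is the signature of a
    directed-broadcast ping being answered by every host on that LAN."""
    repliers = defaultdict(set)
    for src, icmp_type in flows:
        if icmp_type != 0:
            continue
        addr = ipaddress.ip_address(src)
        subnet = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        repliers[subnet].add(addr)
    return {
        subnet: [str(a) for a in sorted(hosts)]
        for subnet, hosts in repliers.items()
        if len(hosts) >= min_hosts
    }


def abuse_report(subnets):
    """One line per amplifier subnet, ready to paste into a mail to abuse@."""
    return [
        f"{subnet}: {len(hosts)} hosts replied to a broadcast ping; "
        f"please disable directed broadcast on the LAN interface "
        f"(on Cisco IOS: 'no ip directed-broadcast'; assumed syntax)"
        for subnet, hosts in sorted(subnets.items())
    ]


if __name__ == "__main__":
    for line in abuse_report(amplifier_subnets(SAMPLE_FLOWS)):
        print(line)
```

The threshold matters: a single host in a /24 replying is just a host that was pinged, while six distinct hosts replying to traffic you never sent is a broadcast address being answered. Run it over real captures and the /24 assumption should be replaced by whatever the whois or traceroute step in the post turns up for the actual allocation.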
Power-hungry ops are to blame. (Score:2)
I've argued, even flamed (and been flamed) before, but that's the same thing that happens anywhere else. But then an operator sees this (or is told about it) and the stupid twit takes it upon themselves to save everyone from themselves, by banning them from a channel or from a server.
If someone without operator status doesn't like what you say, they either ignore you (/ignore or similar) or tell you, then the world goes on. If someone with operator status doesn't like you, you get kicked, gagged, banned, etc.
IMHO the IRC networks shouldn't have channel ops, just a
And, for the uses where a private controllable (and secret) channel is desired, unnamed (and thus undesirable to control) channels that are created when you invite someone to a private chat should let the creator add and remove people at will. So if I need to talk to someone about something I create a temporary numbered channel such as #18327349 (randomly assigned, how thrilling) where I can kick someone from and nobody can join without an invite.
This way nobody could control the obvious places of gathering, #linux, #c, #quake, etc. These would always be free and open. But if anyone really wanted to talk about something private they could go off to a special temporary channel with their friends and have all the necessary control.
But, it'll never fly. I proposed this to a few IRC addicts once and the reason they gave for not wanting this is that they couldn't give and remove power by giving certain people ops and adding them to the bot. It was all a power trip to them.
That was when I stopped using IRC except for technical matters (asking and answering questions on programming channels, etc.)
Re:How hard can it be? (Score:2)
Re:Try securing your boxen first (Score:2)
you do have the right to leave your car unlocked and the keys stuck.
even if you do lock it, someone could break the window and steal it.
do you want to be responsible for every person that the guy runs over?
greetings, eMBee.
--
Re:Try securing your boxen first (Score:2)
tongue (post #380) [slashdot.org] got it right.
greetings, eMBee.
--
It's the SAME article! (Score:2)
This is an entirely different situation.
Re:1997 Attacks (Score:2)
Re:Try securing your boxen first (Score:2)
By locking your car, you are taking REASONABLE precautions that an unauthorized user will not take it and do damage with it. Certainly, this doesn't prevent someone from breaking into it and hotwiring it, but REASONABLE precautions don't necessarily ensure no misuse, but they make it difficult.
However, if you leave your Stingray unlocked, with the keys in the ignition and the engine running in a bad neighborhood and your insurance company finds out, it's a safe bet they won't pay the cost of replacement. Likewise, if someone gets killed as a result (and again, assuming everyone knows how you left it) it's not a stretch to assume you will bear some liability in its misuse, though I doubt it would be criminal, probably civil.
The case of an unsecured box is the same. While a home box may be looked at as something along the lines of a Pinto parked in your garage, circumstances under which I might leave my car unlocked, an ISP more closely correlates to a Stingray or even a Mack truck in a highly visible, public spot. To leave such a box unsecured is unconscionable. Additionally, if the ISP is publicly traded, the administrators are leaving the company open for a due-diligence lawsuit from its investors.
the moral? don't be an asshole. if you have bandwidth to spare, at least disable extra ports and check your logs every once in a while. and if you run an isp, for gods sake secure it. your users will thank you for it.
Okay, so... this keeps happening. Now what? (Score:2)
I'd chat with you more on this, but I can't seem to find any stable EFNet server...
Honeynet Project (Score:2)
Killing them would be a bit severe (Score:2)
So by all means, go a little vigilante and work them over with a tire iron. But don't kill them. Make an example of them, and the others will fall into line.
Re:A serious proposal for a more secure irc networ (Score:2)
Most IRC networks do this already, an alias of irc.[networkname].net (or .org, or .com). However, the names (and addresses) for the individual servers are still available, and for good reason. Users want to connect to a server which is local (networkwise) to them. Sometimes a server may become disconnected from the network, and any users on that server will want to change to a server still connected to the network.
As long as IP is used, it will be impossible to prevent users from knowing the address of the servers anyway, so there is no benefit in even trying to hide them.
Slashdot's evolving hypocrisy, double-standards (Score:2)
I mean, that's the typical position one can expect from Slashdot when dealing with someone who has defaced a webpage or otherwise tampered with a system. Those people are considered noble.
Yet, I've gone through a hundred posts and not one doesn't call for the death of these alleged DoS attackers. Yes, what they are doing isn't as creative as drawing a Hitler mustache on Janet Reno on the Department of Justice's webpage, but is it that much worse? Apparently yes, because the victim is the innocent Undernet, and not the evil government. Bah.
I suggest to the Slashdot editors that they try to leave out their biases as much as possible in the headlines/stories because the biases are often flawed, hypocritical, inconsistent with previous biases, or just plain stupid.
godammit. (Score:2)
Re:Not funny. Not one bit. (Score:2)
By the way, you're cute
trace route (Score:2)
Is it possible to trace route the connections the attacks are coming through? If so, would it be possible to find the closest router points to each of the sources and have the controlling ISPs become aware of the abuse and filter it out?
I'm sure this must be a very basic way to look at things but if it could be accomplished it might buy enough time to let everyone calm down and think about how to block it rather than having to think frantically which almost always allows for oversight.
IMOR ;) (Score:2)
It's time for those of us at risk of losing our home server and our way of life to take up arms against these heathens. I say it is to be war between us! We shall do as our fathers did and our fathers before that! We shall point our mice and click the buttons, type the commands, and speak the words that send Millions upon Millions of brave packets to sacrifice their lives to protect our way of life, our dignity, and our porn downloads, and teach those evil bastards a lesson they will never forget!!!!!!!!
;)
"The news story we linked to was ancient..." (Score:2)
...but somebody will repost it in its entirety anyhow, just to be safe.
Contact the meatspace authorities (Score:2)
Just because it's a "virtual" carpetbombing of a "virtual" community, people tend not to look outside all of the software-based possibilities. Like, say, the police where the kid lives.
The cute "dept" tagline asks where's the KGB when you need 'em. Well, if there are ISPs going out of business because of this kid's actions, then law enforcement agencies will take interest.
Right, so, now that we've voted to bell the cat, who wants to contact the Romanian embassy? :-)
Undernet's not the only... (Score:2)
First, it helped the users doing the DOS attacks realize that they were making a huge dent, and that if they continued, they really would lose their playground.
Secondly, it helped the network as a whole because many of the conflicting groups and users doing the DOS attacks changed networks.
Opennet has somewhat dwindled now, it was a bit of a fad, and most of the users have returned to Efnet. But I think its effects are still lasting. EFnet is without a doubt more stable.
Perhaps Undernet needs a similar approach. Just my 2 cents =)
Re:Try securing your boxen first (Score:2)
Sure. People who run servers should, absolutely, always and no questions asked, be held completely responsible if their box is used to break into another box.
Don't you realize that it is impossible, impossible to completely secure any box that has a network connection to the outside? Or, for that matter, a box to which anyone is allowed physical access? It's simply not possible. Not only that, but new vulnerabilities come out all the time! That's why we sysadmins read bugtraq, CERT and CIAC.
I strongly disagree with your assertion that people running a server should be held responsible for breakins just as though they themselves had performed the breakin. It is not always--actually, rarely--the fault of the person who runs the box that was used to leapfrog. Sysadmins do their best to secure boxes to the best of their knowledge and ability, but we are busy people, and we have many other things to worry about in addition to network security.
I would say that an ISP or a person running a server should take all steps possible to secure a server against attack, and be prepared to demonstrate that she did so if there is an investigation. Only in cases of negligence or deliberate malice should someone be held responsible for actions occurring on or through the server they run.
The link the /. crew removed as 'ancient' (Score:2)
http://www.indy.net/~sabronet/news/undernet.html [indy.net]
This isn't the first time for Romania... (Score:2)
However, the person in question made the mistake of attacking the norman.ok.us server, which is/was hosted by the National Severe Storms Lab. Attacking a government server is a big no-no. It was enough for one of the opers to contact a friend with CERT and get Romania's internet traffic blackholed. Sent to the bitbucket as it hit the major backbones. It was a quiet day, and suddenly there weren't any more problems from that person again.
So why not go through CERT again? If Romania's not going to respond to problems from its citizens, then they should be treated just like an ISP who won't do anything about spammers. They get the death penalty, except this time it's the Internet Death Penalty, rather than the Usenet version.
-Todd
---
Re:I agree... (Score:2)
Generally, they are too young to be criminally prosecuted anyway. PLUS, once you cross a country border (or several), it becomes even harder to bring legal action.
Re:Try securing your boxen first (Score:2)
I like that analogy.. let's extend it:
Wind0ze = Ford Exploders, built Ford tough - to explode!
BSD = Volvo, boxy IS sexy!
anyone think of any more?
Re:Not funny. Not one bit. (Score:2)
i just don't get the whole "usenet is dead" argument.
Re:1997 Attacks (Score:2)
Bullsh*t, what about responsibility? (Score:2)
Likewise when someone abuses a site you've left unchecked, the site owner is responsible. You can bet your ass that if this was being directed at a business instead of at Undernet, that they would be suing the pants off everyone whose systems got rooted, for negligence, aiding and abetting, you name it.
You have the right to do whatever you want with your system, but if something bad happens with them, they are ultimately your responsibility.
Fross
Re:Try securing your boxen first (Score:2)
Sure, and while you are at it, if anyone's home is ever broken into and a firearm stolen, charge the homeowner with murder. While you are at it, the next time your local corner store is robbed, charge them with a drug related offense, as we are all pretty certain that the money will go to buy drugs, anyways....
I'm tired of the 'if you would just secure your boxen' stuff. So, my servers aren't locked down - doesn't give every Tom, Dick, and 5kr1p7 kiddie the right to mess with my crap.
Hey, it's just my 2 pfennings. We are all entitled to our opinions - you, yours, and me, mine.
-jerdenn
Re:script-kiddy culture is to blame (Score:2)
I think it's a social/psychological argument - long term, if a society as a whole gets used to killing everyone who's a criminal, then the individuals in that society will be comfortable with killing as a solution to problems. Same principle behind showing many hours of mindless media violence to desensitize your population to real-life examples of that violence.
Short term, of course, killing the truly incorrigible is a "cost-effective" solution.
Re:script-kiddy culture is to blame (Score:2)
The only reason they're operating outside of the law, is that the majority of society doesn't agree with their extreme views.
Of course, they've justified their behavior by defining the situation as being in a "war", where it is acceptable to sacrifice human life to achieve some "more important", long-term goal.
What makes ME even more disgusted, are the pro-lifers who aren't willing to pull the trigger themselves, but who quietly condone (& support) the behavior of the militants because of the widespread chilling effect it has on the availability of abortion (all those agent-of-Satan doctors fearing for their lives).
Re:Jesus Christ! (Score:2)
It really doesn't matter how important the service is. What you have here is terrorists from a third world country doing major damage to our infrastructure. So today it was the undernet. What if tomorrow it's a newspaper or a dot-com business that may perhaps already be struggling. The script kiddies will become bolder as they discover that they can get a company to roll over with relatively little effort. No doubt we'll start seeing some blackmail cases; pay us $100,000 or your link will never come back up. That sort of shit. Or maybe someone out there who doesn't like AOL will just decide to take them down for good. The attacks we're seeing now are just the tip of the iceberg.
Re:Jesus Christ! (Score:2)
try a better chat protocol (Score:2)
Re:Undernet's had it coming. -- AGREED! (Score:2)
For instance, in #solaris some retard (who was an OP!) was telling the newbies to unlink /dev/zero ... they were keeping tally of how many people they'd gotten to ruin their boxes...
For some reason, the "culture" of the undernet has mutated into an angry, arrogant, mob ...
Romania, are you sure? (Score:2)
What can they do? A firewall would help, some, but not solve the problem (FreeBSD ipfw on a $30 486 w/8-16MB RAM and 500MB hard drive).
But a firewall will not fix the problem, no not much will, except make everyone happy of which will never happen. But you cannot let them, the kiddies, walkover Undernet so it is forced to close, you must stand up so they cannot do it to another server and another.
If it is a DDoS, then obviously the kiddie got into the machines that he is using by a vulnerability, and is controlling them, but I doubt he fixed the bug. Kill the machine? (shutdown now) Contact the dumbass admin that didn't patch his server, tell him you were forced, by 50000-60000 undernet users. But it does not really matter in the end though, he will always find more insecure boxes, and he can continue the attack. Any Romanians want to go raid his house and make his ass stop please? I really wouldn't mind, and I doubt most people would care other than him and his parents.
Oh well just my few tidbits of information.
OpenVerse Visual Chat is an alternative. (Score:2)
They are a threat to free speech and must be silenced! - Andrea Chen
Correction (Score:2)
That is all.
"The GIMP Girl"
Defensive measures (Score:2)
Once you've got the forged source address problem under control, the rest of the problem can be worked. Try turning on fair queuing at the first upstream router at a bandwidth choke point.
If you can actually find the attacker, having them visited by a lawyer and private detective working together can be very effective.
Rom != Romanian (Score:2)
Like Tetris? Like drugs? Ever try combining them? [pineight.com]
Re:Jesus Christ! (Score:2)
Re:Try securing your boxen first (Score:2)
That is, interestingly enough, not in line with traditional Anglo-Saxon common law concepts, such as maintaining an attractive nuisance. If, for instance, you have a swimming pool, you are legally responsible for taking active steps to keep neighborhood children out. If you don't and one jumps in and drowns, you can be held civilly and (IIRC) criminally liable. If you don't lock your tool shed and the neighborhood drug dealer takes it over as his place of business, you can be held liable. I am merely suggesting holding people with open network connections to a similar standard: if you have a box that's likely to attract DoS kiddies, you must take serious steps to keep them out or be held partially liable for whatever damage they do with your box.
Re:Counterefficient (Score:2)
This may not always be the case. One of the serious disadvantages to virtual "communities" (like Slashdot, or IRC, or UO, or whatever) is that it's very easy to forget that there are humans on the other end of the line. It's a whole hell of a lot easier to destroy something when the only consequences are to a group that doesn't seem real.
There really are people who like to hurt things -- people who set cats on fire. These people are broken. But just about everyone likes to destroy things -- people who built big lego cities when they were a kid, just so they could play godzilla, or play Quake deathmatches, or just see how many levels deep they can 'eval' their scheme interpreter before the machine grinds to a halt. These people are, for the most part, not broken.
The problem is that crashing Undernet is a little like watching the NASCAR crashes in the sports highlight films -- it's pretty easy to imagine that there are no real people being hurt. But, by publicizing this, there's a slim chance that this punk will realize he's actually hurting real people.
Of course, it would be nice if they provided his name and address, so someone could go explain it to him in person.
Re:What about EFNet? (Score:2)
How hard can it be? (Score:2)
To every bozo running an ISP out there, use this script on your router to prevent anyone on your net from forging an address:
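The script itself is not reproduced on the page. As an added example, not the poster's script, here is the same ingress-filtering idea (RFC 2827 / BCP 38) in Python: a packet leaving the network whose source address is not inside a prefix the ISP actually routes for its customers is forged and gets dropped, and the same policy is rendered as a Cisco-style access list. The prefixes and packets are constructed; the ACL lines assume IOS extended-ACL syntax and should be checked against the documentation for the router in use.

```python
import ipaddress

# Constructed: the address blocks this ISP routes for its own customers.  Any
# packet leaving the network with a source outside these cannot be legitimate.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/25")]


def is_forged(src, prefixes=OUR_PREFIXES):
    """True if ``src`` is not inside any prefix this network may originate."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in prefixes)


def filter_outbound(packets, prefixes=OUR_PREFIXES):
    """Apply the ingress filter to (src, dst) pairs seen on the customer-facing
    interface and return (forwarded, dropped).  The dropped ones are exactly
    the packets a smurf or SYN-flood tool relies on to hide where it runs."""
    forwarded, dropped = [], []
    for pkt in packets:
        (dropped if is_forged(pkt[0], prefixes) else forwarded).append(pkt)
    return forwarded, dropped


def cisco_acl(prefixes=OUR_PREFIXES, number=101):
    """Render the same policy as a Cisco IOS extended ACL (assumed syntax).
    IOS wants wildcard masks, the bitwise inverse of the netmask, which is
    what ``hostmask`` gives us.  The list is meant to be applied inbound on
    the customer-facing interface ('ip access-group 101 in', assumed)."""
    lines = [
        f"access-list {number} permit ip {net.network_address} {net.hostmask} any"
        for net in prefixes
    ]
    lines.append(f"access-list {number} deny ip any any log")
    return lines


# Constructed traffic sample: the second packet claims an address just past
# the end of our /25, the third a completely foreign address.
SAMPLE_PACKETS = [
    ("192.0.2.5", "203.0.113.1"),
    ("198.51.100.130", "203.0.113.1"),
    ("10.99.0.1", "203.0.113.1"),
]

if __name__ == "__main__":
    ok, bad = filter_outbound(SAMPLE_PACKETS)
    print("forwarded:", ok)
    print("dropped:", bad)
    print("\n".join(cisco_acl()))
```

The `log` keyword on the final deny is what makes the filter useful for response as well as prevention: a customer machine that starts emitting spoofed sources shows up in the router log before anyone downstream has to complain.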
Re:script-kiddy culture is to blame (Score:2)
Talk to someone at MIT (Score:2)
In some places in there, they have bandwidth that makes OC48 look like a dialup modem.
Ping Flood anyone?
but seriously, maybe one of those type of places would be happy to host X and W on a really really fast machine. or a main frame, all as an experiment in internet security countermeasures.
then add in some sort of code to escalate the response as an attack continues, so that the more a kiddie attacks, the more the kiddies get hammered until they go *poof*!
Re:You guys are assholes! (Score:2)
Re:Find the people who are doing this... (Score:2)
> > already proven without a doubt that the losers
> > involved here have no balls.
> And probably will never reproduce anyway.
Maybe they will clown, hu I mean clone, themselves?
Re:Same thing, New Medium (Score:2)
Not always, but often enough. It mostly did go to poor neighborhoods and never to the elite part of town. However it did go to some nice country homes right on the riverbank once. About 1/4 were from cars. They were most likely to initiate flame wars thinking they were unfindable. Fortunately, they usually parked someplace making rapid triangulation very easy. With music blaring, they seldom noticed my arrival, plate copy and departure. (I don't hang about to get shot at or identified) The DF stuff was discreet and looked like twin mirror mount trucker antennas. It wasn't the obvious loop or beam antenna. Later they get the friendly letter on the front door and under the wiper blade. Another advantage then over DOS now was the guy you were looking for was within 20 miles.
Re:Same thing, New Medium (Score:2)
IRC is in trouble anyway (Score:2)
Unless IRC gets fixed or replaced by a new open protocol, you are probably going to see more and more chatting move to proprietary protocols and servers.
Re:Important: please read!!! (Score:2)
You just wasted a lot of time writing that in response to an old troll.
Not really. Not knowing his history, I still figured on the possibility it was a troll. But I think it is always good to bring a rational thought into such a discourse. After all, if the only responses are "begone troll" and "begone pedophile," and this happens time and again, doesn't this create a potentially inaccurate representation of /. posters? He is, after all, trolling our open-mindedness. Do we want to lose that to deny him his little yuk?
Re:Important: please read!!! (Score:2)
A pedophile is one whose primary sexual attraction is to children. This does not mean s/he cannot have sex with adults, only that the most satisfying image possible is that of sex with a child. Both hetero- and homo- sexual variations are possible.
I think you should be able to entertain whatever fantasies you want, but I think I speak for the consensus when I say sex between adults and minors should not be allowed. I don't think the power relationship can be resolved in any productive way. While it might be possible to establish a relationship that even the minor party finds enjoyable and feels is non-coercive, the weight of years and experience will always be there in ways that just don't exist when two adults are thrashing out their differences.
And it is really hard to imagine a world in which this would be different, no matter what the differences in mores or technology. We are born knowing nothing and need a prolonged developmental period to establish our concept of self. Sexual experimentation between children may be a natural part of that process, but I don't think that sex between children and adults is.
I have seen indications that some so-called pedophiles are actually "getting off" on the power imbalance itself, rather than the child-adult thing. That may be an individual quirk, but it's worth paying attention to. Most of us aren't into sex with kids, but everyone understands power. In our culture, it's the universal fetish.
Re:not sincere (Score:2)
Preventing DDoS attacks (Score:2)
I'm in the security business. When trying to find chinks in the armor, I've done serious damage to checkpoint, pix, raptor, ipchains and other firewalls.
We've recently started rolling out Netscreen boxes for perimeter defense. They proxy the 3way tcp handshake and reliably deflect synflood, udpflood and pingflood attacks, among others. We can then use the flashier boxes with more bells and whistles to do more detailed inspection of what makes it through. We're deploying a good number of these because their ASIC architecture is so danged good at the wire level checks.
Of course, this doesn't help if you have 100MB of SYNs coming in across your T1, but they'll never make it through to the server to hog up its resources.
If more of the backbone providers used a tiered approach to protecting their pipes, the DDoS kids would have a lot less success. Steve [integrate-u.com]
Re:script-kiddy culture is to blame (Score:3)
Heh, I know the feeling. I have frequented the SlashNET network for a few years now and have developed some fairly nice friendships. Recently, the ops of radon.slashnet.org and perdition.slashnet.org decided that it would be great fun to use their IRC Operator status to harass me.
They kickban me from the main channel at random, make the servers reset my connection, set services to automatically kick me, they've even gagged me twice. The second time they would have left it on, but I was able to ssh to another box and log in from it to make it known that I had been gagged. They then removed the gag and tried to pretend that they hadn't done it.
Needless to say, IRC, which is supposed to be a recreational activity, is now a pain. I do not get on to be abused by a couple of assholes who happen to have enough access to somebody else's bandwidth that they can become 1337 s3rv3r 0pz.
If they're trying to get rid of me, they're doing a pretty good job. I'd already be gone if I was any less interested in the other people on that network.
I wonder how many of these attacks on IRC networks are caused by an Op abusing his powers and burning a few bridges with the wrong people.
Try securing your boxen first (Score:3)
The first thing to do is to stop letting the guy root computers with great connectivity and bandwidth. Secure the damn boxes and he won't be able to do this kind of thing. Get on the case of the companies that are letting him root them, and force them to take responsibility for the damage he does with their computers. There's really nothing you can do as long as this vandal can get his hands on serious DoS-capable hardware.
What about EFNet? (Score:3)
Also, did the DDos ever stop on the LinPeople IRC network? I know it was being hammered by someone that wanted things his way.
The real issue is that there are scripts and applications out there that make it 1-click possible to hack computers. This is to the point of 1-click to hack the whole internet. People need to learn about security and how to tighten their computers down and keep up with security holes so they are not prone to being hacked. There are a ton of linux users out there, but a very small percentage that know how to correctly use it and secure it so their computer is not part of the DDoS's.
Re:trace route (Score:3)
Second problem: These attacks are distributed hence packets come from many different places, more than one source.
Third problem: There are many different types of DOS attack, so you can't just filter on packet types.
The best analogy I can think of for DDOS attacks is this: Imagine someone had a worldwide gang of people that wrote post cards to you; they each sent you 300 post cards a day and there were a hundred people in the gang. You'd get 30,000 postcards a day that you never asked for; this would fill up your mailbox and you wouldn't be able to get your important mail. All you could tell from the post codes was that these cards came from 100 different places around the world. Furthermore, the post office now wants to charge you for all your extra mail, and the only way to stop it is to tell the post office to throw out all your mail, including important letters (or else move house).
What some of the major ISPs are doing is running netflow accounting so they have detailed traffic logs, but these tend to be huge. With these logs it is just about possible to identify the source of the packets *IF* all end-to-end ISPs run this and are willing to co-operate. Just like tracing a telephone call in old movies, this takes time, and if the machine stops DOSing the target it can make this a lot harder. Once you have found a slave machine, in theory you can check the netflow logs for the initial connection from the controlling machine that started the DDOS. This sounds like a pain, and it is; it is my understanding that no-one has ever been caught doing a DDOS by this method.
Sniffing packets at ingress points for known DDOS master-to-slave commands would be a possible solution, BUT every possible ingress point would have to implement this (not realistic - massive understatement) and all the DDOS authors would have to do would be to change the commands used. This would just combat script kiddies using old software, really.
Two words: Difficult problem.
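The netflow-accounting idea in the post above, as an added example that is not part of the original thread: a small analyser that reads simplified flow records, picks out the destination taking the most packets, and reports how many distinct sources are hitting it (the mark of a distributed attack) so the list can be handed to upstream providers for filtering. The record format, addresses and counts are constructed for the example.

```python
"""Find the attacked host and its sources in simplified NetFlow-style records.

Added example, not from the original post. Each record line is constructed as:
  src_ip dst_ip proto dst_port packets bytes
Addresses come from the documentation ranges.
"""
from collections import Counter

# Constructed sample export: one victim (an IRC server on port 6667) flooded
# from many sources with a mix of TCP, UDP and ICMP, plus normal mail traffic.
SAMPLE_FLOWS = """\
203.0.113.11 198.51.100.7 6 6667 50000 2000000
203.0.113.12 198.51.100.7 6 6667 48000 1920000
203.0.113.13 198.51.100.7 17 6667 52000 2080000
203.0.113.14 198.51.100.7 1 0 47000 1880000
203.0.113.15 198.51.100.7 6 6667 51000 2040000
203.0.113.16 198.51.100.7 6 6667 49000 1960000
192.0.2.80 198.51.100.25 6 25 40 3200
192.0.2.81 198.51.100.25 6 25 35 2800
198.51.100.7 203.0.113.11 6 6667 5 400
"""


def parse_flows(text):
    """Turn the whitespace-separated export into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, port, pkts, byts = line.split()
        flows.append({"src": src, "dst": dst, "proto": int(proto),
                      "port": int(port), "packets": int(pkts),
                      "bytes": int(byts)})
    return flows


def find_victim(flows):
    """Destination receiving the most packets, with that packet count."""
    per_dst = Counter()
    for f in flows:
        per_dst[f["dst"]] += f["packets"]
    return per_dst.most_common(1)[0]


def source_profile(flows, victim, min_sources=5):
    """Packets per source aimed at victim, protocols seen, and a
    'distributed' verdict once at least min_sources hosts are involved."""
    per_src = Counter()
    protos = set()
    for f in flows:
        if f["dst"] == victim:
            per_src[f["src"]] += f["packets"]
            protos.add(f["proto"])
    return per_src, protos, len(per_src) >= min_sources


def filter_request(flows):
    """Summary a NOC could send upstream: victim, sources to filter, protocols."""
    victim, pkts = find_victim(flows)
    per_src, protos, distributed = source_profile(flows, victim)
    return {
        "victim": victim,
        "packets": pkts,
        "distributed": distributed,
        "protocols": sorted(protos),
        "sources": [src for src, _ in per_src.most_common()],
    }


if __name__ == "__main__":
    report = filter_request(parse_flows(SAMPLE_FLOWS))
    print(f"victim {report['victim']} took {report['packets']} packets "
          f"from {len(report['sources'])} sources "
          f"(distributed={report['distributed']})")
    for src in report["sources"]:
        print("  filter source", src)
```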
(Slightly) OT - I Love Undernet (Score:3)
Really, I do.
The Undernet was a place that I was able to use like the proverbial Roman agora, shaping a lot of my political arguments and testing them against people who otherwise would not have dealt with me.
I was 15 years old and an over-bright geek girl when I discovered #debate on Undernet, which I had joined due to my recent accession to the Debate Team at highschool. I, a new anarchist, met some of the great folks who were making up the famous and oft-mirrored The Anarchist FAQ [blackened.net] . Some of the issues I discussed -- and was forced to research at a level far higher than would have been required at school -- included prisons and imprisonment, the decentralization of utilities, and other supposedly "boring" questions of public policy that I learned, early on, were fascinating to me. Like other geeks I specialized early and Undernet was my venue to this specialization.
I argued with long time anarchist theorists as well as libertarians, Democrats, Republicans, and government employees and politicians with decades of experience in politics and policy. Nobody gave a shit- or knew, without a lot of work- that I was young, Jewish, Yankee, and female. It taught me that mentality was key and that I could do anything.
I then joined up in #politics, which is slanted much further to the right and is often very silly and vapid- but still often contains some of the best and most informed argument on the Net from time to time. People have discussed foreign policy, economics, ecology, cryopreservation, and lots of other issues in there.
I have gotten jobs and close friends through Undernet. I will be a lifelong inhabitant of #politics as long as it exists and isn't overwhelmed by script kiddies or other idiots.
My congratulations to IRC's staff for keeping it up so long and my hopes that Slashdotters can help them, loan them the brains, time and other resources necessary to fend off this idiotic attack.
Counterefficient (Score:3)
Posting a Slashdot story, and making a huge deal out of this is a horrible way to try to resolve this problem.
Had no one ever mentioned anything, this "script kiddy" would have wondered what was going on and stopped the whole thing. But now he's probably seeing that "Underworld" has acknowledged the attack (it's written in a sad, melancholy tone; and it also gives the impression that they are clueless and helpless -- I know this isn't the case, they just seem to have worded it poorly.) And seeing an article on Slashdot about something you're doing is probably a good way to egg him (or her) on.
Just let it die of inattention -- it's remarkably amazing how well this works.
A serious proposal for a more secure irc network. (Score:4)
The first step to resolving this is IP mirroring. Unless you are an irc operator, you see your own IP address on each server and each user on the network. This removes the first bit the user needs for a massive disruption of the network. Ircops need to be able to see the hostmask in order to protect the servers from the misdeeds of users.
The next step in protecting your irc network is to have no publicly listed server connecting to any other publicly listed server. All hubs should be ircop only. This makes it so that the hubs, the all-important links to the edge of your network, are hidden from the public and from the hacker's view.
Now, in order to make the task more difficult, simply give out only one hostname that all users will use in order to connect. Each server would be required to take users if the resources are available for them. Local users to a server would of course have priority. The single hostname may not totally protect your network; however, it will ensure the hackers have to work a bit harder to get the information on the server they are using to connect. No offense to any serious hackers out there is intended; however, script kiddies are by and large lazy creatures.
These measures will not protect the average user who accepts CTCP chats or DCC's however those who do not should have total immunity from the script kiddies.
In order to provide channel operators with a modicum of control in their channels have a bot that can see host masks and accepts ban commands via private messages giving the users nick. The bot would only allow the ban if the user issuing the command is a channel operator in the channel they are requesting the ban for.
You could also get smart and use channel services. Channel services might rile some of the ircops who see channel ownership as a bad thing. However, private ownership of a channel, once created and registered, tends to make sure that there is no point in attempting to split servers from the network in order to try to take control of a channel. If you do not like ownership of channels, simply decide on a very short-term idle channel deletion. If a channel is popular enough to have people online 24x7, then they have the right to decide who controls their community.
Many IRC networks and services packages implement these security-improving provisions already. You can look at the Stratics IRC Network [stratics.com], which, while small, has a very effective implementation [stratics.com]. Stratics IRC is a gaming-related network [stratics.com] offering these features. [stratics.com]
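The host-hiding and ban-bot pieces of the proposal above, as an added example that is not code from the post or from any real ircd or services package: real hosts are replaced by a keyed-hash cloak for ordinary users (so a ban on a cloak still lands on the same host every time), ircops see real hosts, and a bot running with ircop visibility accepts bans by nick only from channel operators. The network secret, nicks, hosts and channel names are constructed.

```python
"""Host cloaking and a ban-by-nick bot for an IRC network.

Added example, not from the original post and not any real ircd's code.
The network secret, cloak suffix, users and channels are all constructed.
"""
import hashlib
import hmac

NETWORK_SECRET = b"constructed-network-secret"  # assumption: one secret per network
CLOAK_SUFFIX = "users.example.net"


def cloak_host(real_host, secret=NETWORK_SECRET):
    """Keyed hash of the real host: the same host always gets the same cloak,
    but the cloak cannot be turned back into the host without the secret."""
    tag = hmac.new(secret, real_host.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"{tag}.{CLOAK_SUFFIX}"


class Network:
    def __init__(self):
        self.users = {}     # nick -> {"host": real host, "ircop": bool}
        self.channels = {}  # channel -> {"ops": set of nicks, "bans": set of real hosts}

    def connect(self, nick, real_host, ircop=False):
        self.users[nick] = {"host": real_host, "ircop": ircop}

    def visible_host(self, viewer, target):
        """Ircops and the user themselves see the real host; everyone else
        sees only the cloak, so a user cannot be singled out by address."""
        real = self.users[target]["host"]
        if viewer == target or self.users[viewer]["ircop"]:
            return real
        return cloak_host(real)

    def _channel(self, name):
        return self.channels.setdefault(name, {"ops": set(), "bans": set()})

    def op(self, channel, nick):
        self._channel(channel)["ops"].add(nick)

    def join(self, channel, nick):
        """Bans are matched on the real host, so a new nick does not evade them."""
        return self.users[nick]["host"] not in self._channel(channel)["bans"]


class BanBot:
    """Runs with ircop visibility and bans by nick on a channel operator's request,
    so ops never need to see real hosts themselves."""

    def __init__(self, network):
        self.net = network

    def request_ban(self, channel, requester, target):
        chan = self.net.channels.get(channel)
        if chan is None or requester not in chan["ops"]:
            return False  # only channel operators of that channel may ask
        if target not in self.net.users:
            return False  # unknown nick; nothing to resolve
        chan["bans"].add(self.net.users[target]["host"])
        return True


if __name__ == "__main__":
    net = Network()
    net.connect("oper", "oper.example.net", ircop=True)
    net.connect("alice", "alice-home.example.org")
    net.connect("troll", "203.0.113.9")
    net.op("#linux", "alice")
    print("troll sees alice as", net.visible_host("troll", "alice"))
    print("oper sees alice as", net.visible_host("oper", "alice"))
    bot = BanBot(net)
    print("ban by op:", bot.request_ban("#linux", "alice", "troll"))
    net.connect("troll2", "203.0.113.9")
    print("troll2 can join:", net.join("#linux", "troll2"))
```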
script-kiddy culture is to blame (Score:5)
Efnet, undernet, chatnet, all the big nets. The PFY's known as scriptkiddies (some of them not even youthful pimple-faced youths anymore) go to IRC because it's somewhere that magically makes their penis extend two or three whole inches, just because they can find some person or some group of persons, cause them a great deal of displeasure, and say "Look what I did!" to their buddies.
What these twits would realize, if they had grey matter operating above the brainstem, is that by doing this, they're making everyone who has donated equipment and bandwidth to IRC networks question whether or not that was a good idea.
IRC networks are going to go away because of scriptkiddies, unless these kiddies, some of them over 20 these days (get a life, folks), knock it off.
Would YOU run a public irc server if it meant you were going to get DoSed into the stone age twice a week? I sure as hell wouldn't. Maybe that's why chatnet only has 4 servers in the US these days.
All that being said, undernet has always been a haven for oversexed, underage wankers anyway.
Go ahead, moderate this post as a flame. I'm just upset because my home channel, which has existed in one form or another since the previous Bush administration, has been moving around from network to network lately trying to find one that doesn't get shut down constantly by angry users, or worse yet, angry ircops who are scriptkiddies themselves.
Re: Ask Slashdot: Undernet In Serious Trouble. . . (Score:5)
First of all let me state that I have as little to do with the actual operation of the Undernet server or the network as a whole as possible. That role is fulfilled by another group who works very hard with a real task and literally deals with IRC problems in their personal time, so it's hard for me to comment on the politics of their situation. I can, however, comment on the politics, and a few technical details (for certain reasons, I'm more than a little vague in what we observed during the attack) of the situation I was involved with at the time. What follows is somewhat of a chronology of the event.
Hr 1 - 3. The attack started pretty slowly. So slowly that it really didn't set off any alarms, though some customers on remote parts of the network did notice high latency, and a bit of packet loss. This was enough to start looking around, but not really enough to suspect an attack.
3:00 - 3:15: Connectivity is lost to nearly any network that requires crossing a border router. The traffic stats from the border routers show that nearly every bit of connectivity is full company wide. It was clear that at this point that this was probably an attack, though it was unknown what was being attacked, or where it was coming from.
3:15 - 4:00: Using historical data the sources of the attack were identified. Using this data, we initiated contact with each provider we have connectivity from to request filters be placed in their network to block the attacks. At the same time the company's tech support call center is overwhelmed with calls from customers experiencing various problems. Further, all the major application servers (mail, news, etc) are also nearly unusable since they no longer have connectivity to the remote machines they were talking to. As a topper, one of the noisier (literally) network monitoring programs our NOCC uses has gone into "make random noises mode." This is due, in large part, to the nearly 600 alarms it thinks exist because of connectivity problems to the rest of the network.
4:45: I remove the FDDI cables from the FDDI card in the IRC server.
4:00 - 4:30: The attack is starting to dissipate. It's theorized that it's because the machine that was being attacked was no longer on the Net. Also about this time, the distributed filtering should start taking place.
6:00: After spending a couple of hours cleaning up the mess that such an attack leaves on all the other machines I receive the standard email from the security people requesting time estimates for my labor on this afternoon's Comedy Hernia Hit.
This chronology is reflective of nearly every other DDoS attack I've experienced in the last 12 months. It's clearly frustrating, and a complete waste of my time (especially since it was my last working day before a very rare vacation), and it should be pretty clear why I don't want IRC servers on a network I have to maintain.
Let me be clear, at no point was the server itself ever affected (other than, I assume, it lost connectivity to its hub during the attack), but nearly every other major application was affected in some way, and it definitely caused a lot of paying customers to not get the service they pay for.
Someone suggested that we need to prevent people from "rooting" machines in order to prevent these attacks. The poster is correct, this is what we need to do. Anyone have any ideas how to prevent this? I know all the machines on my network are secure, but I can't control machines I don't maintain. And that's just the problem. This isn't about the host sites securing their network; most of them do, and the ones who don't learn quickly that they have to. Adding (more) security features to the application (ircd) also isn't the answer, as the machine itself was never affected. Hunting down the initiator of the attack only prevents that person from attacking anything for a while; like the death penalty, I see no indication that it's a real deterrent to the crime. Quite honestly, I too am at a loss as to what, if anything, will ultimately solve the problem short of completely abandoning the technological foundations that the Internet was built on.
As for law enforcement, they are generally quite interested in such attacks[2], but they have clear guidelines in what they can and can not get involved in (you have to show a capital loss greater than a specified amount). In this case I know these guidelines were met, but generally these investigations go nowhere because the trail often leads to cracked machines that have no useful telemetry of the attack, or the intrusion. I have often thought that companies who fail to maintain basic security on their network should be held liable for damages to other networks in these situations, but even that is quite troublesome.
Of course, there is one method that solves this problem, at least for me. It was to remove the service from our network. As a Sysadmin who has customers who pay to use other services I have no trouble with this. As someone who tries to be a useful member of the "Internet Community" I have serious issues with this method. In this case, no good deed goes unpunished.
[1] In fact, I personally pulled the FDDI cables out of the machine during the attack once we determined the machine that was the
[2] Though, sometimes you have to work to make contacts with people smart enough to care.
This is why I left efnet in the firstplace. (Score:5)
But, if you don't feel like reading it, I'll sum it up here. and add a bit, now that I think about it.
-------
I used to be a script kiddie, then I hit puberty.
You either understand that last statement or you don't. Kids are kids, and having worked with emotionally handicapped (not retarded) kids in a highschool setting, I know what they do with computers. I'm the one who had to fix them. (macs, no less)....
There are 3 reasons I've found that kids like to break things
1. They don't own it, so they cannot comprehend that it has value to someone. This is perfectly normal for kids between the ages of 2-6; it varies in its severity, but it usually goes away before kids are injected into the social realm of dealing with other people in school, so it's not a big problem.
2. Kids between the ages of 6-18 more commonly express their destructive skills on something because they do not understand it, and feel that by breaking it they have power over someone who does know how to use it. Ownership isn't a factor in this; I've seen kids break their own things because they can't make it work (you see this very commonly with "broken" toys in younger children).
Again, most kids will stop, or mellow down by the time they've hit puberty.
The third case is most common in mentally or emotionally challenged children:
3. "If I can't have fun with it, no one can." This is more common among older kids and extends beyond material items. This is the only case where I've found that ownership REALLY matters, but not in all cases. most people, however, grow out of this phase as well.
So what is someone who hasn't outgrown this state well past the time they should have? The police and doctors call them Sadists and Sociopaths. In this case however I would feel reluctant to use either of those terms. I think in this case it's more a case of a pre-pubescent pissing match between himself and another channel.
Back in my own script kiddie days on IRC I witnessed MAJOR network wars that included the disabling of about 50% of the @home network in San Diego, cutting down telephone poles, cutting off power to NOC's, angry kids beating the SHIT out of the kid who nuked him at school, calling in bomb threats to places, ANYTHING and EVERYTHING they can do to disable an ISP even if only for a second.
just long enough
All that shit I saw, was _ALL_ related in one way or another to "channel takeovers" some of them over things as petty as who's allowed to flirt with the only girl in a channel, platform debates, music debates... rarely over anything more mature than a 6th or 7th grade level.
Which brings up this point: most of the people who do this are still kids (under 18), so unless they nuke a military server or something, all they're gonna get in most cases is a warning, maybe a fine.
So, what's to be done? I say it's time that the more mature half of the internet joins together to fight this in a way that younger kids have no control over. I've had AMAZING success tracking down script kiddies and calling their parents. People who are clueless, or who have something to lose by being related to a kiddie, are VERY helpful.
Here's some ideas I've used and had VERY good success with.
1. Fight back online - Pro: it's fast and can be effective. Con: lowers you to their level.
2. Call their parents/employer/school*** - Pro: Can be VERY effective in the long term. I've had people fired, grounded, suspended, and reprimanded with one phone call. Con: Can take a while, or you get someone who just doesn't care.
3. Call the ISP from which the attacks originate.* - Pro: Admins will always know what you're talking about, and they're usually helpful as DDOS through their systems reflects badly upon them, costing them dollars. Con: most dialup/residential ISP's don't really care or log things, so it's hit or miss.
4. Shut it all down, and walk away for awhile. - Pro: Best idea if you can afford this option. Most kiddies get bored after a few days, or when school starts. Con: depending on who you are, shutting down your system and doing something else may not be possible.
So, there you go... those are my loosely compiled thoughts and ramblings on the subject of Script Kiddies.... ciao
-Doug
Not funny. Not one bit. (Score:5)
Well, don't be. It's not funny. There are people losing money because of this; there are people who are becoming absolutely brainless and deciding "Gosh, it'd be fun, let's go the way of the skript-kiddie and help the DoS'ing be even worse!"
Then there are dedicated channel ops and owners who are building bots, starting channels, writing mailing-list software to help their members and fellow ops deal with the crap that's going on. I'm a 200-level op on one of the linux channels on Undernet (check my user info for more information) and while there are those here who feel IRC is a waste of time, I believe it's one of the best ways to communicate with people all around the world about a common interest. If you don't like IRC you don't have to use it. I can see how some people think it's a waste; but it's something I enjoy. And so do 20-odd other ops and regulars in this channel.
I met these people because they helped me install Linux over two years ago; there are ops and regulars who are good friends of mine from Australia, New Zealand, Canada, the US, UK, Malaysia, Germany, Greece to name a few. We put faces to the names via webcams; we know who's going out with who, we comfort our friends when they're going through crap, and we came together and cooperated with a mailing list and new bots and new policies once W went on the blink.
Someone tried to compromise our channel yesterday (a takeover, for the unschooled) but order was restored. With W (X for other channels; we happened to have W when he was still around) the oplist, auto-kicks, and bans are very easy to store; without W, the guy managed to get ops by pretending to be one of us. Could have done some damage, but thanks to some IRCops (Thank you seti and saralee!) order was restored, new bots put in place, and new channel policies. I know there are other
Right now there are rumors that W and X will never come back. If they don't, Undernet is dead...and where is a channel to go? Some IRC networks have strange ident issues; some are dying out; and some have a structure such that it's hard to even keep hold of a channel because of skript kiddies. Right now Undernet splits a lot--too many users and not-so-perfect routing. It's also hard to connect to a server. There's a lot of lag.
And now I get to a point I think bears hearing: Forking doesn't mean animosity. (Are you reading this, RMS?
To the skript kiddies out there who are continuing to pummel Undernet because you think it's cool: Stop acting lower than dirt and get a life. You can find something better to do than cost people time and money.
"The GIMP Girl"
Re:Easier to stop it in retrospect (Score:5)
quick story
I remember getting TONS of spam from a machine at a major university. It appeared to be a machine running in the astronomy dept. I sent a nice friendly e-mail about it, as our users were getting 20 to 30 spams a minute through it and wanted to stop being told where to get Viagra (Bob Dole already told us, thank you). The official response from the sysadmin was a none too polite, "Fuck you and mind your own god damn business".
My response was to cc that with a letter asking a bunch of questions to 2 local newspapers and 1 TV station and the president of the alumni association. The open relay got closed *magically*.
What's the point of my incessant yammering, you ask? Sometimes ISPs (especially smurf sites in Japan *ahem*) need to be bullied into doing some of the most obvious, easy things. Some ISPs claim that filters cause problems, increase router load etc, etc, etc. The problem usually is that no one has brought it to their attention, or rather no one has screamed at them loudly enough.
Re: Ask Slashdot: Undernet In Serious Trouble. . . (Score:5)
DUMP THE ROUTE. As soon as possible, stop advertising the affected block to your peers; this is the fastest way to prevent the traffic entering your AS and saves bandwidth on your internal lines. It's under your control and it's faster than informing all your peers and waiting till *they* get filters in place; it's not their problem, and even if they filter the traffic it still takes their external bandwidth.
This depends on your BGP config and a few things will happen. Firstly, if you're a large ISP you're going to lose other customers as you're not advertising their IP addresses, and depending on peering agreements the minimum could be as large as a /20 or /19, but it's better than losing the whole network and all your customers! If upstream peers from you are not aggregating your routes this will in effect remove the route from the whole net (might take a little while to converge the whole net) and the traffic from the attacking DDOS machines won't get very far (their own subnet). If your routes are aggregated upstream and you've withdrawn the route, the traffic stops with the upstream ISP anyway.
This should give you breathing time without the loss of your whole network and (at least you'll have bandwidth to telnet to your routers) identify which machines were getting attacked. Talk to the upstreams and get them to dump the host(s)-specific route to null.
I meet far too many network admins that think they know everything there is to know about networking that just state "what can I do but put filters on the border", which is fairly useless for preserving external bandwidth, which of course is what your customers are paying for.
BTW, while I'm here, anyone want to give me a job?
Will configure routers for food.
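The two cases in the post above (upstream aggregates your block or it does not, and the follow-up host-specific null route), as an added example that is not part of the original post: a toy longest-prefix-match model with three routers, showing where the attack traffic stops after the /24 is withdrawn. Router names, prefixes and the victim host are constructed, drawn from the documentation ranges.

```python
"""Toy longest-prefix-match model of the "dump the route" advice.

Added example, not from the original post. Routers: A (the attacker's ISP),
T (the victim ISP's upstream) and V (the victim ISP). Prefixes, names and
the victim address are constructed.
"""
import ipaddress

VICTIM_PREFIX = "198.51.100.0/24"    # the attacked customer block
VICTIM_AGGREGATE = "198.51.96.0/20"  # the larger block the upstream may aggregate it into
VICTIM_HOST = "198.51.100.7"


class Router:
    def __init__(self, name):
        self.name = name
        self.routes = {}  # ip_network -> next-hop router name, "deliver" or "null0"

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, addr):
        """Longest-prefix match; None when no route covers the address."""
        addr = ipaddress.ip_address(addr)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


def trace(routers, start, dst, max_hops=8):
    """Forward a packet hop by hop; return (outcome, router where it ended)."""
    cur = start
    for _ in range(max_hops):
        nh = routers[cur].lookup(dst)
        if nh is None:
            return "unroutable", cur
        if nh == "null0":
            return "dropped", cur
        if nh == "deliver":
            return "delivered", cur
        cur = nh
    return "loop", cur


def build(aggregated):
    """A learns either the /24 itself, or only T's /20 aggregate."""
    a, t, v = Router("A"), Router("T"), Router("V")
    v.add(VICTIM_PREFIX, "deliver")
    t.add(VICTIM_PREFIX, "V")
    if aggregated:
        t.add(VICTIM_AGGREGATE, "null0")  # discard route that backs the aggregate
        a.add(VICTIM_AGGREGATE, "T")
    else:
        a.add(VICTIM_PREFIX, "T")
    return {"A": a, "T": t, "V": v}


def scenario(aggregated, withdraw=False, host_null=False, dst=VICTIM_HOST):
    """Where does a packet from the attacker's ISP end up?"""
    routers = build(aggregated)
    if withdraw:
        # V stops advertising the /24 and the withdrawal propagates upstream.
        routers["T"].withdraw(VICTIM_PREFIX)
        routers["A"].withdraw(VICTIM_PREFIX)
    if host_null:
        # The upstream instead installs a host-specific discard route, so the
        # rest of the /24 keeps working while the attacked host is blackholed.
        routers["T"].add(VICTIM_HOST + "/32", "null0")
    return trace(routers, "A", dst)


if __name__ == "__main__":
    print("not aggregated, advertised :", scenario(False))
    print("not aggregated, withdrawn  :", scenario(False, withdraw=True))
    print("aggregated, withdrawn      :", scenario(True, withdraw=True))
    print("host null route, victim    :", scenario(True, host_null=True))
    print("host null route, neighbour :", scenario(True, host_null=True, dst="198.51.100.8"))
```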