Security Expert Dave Dittrich on DDoS Attacks

Roblimo posted more than 14 years ago | from the straight-from-the-source dept.

We've linked to plenty of "secondhand" media pieces about the recent DoS attacks on major commercial Web sites. Fine. Now here's real, hard-core hard-tech info on the subject - in answer to your excellent questions - from somebody who actually knows what's going on, namely Dave Dittrich from the University of Washington. He's been interviewed up the yin-yang this last week by mainstream reporters who probably wouldn't understand half the answers he gives here. But this is Slashdot, so he didn't have to hold back or dumb anything down. Click below and enjoy!

Dave:

First off, I'd like to thank Slashdot for giving me an opportunity to spew my opinions. Since Slashdot readers look for "stuff that matters," I'll #include [std/disclaimer.h] and say that this is me talking, not my employer, and I'll be honest about what I think the issues are (and hopefully not ramble too much).

Is a network proof against DDoS possible?
by Paul Crowley

Is vulnerability to DDoS-type attacks due to a flaw in the design of TCP or IP, or is the design of a network that's inherently resistant to such attacks an unsolved problem? Is it possible to imagine a fix that would address this, or a protocol that wouldn't be vulnerable even when many machines are compromised?

Dave:

There are flaws in anything created by humans. Sure, the TCP/IP protocols we are using today have some weaknesses, but they also work amazingly well, don't you think? And all things created by humans are improved over time as new ideas are developed and known problems are identified and solved. It's just a matter of how quickly these improvements can be implemented, and as we've seen with GOSIP, IPv6, etc., change can come very slowly. (A good book on this topic if you are interested is "Diffusion of Innovations", by Everett M. Rogers, The Free Press, ISBN 0-02-926650-5.)

Denial of service attacks are one of the easiest forms of attacking systems and networks; resources can easily be exhausted, programming flaws in network stacks and devices can be exploited to cause failures, covert channels can be created allowing hidden and practically unstoppable communication and control. In other words, there is no single "this problem" to be solved here, but rather a whole bunch of little "these problems".

In fact, the current DDoS tools implement UDP large packet floods, TCP SYN (session setup resource exhaustion) floods, ICMP "echo" floods and "Smurf" (directed broadcast ICMP "echo reply") floods, and other DoS techniques could easily be added (and many other exploits exist).

Yes, there are some proposed fixes that can address some of these problems. I'll get to them in a minute.

Other methods?
by Dr Caleb

There seems to be several solutions floating around, mostly smart routers that track valid traffic and MAC addresses.

Would changing to IPv6 help eliminate these type of attacks? From what I read of the specs on IPv6, all the data needed to track a packet from destination right down to the MAC address is included in the packet.

Dave:

I don't claim to be enough of an expert on IPv6 yet to say which of the current set of DoS attacks are eliminated by its features (better to ask the real experts like Steve Bellovin). Perhaps IPv6's Quality of Service features, IPSec authentication features, etc., *may* provide a means of defeating some packet flood attacks by rate limiting flows, allowing quicker discarding of "invalid" packets, etc., but I'm not sure if it will entirely eliminate DoS attacks.

There are other new proposals that have recently been put forward for consideration, such as Bob Moskowitz' "Host Identity Protocol" (which addresses some problems in TCP session establishment and identification of "valid" packets) and a proposed method of tracing packet flows (independent on ISP involvement) that uses a probabilistic packet marking technique developed (coincidentally) by researchers at the University of Washington. Documents describing both of these are available at:

http://staff.washington.edu/dittrich/misc/ddos/

Since IPv6 is *still* not widely implemented, and these other proposals are likely years from implementation as well, it is probably best to focus now on the fundamental issue in large scale DDoS attacks, and that is we need to put a MAJOR emphasis on minimizing the population of systems that can be trivially root compromised. (I didn't say it would be an *easy* solution, but it is one thing that can be started immediately.)

Stop Spoofing At The Backbone?
by Effugas

How viable would spoof protection at the backbone level be? In other words, after a certain date, all downstream links are categorized as either able to peer for other network blocks, or simply not. Admins who can't be bothered to spoof-protect their networks would get IP source ranges outside their IANA assigned IP block dropped at their first upstream provider; sites which need to maintain peering relationships thus have their direct motivation (their backup networks will cease to function) to specifically lock down their peer forwarding to only those IP ranges they're actually peered with.

Yes, you obviously get problems as peering scenarios get traveling-salesman levels of complexity, but most sites (to my knowledge) don't exceed more than a few levels of peering--we should take advantage of this fact to enforce a top down elimination of infinite source spoofability? And, if so, would the precedent that this creates help or hinder the growth and freedom of the Internet?

Dave:

Eliminating IP source address spoofing would eliminate attacks such as forged DNS query attacks and the MacOS 9 TCP/IP stack bug (both packet size/number amplification flood attacks), and would definitely make it easier to trace packets back to their source networks, greatly simplifying and speeding up the (still major) task of stopping the agents from sending out packets and doing forensic investigation. Add to that the elimination of incoming directed broadcast packets and you also get rid of "Smurf" amplification attacks.

Not only do I think this should be done at a site's border routers, but also on all routers within the network. Programs like stacheldraht attempt to determine if they can successfully send packets with forged source addresses, and both it and TFN2K have code to randomize packets on a per octet basis (not exactly CIDR compatible, but still pretty clever and effective.) This means that if you have a /16 network with several hundred subnets, the agents could forge the final two octets, looking like they are coming from hosts on all of a site's subnets at once. Depending on your network infrastructure and political organization and authority, this can either force you to have to sniff on *each* subnet, or do your own router-by-router debugging of packet flows to locate the actual host(s) sending the packets (links to various documents on packet tracing are found on the page I referenced above.) If no host can forge source addresses beyond its own subnet, the task is greatly simplified (and you only need to put filters on one router to stop the flow from one agent host.)

Practices like those described in RFC 2267 should, in my opinion, be a standard requirement under any network peering agreement and AUP, but what motivation do ISPs and NAPs have to enforce them? It's not common for a company to say to a customer, "Hey, I don't want to take your money!" It tends to be a matter of waiting for an attack to happen for upper management to start asking the techies how to react, but by then the damage is already done. More emphasis on prevention and preparation for possible attacks seems to me to be more prudent (some ways of mitigating DDoS attacks are also listed on the page referenced above). If it costs more, so be it. That is the price of betting our economy on the Internet as its fundamental infrastructure.

The bad news here is that this tactic of filtering does nothing to deal with bandwidth (or other resource, like half-open socket) consumption attacks -- e.g., large packet UDP or ICMP floods, or SYN floods to random ports -- so again we've only solved a subset of the problems (forged addresses and directed broadcast), not to mention this solution doesn't help at all with the initial compromises and installation of agents.
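As an added illustration (not part of the interview), here is a small Python simulation of the filtering described above: RFC 2267-style source-address filtering at the site border, the same rule applied on every internal router, and a block on inbound directed broadcasts. The /16 site, its /24 subnets, the agent host and every packet are constructed for the example; the point it shows is how subnet-level filtering shrinks the set of subnets a responder has to trace from many to one.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed site (not from the interview): one /16 carved into 256 /24 subnets,
# with a compromised agent host living on 10.0.5.0/24.
SITE = ipaddress.ip_network("10.0.0.0/16")
SUBNETS = [ipaddress.ip_network(f"10.0.{i}.0/24") for i in range(256)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress_subnet: Optional[str]  # /24 whose router first saw it; None if it came from the Internet


def is_directed_broadcast(dst: ipaddress.IPv4Address) -> bool:
    """True if dst is the broadcast address of one of our subnets (a Smurf amplifier target)."""
    return any(dst == net.broadcast_address for net in SUBNETS)


def border_filter(pkt: Packet) -> str:
    """RFC 2267-style filtering at the site border, plus the directed-broadcast block.

    Outbound packets may only carry a source inside SITE; inbound packets may not
    claim an internal source and may not target a subnet broadcast address."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if dst in SITE:  # inbound from the Internet
        if is_directed_broadcast(dst):
            return "drop: directed broadcast (Smurf amplification)"
        if src in SITE:
            return "drop: external packet claiming an internal source"
        return "forward"
    if src not in SITE:  # outbound toward the Internet
        return "drop: source outside site prefix (RFC 2267)"
    return "forward"


def subnet_filter(pkt: Packet) -> str:
    """The same source check applied by the first-hop router of every subnet:
    a packet may leave a subnet only with a source address that belongs to it."""
    net = ipaddress.ip_network(pkt.ingress_subnet)
    if ipaddress.ip_address(pkt.src) not in net:
        return f"drop: source not in {net} (forged low octets)"
    return "forward"


def outbound_verdict(pkt: Packet, filter_internal_routers: bool) -> str:
    """Walk an outbound packet from its first-hop router to the border and report where it dies."""
    if filter_internal_routers:
        verdict = subnet_filter(pkt)
        if verdict != "forward":
            return "first-hop router: " + verdict
    verdict = border_filter(pkt)
    if verdict != "forward":
        return "border router: " + verdict
    return "forwarded"


def implicated_subnets(packets, filter_internal_routers: bool) -> set:
    """Subnets a responder would have to sniff or trace router-by-router, judged
    from the source addresses of the packets that actually left the site."""
    found = set()
    for pkt in packets:
        if outbound_verdict(pkt, filter_internal_routers) == "forwarded":
            found.add(str(ipaddress.ip_network(pkt.src + "/24", strict=False)))
    return found


# Constructed flood from the agent on 10.0.5.0/24: one packet with its real
# source and three with the last two octets forged, all aimed at one victim.
VICTIM = "198.51.100.10"
FLOOD = [
    Packet("10.0.5.77", VICTIM, "10.0.5.0/24"),
    Packet("10.0.200.13", VICTIM, "10.0.5.0/24"),
    Packet("10.0.17.240", VICTIM, "10.0.5.0/24"),
    Packet("10.0.131.8", VICTIM, "10.0.5.0/24"),
]
# Source forged to a prefix outside the site: caught at the border either way.
OUTSIDE_FORGERY = Packet("203.0.113.9", VICTIM, "10.0.5.0/24")
# Inbound packet aimed at a subnet broadcast address (Smurf amplifier abuse).
INBOUND_SMURF = Packet("192.0.2.44", "10.0.7.255", None)

if __name__ == "__main__":
    print("border filtering only  ->", sorted(implicated_subnets(FLOOD, False)))
    print("filter on every router ->", sorted(implicated_subnets(FLOOD, True)))
    print(outbound_verdict(OUTSIDE_FORGERY, False))
    print(border_filter(INBOUND_SMURF))
```

With border filtering alone the forged packets still leave the site and the victim's logs point at four different subnets; with the check on every router only the agent's own subnet remains, which is exactly the "filters on one router" case.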

Firewalls for Dummies?
by hiendohar

With the increasing popularity of broadband, always-on connections and the increasing distribution of networking software, it seems like "Joe DSL" faces a greater risk of having his system compromised than before. How much can the average user be expected to learn about securing their system? Do you foresee developments, either in software, education or in other services that might help private computer users or small time administrators protect themselves better?

Dave:

I expect the average Joe DSL to probably learn the hard way, just like he learned not to step off the curb in rush hour against the traffic light, and to take everything valuable out of his car when he parks it on a dark city street: by suffering an incident, and the resulting cleanup cost.

This is an education problem of *huge* proportion, and just like the filtering question, there isn't much motivation for ISPs to hand-hold their growing customer base, and their marketing department -- just take a look at their ads -- tells you how fast they are, but doesn't say a word about the new risks you will face (some will mail you a warning a few months later, which may be a bit too late.)

Not only that, but most broadband ISPs have user bases far larger than they have staffing to support, so even trying to contact them, find your way through the tier1/tier2/first line manager/Nth line manager hierarchy, and actually identify the owner of a compromised cable modem or DSL served system can take days. These customers' systems make excellent bases for scanning/attacking other sites, running eggdrop bots, or "bouncing" connections to make it harder to trace attack activity, and the intruders know this.

As for education, I am not quite sure what can be done there. Mandatory "driver's license" style tests before getting a DSL account? Forget it. "Tickets" handed out by the Net Police for allowing your system to be compromised and used to attack other sites? Not likely, and I don't think anyone wants that. Law suits by victims of attacks against the owners of compromised systems? That is already starting to happen, but do we really want people to learn as a result of law suits, to throw lawyers at the problem, diverting badly needed system admin funds to pay $200 an hour to the suits?

There probably will need to be some monetary incentive to securing systems (because people pay attention to money.) The federal government is passing laws about privacy of personal, medical, and credit information (and these can't be private if the systems that house them are not secure), and insurance companies will likely start charging higher rates for systems that are not managed well and become involved in security incidents with high dollar damages (but PLEASE, first raise the rates on anyone who drives a car while talking on a cell phone!)

Some ISPs now offer security services, and will provide "firewall" services for their customers, but this comes at a high price. Most users want $19.95 a month service, which is basically just buying a raw, wide open pipe.

"Personal firewall" software is also becoming popular, but I've wasted many an hour explaining to someone reporting an "attack" that what his program was reporting was either a false positive, or was mis-categorized, and not at all what they thought. Feature filled packet filtering programs allow users to shoot themselves in the foot and break TCP/IP applications, while overly simplified programs leave gaping holes or users turn off too much and only think they have security. A lot more work and education is needed in this area.

A fruitless exercise?
by john@iastate.edu

Isn't the intersection of the sets:

  • Clueless enough to allow massive DoS out of their network.
  • Yet likely to install this detector.
pretty darn small?

Dave:

Yes. Next question?

Seriously, the detection of agents/handlers on a system, and on the network, let alone doing forensic data gathering to assist in stopping a distributed attack and identifying the attacker, is not easy. There are too many ways for an intruder to disable logging and accounting, conceal programs and files using "root kits" and loadable kernel modules, and change the defaults for commands and packet contents that will defeat the file system and network scanners that have been developed to deal with these DDoS programs, and the learning curve is steep to counter the intruders' anti-detection measures.

This is one of my pet peeves; THERE ARE NOT ENOUGH GOOD SYSTEM ADMINISTRATORS. There needs to be WAY MORE of them, they need to be PAID AND TRAINED BETTER, and (to put it bluntly) they need to be considered a critical resource REQUIRED for powerful computers on the Internet today, not as overhead expense to be minimized.

The fundamental requirement for securing (or breaking into) any system is knowing how the system works, how to take it apart and how to put it back together again. These DDoS attacks over the past six months have been made more costly to respond to because of things like "root kits", which exceed the average admin's ability to get around. For more on why, see:

http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq

I think a big reason that Universities, K-12s, small businesses and non-profits, and home users with cable modem and DSL lines have their systems regularly compromised is because these systems are often deemed a necessity for research or business, but the only money that goes into them is the money it took to buy the hardware in the first place. They very often do not have tape drives, software upgrade licenses and regular patch application, sufficient manuals or books on system administration, and the person administering the system is usually the first person who can spell "U-N-I-X" and has a "real" job doing research, programming, or Web page design.

People need to start thinking about today's top of the line computers on gigabit networks as the equivalent of a BMW, a Range Rover, or an Audi A series. You would be an idiot to only put gas into it and never take it in for regular maintenance, instead trying to do the work yourself in the garage, and to leave a spare set of keys in plain view on the dashboard. No, you take your car in regularly to a trusted and trained mechanic (and pay $50 an hour for their skills), change the oil and rotate the tires regularly, and do your best to keep it from being stolen (including buying those annoying car alarms that nobody pays attention to when they go off.) But that is basically what too many people do with computers; don't take care of them, don't hire skilled people to regularly maintain them, don't adequately monitor them, and don't really care if someone else hijacks them.

I regularly hear people say, "I don't care about securing my system. I don't have anything important on it. What could they steal?" Well, there are gigabytes of disc space these days, REALLY fast CPUs that can spit out lots of packets, and high-speed network connections. It is when tens or hundreds of thousands of people think and act this same way that someone else suffers. This attitude HAS to change and people HAVE to learn about the risks and ways to address them.

Should security research be done in obscurity?
by crush

It is nearly a mantra among us that there is no security through obscurity. It would seem that with a sufficient number of us too lazy or too ignorant to secure our own machines that there is possibly no security through openness either. Do you think that the open research model that Mixter, Farmer and others have always advanced as a reason for releasing their tools is still justified?

Dave:

Yes, I think the open research model is justified. There is a passage in the Bible (John 8:32, and on a plaque in CIA HQ), "And ye shall know the truth, and the truth shall set ye free." But that only works when everyone knows the truth (and uses that information wisely in their design and purchasing decisions). Until that balance is reached, those who wish to abuse this knowledge win out over those who have not yet attained it. It's that simple (and that hard - ooh, how Zen like.)

As you point out, there is a large percentage of system admins that don't have the same knowledge as those who break into their systems. If that percentage (of a very large, and growing number of powerful computers on fast networks) isn't reduced, the total number of systems that can be compromised and controlled by an attacker grows to the point where it's now possible to build attack networks of two or three THOUSAND computers.

What I think needs to happen is to follow the advice of someone (I forget the source) who said, "There should be a hacker on every board of directors," and I would add on every development team. I don't think it helps to ignore weaknesses, or keep them quiet, because they will eventually cause problems. And it is not enough to identify the weaknesses if nobody learns from the mistakes of the past and actively tries to avoid them in the future. One reason that these changes occur so slowly, in my opinion, is that the people who really know the technical details of security are too far removed from the real decision makers, and the layers of managerial filtering in between often filter out the security voices in favor of the "let's please the masses" voices.

Engineers are not taught simply how to construct buildings, they are taught how to know when they will fail so they don't come crashing down and kill everyone. There are standards and codes that say how buildings should be constructed, and we (for the most part) don't have much trouble with buildings killing us in the U.S. But software and operating systems are designed for ease of installation and use by the largest number of (untrained) people possible and practically nobody complains. Where is this same sense of "we must build it so it doesn't break?"

I hear an ad for a new online bank and think, "Great. Now all my bank Web based business communication site and think, "Great. Now the people discussing business plans will have their discussions at risk." I hear a news story about a company that facilitates designing buildings online and think, "Great. Now the plans to unknown office buildings are at risk." I can just picture the CEOs and the stock analysts drooling at how cool and efficient these new web tools are, and how much money the company that produced them is going to make, but unless they are designed with security in mind from the start, they should all be considered very risky to use.

Somebody in a position of decision making authority for any e-business needs to understand these weaknesses that are discovered and publicized, and to make sure these weaknesses are acknowledged and addressed in ALL computer based system and application designs.

Recognizing DoS
by angst_ridden_hipster

I think one of the biggest issues will be identifying Denial of Service as an attack. I have a legitimate load testing utility that simulates actual browser traffic. Say I run it against someone else's site. They'll see that a lot of traffic's coming from me, and eventually figure out it's bogus and take appropriate measures. But distribute this and it'll look like actual traffic. Get enough friends doing it, and we take 'em down with what appears to be perfectly normal browsing.

The analogy to the "real" world is roads and bridges. During normal hours, they run well. During rush hour, they clog up and perform poorly. And during a demonstration (like recent examples in Seattle and Miami), they clog up and perform poorly. You can consider the recent anti-WTO situation up in Seattle to have been a DoS attack on downtown. But you wouldn't consider gridlock at 5:30 p.m. in Los Angeles to be a DoS attack.

To solve these problems, you have to know what's causing them. If it's just normal traffic and the infrastructure is insufficient, it gets ignored until people get fed up enough to vote more tax money into building wider roads or better public transportation (again, analogous to buying more servers or a fatter pipe). If it's demonstrators, you either address their concerns or you send in the National Guard to beat the crap out of them (depending on the political climate).

In this world, it's easier to differentiate the two situations. If a bunch of cars are jammed together at rush hour, you know it's a traffic problem. If it's crowds of people singing songs and holding signs, you know it's a demonstration. And if it's a possible sick-out at Northwest Airlines, you're not sure if it's a DoS or not, so you get a warrant to read their home e-mail and find out.

With computer protocols, though, usage and abuse can look identical. Even wild surges in activity can be from legitimate usage. How do you foresee systems being put in place that can differentiate between actual usage and DoS? Doesn't this almost inevitably lead to some non-forge-able, traceable, unique identifier? And doesn't this translate to the demise of privacy on the Web?

Dave:

Not necessarily. Sure, normal usage may exceed capacity. But a protest by thousands of people is not "normal usage;" that is a mass exercise of individual rights in a democracy to gather and express their opinions. [I live about four blocks from where the tear gas and concussive grenades were being lobbed at protesters, and I personally think the response was excessive and the protesters had a right to protest. They weren't damaging property in my neighborhood, they were chased into it, and traffic could simply go around it. Seattleites are used to backups, like you point out.]

I really don't know if I'd have a problem if 3,000 people decided to all individually use their browsers and click away at a major Web site as a form of protest, using their own computers and risking possible legal action as a price. (The JavaScript used to protest the WTO was a cool hack, and quite publicly known and used by individuals with their choice. That is less questionable in my mind as a means of protest.) That's what it means to have freedom of assembly and freedom of speech; you protest in person, gathering with like minds. I marched against the Gulf War bombing, and was glad I could exercise that right when I felt it was important.

I *don't* think it is OK for a single individual (or small group) to take control of the resources of 3,000 *unknowing* individuals' resources and anonymously force them into that individual's service. That is not an exercise of democratic speech, that's theft of private resources. That's what DDoS attacks are.

If there is a problem with truly normal usage exceeding capacity, you could argue that capacity simply needs to be increased, and there is a cost associated with that increase. I start to question things when this increase in capacity is made on an insufficient budget, so there is nothing left for people and tools to protect the new "required" infrastructure. If the infrastructure is so vital, should its proper monitoring and administration be neglected? Is it wise to use this as the infrastructure for our record-setting-growth economy? If we build a fragile infrastructure for our economy just for the sake of growth and short term revenue (and pandering to customers demanding more and more services at lower and lower prices), and the result is that an individual can wage an anonymous protest and take parts of it down, then I'd rather that the growth was a bit slower and infrastructure was more secure.

Antionline: True help?
by cswiii

I saw this evening on CNN that the FBI has enlisted the help of none other than Antionline, in its search for the perpetrators of the DoS attacks. What is your opinion, regarding this decision? How does this reflect upon the FBI's ability to investigate cybercrimes?

Dave:

I have not seen any news reports that Antionline was enlisted to assist the FBI (and don't see anything searching CNN online.) I also read a Reuters article that claimed Mixter wrote stacheldraht (he did not), and that stacheldraht is used to break into systems (it has nothing to do with breaking in, just sending packets -- the break-ins are done using other tools, which usually implement buffer overflows in services like rpc.cmsd, rpc.ttdbserverd, amd, named, etc.)

Just because the media says something (or worse, one reporter quotes another reporter) that doesn't mean it is true. They make plenty of mistakes, especially when reporting on tight deadlines (I have published corrections to some articles in the DDoS page I referenced above.)

Government
by interiot

If you've had much contact with security specialists working for the government, how much confidence do you have in them that they're smart enough to:

  • Understand the problem well enough
  • Spot good solutions if they come along
Slashdot generally seems to feel that the government doesn't have a clue about tech issues, but the NSA has had its moments of brilliance in the past.

DDoS attacks ARE a problem. I could imagine that they could serve as terrorist/psychological attacks in time of war. Because the computers that are doing the actual DoS attacks could be within the country being attacked, the attacks would be nearly impossible to stop at the borders.

Dave:

"The government" is a pretty big population, which includes federal law enforcement (as you point out), as well as a huge slew of departments and agencies, their state/local equivalents (including public schools and universities). In such a large population, you will find both skilled and unskilled members of that population (fitting a bell-shaped curve like most populations).

If we don't like it that all attacks are attributed to "hackers", we should likewise have some respect and not just jerk our knees and say anyone who works for the government is automatically clueless.

The Government Accounting Office (GAO) has been auditing and analyzing many of the federal departments and agencies for years, and some of its reports (I have a number linked on my home page) are pretty critical, while others highlight agencies that have done a lot to secure their systems and provide "best practices" advice to improve the situation.

As for law enforcement, the FBI has been doing a lot recently to create a skilled central core of computer crime analysis and investigation resources, and in establishing training facilities and developing working relationships with their peer agencies in other countries (since the Internet is global, response must be global). Since they haven't been at this very long, of course this will be a bumpy and sometimes inconsistent process, and it will take time to build depth and breadth of computer forensics skills (and there is usually a LOT of forensic data to process and understand), but they are working very hard.

I would also say that I think the Clinton administration has done a much better job than its predecessors in trying to address these issues (e.g., the President's Commission on Critical Infrastructure Protection, the formation of NIPC to coordinate incident response and information dissemination to the public and private business sectors, and the National Plan for Information Systems Protection.)

If you've read the National Plan -- subtitled "An Invitation to a Dialogue" -- you will see that a great deal of thought has gone into dealing with infrastructure protection, and that they are asking for cooperation and input from the private sector security experts, which means us. (Now is the time to make your opinions known, and that doesn't just mean ranting on the dc-stuff list, where you are preaching to the choir. Of course, people there will agree with you, but does that change anything? You need to write your Congressional representatives, the President's Council, and vote.)

I, too, question the amount of emphasis in the current budget being placed on surveillance, but I'm really happy to see money being allocated to programs like better forensic analysis capabilities and identifying talented high-school students and helping them to study computer security in college, rather than ignoring their talent (a form of disrespect or a result of fear) and risking losing them to a life of attacking systems instead of securing them.

For example, I know at least one admin (who was 15 at the time I met him) who knows more about securing Unix systems than many admins I encounter on a daily basis. Sure, he was 15 and had some issues with judgment that 15-year-olds have that caused friction with his employers, but he was just 15! Give him a break, and respect his talents! If he was managed more closely, his obvious skills would *still* be an asset to his former employers. I don't want to see someone like this get frustrated at not finding a place to get paid for what he loves to do, and land in jail for following his curiosity and passion in his own way (which usually involves making an eventual mistake in judgment that draws the attention of law enforcement). I already pointed out there is a lack of skilled system administrators, and I'd rather see young talent be put to use to solve these problems, and the National Plan addresses this.

Internet Worm
by Ex Machina

What do you have to say to the idea that this could be a DoS attack launched by computers infected with a Robert T. Morris style worm? Would it be possible to launch something like this and have it and its probes remain undetected until a date where it will launch a synchronized DoS?

Dave:

Given what I've seen as far as these particular tools go (including the scanner used by one group), I have no reason to believe the current attacks are automated and worm-like.

That said, I think it won't be long before someone *tries* to take that next step and further automate the process of scanning & intrusion to constitute DDoS networks.

Think about it, though, for a moment. Using the current DDoS tools, the intruders need to create a large network, without losing agents due to attrition as system/network admins notice the initial "setup" intrusions, and they would have to control the growth of this network so that the handlers are not crushed under the weight of an overly large network (or exposed because the agent "Hi mom!" traffic gets too noisy), hope that clocks are synchronized well enough to not expose the attack too early, and to control the resulting network during an attack, all without being detected. There are some tricky issues of coordination and communication that must be dealt with to prevent such a worm from running wild and disclosing itself. Whoever wants to try this should probably ask rtm about what it feels like to make that kind of mistake.

The alternative is to not use a coordinated/distributed model, but instead use the more standard model of propagating uncontrolled attack agents using a combination of social engineering and trojan horse programs. This has already happened.

In early February, 1999, a message faked to look like it came from Microsoft, claiming to be an upgrade to Internet Explorer (with an attached program named "ie0199.exe") was sent to many thousands of users on the Internet. Those who ran this program got what appeared to be an innocuous error message about a missing DLL, and most just gave up and deleted the message. What they didn't realize was that they had just unwittingly installed a program on their system that set itself up to run on boot the *next* time the system came back up. At next system startup, the program then started sending packets (as a self-described act of revenge) to random hosts on the Bulgarian Telecommunications Company network, causing them significant problems for who knows how long.

Worms also seem to work best against a single, self-similar operating system/architecture/service combination, which means the attackers would have to do the same recon scanning they do now to get a list of these hosts, so why not just stick with what they know works and infect systems on the list in parallel, instead of by some non-deterministic spreading behavior?


Re:a waiters union == DDoS (0)

Anonymous Coward | more than 14 years ago | (#1267572)

so what is the difference between a DDoS and a strike? Or between a DDoS and picketers? Or between DDoS and crowds of people before you at a popular restaurant? Would you sue all the people before if you had diabetes and needed food? What if they weren't legitimate customers and they were just looking at the menu? Why is this different on computers than real life. Issue violations for loitering or trespassing or disturbing the peace. But these are all misdemeanors - not federal or even global offenses.

Re:Linksys (0)

Anonymous Coward | more than 14 years ago | (#1267573)

IpRoute [mischler.com] DOS (no, not DoS) based tcp/ip router using common packet drivers and 386/16 or higher PC. Supports NAT and packet filtering.

Re:Linksys (0)

Anonymous Coward | more than 14 years ago | (#1267575)

Get yourself a used 486 on ebay for about $25 and do the same thing with ipchains with more control.

for about $50 you can get a pentium that can be a firewall, sql server, web server, and a lot of other junk too.

Re:Teach Me How To Be Secure (0)

Anonymous Coward | more than 14 years ago | (#1267576)

Disable unneeded services (you probably don't need any services running, not even inetd), and block SYN packets at your firewall. You can also block UDP packets going to ports 0-1023. Don't run untrusted programs (like email attachments), and don't run anything as root unless absolutely necessary. For a home computer, this is probably good enough.

Re:Teach Me How To Be Secure (0)

Anonymous Coward | more than 14 years ago | (#1267577)

download and print

this [freshmeat.net]

Read it a few times. Eventually it will click for you. Then read the actual IPCHAINS HOWTO. You will learn a lot about some of the things you can do to protect your system.

Re:YOU ARE NOT TRUE NINJA! (0)

Anonymous Coward | more than 14 years ago | (#1267578)

I wonder...is anything this deep moderated.

Thanks! (0)

Anonymous Coward | more than 14 years ago | (#1267579)

Guess I should have been reading /usr/src/linux/net/ipv4/icmp.c, eh? :-)

Dunno why, but I just was stuck on the idea of using ipchains.

Thanks for the info!

Re:Me Average Joe (0)

Anonymous Coward | more than 14 years ago | (#1267580)

I suspect that tools like ICQ need incoming TCP/IP connections.

Certainly that's how my monitoring software (FireEyes) on a Wintel box reports it.

Re:Teach Me How To Be Secure (0)

Anonymous Coward | more than 14 years ago | (#1267581)

Slightly off topic, but relevant to your sig: No one *taught* the cat to type ctrl-alt-del, he/she figured it out for his/herself. My life long experience with felines has shown that they love to pretend to be stupid animals when it suits their purposes, but are remarkably intelligent when there is good fun (mischief) to be had.

Re:Learning "Good" system administration? (0)

Anonymous Coward | more than 14 years ago | (#1267582)

Linux Firewall Tools [linux-firewall-tools.com] is a nice resource for those starting out in the security game, and is highly recommended for all those who are 'rolling their own' Linux Cable/DSL router/firewall.

Re:Hackers. (0)

Anonymous Coward | more than 14 years ago | (#1267583)

I like this guy just because he wore a blue shirt while writing his responses. Unlike those people at Microsoft, etc who wear white shirts.

Re:Linksys (0)

Anonymous Coward | more than 14 years ago | (#1267584)

I use the exact same setup and it works well...the thru-put is consistently high and the firewall/dhcp/filtering software on the box is nice...BE VERY SURE YOU SECURE THE WEB PORTS for ADMIN....but otherwise GOOD TOOLS CHEAP PRICE

Re:Hackers. (0)

Anonymous Coward | more than 14 years ago | (#1267585)

I like this guy just because he pronounces the word tomato, toe-may-toe. Unlike those people at Microsoft, etc who pronounce it toe-mah-toe.

Re:Hackers, and why you are an idiot (0)

Anonymous Coward | more than 14 years ago | (#1267586)

A Hacker in computer terms is someone who finds creative new ways to do stuff. This means that they are almost necessarily good computer programmers. Most crackers (people who break into systems) are also good programmers (if they write their own utilities).

Re:Average Joe and PHB (0)

Anonymous Coward | more than 14 years ago | (#1267588)

I heard on the radio that Clinton has requested $9M for cyber security, White House officials and the Internet community say they will band together to make computer security a high-profile issue. Hee hee, what do they really expect to do with only $9M?
The actual budget request for the next fiscal year is $2 billion (with a b). The $9 million is a supplemental appropriation that he's requesting now to jump start a few initiatives.

The White House Briefing Room at
http://www.whitehouse.gov/WH/html/briefroom.html [whitehouse.gov] will provide links to the fact sheets and such. (Careful, URLs there change regularly.)

Re:Average Joe and PHB (0)

Anonymous Coward | more than 14 years ago | (#1267589)

I would also say that I think the Clinton administration has done a much better job than its predecessors in trying to address these issues (e.g., the President's Commission on Critical Infrastructure Protection, the formation of NIPC to coordinate incident response and information dissemination to the public and private business sectors, and the National Plan for Information Systems Protection.)

Not terribly surprising, given that in 1992 (when Clinton was elected), the internet wasn't on the national spotlight the way it is now. There was some initial recognition of computer/internet security as a problem on the national political scene during the Gulf War, but as a major national issue it didn't emerge until after he was elected. There were a few of us poor geeks howling in the wilderness on talk.politics.crypto and suchlike, but the general reaction when you mentioned the internet and network security was "huh?".

Re:Hackers. (0)

Anonymous Coward | more than 14 years ago | (#1267594)

Most hackers are hacks who wish that they were good programmers. Most hackneys are cab drivers and they smell. Maybe hackers and hackneys should get together and make smelly programmer babies?

Joe DSL will be told by isp "All servers banned" (0)

Anonymous Coward | more than 14 years ago | (#1267595)

While this solves the problem for the ISP, it leaves Joe DSL without a way to run his own apache server, ftp server, telnet server, for his own low-volume stuff, even if he knows how to secure his machine. The only "option" for Joe DSL in this case is to "upgrade" to $800/month commercial service just to get the ability to run servers. This is hardly fair to Joe DSL.

Why should the h4x0rz be able fuck over all the users at Joe DSL's ISP?

Re:Perhaps a NINJA should be consulted. (0)

xodarap (65815) | more than 14 years ago | (#1267598)

Normally I'm anti-troll but I'm all about Ninjas. Have you ever stormed a ninja stronghold? I didn't think so. Ninjas should definitely be consulted on all security issues.

Way to go.

Josh
Founder of the sXeVN Society.

Re:YOU ARE NOT TRUE NINJA! (0)

eAndroid (71215) | more than 14 years ago | (#1267599)

learn to spell seppuku!

you are obviously not fit for ninja yet!

This is supposed to be engineering (0)

chrisbell (101789) | more than 14 years ago | (#1267600)

First of all, I want to compliment Dave on some very well written and intelligent answers. I guess he has had some practice lately, though. Dave made several comments that I think are key to the issues. Computers are not toasters and they are now (and increasingly) used as the support structure of our society. This is familiar territory to geeks but is a concept that most of the rest of the world doesn't get. Buildings are not built without plans. They are not maintained without maintenance workers. They are generally reliable, safe and clean. Society accepts and understands that the (expensive!) blueprinting and planning and ongoing maintenance costs are a part of having a building. Yet governments, companies and individuals somehow think that they can have computer based solutions without those costs. The result is that we have software development programs that don't work. We have "secure" systems that are not. And we have an "internet economy" that can be taken out by pretty much anyone. This is a commonly expressed thought; I'm not saying anything new. But I agree wholeheartedly with Dave; get used to the idea that you need to pay for your technical resources. And listen to the people that you pay for the care and feeding of your systems.

Hackers. (0)

kwsNI (133721) | more than 14 years ago | (#1267601)

I like this guy just because he didn't call the people responsible for the attacks "hackers". I think that shows his intelligence compared to FOX, CNN, NBC, etc. that keep talking about all of the attacks by hackers.

kwsNI

Re:Ninjas are so dated (0)

geekoid (135745) | more than 14 years ago | (#1267602)

Yes, that's right, there are no Ninjas. Please rest easy.

Re:a waiters union == DDoS (1)

Anonymous Coward | more than 14 years ago | (#1267603)

What's the difference between DDos and a strike? One hopes that in a picket line, the picketers have not had control-units implanted in their wetware, but are actually expressing their own views.

In a DDos attack, the attackers are "pods" - Watch "invasion of the body snatchers" to get the picture...

Re:Linksys (1)

Anonymous Coward | more than 14 years ago | (#1267604)

The Linksys and other router/firewall/hub systems are a better solution than buying an old PC and making one. Here's why:

1. You have to remember the full cost of the old PC. Monitor. 2 NICs. Software. Shipping. Usually will work out to more than $150

2. The Linksys and other small hardware router/firewall products use less power, take up less space, create less noise, generate less heat.

3. The hardware solutions are simple, quick, and reliable. The PC solution takes time / effort / and can break easier.

4. With the hardware solutions (the Linksys at least) you get a 10/100 switched hub with the firewall/router. Which you would have to buy on top of the old computer as well.

With my linksys setup, I have 3 computers on a switched 100Mbps lan, and a Cable modem providing IP to all of them. It does DHCP, and firewalls my LAN.

And there are new products competing with the Linksys:
http://www.timhiggins.com

At $130 - $170 a pop, they are a MUST for home LANs and a good idea for home broadband access in general.

Also check out the links for "Securing your System" at the above tim higgins site. The "Shields Up" site is a great resource!

Re:Linksys (1)

Anonymous Coward | more than 14 years ago | (#1267605)

Linksys makes a cheap (~$170) 4-port 10/100 switch that connects to DSL/Cable. Includes NAT/DHCP and a firewall. Once I get my DSL hooked up I plan on getting one, so the SO and I can both be connected

Re:Perhaps a NINJA should be consulted. (1)

Anonymous Coward | more than 14 years ago | (#1267606)

Whoa whoa whoa wait a sec!! Since when does a ninja use a katana? A katana is a sword used by samurai not a ninja. There are DISTINCT differences in armory of both. I think your girlfriend must be a Ronin that once was Samurai, now posing as a ninja... It's the only plausible answer! (pssst... aim for the ribs, it always gets 'em ;) )

Re:Me Average Joe (1)

Nick Ives (317) | more than 14 years ago | (#1267607)

Then you have a problem for services such as ICQ. If you block incoming packets, how are you supposed to receive messages?
I'm sure there are other examples, ICQ is just the obvious one that springs to mind.....

Nick

Re:Personal Firewalls - try SonicWall (1)

bobalu (1921) | more than 14 years ago | (#1267608)

SonicWall makes a nice little personal firewall starting at about $400. Easy to setup and use, works great, doesn't care what kind of OS you're using because it's a stand-alone box.

Re:Joe DSL will be told by isp "All servers banned (1)

trog (6564) | more than 14 years ago | (#1267611)

While this solves the problem for the ISP, it leaves Joe DSL without a way to run his own apache server, ftp server, telnet server, for his own low-volume stuff, even if he knows how to secure his machine.

If Joe DSL is running telnet or ftp, he MOST CERTAINLY doesn't know how to secure his machine.

Re:Joe DSL will be told by isp "All servers banned (1)

trog (6564) | more than 14 years ago | (#1267612)

telnet and ftp send all data back and forth in plaintext, INCLUDING YOUR PASSWORD. Any network sniffer between you and your box now has captured that account's password. Account compromised. Game over.

Your ignorance on this issue illustrated my point.
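To make trog's point concrete, here is an added example (not code from the thread) that reassembles a sniffed FTP control channel and a sniffed telnet login and pulls out the account name and password. Both captures are constructed byte strings standing in for what a sniffer between the user and the box would see; the host name, account and password in them are made up. The telnet case also handles the IAC option-negotiation bytes that are interleaved with the keystrokes.

```python
"""Recover a login and password from a captured telnet or FTP session.

Added example, not code from the thread. The two captures are constructed
byte strings standing in for what a sniffer on the path would see; the host,
account and password are made up. Neither protocol hides the credentials, so
a passive observer only has to reassemble the stream.
"""
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0                      # telnet command bytes (RFC 854)
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_options(data: bytes) -> bytes:
    """Drop IAC option negotiation so only the user-visible text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break                                   # truncated command at end of segment
        cmd = data[i + 1]
        if cmd == IAC:                              # escaped literal 0xFF byte
            out.append(IAC)
            i += 2
        elif cmd == SB:                             # subnegotiation runs up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in (WILL, WONT, DO, DONT):         # three-byte command: IAC cmd option
            i += 3
        else:                                       # two-byte command (NOP, GA, ...)
            i += 2
    return bytes(out)


def extract_ftp(segments):
    """segments: list of (direction, bytes), direction 'c2s' or 's2c'.
    FTP spells the credentials out as USER and PASS commands."""
    client = b''.join(d for who, d in segments if who == 'c2s').decode('latin-1')
    user = re.search(r'^USER (\S+)', client, re.M)
    pw = re.search(r'^PASS (\S+)', client, re.M)
    return (user.group(1) if user else None, pw.group(1) if pw else None)


def extract_telnet(segments):
    """Pair each server prompt with whatever the client types after it.
    Telnet has no USER/PASS: the server prints 'login:' and 'Password:' and
    the client sends keystrokes, often one per packet."""
    creds, pending = {}, None
    for who, data in segments:
        text = strip_telnet_options(data).decode('latin-1')
        if who == 's2c':
            low = text.lower()
            if 'login:' in low:
                pending = 'user'
            elif 'password:' in low:
                pending = 'password'
        elif pending:
            creds[pending] = creds.get(pending, '') + text
            if '\r' in text or '\n' in text:        # line complete
                creds[pending] = creds[pending].strip('\r\n')
                pending = None
    return creds.get('user'), creds.get('password')


# Constructed captures: (direction, payload) as a sniffer would reassemble them.
FTP_CAPTURE = [
    ('s2c', b'220 ftp.example.net FTP server ready.\r\n'),
    ('c2s', b'USER joe\r\n'),
    ('s2c', b'331 Password required for joe.\r\n'),
    ('c2s', b'PASS hunter2\r\n'),
    ('s2c', b'230 User joe logged in.\r\n'),
]
TELNET_CAPTURE = [
    ('s2c', bytes([IAC, DO, 0x18]) + b'\r\nlogin: '),   # DO TERMINAL-TYPE, then prompt
    ('c2s', bytes([IAC, WILL, 0x18]) + b'j'),           # WILL TERMINAL-TYPE, first keystroke
    ('c2s', b'o'), ('c2s', b'e'), ('c2s', b'\r\n'),
    ('s2c', b'joe\r\nPassword: '),                      # server echo, then prompt
    ('c2s', b'hunter2\r\n'),
    ('s2c', b'\r\nWelcome to example.net.\r\n'),
]

if __name__ == '__main__':
    print('ftp   :', extract_ftp(FTP_CAPTURE))
    print('telnet:', extract_telnet(TELNET_CAPTURE))
```

The same reassembly works on any plaintext login protocol (POP3's USER/PASS looks just like the FTP case). The only thing that changes the picture is encrypting the session, which is why the replies in this thread say ssh and scp instead of telnet and ftp.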

Re:Getting /.ed (1)

Zygo (8449) | more than 14 years ago | (#1267616)

The vast majority of Slashdot-effect traffic is going to have Referrer fields pointing to the article in question. Simply grabbing any 10 requests and analyzing them will usually tell you where they're coming from...unless it's a DDoS attack, of course. ;-)
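As an added example (not part of Zygo's comment), the following script does the "grab ten requests and look at them" triage over constructed Apache combined-format log lines. A Slashdot-effect burst has Referer fields all pointing at one article; a flood from compromised agents usually carries no Referer and comes from many unrelated client addresses. The log lines, article URL and addresses below are made up for the demo.

```python
"""Triage a traffic burst from a few sampled access-log lines.

Added example, not from the original thread. The lines are constructed in
Apache 'combined' format with documentation/private addresses. A referral
burst carries Referer fields pointing at one page; a flood from compromised
agents usually carries no Referer and arrives from many distinct clients.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Host part of a Referer value; '-' when the header was absent."""
    if referer in ('', '-'):
        return '-'
    return urlsplit(referer).netloc.lower() or '-'


def triage(lines, sample_size=10, dominance=0.5):
    """Look at the first `sample_size` parseable requests and return a verdict.

    'referral' : one referer host accounts for at least `dominance` of the sample
    'flood'    : most requests have no referer and come from many distinct clients
    'unclear'  : anything else; pull a bigger sample before deciding
    """
    records = [r for r in map(parse_line, lines) if r][:sample_size]
    if not records:
        return {'verdict': 'unclear', 'referers': {}, 'clients': 0, 'top': '-'}
    referers = Counter(referer_host(r['referer']) for r in records)
    clients = len({r['host'] for r in records})
    top_host, top_count = referers.most_common(1)[0]
    n = len(records)
    if top_host != '-' and top_count / n >= dominance:
        verdict = 'referral'
    elif referers['-'] / n >= dominance and clients >= n * dominance:
        verdict = 'flood'
    else:
        verdict = 'unclear'
    return {'verdict': verdict, 'referers': dict(referers),
            'clients': clients, 'top': top_host}


def _line(host, referer, path='/index.html'):
    """Build one constructed log line for the demo below."""
    return (f'{host} - - [10/Feb/2000:10:00:00 -0800] "GET {path} HTTP/1.0" '
            f'200 2326 "{referer}" "Mozilla/4.0 (compatible)"')


# Constructed samples: ten hits from ten different clients each.
SLASHDOTTED = [_line(f'10.0.{i}.{i}', 'http://slashdot.org/article.pl?sid=00/02/10/1234')
               for i in range(1, 11)]
FLOODED = [_line(f'192.0.2.{i}', '-') for i in range(1, 11)]

if __name__ == '__main__':
    for name, sample in (('slashdotted', SLASHDOTTED), ('flooded', FLOODED)):
        print(name, triage(sample))
```

This is triage, not attribution: an agent can send any Referer it likes, so a "referral" verdict only tells you the burst looks like a link from one page, and the 'unclear' branch exists because ten requests is a small sample.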

Re:Average Joe and PHB (1)

GRH (16141) | more than 14 years ago | (#1267619)

It may be pessimistic, but I can't see Average Joe ever understanding the issues and the tech to the point where they could adequately protect themselves.

This section:

Some ISPs now offer security services, and will provide "firewall" services for their customers, but this comes at a high price. Most users want $19.95 a month service, which is basically just buying a raw, wide open pipe.

Gave me an idea... What if there were an OS (I'm talking Windows/Mac) option to not allow outsiders to initiate a socket? Such that all traffic in/out of Average Joe had to be initiated by Average Joe. For people on @home (or similar) this should not be a big limitation as they're not supposed to be running servers anyway! (which is why I'm not a customer).

The implementation of this is left as an exercise for the reader.

GRH

Eggdrops are legit (1)

Chris Pimlott (16212) | more than 14 years ago | (#1267620)

There's nothing bad about eggdrop bots. Eggdrop is a well respected bot to manage an IRC channel and are quite popular on all the networks. I myself have run a few and they're quite fun to play with. While there are eggdrops scripts aimed at more malicious uses, the vast majority of eggdrops are just used to keep the peace and keep channels organized. eggdrop homepage [eggheads.org]

Re:Personal firewalls, perhaps something for cobal (1)

kmactane (18359) | more than 14 years ago | (#1267622)

Linksys is already doing one, and it looks pretty sweet. It's called the "EtherFast Cable/DSL Router", and acts as a router, hub and switch with firewalling, NAT and IP masq abilities.

It's right on their front page at www.linksys.com [linksys.com] .

Re:Perhaps a NINJA should be consulted. (1)

austad (22163) | more than 14 years ago | (#1267623)

Damn. I knew she was lyin' to me. I should've guessed when she tried to stab me with the handle and cut all of her fingers off. Ninjas with no fingers don't make very efficient killers. Plus the blood drips down the wall when they try to blend in.

Forget it; 'Hacker' has stuck. (1)

Remus Shepherd (32833) | more than 14 years ago | (#1267625)

Folks, forget trying to correct the media when they call criminals 'hackers'. The term has stuck, and popular culture is going to keep using it in spite of any attempts to educate them. I suggest that you pressure the media to call them 'criminal hackers', to distinguish them from the law-abiding people who prefer to wear the 'hacker' label.

Re:Teach Me How To Be Secure (1)

Broccolist (52333) | more than 14 years ago | (#1267626)

If you're almost always at your computer when it's on, a neat trick is to trigger a sound effect whenever someone uses one of your services. For example, put something like this in /etc/hosts.allow (assuming you have TCP wrappers):

in.telnetd: ALL: spawn (cat /usr/local/share/audio/telnet.au > /dev/audio) &

A good way to make those sounds is the web text to speech converter [bell-labs.com] .


Broccolist

Re:Personal Firewalls (1)

Brew Bird (59050) | more than 14 years ago | (#1267627)

Of course, any free unix system for intel has all the 'firewall' tools you need built in. don't pay an 'ignorance tax' to these people.

Re:Learning "Good" system administration? (1)

sparty (63226) | more than 14 years ago | (#1267628)

Read bugtraq, visit packetstorm [securify.com] and Security Focus [securityfocus.com] regularly. Keep an eye out for weird utilization on your box, read your logs, and make sure you have as much locked down as possible. If you don't need a service, don't run it.

Re:University Crackdown (1)

ucblockhead (63650) | more than 14 years ago | (#1267629)

Not just universities! My ISP (att.net) pulled their pop server behind the firewall four days ago with absolutely no warning, making it impossible for me to get my e-mail without dialling in at 56k. Blech.

And, typically, all the support people I talked to claimed that it was "always that way".

Its the Certifications (1)

kkelly (69745) | more than 14 years ago | (#1267632)

I think a big problem right now is the great deal of certifications available to anyone with the money. For $1000 and 3 days of class you too can become a system administrator. A person with a MCSE can get a job anywhere anytime, I have a friend with a 2-year accounting degree who spent 1 week studying for the MCSE and tripled his salary in less than six months. Needless to say he doesn't have a clue but no one seems to notice. I think these quicky certifications are a big part of the problem.

Re:Teach Me How To Be Secure (1)

jdigital (84195) | more than 14 years ago | (#1267634)

Don't tell a forum on slashdot which will be a magnet to script kiddies that you are a sitting fat duck.

If I had any clue about anything more than the technical side of cracking, then perhaps I would be enticed to your claim of being 'on a constant cable' & 'clueless newbie'

For starters close off your ports, they're all open.

A firewall is a great place to start

Re:Broadband providers getting a little smarter. (1)

nezroy (84641) | more than 14 years ago | (#1267635)

A lot of cable/dsl bridge group users raise issue specifically about others being able to see their computers in the windows Network Neighborhood, which is why your NetBIOS port is gone. The ISP hasn't really done anything to increase security; instead, they are responding to a general customer complaint in order to make everybody happy again. Since the majority of serious attacks and intrusions don't provide so obvious a sign as showing up in the Windows Network Neighborhood, chances are ISPs are still a long way off from providing any tighter security, since no one will be wise enough to complain...

Re:Personal firewalls, perhaps something for cobal (1)

|ckis (88583) | more than 14 years ago | (#1267636)

A lot of DSL Routers/Modems have this functionality built into them. I just finished a consulting job where I set up a network for a small business. I got them a DSL Line, and the router that the provider gave us does DHCP, NAT and portmapping. This way they get their high speed access, but no one can come into the network since no portmapping is being done. Cheap simple security for a small company, and you can always set up portmapping if you want to add a Web Server, etc. Unfortunately to get a router like this you have to buy business class DSL which is considerably more expensive than home class. It's still pretty cheap on the grand scale of things, they pay about $300/mo for 1.1Mbit both ways.
-

Fixing the Problem (1)

hburch (98908) | more than 14 years ago | (#1267637)

Dave skirted around the issue, but didn't really address what needs to be done: fix the problem. Making system administrators more 'clueful' isn't a reasonable solution, as truthfully, there aren't enough sysadmins with enough experience for all the positions available, and the problem is, as far as I can tell, getting worse. Moreover, the ie0199.exe incident demonstrates that unclueful users can be as bad as unclueful sysadmins. A majority of Dave's points about 'fixing' the problem deal with identifying the source of a packet. In the case of a smurf attack, for example, you know who's responding to the attack, you're just not certain who is sending the initiator of the attack. Finding smurf hosts is easy, so you could probably automate the process to find tens of thousands of them, which would be difficult to handle. Even if you get 'security' which ensures that the packets initiate at the source host in the IP header, if you can break into enough machines, there's still a problem, although not nearly as bad. Either I have to get my local ISP to install a filter on their end, or I have to contact the sysadmins for each of those cracked machines and get them to fix their machines. DDoS is a problem without a good solution at this point, and I'm not sure if there'll ever be a good solution. If I can get 50,000 users to install a program on their Windoze box that will, at my command, continually initiate web connections to a host, how can we distinguish this from 50,000 people really trying to talk to that web site (one could argue that posting a URL on /. is a DDoS for that web site :)

My beef (1)

Raindeer (104129) | more than 14 years ago | (#1267638)

First of all, great interview. Definitely one that should go in the Good Stuff of Slashdot book.

I think one point that is overlooked or underemphasized is the out of the box security. I am not a technical dude, just read my info. What I mean is that when I buy a car (to use that analogy) and I buy a good one like a Mercedes, it has features to keep me from f@cking up stuff. A standard Mercedes can only go 250km/h, has side impact protection, well you know the drill...

With computers I have to install the airbag myself, seatbelts are an option. Yes for large sites we need better administrators, no doubt about it. But imagine that in 10 to 20 years everybody is lugging around a Transmeta powered screen, which interacts with their home-server, at school they get the sheets and the notes downloaded to it etc. and all that on *high* bandwidth. They have no time to think about all the security. It should be taken care of already instead of implemented later on. Why can't a system be built with all the features turned off... instead of everything turned on and open wide?

Re:Average Joe and PHB (1)

Arctic Fox (105204) | more than 14 years ago | (#1267639)

It takes 9 million dollars to rent office space to set up a "command-center" for the use of the new "cyber-czar" which I guarantee will be nominated.
My guesses for "cyber-czar":
  • Major campaign contributor
  • Al Gore, he invented the damned thing, you'd think he'd be #1 choice.
  • That Wen-Ho-Lee guy. He's an expert on computer security. Like letting his daughter play MUDs on a supercomputer.

-=-=-=-=-=-=-
This signature contains text from the world's funniest signature.

Re:Hackers. (1)

WauloK (111758) | more than 14 years ago | (#1267641)

Yes.. exactly what I have been saying all along. Why is everyone reporting them as "Hackers"? Flooders maybe.. but they sure ain't hackers.


I mean, if I went round saying I was an Emporer just because some moistened bint had lobbed a scimitar at me, they'd put me away!

Re:Average Joe and PHB (1)

madbomb (123832) | more than 14 years ago | (#1267642)

I think one of the major problems nowadays is the lax attitude taken towards malicious events such as this. I understand that to the ignorant public, this is meaningless, but the knowing (nerds of the world) should help to stop some of these "atrocities".

I am not talking about government interjection either. The last thing the intelligent internet public needs is more censorship by the government. The whole should not be punished for the actions of a few. The fact that they want to put $9M dollars into security is ridiculous. Leave security in the hands of the administrators. If they don't feel that security is important enough to look into, then they deserve to be taken down. We all know that security is an important issue. It should be dealt with on every machine; even going as low on the food chain as the average home user.

The idea of security should not just be left to the computer junkies who know everything about everything. Security should be a concept that is driven home to more people than just SysAdmins and Webmasters. It is a net-wide problem that has to be dealt with at the core. And in this case, the core is the incompetent, otherwise known as average users.

I think that if the government wants to spend $9M dollars on cyber security, they should spend it where it counts and drive the point home. It should be spent on educating the average Joe. They do it with every other major problem: drugs, pregnancy, smoking...so why not hit home with a problem that we can foresee getting worse rather than waiting till the real problem hits. Get the point out to the average user that they need to be careful. If they are not, they are then susceptible to any number of possible problems. Of course this is just my opinion, but usually it's right :). I know this is a strong viewpoint, but hell, we all have our own opinions.

Re:Average Joe and PHB (1)

jimbobborg (128330) | more than 14 years ago | (#1267643)

I would also say that I think the Clinton administration has done a much better job than its predecessors in trying to address these issues

Seeing how they have been the ONLY administration since the Internet became what it is today, I think that quote is quite silly. Don't you?

Re:Proper Systems Administration (1)

dpilot (134227) | more than 14 years ago | (#1267646)

Wouldn't a proper sysadmin also have reported this to someone like CERT?

Re:Average Joe and PHB (1)

qirien (140383) | more than 14 years ago | (#1267647)

When you break through all the hype that the press has put on this and boil it all down, it is just common sense. It's a shame that it takes events like this to have "the average Joe" . . . finally understand that a little caution and a little foresight go an awful long way.

Unfortunately, I don't think the "average Joe" will make his system any more secure now than it was before. Most people don't even know how their systems might be compromised (by DoS or otherwise) let alone know how to make them more secure.

While average citizens may now be more inclined to approve of allocating resources towards computer security issues, most still don't know (or refuse to know) enough to make it a more important issue than, say, taxes, or gun control, or things that affect their lives in a more obvious manner.

-- Qirien, Academy of Defenestration

Broadband providers getting a little smarter. (1)

lilnobody (148653) | more than 14 years ago | (#1267649)

I'm just your average, leisure cable modem user. I admit to having only taken basic steps to protect my system. I've shut off netbios and all the other useless things, I could probably still be nuked, but I don't keep anything critical on this computer, and I'd rather have the performance. I can replace just about everything on my drive in a day or two. But I like to think I'm reasonably secure against script kiddies trying to get control.

Now, the other day, when running my not-so-regular port scan, I noticed that port 139 (netbios) wasn't just closed, but gone! I'm not running any kind of firewall, and my only explanation (remember, I'm not so good at this, though) is that @home has cut off incoming traffic to port 139 to their end users on my segment, at an unknown router/firewall somewhere.

It's a tiny step in the right direction, I suppose.

Re:Joe DSL will be told by isp "All servers banned (1)

elbuddha (148737) | more than 14 years ago | (#1267650)

Because you should be using ssh and scp for telnet/ftp.

a waiters union == DDoS (1)

trollking (153214) | more than 14 years ago | (#1267651)

if only one waiter refuses to work, that's a denial of service. If a whole union of them refuses to work, that's a distributed denial of service. the solution is better pay and benefits.
Thank You,
Troll King

Request for Practical Advice (2)

Anonymous Coward | more than 14 years ago | (#1267655)

I'd like to secure my Linux PC. I've edited inetd and turned off everything I'm not using--finger, ftp, http. I've looked at the SysV editor and turned off a few more things--sendmail, identd, for example. I need Samba, I need telnet, but only on the local network--not the internet.

I've set up a simple ipchains firewall. It allows local network (192.168.x.x) traffic and loopback traffic, but not over ppp. It lets eth0 (but not ppp0) packets access the NetBIOS port, which Samba seems to need. It rejects all packets sent to all of the ports I'm not using--especially ports that NMAP finds interesting.

I use strong passwords and don't operate as root unless I really need to. I use a dial-up connection and don't leave it open when I'm not using it.

What else should I be doing? I'm not a skilled SysAdmin, and my PC is unlikely to be the target of a determined attack, but I'd like to keep the script kiddies at bay.
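An added example, not code from this thread, that models two policies discussed in it: the eth0/ppp0 split in the post above (LAN and loopback trusted, the dial-up side locked down, NetBIOS only from the LAN) and GRH's idea in the "Average Joe and PHB" thread that nothing gets in unless this box initiated it. The trace of packets, interface names and addresses are all constructed. ipchains had no connection tracking; the closest it offered was the `-y` SYN test, included here as no_syn_rule() so the difference is visible, and the last packet in the trace is the inbound-ICQ case Nick Ives raises.

```python
"""Simulate a 'nothing comes in unless this box started it' packet policy.

Added example, not code from the thread. Interface names, addresses and the
packet trace are constructed. StatefulFilter is the policy GRH describes;
no_syn_rule() is what a stateless ipchains SYN test could approximate.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet arrived on (in) or leaves by (out)
    direction: str   # 'in' or 'out', relative to this host
    proto: str       # 'tcp' or 'udp'
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


TRUSTED_NETS = [ipaddress.ip_network('192.168.0.0/16'),
                ipaddress.ip_network('127.0.0.0/8')]
TRUSTED_IFACES = {'lo', 'eth0'}   # assumed: loopback and the LAN side
NETBIOS_PORTS = {137, 138, 139}


class StatefulFilter:
    """Remembers flows this host opened and admits only their replies."""

    def __init__(self):
        self.flows = set()   # (proto, local_addr, local_port, remote_addr, remote_port)

    @staticmethod
    def _key(p):
        if p.direction == 'out':
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p):
        if p.direction == 'out':
            self.flows.add(self._key(p))       # we initiated it; remember it
            return 'ACCEPT'
        src = ipaddress.ip_address(p.src)
        # LAN/loopback services (Samba, telnet) stay reachable, but only when
        # the packet really arrived on a trusted interface: a LAN source
        # address showing up on ppp0 is a spoof and gets no special treatment.
        if p.iface in TRUSTED_IFACES and any(src in n for n in TRUSTED_NETS):
            return 'ACCEPT'
        if p.dport in NETBIOS_PORTS:           # never from the outside
            return 'DENY'
        if self._key(p) in self.flows:         # reply to something we sent
            return 'ACCEPT'
        return 'DENY'                          # unsolicited: new SYN, stray UDP, ...


def no_syn_rule(p):
    """Stateless approximation (ipchains -A input -i ppp0 -p tcp -y -j DENY):
    drops inbound TCP SYNs only. It cannot tell a solicited UDP reply from an
    unsolicited datagram, and a bare ACK probe passes."""
    if p.direction == 'out':
        return 'ACCEPT'
    if p.proto == 'tcp' and p.syn and not p.ack:
        return 'DENY'
    return 'ACCEPT'


def run_scenario():
    """Constructed trace; returns the stateful filter's verdict per packet."""
    fw = StatefulFilter()
    me_lan, me_ppp = '192.168.1.1', '203.0.113.5'     # this box's two addresses
    trace = [
        Packet('eth0', 'in', 'tcp', '192.168.1.20', 1025, me_lan, 139, syn=True),   # LAN Samba: ok
        Packet('ppp0', 'in', 'tcp', '198.51.100.7', 1025, me_ppp, 139, syn=True),   # NetBIOS from net: no
        Packet('ppp0', 'in', 'tcp', '192.168.1.20', 1025, me_ppp, 23, syn=True),    # spoofed LAN src: no
        Packet('ppp0', 'out', 'tcp', me_ppp, 1030, '198.51.100.80', 80, syn=True),  # we open HTTP
        Packet('ppp0', 'in', 'tcp', '198.51.100.80', 80, me_ppp, 1030, syn=True, ack=True),  # its SYN/ACK
        Packet('ppp0', 'out', 'udp', me_ppp, 1031, '198.51.100.53', 53),           # our DNS query
        Packet('ppp0', 'in', 'udp', '198.51.100.53', 53, me_ppp, 1031),            # its reply
        Packet('ppp0', 'in', 'tcp', '198.51.100.9', 4000, me_ppp, 4000, syn=True), # inbound ICQ: no
    ]
    return [fw.decide(p) for p in trace]


if __name__ == '__main__':
    print(run_scenario())
```

The price of the policy is exactly the one raised in the ICQ comment: anything that needs the outside world to open a connection to you is refused, and a real implementation also needs to expire idle flows rather than keep them forever.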

It's gonna get worse.... (2)

J4 (449) | more than 14 years ago | (#1267656)

before it gets better.
A large part of the problem WRT basing economic growth on a vulnerable system is a combination of greed and naivete on the part of those who are not fascinated by the technological details (read PHB's and J.Random Luser).

I have to wonder what will happen if UCITA becomes the law of the land. Does anybody else see the irony of government on the one hand, spending money with an eye towards making things more robust, yet on the other hand removing the onus of liability from those who produce the engines on which the info economy is based?

Great interview though...
browsing comments at 2 it almost seemed like 1998 again....

Re:Main stream media & these attacks (2)

Indomitus (578) | more than 14 years ago | (#1267657)

I saw this report too. It took me longer to explain to my dad why they were wrong than they spent on their "report." I'm used to local newscasters not having even a hint of a clue but the inaccuracy of that ABCNews report was shocking.

surely I'm not the only one . . . (2)

C. E. Sum (1065) | more than 14 years ago | (#1267658)

. . . who read the blurb on the front page, saw the "33717 bytes in body" and read it as "31337 bytes in body"?

Main stream media & these attacks (2)

cdipierr (4045) | more than 14 years ago | (#1267659)

Last night I was watching ABC News. They were showing some websites affected by the DoS attacks. Then they showed what the "hacker sees" as he does it (their words). They cut to a machine compiling something! Vaguely looked like Linux kernel, but it was only a brief screenshot...

Then they went on to say that even if people think they're smart, they're leaving their ID behind and showed what they called a "unique ID #" on every bit of network information. They displayed something like this:
128.1.5.666 (yes they actually had 666 for the last 3 digits of the IP address). They also failed to point out IP spoofing, etc.

Is it REALLY asking too much for journalists to know something about what they report on?

Re:Personal firewalls, perhaps something for cobal (2)

trog (6564) | more than 14 years ago | (#1267660)

As a sysadmin that works exclusively with security issues, I can tell you that the "personal firewall" is a worse solution than having no firewall at all. Security is a process; it is never ending, and requires a great deal of time and effort. Joe DSL is going to install that firewall, and think it will protect him forever. It creates a false sense of security.

Security cannot be left to people who don't constantly work to improve it. Joe DSL has neither the ability nor the desire to do this. Sadly, neither do most self-styled sysadmins.

Re:Me Average Joe (2)

trog (6564) | more than 14 years ago | (#1267661)

Problem is....YOU CAN'T educate the average Joe for security. It is far too involved and can't be solved with some magic pill or simple patch. Networked systems are horribly complex, with interactions on many different levels. It is better to leave the security in the hands of the few who have a passion for it.

Here's my solution: Have all ISP's providing DSL and cable service host the firewall for all their customers. Have them hire vigilant security minded sysadmins (there are few of them, but they are out there), whose only job is to keep the firewalled area secure. This way, Joe DSL doesn't have to worry about it all.

Re:Question (2)

Zygo (8449) | more than 14 years ago | (#1267662)

"echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts" should be sufficient.

Anyway, if using ipchains, I prefer:

"ipchains -A input -i <ifname> ! -d <ifaddr> -j DENY"

where 'ifname' is each interface and 'ifaddr' is the corresponding address. That basically ignores all broadcast or multicast traffic; only point-to-point IP to _your_ host is accepted. Of course if you have a router or you actually need to receive broadcast traffic for some reason, you have to RTFM...

Ten bit bytes (2)

Sloppy (14984) | more than 14 years ago | (#1267663)

Well, you see, modern modems strip off the start and stop bits before sending data to the V.42bis compressor. That way, it's even faster, right? Well, the compromised systems were all running some type of Unix variant, and everyone knows Unix is old. Even older than 9600 baud modems. So those Unix longhair hackers, when they make a PPP connection to The Internet, have to use start and stop bits, making their bytes 10 bits long. Now, even though they pay a penalty in speed (it's 1.25 times slower), they get the side benefit of getting to use IP addresses like 257.1023.1.666. It's sort of a 31337 status symbol.

I think we should all explain that to the journalists.


---

Getting /.ed (2)

TimButterfield (16686) | more than 14 years ago | (#1267664)

While it may not be intended this way, getting /.ed can result in the same effect as a DoS attack, the lack of service from the site in question. If the site is not aware of a mention on /., they could easily misconstrue the resulting lack of service as having resulted from a DoS attack. A link from any media source has this potential. Slashdot has just had it happen often enough to have given it a name.

Re:Learning "Good" system administration? (2)

mindstrm (20013) | more than 14 years ago | (#1267665)

Look up usenix/sage

Re:Perhaps a NINJA should be consulted. (2)

austad (22163) | more than 14 years ago | (#1267666)

My girlfriend is a ninja, and she will offer consulting services. And now that she's all set up with her DSL line and Linux, she's an expert on the subject.

I'll approach her tonight about it if I can find her. She likes to blend into the wall and jump out behind me and try to lop my head off with her katana. You'll probably want to consult over email with her because it's pretty dangerous being in the same room with her. She goes by "Nuprin" (little, yellow, different...).

Re:Joe DSL will be told by isp "All servers banned (2)

Vladinator (29743) | more than 14 years ago | (#1267667)

That's total crap! I had a cable modem before I moved, and set up a nice little FTP server for myself. *I* used it. Whenever I was offsite somewhere, and needed something I could just ftp it from home. Why shouldn't I be able to do that?

Hey Rob, Thanks for that tarball!

Re:Teach Me How To Be Secure (2)

_Lint_ (30522) | more than 14 years ago | (#1267669)

Since other posters have addressed the "where to find more information" question, I'll pass on it.

But one thing about your post concerns me. You say that you don't trust Mediaone to protect you from script kiddies. I would take that a step further: It is not their job to protect you from script-kiddies, it's yours. MediaOne's job is to provide you with a fat pipe. What you do with it is up to you (within their acceptable-use policy).

Unfortunately, most users expect their ISP to protect them, which is a nearly impossible task, (unless you WANT them to sniff all traffic going to your machine).

Re:Proper Systems Administration (2)

GoNINzo (32266) | more than 14 years ago | (#1267670)

Excellent point... and you got me there.

At the time, it looked like it was some annoying irc related product, and as you might know, sys admins are overworked. Hence I had to fix this, report the problem to the upstream, and make a report to my boss, along with the rest of my work.

Hence, reporting a script kiddie didn't seem like a big deal to me, because it was definitely a manufactured root kit, with no knowledge required, otherwise they would have gotten the ftp ls as well.

If I had a dollar for every script kiddie....

--
Gonzo Granzeau

Personal firewalls, perhaps something for cobalt? (2)

Cpyder (57655) | more than 14 years ago | (#1267671)

Isn't this a "hole in the market" for Cobalt?
Low-price nifty looking boxes with 2 plugs: 1 for your DSL stuff, 1 for your pc.

(and of course you can make it yourself using that old 386 lying around)
_
/ /pyder.....
\_\ sig under construction

Re:Teach Me How To Be Secure (2)

kkelly (69745) | more than 14 years ago | (#1267672)

A good starting point where I learned a great deal is the Trinity OS [csuchico.edu] document. Also try Unix Guru Universe [ugu.com] for all things *nix. The information is out there but don't expect to become an expert overnight. As a *nix user of 15 years I still feel like a newbie in a lot of situations. IMHO that's what makes it fun;-)

Re:Average Joe and PHB (2)

technos (73414) | more than 14 years ago | (#1267674)

Hey now! I just played Rogue on a SGI Power Challenge 10000.. There's absolutely nothing wrong with tying up a supercomputer for games, especially if you get to kill something!

On a side note, it's the only box I have access to that has Rogue installed.. And I didn't even do it!

Re:Personal Firewalls (2)

scumdamn (82357) | more than 14 years ago | (#1267679)

Actually, I built my firewall/router/mail server using spare parts and a burnt Red Hat CD. It's not really that hard. I should actually write a howto about it.

Re:Me Average Joe (2)

jalbro (82805) | more than 14 years ago | (#1267680)

Something I would like to see is ISP's block ALL incoming TCP/IP packets (incoming with the SYN bit set) unless the customer requests otherwise. It would seem to me that only servers need incoming TCP/IP connections. Am I missing something here?

Re:Linksys (2)

nezroy (84641) | more than 14 years ago | (#1267681)

1. You can telnet or ssh or your preferred remote access method into a Linux/FreeBSD/your OS here box to perform about 99% of your maintenance... don't need a new monitor or keyboard...

2. Can't argue there.

3. Hardware solutions may be quicker and more reliable, but tend to get updated slower and less often when a security issue is discovered. Witness the many routers and switches which have known security loopholes that still have not yet had firmware upgrades issued.

The biggest issue, though, is that if you're using a hardware solution because it's quick, easy, and most importantly because you don't have to learn anything to use it, then you aren't really doing much to secure yourself. Without active knowledge backing up your security measures, people WILL find ways around them.

Re:University Crackdown (2)

nezroy (84641) | more than 14 years ago | (#1267682)

Since schools started banning trench-coats and black clothing, do you think the government will start trying to ban computers and net access? Heal the foot by cutting off the leg; sounds like something politicians would pursue...

Personal Firewalls (2)

atopian (106699) | more than 14 years ago | (#1267684)

One already exists for personal use... The problem with the hardware firewalls are they cost thousands of dollars. I saw a personal firewall in the news awhile back for LINUX at http://www.progressive-systems.com/

Re:Learning "Good" system administration? (2)

JustShootMe (122551) | more than 14 years ago | (#1267685)

Experience, experience, experience. It's the best way.

Mail me if you have any specific questions, and I'll try to answer them for you.


If you can't figure out how to mail me, don't.

Learning "Good" system administration? (2)

Scriven (123006) | more than 14 years ago | (#1267686)

In reading the very well written questions and answers, one question came to my mind.

It was mentioned that there aren't enough Good system administrators. I am a very small time SA, and I probably fall under the "not good" category right now. My question to the /. community is, where can I go to learn to be a good SA? What books are recommended, what HOW-To's? (I've got Trinity bookmarked, it seems very extensive, but is it "good"?) How does one start to become a good SA?

Thanks!
--Adam


This is my .sig. It isn't very big.

This is what Clinton will be talking about (2)

spaceorb (125782) | more than 14 years ago | (#1267687)

Creating [jya.com] a more "secure" internet. The "Flexible Deployment Assistance Guide" basically points out that telecommunications companies should hand over "certain" information to the FBI upon request. Looks like they have an impressive list of supporters. Great.

Re:Linksys (2)

coolgeek (140561) | more than 14 years ago | (#1267688)

I was astonished by the low price of this unit. Seems to me, with no margins, it isn't likely that an enormous amount of $$$ went into the development of the product. Besides, it's a closed security system, (aka security via obscurity). How is anyone to know just how secure it is? What about patches? And if it has a flash chip for the firmware, what then?

These low end products, in addition to giving an unsuspecting home user a warm fuzzy, are also designed for the consultant or installer that wants to be able to say "I tried to protect your network" to their client, without taking the learning curve on firewalls. My experience is while I have offered the WebRamp or Linksys products as a lower cost alternative to a "real" firewall, my clients have taken the attitude that they would rather not fsck around when it comes to their firewall.

Get the cheap 486 at home, put a good ipchains script on it, disable everything that listens, and keep it well patched. On most of your DENY's, put a -l (I don't log, but I do DENY packets rx'd for port 137/138 - it's mostly my neighboring broadband customers that have IP bound to their M$ client/server) and have a look at your logs every so often. You may be surprised by the results.

Re:Its the Certifications (2)

coolgeek (140561) | more than 14 years ago | (#1267689)

Quicky certifications are a symptom of the deeper "problem". The real issue is that there just ain't enough skilled folk to go around. I'm not sure it's a "problem", well, at least if you're a skilled folk, it's not a problem. It just means higher pay. Enjoy it while it lasts. The high school I do a bit of work for has been firing up the old C/C++ courses once again. In 5-10 years, academia will overproduce techies again, and we'll see programmer jobs for $35K/year again.

Re:Teach Me How To Be Secure (2)

BlackRomantic (153372) | more than 14 years ago | (#1267690)

>First, get a working firewall in place.

You are doing the last step first. Setting up a firewall isn't vital in many cases.

First step is to close unnecessary open ports. For instance, The SuSE distrib installs telnet, ftp and Apache daemons as default. Joe DSL doesn't need this. Consider what you really need on your system and keep this. The less stuff you got running on your box the less stuff you have to maintain. You don't need sendmail/procmail if you use a mail client that directly gets mails from a POP3 and sends to the upstream mail server. One port shut (tho this only makes sense if there is only one user on the system and it doesn't hurt too much to be online when mailing). Joe DSL doesn't need a webserver running. SuSE installs apache so you can search the online-doc they provide. That's overkill. Get rid of it. BTW I had to grin when I read about the increase of apache installations. I think SuSE et al had their share in this. Joe Average doesn't need an FTP server. Away with this one. Joe most likely doesn't need telnetd. Get rid of it. And if you do need it, there are secure alternatives (ssh). Finger daemons, talk daemons and assorted knick-knack isn't needed. Kick it. Feel free to check your system with Saint. It can be a real eye opener. The reason for this house cleaning is the more services you got running, the more potential security loops are inserted into your system. And maintenance complexity is rising exponentially. Less is more in this case.

Second step has to be the installation of some means to monitor unauthorized changes in your system. There are several ways to install alarms like these. It's most of the time the only way to find out somebody breached your system integrity. And logs are there for reading. Or at least to grep through them.

Third step is to set up the firewall.

Fourth step is to keep up-to-date with security fixes for the stuff you got up&running on your system.

It is important that you know what is actually happening in your 'puter. If you even are unsure whether you have telnet running or not then the main security problem is sitting in front of your keyboard.

Question (3)

Anonymous Coward | more than 14 years ago | (#1267691)

Related to this topic...Windows' TCP stack will not respond to a directed broadcast ping (this is optional, according to the relevant RFCs). Other operating systems will, however, respond to these pings, which, under certain circumstances, could pose a problem (envision attacks from within the network).

My question is: has anyone found a way to emulate Windows' behavior under Linux? I would think you could do this with ipchains, but have not been successful thus far.

ipchains -A input -s 0.0.0.0/0.0.0.0 0:0 -d <broadcast address>/255.255.255.255 -i eth0 -p 1 -j DENY -l

does not work, although I thought it would.

Re:University Crackdown (3)

Ken Williams (28157) | more than 14 years ago | (#1267692)

maybe you should just consider complying with the university policies (III,3.02,h and III,3.02,k [cameron.edu]) that implicitly forbid running personal web servers on school networks. i actually do empathize with you, but i have played both sides of the game you're in, and it is always a losing battle for the student. the more you fight for what you perceive to be your 'Net rights, the closer you'll come to permanently losing all of your university computer resource privileges.

key word == privileges

Proper Systems Administration (3)

GoNINzo (32266) | more than 14 years ago | (#1267693)

A very important key was put forth in this interview that should be pushed to the rest of the world.

Nothing can replace proper Systems Administration.

As a real world example of this, I busted a TFN client that appeared on two Suns we had 2 days after they appeared (These were non-used systems, I just noticed the network traffic). The traffic was high, I didn't believe the results that the rootkit were telling me, and found the kit and client (Thank you ftp's static ls!). And this was before TFN was out on BugTraQ and other security mailing lists! I didn't know what it was, so I just cleaned up the systems, and threw a P-90 Linux firewall in between. Also notified the uplink that they were the ones talking to the client. (Strange udp packets incoming are not to be trusted!) Now that's proper Systems Administration!

Oh, and to sell people on my company, Collective Technologies [colltech.com], all we do is Systems Administration (and networks and DBA's now too). The best of the best sys admins out there... `8r)

--
Gonzo Granzeau

Average Joe and PHB (3)

348 (124012) | more than 14 years ago | (#1267694)

I expect the average Joe DSL to probably learn the hard way, just like he learned not to step off the curb in rush hour against the traffic light, and to take everything valuable out of his car when he parks it on a dark city street: by suffering an incident, and the resulting cleanup cost.

When you break through all the hype that the press has put on this and boil it all down, it is just common sense. It's a shame that it takes events like this to have "the average Joe" and the PHB finally understand that a little caution and a little foresight go an awful long way. The three or however many of them they were, who pulled off the larger of the DDoS attacks really did the industry a favor in raising awareness, although I don't think this was the motive.

I would also say that I think the Clinton administration has done a much better job than its predecessors in trying to address these issues (e.g., the President's Commission on Critical Infrastructure Protection, the formation of NIPC to coordinate incident response and information dissemination to the public and private business sectors, and the National Plan for Information Systems Protection.)

I think the administration is still lacking in some major areas and it will take years to catch up with all the red tape. On a side note I heard on the radio that Clinton has requested $9M for cyber security, White House officials and the Internet community say they will band together to make computer security a high-profile issue. Hee hee, what do they really expect to do with only $9M?

Me Average Joe (3)

Sway (153291) | more than 14 years ago | (#1267696)

This is an education problem of *huge* proportion, and just like the filtering question, there isn't much motivation for ISPs to hand-hold their growing customer base, and their marketing department -- just take a look at their ads -- tells you how fast they are, but doesn't say a word about the new risks you will face (some will mail you a warning a few months later, which may be a bit too late.)

I'm an Average Joe. Actually, that's a lie. I know significantly more about computers than 50% of those who saw a commercial or a kiosk at a mall and signed up for a cable modem. In any case, I'm still an Average Joe when it comes to securing my computer. I would have to say that ISPs, especially broadband, need to start taking some responsibility for educating their customers. If a third party uses my computer's resources to attack someone who returns the favor with a lawsuit, you better believe that I'm not going down without involving my ISP. It would be in their best interest to hook me up with a little "Did you know..." pamphlet at the very least. All it took for me to get online was some guy to plug a modem into my wall and drop some IPs into my settings. Shouldn't these things come with a warning sticker like cigarettes or something?

Am I blaming someone else for my own ignorance? You tell me. I'm not too worried about a DDoS on my home PC. I'm upset about the tabloid journalism surrounding these events. But, beneath it all, the media is indirectly raising an important issue about making assumptions on your network security.

Thanks for the interview, too. Good stuff.

Peace. Sway
icq 5202646
Peace. Sway

Sorted. (4)

Anonymous Coward | more than 14 years ago | (#1267697)

The Transport Control Pixies and the Internet Pixies system the Internet currently uses can be abused, as the recent DoS attacks illustrate, especially with the fat pipes to which many people now have access. These pipes allow many malicious Pixies to be sent to a target, completely overwhelming the target's ability to process them.

The large numbers of Pixies that can traverse these fat pipes is the main problem as I see it. A good short-term solution would be the replacement of the fat pipes with bundles of thin pipes. At the target's end, each thin pipe would have a small tap - when a DoS attack is detected, simply open the taps in turn to allow the unwanted Pixies to drain out into a bucket. Alternatively, a manned barrier could be set up at the end of each thin pipe, and any swarthy looking, suspiciously odious, black hatted, or otherwise dubious Pixies can be turned away. This doesn't aid tracing the source, but will allow the force of the attack to be diminished such that the target can remain relatively unscathed.

Tracing an attack to the immediate source can easily be accomplished by having a little valve in the thin pipe that when turned will shut off the Pixie flow. Subsequent Pixies entering the pipe will cause it to bulge gradually as the backlog builds up. By repeating this procedure back from each machine the source will eventually be found. To save having to walk all that way, the valves could have long pieces of string attached to them so they can be turned on and off remotely.

Finding the perpetrator of the DoS is more problematic. These days, the normal breadcrumb back trail can be easily garbled by the less than savoury element on the internet. The new Internet Pixie v6 implements the Taut String from End to End system to tie the source to destination - any severing of the string to re-route it can be instantly detected by loss of tension. However, this does us no good currently.

It only takes a single Pixie to start a DoS attack, and finding it may not always be possible. An amateur will often leave the initial Pixie unharmed, if a suspicious one is found, seize it immediately (ensure to keep its hands away from any magic pouches/flowers/musical instruments that it may have on its person). A poorly cast Mind Erasure spell can easily be undone by any one of a number of Re Mind perl scripts. A properly cast Mind Erasure can be tricky to undo and will require a special Module be used - if you're not at ease with compiling programs, pop the Pixie in a Jiffy Bag and post it to hemos@slashdot.org (you may need to flatten the packet a little to get it into the floppy disk orifice) - hemos will de-spell it and send the results back by return).

A professional won't allow such evidence to remain - a common method is the Pixie On A Bungee technique. The perpetrator fires said Pixie into the attack machine with a long rubber band attached. With skill, the Pixie shoots in, pushes the Start lever and gets yanked back out at very high speed. A telltale clue of this is often fingernail scratches - sometimes a misjudgement as to bungee length can leave fingers embedded in the lever handle. Unfortunately, unless the Pixie drops his ID card, the chances of tracking back further are very small, and really best left to the authorities.

Wingnut

What to do... What to do... (4)

mosch (204) | more than 14 years ago | (#1267698)

First of all, you should understand System Administration to some degree, this will help you understand basics like daemons, permissions, basic networking, and figuring out what you need and what's just cruft on your system. A text which I gladly recommend is Essential System Administration [fatbrain.com]. This will *not* secure your system but it will help. A lot. Step two, learn about security specifically. You can read Practical Unix and Internet Security [fatbrain.com] which gives a good overview and a fair amount of detail on securing a system, and being assured that they remain that way.

Once you finish doing this, you'll be on your way to being a *competent* admin (even if it is just your own machine). From then on, while you'll be far from a security expert, when some kiddie checks your doorknob, you can be assured that your door is locked, and they'll move on.

I know the books I mentioned cost $35 or so, which if you're young might be a non-trivial amount of money. If it is, I suggest saving up and buying them anyway. If you understand the stuff in them, then you'll know what you need to look up on the net for further info.

Good luck, and feel free to e-mail me with any further questions.


----------------------------

Stay up to date (4)

roystgnr (4015) | more than 14 years ago | (#1267699)

And remove unnecessary services, of course, but simply keeping your system up to date is the most important way to avoid having it compromised. You didn't say which Unix you were using, but all the major Linux vendors have security mailing lists and I can't imagine the BSDs and proprietary Unices lacking the same.

Having a genuine hacker reverse-engineer a bug in a network service and turn it into a root exploit against your system is very rare; I've never seen it done. Having a script kiddie use that reverse engineering to automatically probe and attempt to crack entire blocks of IPs, on the other hand, that happens every day. The trick is to get the bugfix installed before the kiddies start trying to exploit it.

Start out by removing all network services you don't need and using TCP wrappers to limit access to the ones you do need. A firewall wouldn't hurt, but is probably overkill. Then get onto one of those security mailing lists and make sure that no alert goes by without you either disabling the compromisable program or installing a secured update.

That's about all you need to worry about. Most systems that get broken into are cracked simply because their owner never heard about an imapd exploit 6 months before, shouldn't have been running imapd in the first place, and so wasn't ready when the script kiddies started port scanning for it.

DDoS FAQ available (4)

seifried (12921) | more than 14 years ago | (#1267700)

A DDoS FAQ is available here. [securityportal.com]

Kurt Seifried - Senior Analyst http://www.securityportal.com/ http://www.cryptoarchive.net/ http://www.seifried.org/

University Crackdown (4)

bripeace (112526) | more than 14 years ago | (#1267701)

Speaking of security. I have had significant problems with my university lately. Cameron University in Lawton, OK (www.cameron.edu). Ever since these DDoS attacks have been all over the news, the admins here have gone completely crazy. First I lost my hostname (kirk.cameron.edu) because there was 'consentful/unconsentful' traffic coming to my computer and I was running a web server. So I hooked up with kirk.dyndns.org. Then they turned off all incoming/outgoing traffic to my IP address. I notified them after changing IPs, and their reason was so I would contact them. I had been running a 'server' without the net admin's consent and they wanted to notify me. I requested a meeting with the network admin citing that I was not in violation of any AUPs, namely cameron.edu's AUP and onenet.net's (our provider) AUP. I have since been given the run around and have since had all incoming traffic cut off, i.e. you can't telnet in or hit my webserver. All of this in the name of security. I have also not been able to secure a meeting with the net admin. I now see them going completely crazy over 'security' although I know I run my server much better than their own (i.e. daemon9.cameron.edu) which had the php3 status page sitting up all day yesterday. This hysteria reminds me of what happened after Columbine: schools have since rushed to provide better 'security' and in a lot of instances have gone overboard, like that school which required students to wear ID badges with their SSN encoded on the front. I now see this happening here at my school with 'computer' security. Sigh! -Brian Peace

I'm just shaking my head (5)

slarti (15513) | more than 14 years ago | (#1267702)

I'm just shaking my head as I read all the reports about these attacks.

I especially like the part about the Banks not telling the FBI that the attacks were coming.

I worked with the FBI and Army Investigators at the end of August when some co/lo hosts on our network were used as launch pads for a trin00 attack. At the beginning we couldn't understand why they would have chosen our network (we're that high profile). Turns out that they saw that one of our Co/Lo boxes had been hacked 24 hours before (it was posted on www.attrition.org). From there they scanned the network looking for other boxes (which they found). Assuming this was their SOP I started checking with other UNIX sites which had been posted on Attrition not long after/before ours and found 4 other sites which had the exact same thing happen.

A few notes from that experience.

1. Person(s) responsible were stupid and made numerous mistakes which allowed me to track them all the way back to one of their base accounts. There I found all the source code and numerous binaries involved in my attack and in the others I mentioned above.

2. Although the DDoS attacks can have a devastating effect on the target I'm more concerned with the effect it had on the source network. Our outbound bandwidth never went above 60 mb, (we have 150mb), but our core router was slammed to 100% by having to process millions of tiny UDP packets (which is why it never went above 60mb). This effectively shut down our backbone for normal customer traffic (which is how we got the FBI to take notice).

Again this happened in late August, about three weeks after it happened at AboveNet on the west coast. Seems to me like this was their (alpha-beta) testing period.

My concern with these tools is if they can be used to attack backbones instead of sites. i.e. Use many distributed systems to flood backbones with hundreds of millions of tiny UDP packets, keeping their processors so busy they can't pass normal traffic.

Or is it just me?
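slarti's second note is the point that matters for the source side of these attacks: the outbound link sat at 60 Mb of 150, yet the core router pegged at 100% because forwarding cost is paid per packet, not per byte, and a defender watching only bandwidth graphs misses it. The following is an added example, not code posted in this thread: it reads per-packet sample lines in a constructed format, aggregates packets per second, bits per second and mean packet size by source address, and flags sources that are high-rate, small-packet and almost entirely UDP. The two source addresses, the 198.51.100.x destinations and the thresholds are constructed sample values.

```python
"""Flag small-packet UDP floods by packet rate instead of bandwidth.

Added example for this thread; the traffic lines are constructed, not a
real capture.  Input format, one packet per line as a sampling probe or
flow exporter might emit it:

    epoch_seconds src_ip dst_ip proto length_bytes
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple


def parse_line(line: str) -> Tuple[float, str, str, str, int]:
    """Split one record; raises ValueError on a malformed line."""
    ts, src, dst, proto, length = line.split()
    return float(ts), src, dst, proto.lower(), int(length)


def per_source_stats(lines: Iterable[str]) -> Dict[str, Dict[str, float]]:
    """Aggregate packet count, byte count, UDP share and time span per source."""
    raw = defaultdict(lambda: {"packets": 0, "bytes": 0, "udp": 0,
                               "first": None, "last": None})
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, _dst, proto, length = parse_line(line)
        s = raw[src]
        s["packets"] += 1
        s["bytes"] += length
        s["udp"] += 1 if proto == "udp" else 0
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)

    stats = {}
    for src, s in raw.items():
        # A single packet has no span; one second is the floor so rates stay finite.
        span = max(s["last"] - s["first"], 1.0)
        stats[src] = {
            "pps": s["packets"] / span,
            "bps": s["bytes"] * 8 / span,
            "avg_len": s["bytes"] / s["packets"],
            "udp_frac": s["udp"] / s["packets"],
        }
    return stats


def flag_floods(stats: Dict[str, Dict[str, float]], pps_threshold: float = 1000.0,
                max_avg_len: float = 100.0, min_udp_frac: float = 0.9) -> List[str]:
    """Sources that are fast, tiny and UDP: the profile that burns router CPU."""
    return sorted(
        src for src, s in stats.items()
        if s["pps"] >= pps_threshold
        and s["avg_len"] <= max_avg_len
        and s["udp_frac"] >= min_udp_frac
    )


def constructed_sample() -> List[str]:
    """Two hosts over one second: a 40-byte UDP flood and a bulk TCP transfer."""
    lines = ["# constructed sample, not a capture"]
    for i in range(5000):      # 5000 pps, only 1.6 Mbit/s
        lines.append(f"{1000 + i / 5000:.6f} 192.0.2.7 198.51.100.1 udp 40")
    for i in range(200):       # 200 pps, but 2.4 Mbit/s
        lines.append(f"{1000 + i / 200:.6f} 192.0.2.8 198.51.100.2 tcp 1500")
    return lines


if __name__ == "__main__":
    stats = per_source_stats(constructed_sample())
    for src, s in sorted(stats.items()):
        print(f"{src:12} {s['pps']:8.0f} pps {s['bps'] / 1e6:6.2f} Mbit/s "
              f"avg {s['avg_len']:5.0f} B udp {s['udp_frac']:.0%}")
    print("flagged:", flag_floods(stats))
```

In the constructed sample the bulk transfer moves more bits per second than the flood, so a bandwidth alarm ranks the wrong host first; the packet-rate view ranks the flood 25 times higher. Thresholds belong to the link and router in question, not to this script, and a real deployment would key on (source, destination) pairs and sample rather than read every packet.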

Re:Teach Me How To Be Secure (5)

ZZamboni (30487) | more than 14 years ago | (#1267703)

Any pointers or links would be highly appreciated, by myself and others.

Apart from the other recommendations made (Essential Sys Admin and Practical Unix Security are must-haves), I would suggest:

  • Install TCP Wrappers [purdue.edu] and configure it appropriately. Block anything that you don't need, log everything else.
  • Read the corresponding tech tips [cert.org] from CERT [cert.org], depending on what you need (e.g. if you want to set up an FTP server, read the "Anonymous FTP Configuration guidelines")
  • Read the WWW security FAQ [w3.org] if you are planning on running a web server.
  • Use Tripwire [tripwire.com]. They have a commercial version, but you can always use the free version (1.3). I think they also give the newer version for Linux for free.
  • Read other documents at http://www.cert.org/nav/securityimprovement.html [cert.org] and http://xforce.iss.net/library/faqs/ [iss.net].
  • Be always alert for anything strange that happens on your system. There is no substitute for an alert and informed sysadmin.
--Diego
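BlackRomantic's second step above (some means to notice unauthorized changes to your system) and the Tripwire item in this list rest on the same mechanism: hash and record every file while the system is known good, keep that record somewhere the box cannot silently rewrite, and compare later. Here is an added example of that mechanism; it is not code from this thread and not Tripwire's own code. The directory tree it builds, tampers with and re-checks is constructed for the demonstration.

```python
"""Baseline-and-compare file integrity check in the spirit of Tripwire.

Added example for this thread; it is not code from any poster and not
Tripwire's own code.  It hashes a directory tree, stores the baseline as
JSON, and later reports files that were added, removed, or changed in
content, permissions or ownership.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from typing import Dict, List


def file_record(path: str) -> dict:
    """Metadata plus content hash for one path (symlinks are not followed)."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def take_baseline(root: str) -> Dict[str, dict]:
    """Record every regular file and symlink below root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_record(full)
    return baseline


def save_baseline(baseline: Dict[str, dict], path: str) -> None:
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, dict]:
    with open(path) as fh:
        return json.load(fh)


def check(root: str, baseline: Dict[str, dict]) -> Dict[str, List[str]]:
    """Compare the tree as it is now against a saved baseline."""
    current = take_baseline(root)
    both = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if current[p] != baseline[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed sample tree, baseline it, tamper with it, re-check."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    baseline_path = root + ".baseline.json"   # in real use: read-only or off-box media

    def write(rel: str, text: str) -> str:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
        return full

    try:
        login = write("bin/login", "original binary contents\n")
        passwd = write("etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(passwd, 0o644)
        notes = write("home/notes.txt", "nothing to see\n")
        save_baseline(take_baseline(root), baseline_path)

        # Constructed tampering: a replaced program of identical size, loosened
        # permissions, a new dotfile, and a deleted file.
        with open(login, "w") as fh:
            fh.write("replaced binary contents\n")
        os.chmod(passwd, 0o666)
        write("lib/.extra", "unexpected\n")
        os.remove(notes)

        return check(root, load_baseline(baseline_path))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        if os.path.exists(baseline_path):
            os.remove(baseline_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The replaced program in the demo keeps its exact size, which is why the check compares a hash and not just length or timestamps. The baseline and the checker are only as trustworthy as the place they live: anything that can rewrite the JSON, or swap the interpreter doing the hashing, defeats the comparison, which is the same reason GoNINzo's statically linked ls from a clean source mattered in his TFN case. Keep the baseline on read-only or removable media and run the comparison from a known-good copy of the tools.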

Re:Teach Me How To Be Secure (5)

technos (73414) | more than 14 years ago | (#1267704)

First, get a working firewall in place. It doesn't matter that you don't comprehend it, because you're wide open as-is. Visit ipchains.nerdherd.org [slashdot.org] and download the automatic firewalling scripts.

Second, print a copy of the Ipchains HOWTO. Yeah, you just killed .1% of a tree, but you can always use it as toilet paper after the Great War. Read it and the ipchains man page until you feel you have mastery of the 'chain' concept and of DENY, ACCEPT, and REJECT. This should take you less time than printing the HOWTO on an Epson 1200.

Sit down and determine what ports you need wide open, what ports you need one-way and what ports you need closed. /etc/services helps here. Write it down, perhaps on the back of the ipchains HOWTO.

Now you actually write the firewall script. You've got your ports picked and you know the basics of the ipchains command, so it shouldn't be hard. Test it. Have a friend nmap you, etc. Test your applications. Do they still make it out fine? Print it and staple it to the HOWTO.

Why have I told you to make hard copies? That box is probably going to be running without intervention far longer than you will remember every decision you just made. When it does need attention, or you need to do the same sort of thing again, pull down the HOWTO and you have everything you need.
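Several posts in this thread ask for the same thing from different angles: the anonymous question about directed-broadcast pings and Zygo's per-interface DENY reply, jalbro's suggestion that inbound SYNs be blocked unless the customer asks otherwise, and technos's procedure of listing which ports are wide open, one-way or closed and turning that list into an ipchains script. The following is an added example, not code posted by anyone in the thread, that turns such a list into an ipchains input chain. The interface name eth0, the 192.0.2.0/24 address block and the single open port 22 are constructed; the emitted commands assume a 2.2-series Linux kernel with ipchains and are only printed, never executed.

```python
"""Emit an ipchains(8) input chain from a small policy description.

Added example for this thread, not code from any poster.  The interface
address, the port lists and the rule text are constructed for illustration;
the emitted commands assume a Linux 2.2 kernel with ipchains, so this
script only prints them and never runs them.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Interface:
    name: str   # kernel interface name, e.g. "eth0" (hypothetical)
    cidr: str   # address with prefix length, e.g. "192.0.2.10/24" (constructed)

    @property
    def address(self) -> str:
        return str(ipaddress.ip_interface(self.cidr).ip)

    @property
    def broadcast(self) -> str:
        # Directed-broadcast address of the attached subnet: the destination
        # a smurf-style amplification ping is addressed to.
        return str(ipaddress.ip_interface(self.cidr).network.broadcast_address)


@dataclass
class Policy:
    interfaces: List[Interface]
    open_tcp: List[int] = field(default_factory=list)   # services the world may reach
    open_udp: List[int] = field(default_factory=list)
    reply_udp_from: List[int] = field(default_factory=lambda: [53])  # see note below
    log_denied: bool = True


def sysctl_lines() -> List[str]:
    """Kernel-side answer to directed-broadcast pings, independent of the chain."""
    return ["echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts"]


def ipchains_rules(policy: Policy) -> List[str]:
    log = " -l" if policy.log_denied else ""
    rules = [
        "ipchains -F input",        # start from an empty chain
        "ipchains -P input DENY",   # default policy: drop what no rule accepts
        "ipchains -A input -i lo -j ACCEPT",
    ]
    for ifc in policy.interfaces:
        # ICMP to the subnet broadcast is never legitimate for an end host; log it.
        rules.append(
            f"ipchains -A input -i {ifc.name} -p icmp -d {ifc.broadcast}/32 -j DENY{log}")
        # Anything on this interface not addressed to our own unicast address
        # (broadcast, multicast, other hosts' traffic) is dropped silently.
        rules.append(
            f"ipchains -A input -i {ifc.name} ! -d {ifc.address}/32 -j DENY")
    # Wide-open ports: new inbound connections to listed services are accepted.
    for port in policy.open_tcp:
        rules.append(f"ipchains -A input -p tcp -d 0.0.0.0/0 {port} -j ACCEPT")
    for port in policy.open_udp:
        rules.append(f"ipchains -A input -p udp -d 0.0.0.0/0 {port} -j ACCEPT")
    # One-way TCP: segments without SYN belong to connections this host opened
    # and are accepted; any other inbound SYN is a new connection to an
    # unlisted service and is refused (jalbro's "block all incoming SYN").
    rules.append("ipchains -A input -p tcp ! -y -j ACCEPT")
    rules.append(f"ipchains -A input -p tcp -y -j DENY{log}")
    # ipchains keeps no state, so replies to our own UDP queries (DNS answers)
    # can only be admitted by source port.  This is the hole a stateless
    # one-way policy must leave open, and why it should be as narrow as possible.
    for port in policy.reply_udp_from:
        rules.append(f"ipchains -A input -p udp -s 0.0.0.0/0 {port} -j ACCEPT")
    rules.append(f"ipchains -A input -j DENY{log}")
    return rules


def render_script(policy: Policy) -> str:
    """Full sh script: sysctl first, then the chain, in order."""
    return "\n".join(["#!/bin/sh"] + sysctl_lines() + ipchains_rules(policy)) + "\n"


if __name__ == "__main__":
    # Constructed single-homed home box: one DSL interface, sshd reachable.
    home = Policy(interfaces=[Interface("eth0", "192.0.2.10/24")], open_tcp=[22])
    print(render_script(home), end="")
```

Rule order is the whole point of the generator: the per-interface "not my address" DENY sits before any ACCEPT, the listed ports are accepted before the blanket SYN DENY, and the final DENY catches what nothing else matched. Testing it the way technos says (have a friend nmap you, then exercise your own applications) checks both directions, since the stateless UDP reply rule is the one that breaks name resolution if it is forgotten.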

Teach Me How To Be Secure (5)

Syn.Terra (96398) | more than 14 years ago | (#1267705)

I'm a SysAdmin newbie. I know only rudimentary UNIX. I am ignorant. I also have a constant cable modem connection.

(There, I said all the facts, so now none of you can for me.)

I want to learn how to be more secure. I don't trust MediaOne to protect me from all the Big Bad Script-Kiddies. I want to do this myself, but I have no idea how to start. And I feel this is a fundamental problem with many people who have constant connections.

The question was asked in the interview but I don't think the answer was satisfactory (instead of "here is a solution" it was more like "here is what everyone should do"). Does anyone have some easy references for people like me who want to keep their constantly connected system "more secure"?

Any pointers or links would be highly appreciated, by myself and others.


------------

Re:Teach Me How To Be Secure (5)

madbomb (123832) | more than 14 years ago | (#1267707)

This goes back to my original comment [slashdot.org] posted above on people taking initiative on how to secure themselves from the outside world. I have a certain amount of admiration for people who want to learn things such as this.

Anyways, the Security-How-To [tucows.com] would be an excellent place to begin. Along with checking some of the other how-tos. Shadow Password [tucows.com] and Secure Programs [tucows.com] would also be decent documents. Beyond that, make sure to keep a constant eye on Bugtraq (mailing list) as well as CERT advisories for newly found bugs.
