Forgot your password?
typodupeerror
The Internet

Undernet In Serious Trouble: Any Suggestions? (Updated) 501

Posted by michael
from the where's-the-KGB-when-you-need-them dept.
An Undernet admin writes: "For the past 4 days, many of Undernet's servers have been hit with constant DDoS, massive stuff on the order of 100M/sec that doesn't look like it will clear up anytime soon. The major services with which Undernet is associated, including Uworld and the channel service bots X and W, have been removed because the ISP that hosts them cannot afford to have them online, and even with them offline, the ISP has continued to be hit with the DDoS. Several servers will be forced to delink permanently if this continues. And all of it's happening because a script kiddie in Romania has nothing better to do with his time, and with his head start, many other groups have decided to lend a hand and take out other servers while his main pummelling is going on. We're about to run out of new ideas, since we can only code in so much security so fast, and law enforcement isn't terribly effective. What does the Slashdot community say?" There's a notice on their Web site. Update: 01/08 09:49 PM by michael : The news story we linked to was ancient.
This discussion has been archived. No new comments can be posted.

Undernet IRC Network in Serious Trouble - Any Suggestions?

Comments Filter:
  • by Anonymous Coward
    single men (who aren't getting any sex) seem to be responsible for 99% of bad things that happen.
  • by Anonymous Coward
    Stupid, stupid, stupid. It's a shame that DDOS hax0r t00l5 are available as binaries. If the lus3rs had to configure;make;make install they'd probably never figure it out. =)))
  • Someone suggested that we need to prevent people from "rooting" machines in order to prevent these attacks. The poster is correct, this is what we need to do. Anyone have any ideas how to prevent this?

    The problem are all those unsecure-by-default linux installs. If all the linux distro companies would effectively TRY to make a secure linux distro then maybe there wouldn't be as much unsecure boxes out there.
    I find it particularly damning that Debian, a non-commercial distro, is the most secure compared to all those other overfunded and undersecured distros.
    It has been proved time and time again that people do NOT need all those services that are on by default in Redhat and Mandrake and all the others, yet every new version still comes with the most easily rooted apps all running in an open-to-everyone config.
    Never mind the fact that it's possible to build a distro that has all these services, but none of them running as root. No, that would mean actually innovating for a change.
    Jeez, man, I love Debian, but I hate linux.

  • These days, when any moron can hook up a DSL or cable modem box and any moron can have his shitty unsecured Linux box hosted at a lousy datacenter with a fat pipe to the Internet, is it any wonder Distributed Denial of Service attacks are as common as they are?

    Think about this: DDoS attacks can do much more monetary damage than car accidents can, yet we have no system of regulating just who can and cannot get onto the Internet. Would you let twelve-year-old get behind the wheel of a McLaren F1? Why, then, do we let them (and people of their maturity level) onto our global networks unsupervised? There needs to be some system of accountability and a standardized measure of competence in order to be allowed onto the Internet.

    Maybe I'm elitist, but that's how I feel about it all.

    - A.P.

    --
    * CmdrTaco is an idiot.

  • >Castration probably won't be effective. We've >already proven without a doubt that the losers >involved here have no balls.

    And probably will never reproduce anyway. Just as well. What is it that drives people to wreck shared resources that other people are enjoying for no good reason? Can they find this gonnif and get rid of him please.

    The cure of the ills of Democracy is more Democracy.

  • The problem here is because a high-bandwidth machine can cause _soo_ much havoc on a network.

    It is stuff like this that might cause your computer to be blocked. You may do what you want with your computer, but if your computer causes trouble on the network, don't be surprised if your service providers yank your connection. It is your right to do what you want with your computer, but the ISP has a right to not supply an open feed to problem computers.
  • If he disabled telnet, he did you a favor. Telnet is a sucking chest wound of a security hole. Install OpenSSH [openssh.com].
  • Nope. I dont agree. If I want to run an insecure, crappy box, thats my right. Just like if I have a house, and want to leave the door swinging in the wind wide open, its my peroggative. But if you leave your door swinging wide open, and a bunch of organized crime guys move in under your nose, and use it as a crack cocaine distribution center, it's now YOUR problem.
  • Check out MindTerm [mindbright.se]. It's a free (GPL) pure Java implementation of an ssh client. Works wonderfully as an applet under the common browsers. So the best way to be sure you can always access your account is to install this on your webserver, then all you need is a web browser with a Java runtime. This even allows you access from things like knee-capped kiosks, where all you get is a browser.
  • The complete inabilty for the legal system to get their act together is to blame.

    In the real world, tromping on someone's flowerbed is vandalism. But unless there's a serious amount of money stolen, most police agencies won't touch it.

    These kids are immune to most real consequence. OK, so he's in Romainia, fine. If the US FBI finds him, they can't touch him unless the Romainian feds want to get him, too; and depending on how someone feels about the US taht day, they may just slap him on the wrist. Remember ILOVEYOU? They may not even have a law for this kind of thing.

    Lets face it, until more of these waste-of-flesh dickweeds start getting gang-raped in jails, the problem won't go away.

    (sorry I'm so mad. I just get sick of this crap)
  • The problem here is because a high-bandwidth machine can cause _soo_ much havoc on a network.
    It's just like leaving a car running, unattended, unlocked with the key in the ignition. Any jerk can jump inside it and start driving it around recklessly.

    You do that, and you can bet your ass you'll be "ticketed" for leaving your car running unattended.

    --

  • How about choking ICMP requests? Let them go at normal pace, but if they eat more than 5% of the bandwidth, choke 'em (but log'em).

    Of course, CICSO will charge an arm and a leg for that "feature"...

    --

  • Just like EFNet undernet is dying. Here's an idea, why not hide the bot's ips from clients and hide server links from clients?
    Also, why doesn't someone DDOS this kid's isp. That should make it hard for him to broadcast smurfs or control Trin00 /TFN zombies.
    How come we haven't seen stuff like this happen on the OpenNap networks yet?
  • I am sure the directional finder always lead to the local trailer park.

    -josh
  • From the wire:

    XINHUA

    January 8, 2001, Monday

    HEADLINE: Romania to Adopt E-business Law, XINHUA

    BUCHAREST, January 8 (Xinhua) -- The Romanian government will adopt a law package for the development of e-business, newspaper reports said Monday. The package includes the law on e-commerce, digital signature and fraud in this field, Communication and Information Technology Minister Dan Nica was quoted as saying by the daily Ziarul Financiar.



    Nica said that the ministry's specialists had already consulted with specialized parliamentary commissions on the bill, which was sent to all those interested, mainly to the IT community in Romania, for their opinions. According to Nica, the law package is almost ready, and the Ministry of Justice will complete it over the next days with the stipulations of penalties for fraud on the Internet. He said that Romania would soon have a regime of fraud treatment similar to those in Western Europe and the United States.

    The law on e-commerce will stipulate the rules of such activities and the consumer and seller protection measures. After this minimum legal framework is created, Romanian authorities are to initiate bills of e- document and e-archive, e-notary and e- public administration, as well as a separate set of changes of bank, insurance and capital market laws to represent the legal basis for e-financing and e-banking activities.
  • You keep repeating that these are immature children, and implying that once they hit puberty this will stop. This sounds rather contradictory to the usual stereotype to me; the classic "these are people who can't have sex" would suggest that they're in fact kids who *are* in puberty right now. In fact, I would dare claim that this terrorism isn't about property; at least where I live, that sort of behaviour disappears at age of 12 or so, and I've never seen a 12-year-old who could use a computer (strange, isn't it?).

    Rather, I'd say it's about sex and the lack of it, just like they said. Without too much experience in issue, I'd say that it's not exactly uncommon that 'normal' kids do pretty dumb stuff too, just because they think it'll improve their chances of getting laid, or to impress their friends. Usually they just don't have enough power to do much; here they do.

    I'm ashamed to admit it, but the IRC politics, wars and the attack sounded just cool when I read it. Yes, cool. In times past, weren't the kids in puberty those who fought? It's the war instinct, if there is such.

    Umm. I'm not going to read that again, it sounds pretty strange.

  • Sure, just like you have a right to own a gun, leave it sitting on the border of your property, then shruging your shoulders when someone commits a crime with it.

    Of course, on the other hand, you aren't responsible if your car is broken into and it is involved in an accident/crime, it's NOT your problem.

    So, really, it's just a matter of precedence. It's up to a judge in a case that's never been to court yet whether your misued resources are your problem. I hope the concept of negligence works its way in, because a neglegent sysadmin can be responsible, indirectly, for measurable damage/loss.
  • I wish I could tell you that there is an easy answer to this problem. Let me preface this post by saying that I've had experience with a problem almost precisely like this, where a friend's local ISP that he ran from his house was the subject of dDOS attacks on a regular basis, and those attacks were (when someone boasted or whatnot) related directly to the users running local IRC servers on his machine. So this problem is not limited to Undernet, neither its nature nor the lack of full-time resources to deal with it. And the end result of our situation was not encouraging, after losing 3 T1 line providers due to 'disruption' of their networks (not that they helped at all), my friend had to remove IRC server access and lose a large number of customers.

    When dealing with these problems, we had a very methodical and (we thought) reasonable way to at least diminish future attacks. Keep in mind that this applies to smurf style attacks and not ones in which floods are launched directly from hacked machines. There is little that can be done for those aside from notifying root@host and hoping they lock it down. For smurf attacks and similar, which can be identified by having multiple 'attacking' machines within the same IP subnet, indicate a misconfigured router that is allowing IP broadcast ping packets into the subnet and replies to get out. I have never seen a reason why this should be allowed, and yet for years routers shipped with this as the default. Our methods involved the following:

    1. Issue a single broadcast ping packet to NNN.NNN.NNN.0 (or was it .255?) and count the responses. If multiple machines responded, then the problem was in place.

    2. Figure out to the best of our knowledge who 'owned' the routing for the IP range, typically through a traceroute or reverse lookups.

    3. Contact, via standard abuse@ addresses, the network administrator of the subnets being used in the attacks, informing them of the problem and the solution.

    These efforts lead to several hundred subnets being secured against use in dDOS attacks, which is a drop in the bucket but a decent accomplishment for a few guys with other jobs to do. It also lead to our being labelled by network admins as troublemakers and (often) criminals. A large percentage of net admins contacted didn't even know what we were talking about, and when we tried to refer them to well-known consultants that we had no affiliation with aside from knowing their name, we were called spammers or worse.

    So until broadcast ping from outside of subnets is commonly blocked (and I believe most new routers ship this way) and the paranoid attitude that is ironically allowing these attacks to continue is reexamined, there is little hope to see it dry up. Skr1pt k1dd1e culture isn't about to go away, because wise-acre kids will always think they know best. Until then, best of luck in finding ways around this.
  • All the problems I've ever had with IRC have been with operators. Every single one of them.

    I've argued, even flamed (and been flamed) before, but that's the same thing that happens anywhere else. But then an operator sees this (or is told about it) and the stupid twit takes it upon themselves to save everyone from themselves, by banning them from a channel or from a server.

    If someone without operator status doesn't like what you say, they either ignore you (/ignore or similar) or tell you, then the world goes on. If someone with operator status doesn't like you, you get kicked, gagged, banned, etc.

    IMHO the IRC networks shouldn't have channel ops, just a /ignore that really works (blocks everything, at the server). That way nobody could own a channel, or conversely, take it away. If someone said something you didn't like, you could /ignore them. If you didn't, it'd be obvious that you cared more about taking away their ability to say something that you did about just not hearing it.

    And, for the uses where a private controllable (and secret) channel is desired, unnamed (and thus undesirable to control) channels that are created when you invite someone to a private chat should let the creator add and remove people at will. So if I need to talk to someone about something I create a temporary numbered channel such as #18327349 (randomly assigned, how thrilling) where I can kick someone from and nobody can join without an invite.

    This way nobody could control the obvious places of gathering, #linux, #c, #quake, etc. These would always be free and open. But if anyone really wanted to talk about something private they could go off to a special temporary channel with their friends and have all the necessary control.

    But, it'll never fly. I proposed this to a few IRC addicts once and the reason they gave for not wanting this is that they couldn't give and remove power by giving certain people ops and adding them to the bot. It was all a power trip to them.

    That was when I stopped using IRC except for technical matters (asking and answering questions on programming channels, etc.)
  • Only "bozos" running home nets use Linux box as routers. Ever heard of companies like Cisco? Ones that make dedicated routing hardware?
  • yours is no better.

    you do have the right to leave your car unlocked and the keys stuck.
    even if you do lock it, someone could break the window and steal it.

    do you want to be responsible for every person that the guy runs over?

    greetings, eMBee.
    --

  • but there is i big difference between commiting a crime and being just stupid, careless, dumb.
    tongue (post #380) [slashdot.org] got it right.

    greetings, eMBee.
    --

  • The incident you're remembering is the one that was described in the article that was originally listed, and later reposted in comments. It's 4 freakin years old.

    This is an entirely different situation.
  • e-px didn't say there wasn't anything going on now, just that the article being referenced to describe the situation now is from 4 years ago.
  • I'd say its a perfect analogy (aside from the problem of scale--few script kiddies can claim to have cause someone's death, as a car can).

    By locking your car, you are taking REASONABLE precautions that an unauthorized user will not take it and do damage with it. Certainly, this doesn't prevent someone from breaking into it and hotwiring it, but REASONABLE precautions don't necessarily ensure no misuse, but they make it difficult.

    However, if you leave your Stingray unlocked, with the keys in the ignition and the engine running in a bad neighborhood and your insurance company finds out, its a safe bet they won't pay the cost of replacement. Likewise, if someone gets killed as a result (and again, assuming everyone knows how you left it) its not a stretch to assume you will bear some liability in its misuse, though i doubt it would be criminal, probably civil.

    The case of an unsecured box is the same. While a home box may be looked at as something along the lines of a pinto parked in your garage, circumstances under which i might leave my car unlocked, an ISP more closely correlates to a Stingray or even a Mac truck in a highly visible, public spot. To leave such a box unsecured is unconscionable. Additionally, if the ISP is publicly traded, the administrators are leaving the company open for a due-diligence lawsuit from its investors.

    the moral? don't be an asshole. if you have bandwidth to spare, at least disable extra ports and check your logs every once in a while. and if you run an isp, for gods sake secure it. your users will thank you for it.
  • Considering this keeps happening (including how another Romanian script kiddy did this to Undernet in 1997 [wired.com]... this isn't just an isolated event. What can we ALL do? Or should we even care anymore, and just let IRC fall once and for all?

    I'd chat with you more on this, but I can't seem to find any stable EFNet server...
  • It's things like this that make things like the Honeynet Project [honeynet.org] look more and more attractive to me every day. I think that it would behoove more than a few of us to install honeypots on our networks and then prosecute anyone we catch. If there were enough honeypots around, we might start catching a higher percentage of the PFY's and getting Johnny Law knocking on their doors. While we may not be able to get the bastards in Romania, there are quite a few countries that don't look kindly upon this type of thing...

  • However, I think the case can be made for beating them within an inch of their lives, to the point where they are unrecognizable. My logic is as follows: The primary reason that script kiddies pull shit like this is so that they can get recognition. If they have been worked over to the point where they are unrecognizable, what's the point? You'd see incidents like this drop like a rock.

    So by all means, go a little vigilante and work them over with a tire iron. But don't kill them. Make an example of them, and the others will fall into line.
  • Now in order to make the task more difficult simply give out only one hostname that all users will use in order to connect.

    Most IRC networks do this already, an alias of irc.[networkname].net (or .org, or .com). However, the names (and addresses) for the individual servers are still available, and for good reason. Users want to connect to a server which is local (networkwise) to them. Sometimes a server may become disconnected from the network, and any users on that server will want to change to a server still connected to the network.

    As long as IP is used, it will be impossible to prevent users from knowing the address of the servers anyway, so there is no benefit in even trying to hide them.

  • I'm surprised to see slashdotters not rushing to defend these DoS attackers by saying something like, "They are helping by exposing security flaws and vulnerablilities so that they can be fixed."

    I mean, that's the typical position one can expect from Slashdot when dealing with someone who has defaced a webpage or otherwise tampered with a system. Those people are considered noble.

    Yet, I've gone through a hundred posts and not one doesn't call for the death of these alleged DoS attackers. Yes, what they are doing isn't as creative as drawing a Hitler mustache on Janet Reno on the Department of Justice's webpage, but is it that much worse? Apperently yes, because the victim is the innocent Undernet, and not the evil government. Bah.

    I suggest to the Slashdot editors that they try to leave out their biases as much as possible in the headlines/stories because the biases are often flawed, hypocritical, inconsistent with previous biases, or just plain stupid.
  • by Zurk (37028)
    "in each case the teenager telnetted to the server and obtained root access". what the FUCK ? he obtained ROOT access to the ISPs servers and they couldnt stop him ? people - this is fighting the wrong battle. any joe random cracker should NOT be able to obtain ROOT access to ANY server at ANY ISP. period. if those servers had been locked down tight and the sys admins at the ISPs werent so freaking incompetent this would never happen.
  • Sometimes some people have little respect for the amount of time and effort people put into their hobbies. I do find that disgusting, and I wish all of you the best of luck in maintaining order in spite of this problem.

    By the way, you're cute ;)
  • I don't know much about DDOS so if I'm talking out my arse, just ignore me.

    Is it possible to trace route the connections the attacks are comming through? If so, would it be possible to find the closest router points to each of the sources and have the controlling IPS become aware of the abuse and filter it out?

    I'm sure this must be a very basic way to look at things but if it could be accomplished it might buy enough time to let everyone calm down and think about how to block it rather then having to think franticly which almost always allows for oversight.

  • Incredibly Massive Orchestrated Retaliation.

    Its time those of us at risk of losing or home server and our way of life, to take up arms against these heathens. I say it is to be war between us! We shall do as our fathers did and our fathers before that! We shall point our mice and click the buttons, type the commands, and speak the words that send Millions upon Millions of brave packets to sacrifice their lives to protect our way of life, our dignity, and our porn downloads, and teach those evil bastards a lesson they will never forget!!!!!!!!

    ;)

  • ...but somebody will repost it in its entirety anyhow, just to be safe.


  • Just because it's a "virtual" carpetbombing of a "virtual" community, people tend not to look outside all of the software-based possibilities. Like, say, the police where the kid lives.

    The cute "dept" tagline asks where's the KGB when you need 'em. Well, if there are ISPs going out of business because of this kid's actions, then law enforcement agencies will take interest.

    Right, so, now that we've voted to bell the cat, who wants to contact the Romanian embassy? :-)

  • About a month and a half ago, EFnet had similar problems. The server splits were getting so bad that many of the age-old EFnet servers were disconnected. However, one thing which helped EFnet was the breaking off of many of the servers to form the new net OpenNet. I think this helped two-fold.

    First, it helped the users doing the DOS attacks realize that they were making a huge dent, and that if they continued, they really would lose their playground.

    Secondly, it helped the network as a whole because many of the conflicting groups and users doing the DOS attacks changed networks.

    Opennet has somewhat dwindled now, it was a bit of a fad, and most of the users have returned to Efnet. But I think its effects are still lasting. EFnet is without a doubt more stable.

    Perhaps Undernet needs a similar approach. Just my 2 cents =)
  • Sure. People who run servers should, absolutely, always and no questions asked, be held completely responsible if their box is used to break into another box.

    Don't you realize that it is impossible, impossible to completely secure any box that has a network connection to the outside? Or, for that matter, a box to which anyone is allowed physical access? It's simply not possible. Not only that, but new vulnerabilities come out all the time! That's why we sysadmins read bugtraq, CERT and CIAC.

    I strongly disagree with your assertion that people running a server should be held responsible for breakins just as though they themselves had performed the breakin. It is not always--actually, rarely--the fault of the person who runs the box that was used to leapfrog. Sysadmins do their best to secure boxes to the best of their knowledge and ability, but we are busy people, and we have many other things to worry about in addition to network security.

    I would say that an ISP or a person running a server should take all steps possible to secure a server against attack, and be prepared to demonstrate that she did so if there is an investigation. Only in cases of negligence or deliberate malice should someone be held responsible for actions occuring on or through the server they run.

  • I remember several years back when another "cracker" from Romania was causing problems for Undernet. Attacking servers, attacking services. Problem was that Romania has no laws regarding computer crimes, at least none worth mentioning.

    However, the person in question made the mistake of attacking the norman.ok.us server, which is/was hosted by the National Severe Storms Lab. Attacking a government server is a big no-no. It was enough for one of the opers to contact a friend with CERT and get Romania's internet traffic blackholed. Sent to the bitbucket as it hit the major backbones. It was a quiet day, and suddenly there weren't any more problems from that person again.

    So why not go through CERT again? If Romania's not going to respond to problems from its citizens, then they should be treated just like an ISP who won't do anything about spammers. They get the death penalty, except this time it's the Internet Death Penalty, rather than the Usenet version.

    -Todd

    ---
    • what [is] the legal recourse?
    Practically nothing. And this assumes you can conclusively prove they are the one(s) responsible. Very few people/organizations ever take legal action -- it costs far more to track the son-of-bitch down and haul their ass into court than they could ever recover.

    Generally, they are too young to be crimally prosecuted anyway. PLUS, once you cross a country border (or several), it becomes even harder to bring legal action.
  • More like if you decided to drive an unsafe car on the road. And no, you don't have that right (at least not in North America).


    I like that analogy.. let's extend it:

    Wind0ze = Ford Exploders, built Ford tough - to explode!

    BSD = Volvo, boxy IS sexy!

    anyone think of any more? :)
  • uh, I use usenet on a daily basis, and have for 6 years now. it's not dead. there are just as many tight, solid communities out there now as there ever were, if not more.

    i just don't get the whole "usenet is dead" argument.
  • Well, I'm on Undernet right *now*, and I can tell you that it looks fairly legit to me. The network is something of a total mess. I haven't talked to any Opers about what is going on yet (they're probably busy), but from what my friends online tell me, and what I'm seeing, the information at Undernet.org is basically right.
  • If someone walks into this open house, takes the gun you have in there and then kills someone with it, you are responsible for letting them obtain the gun. (Strange US gun state laws notwithstanding)

    Likewise when someone abuses a site you've left unchecked, the site owner is responsible. You can bet your ass that if this was being directed at a business instead of at Undernet, that they would be suing the pants off everyone whose systems got rooted, for negligence, aiding and abetting, you name it.

    You have the right to do whatever you want with your system, but if something bad happens with them, they are ultimately your responsibility.

    Fross
  • Get on the case of the companies that are letting him root them, and force them to take responsiblity for the damage he does with their computers...


    Sure, and while you are at it, if anyone's home is ever broken into and a firearm stolen, charge the homeowner with murder. While you are at it, the next time your local corner store is robbed, charge them with a drug related offense, as we are all pretty certain that the money will go to buy drugs, anyways....


    I'm tired of the 'if you would just secure your boxen' stuff. So, my servers aren't locked down - doesn't give every Tom, Dick, and 5kr1p7 kiddie the right to mess with my crap.


    Hey, it's just my 2 pfennings. We are all entitled to our opinions - you, yours, and me, mine.


    -jerdenn

  • Please tell me how removing a murderer from society (he can never kill again) does "infact [sic] make the problem worse in a way".

    I think it's a social/psychological argument - long term, if a society as a whole gets used to killing everyone who's a criminal, then the individuals in that society will be comfortable with killing as a solution to problems. Same principle behind showing many hours of mindless media violence to desensitize your population to real-life examples of that violence.

    Short term, of course, killing the truly incorrigible is a "cost-effective" solution.

  • I think the _militant_ pro-lifers would be quite happy if abortion was a capital offense. Then they could kill evil doctors in the name of God & receive accolades from society while they're at it.

    The only reason they're operating outside of the law, is that the majority of society doesn't agree with their extreme views.

    Of course, they've justified their behavior by defining the situation as being in a "war", where it is acceptable to sacrifice human life to achieve some "more important", long-term goal.

    What makes ME even more disgusted, are the pro-lifers who aren't willing to pull the trigger themselves, but who quietly condone (& support) the behavior of the militants because of the widespread chilling effect it has on the availability of aborton (all those agent-of-Satan doctors fearing for their lives).
  • Nah, I just worked for MCI Internet Provisioning for a while. Our level of service was pretty piss poor but apparently we were one of the more together providers out there. Of course, Sprint's always sucked donkey balls anyway and I used to say that before I worked for their competition, so it must be true.

    It really doesn't matter how important the service is. What you have here is terrorists from a third world country doing major damage to our infrastructure. So today it was the undernet. What if tomorrow it's a newspaper or a dot-com business that may perhaps already be struggling. The script kiddies will become bolder as they discover that they can get a company to roll over with relatively little effort. No doubt we'll start seeing some blackmail cases; pay us $100,000 or your link will never come back up. That sort of shit. Or maybe someone out there who doesn't like AOL will just decide to take them down for good. The attacks we're seeing now are just the tip of the iceberg.

  • True. What that does is shows Romanian Authorities that the problem is somewhat more severe than they originally thought. I guarantee you that if you shut a country out of the net, you'll find a lot of resources in that country will suddenly be turned toward finding the culprits. In theory anyway. It's worked great on Iraq and Cuba, hasn't it?
  • Nothing popular yet, but at least one very talented software engineer I know of wants to create a DNS-based client-to-client chat service that would allow for a total distributed chat architecture, so that you could never DoS a server, only a single client. There would be no such thing as "ops", and no need. Clientserver chat protocols had their day, and were good in their day. Time to change models.
  • Your exactly right, the entire undernet has a baditude, most people on undernet are just capital assholes, especially in technical forumns ...

    For instance, in #solaris some retard (who was an OP!) was telling the newbies to unlink /dev/zero ... they were keeping tally of how many people they'd gotten to ruin their boxes...

    For some reason, the "culture" of the undernet has mutated into an angry, arrogant, mob ...

  • Having being a undernet frequent visitor over the past few years, and knowing most of the wrong people, makes me doubt Romania.

    What can they do? A firewall would help, some, but not solve the problem (FreeBSD ipfw cost $30 486 w/8-16mb ram and 500 mb harddrive,).

    But a firewall will not fix the problem, no not much will, except make everyone happy of which will never happen. But you cannot let them, the kiddies, walkover Undernet so it is forced to close, you must stand up so they cannot do it to another server and another.

    If it is a DDoS, then obviously the kiddie got in the machines that he is using by a vunerability, and is controling them, but I doubt he fixed the bug, kill the machine? (shutdown now) Contact the dumbass admin that didnt patch his server, tell him you were forced, by 50000-60000 undernet users. But it does not really matter in the end though, he will always find more insecure boxes, and he can continue the attack, any "Romanians want to go raid his house and make his ass stop please? I really wouldnt mind, and I doubt most people would care other than him and his parents.

    Oh well just my few tidbits of information.
  • There are alternatives to IRC and most of them are smallish and content specific. Personally I prefer an environment with less people for exactly the reasons you mentioned. OpenVerse Visual Chat is such an environment. It's desgin limits the mass destruction which can occure on Undernet. Check it out at http://openverse.org/


    They are a threat to free speech and must be silenced! - Andrea Chen
  • It's poor form to reply to one's own post, but I must make a correction. There are 20-odd ops and regulars who are active in channel and on a need-to-know basis on what goes on in channel; but the headcount in channel is usually from 80 to 100. The other channel referred to in the post, the older one, usually has a little bit more than that.

    That is all.

    "The GIMP Girl"
  • Whatever happened to that scheme to have major routers follow every 20,000th packet with a routing info packet? That was being talked up a while back as a way to trace SYN floods.

    Once you've got the forged source address problem under control, the rest of the problem can be worked. Try turning on fair queuing at the first upstream router at a bandwidth choke point.

    If you can actually find the attacker, having them visited by a lawyer and private detective working together can be very effective.

  • Gypsies are the Roma. They are not Romanians. (Read More... [google.com])
    Like Tetris? Like drugs? Ever try combining them? [pineight.com]
  • Even if you turn all of Romania's ISPs off, it does not stop your smart kiddie from using another country as a proxy, just make an international phone call. This gives me an IDEA. What if this is not even done by anyone in Romania? What if it is one of MS's and RIAA's elaborate schemes to stop IRC communications (everybody knows IRC is a software and digital media pirates' heaven.) Romania could be used by a BIG player as a tool for destroying IRC
  • I'm tired of the 'if you would just secure your boxen' stuff. So, my servers aren't locked down - doesn't give every Tom, Dick, and 5kr1p7 kiddie the right to mess with my crap.

    That is, interestingly enough, not in line with traditional Anglo-Saxon common law concepts, such as maintaining an attractive nusiance. If, for instance, you have a swimming pool, you are legally responsible for taking active steps to keep neighborhood children out. If you don't and one jumps in and drowns, you can be held civilly and (IIRC) criminally liable. If you don't lock your tool shed and the neighborhood drug dealer takes it over as his place of business, you can be held liable. I am merely suggesting holding people with open network connections to a similar standard: if you have a box that's likely to attract DoS kiddies, you must take serious steps to keep them out or be held partially liable for whatever damage they do with your box.

  • And seeing an article on Slashdot about something you're doing is probably a good way to egg him (or her) on.

    This may not always be the case. One of the serious disadvantages to virtual "communities" (like Slashdot, or IRC, or UO, or whatever) is that it's very easy to forget that there are humans on the other end of the line. It's a whole hell of a lot easier to destroy something when the only consequences are to a group that doesn't seem real.

    There really are people who like to hurt things -- people who set cats on fire. These people are broken. But just about everyone likes to destroy things -- people who built big lego cities when they were a kid, just so they could play godzilla, or play Quake deathmatches, or just see how many levels deep they can 'eval' their scheme interpreter before the machine grinds to a halt. These people are, for the most part, not broken.

    The problem is that crashing Undernet is a little like watching the NASCAR crashes in the sports hilight films -- it's pretty easy to imagine that there are no real people being hurt. But, by publicizing this, there's a slim chance that this punk will realize he's actually hurting real people.

    Of course, it would be nice if they provided his name and address, so someone could go explain it to him in person.
  • Maybe someone should patent one-click hacking, and then sue everyone who used the apps.
  • To every bozo running an ISP out there, use this script on your router to prevent anyone on your net from forging an address:

    #!/bin/sh

    #This will prevent anyone forging an adress on your net.
    #Lots of stuff stolen from pmfirewall.

    IPCHAINS=/sbin/ipchains
    INNERIF=eth1
    INNERIP=`ifconfig $INNERIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
    INNERMASK=`ifconfig $INNERIF | grep Mas | cut -d : -f 4`
    INNERNET=$INNERIP/$INNERMASK

    #Deny and log all packets with forged addresses from the internal network.
    $IPCHAINS -A input -j DENY -s ! $INNERNET -d 0/0 -i $INNERIF -l
  • I disagree. Sorry.

    Leaving a gun unattended is not inherently dangerous. It is not inherently dangerous, realy. It still requires an act of willing (or smallish child) human being to commit and evil or malicious act. ANd thats not my fault, but that persons.

  • you can't complain if someone wanders into it

    Yes, you can. Tresspassing is illegal with or without those silly "POSTED" signs.

    I see it this way: No matter what, you never should be held accountable for an act that did not physically do. That means - if someone takes your gun that you left on your front porch and shoots someone you shouldnt be held responsible. In the case of the fire-bug bale of hay - if someone else comes buy and throws a match on it - thats the act of culpability in my book - he gets 100% of the blame. Now, if ten mintues later it spontenously combusts then you have 100% of the responsibility.

    Thats just the I see - its called responsibility- and individuals need to have it for the acts they comitt - and only those acts. I can see your argument - I just dont agree.

  • Yes, "sir", you gave them opportunity. But its there fault.

    This is a serious problem, in this country. People who try to pawn blame off on people who did not comitt a crime.

    Leaving a box unsecure is *not* a crime. Yes, you should secure them. Yes, you have that obligation to your clients. But no, if someone hijacks one (illegal) and then breaks futher laws (also illegal) with it, then it is 100% there fault, without doubt. If it was your box, you should not be held accountable for someone else's illegal actions. Ever.

  • I disagree. I am not a party to the act.

    Having an insecure box is not a crime. If someone else breaks into my box, they have comittied the crime, not me. Therefore, they should be held responsible, and not me. It doest matter if I have an OC-5 connected to it, with a big sign saying "i'm vulernable" attached to it. The person breaking the law is the responsbile party. End of story.


  • I have no hope of ever having sex (with a human) but I have hardly ever used IRC. I find these kind of sterotypes offensive to the "no chance of getting shagged league".
  • MIT is one of the major hubs of the net. (actually, a number of certain high tech universities are major hubs, but that is another topic)

    In some places in there, they have bandwidth that makes OC48 look like a dialup modem.

    Ping Flood anyone?

    but seriously, maybe one of those type of places would be happy to host X and W on a really really fast machine. or a main frame, all as an experiment in internet security countermeasures.

    then add in some sort of code to escalate the response is an attack continues, so that the more a kiddie attacks, the more the kiddies get hammered until they go *poof*!

  • It's Michael. Notice how the link to the Undernet site is gone now. I'm glad to see that Slashdot's authors are professional enough to admit they've made a poor judgement call and take the necessary steps to correct it.
  • > > Castration probably won't be effective. We've
    > > already proven without a doubt that the losers
    > > involved here have no balls.
    > And probably will never reproduce anyway.

    Maybe they will clown, hu I mean clone, themselves?

  • always lead to the local trailer park

    Not always, but often enough. It mostly did go to poor neighborhoods and never to the elite part of town. How ever it did go to some nice country homes right on the riverbank once. About 1/4 were from cars. They were most likely to initiate flame wars thinking they were unfindable. Fortunately, they usualy parked someplace making rapid triangulation very easy. With music blaring, they seldom noticed my arrival, plate copy and departure. (I don't hang about to get shot at or identified) The DF stuff was descrete and looked like twin mirror mount trucker antennas. It wasn't the obvious loop or beam antenna. Later they get the friendly letter on the front door and under the wiper blade. Another advantage then over DOS now was the guy you were looking for was within 20 miles.

  • Back in the 70's the same thing happened, but it was called CB radio. Linear amplifiers and music were the common D. O. S. attacks after a flame war got started. My effective defence was a radio direction finder. Leaving a note on the offenders door worked wonders as it proved the attack was not as anonymous as they originaly thought. The difference then was they couldn't use my radio in a D.D.O.S. attack where now computing services are stolen and used in the attack. I got out of CB radio and never got into chat rooms. I got better things to do.
  • The IRC protocol and conventions need a major overhaul, IMO. On the one hand, they are not robust to many kinds of abusive behavior. On the other hand, they expose the IP addresses and login names of users, creating privacy and security concerns as well without helping protect IRC itself significantly.

    Unless IRC gets fixed or replaced by a new open protocol, you are probably going to see more and more chatting move to proprietary protocols and servers.

  • Huh? :)

    I was referring to the criminal act of driving a car which is not road-worthy (comparing it to the not-criminal act of putting a not net-worthy server on the 'net). It is dangerous to drive an unsafe car, because other people could die when your brakes fail. By a similar token, it is dangerous to put an insecure box on a major Internet backbone (highway?) because of the damage it could cause when it is easily rooted.

    --
    All men are great
    before declaring war

  • Granted... :)

    But that also depends on your perspective. To a corporate chairman or major investor, a few people dead on the highways due to unsafe vehicles would seem insignificant next to the death of their web site.

    --
    All men are great
    before declaring war

  • Sounds like a good reason to me to not allow corporations determine our laws.

    Like we needed another.

    Seriously frightening when aggravated sexual assault (think - that's raping and maiming or attacking with a weapon another human being) carries about the same maximum sentence as a serious copyright infringement.

    --
    All men are great
    before declaring war

  • Don't you feel stupid?

    You just wasted a lot of time writing that in response to an old troll.

    Not really. Not knowing his history, I still figured on the possibility it was a troll. But I think it is always good to bring a rational thought into such a discourse. After all, if the only responses are "begone troll" and "begone pedophile," and this happens time and again, doesn't this create a potentially inaccurate representation of /. posters? He is, after all, trolling our open-mindedness. Do we want to lose that to deny him his little yuk?

  • Roger, While I agree with you that in our current society, sex with children would be very harmful, if we were more enlightened it would be completely different. May I ask: What is your definition of a pedophile?

    A pedophile is one whose primary sexual attraction is to children. This does not mean s/he cannot have sex with adults, only that the most satisfying image possible is that of sex with a child. Both hetero- and homo- sexual variations are possible.

    I think you should be able to entertain whatever fantasies you want, but I think I speak for the consensus when I say sex between adults and minors should not be allowed. I don't think the power relationship can be resolved in any productive way. While it might be possible to establish a relationship that even the minor party finds enjoyable and feels is non-coercive, the weight of years and experience will always be there in ways that just don't exist when two adults are thrashing out their differences.

    And it is really hard to imagine a world in which this would be different, no matter what the differences in mores or technology. We are born knowing nothing and need a prolonged developmental period to establish our concept of self. Sexual experimentation between children may be a natural part of that process, but I don't think that sex between children and adults is.

    I have seen indications that some so-called pedophiles area actually "getting off" on the power imbalance itself, rather than the child-adult thing. That may be an individual quirk, but it's worth paying attention to. Most of us arne't into sex with kids, but everyone understands power. In our culture, it's the universal fetish.

  • *sigh* live and learn.
  • Applicable to the DDoS problem.

    I'm in the security business. When trying to find chinks in the armor, I've done serious damage to checkpoint, pix, raptor, ipchains and other firewalls.

    We've recently started rolling out Netscreen boxes for perimeter defense. They proxy the 3way tcp handshake and reliably deflect synflood, udpflood and pingflood attacks, among others. We can then use the flashier boxes with more bells and whistles to do more detailed inspection of what makes it through. We're deploying a good number of these becuase their ASIC architecture is so danged good at the wire level checks.

    Of course, this doesn't help if you have 100MB of SYNs coming in across your T1, but they'll never make it through to the server to hog up it's resources.

    If more of the backbone providers used a tiered approach to protecting their pipes, the DDoS kids would have a lot less success. Steve [integrate-u.com]
  • Great! I'm from Romania and I'm delighted to see the great minds come to work on Slashdot. This is (probably) just one person. He has a permanent Internet connection available, which means here either he is rather rich (these things aren't cheap here, you know) or is a student living in campus. Things like "Bomb Romania" or "Let's bring their Internet connection down for two years or so" don't really help. And they shouldn't be at +1. And, FYI, the gipsy population here does not exceed 5%. Most of them don't use computers and I doubt that those who do would do such a thing. This is because someone here mentioned "armed gypsies".
  • by Restil (31903) on Monday January 08, 2001 @04:58PM (#522165) Homepage
    Castration probably won't be effective. We've already proven without a doubt that the losers involved here have no balls.

    -Restil
  • by segmond (34052) on Monday January 08, 2001 @08:42PM (#522166)
    the really kicker is that he "telnetted" in. NO REMOTE ROOT login should ever exist, telnet, ftp, ssh, etc. how sad...

  • by jorbettis (113413) on Monday January 08, 2001 @05:58PM (#522167) Homepage
    or worse yet, angry ircops who are scriptkiddies themselves.

    Heh, I know the feeling. I have frequented the SlashNET network for a few years now and have developed some fairly nice friendships. Recently, the ops of radon.slashnet.org and perdition.slashnet.org decided that it would be great fun to use their IRC Operator status to harass me.

    They kickban me from the main channel at random, make the servers reset my connection, set services to automatically kick me, they've even gagged me twice. The second time they would have left it on, but I was able to ssh to another box and log in from it to make it known that I had been gagged. They then removed the gag and tried to pretend that they hadn't done it.

    Needless to say, IRC, which is supposed to be a recreational activity, is now a pain. I do not get on to be abused by a couple of assholes who happen to have enough access to somebody else's bandwidth that they can become 1337 s3rv3r 0pz.

    If they're trying to get rid of me, they're doing a pretty good job. I'd already be gone if I was any less interested in the other people on that network.

    I wonder how many of these attacks on IRC networks are caused by an Op abusing his powers and burning a few bridges with the wrong people.

  • by rgmoore (133276) <glandauer@charter.net> on Monday January 08, 2001 @04:43PM (#522168) Homepage
    We're about to run out of new ideas, since we can only code in so much security so fast, and law enforcement isn't terribly effective. What does the Slashdot community say?
    Well, how about trying to secure some of the boxes that are being used for the attacks first? According to the second linked article:
    Another Under Net operator stated that the attack began Saturday when the unidentified youth telnetted from Romania to FishNet, a Ventura, California-based Internet service provider. Once he obtained highest-level "root" access at FishNet, the youth launched at least smurf attacks - one against his former Internet service provider, the Romania-based Logicnet, and another against a UUNet service in New York...

    Benefield said the youth entered FishNet services via news and mail server daemons, leaving his electronic footprints in the server logs.

    The youth, who is believed to be between 16 and 19 years of age, then went on a juggernaut across the global network, stopping first at ISPs in Oslo, London and other parts of the UK, as well as hitting Chicago ISP Napnet. At each stop, the youth would log onto the server, obtain root access, then delete files, canceling accounts. In some cases, it wiped out the entire businesses such as the ISP in Oslo.

    The first thing to do is to stop letting the guy root computers with great connectivity and bandwidth. Secure the damn boxes and he won't be able to do this kind of thing. Get on the case of the companies that are letting him root them, and force them to take responsiblity for the damage he does with their computers. There's really nothing you can do as long as this vandal can get his hands on serious DoS capable hardware.

  • by LightningTH (151451) on Monday January 08, 2001 @04:42PM (#522169)
    EFNet has been under a constant DDos for awhile now. It has been to the point sometimes that chat is impossible and almost all servers delink. Upon looking at EFNet.org [efnet.org] it is obvious how many servers have permamently left.
    Also, did the DDos ever stop on the LinPeople IRC network? I know it was being hammered by someone that wanted things his way.

    The real issue is that there are scripts and applications out there than make it 1-click possible to hack computers. This is to the point of 1-click to hack the whole internet. People need to learn about security and how to tighten their computers down and keep up with security holes so they are not prone to being hacked. There are a ton of linux users out there, but a very small percentage that know how to correctly use it and secure it so their computer is not part of the DDoS's.
  • by _ganja_ (179968) on Monday January 08, 2001 @08:29PM (#522170) Homepage
    Nice idea but I'll give you the first problem: With DDOS the source address of the packets are forged so you have no valid source address.

    Second problem: These attacks are distributed hence packets come from many different places, more than one source.

    Third problem: There are many different types of DOS attack, so you can't just filter on packet types.

    The best analogy I can think of for DDOS attacks is this: Imagine someone had a worldwide gang of people that wrote post cards to you, they each sent you 300 post cards a day and there was a hundread people in the gang. You'd get 30,000 postcards a day that you never asked for, this would fill up your mailbox and you wouldn't be able to get your important mail. All you could tell from the post codes was that these cards came from 100 different places around the world. Furthermore the post office now want to charge you for all your extra mail and the only way to stop it is to tell the post office to throw out all your mail including important letter (or else move house).

    What some of the major of ISPs are doing is running netflow accounting so they have detailed traffic logs but these tend to be huge. With these logs it is just about possible to indentify the source of the packets *IF* all end-to-end ISPs run this and are willing to co-operate. Just like traceing a telephone call in old movies this takes time and if the machine stops DOSing the target it can make this a lot harder. Once you have found a slave machine in theory you can check the netflow logs for the initial connection from the controlling machine that started the DDOS. This sounds like a pain and it is, it is my understanding that no-one has ever been caught doing a DDOS by this method.

    Sniffing packets at ingress points for known DDOS master to slave commands would be a possible solution BUT every possible ingress point would have to impliment this (not realistic - massive understatment) and all the DDOS authors would have to do would be to change the used commands. This would just combat script kiddies using old software really.

    Two words: Difficult problem.


  • Really, I do.

    The Undernet was a place that I was able to use like the proverbial Roman agora, shaping a lot of my political arguments and testing them against people who otherwise would not have dealt with me.

    I was 15 years old and an over-bright geek girl when I discovered #debate on Undernet, which I had joined due to my recent accession to the Debate Team at highschool. I, a new anarchist, met some of the great folks who were making up the famous and oft-mirrored The Anarchist FAQ [blackened.net] . Some of the issues I discussed -- and was forced to research at a level far higher than would have been required at school -- included prisons and imprisonment, the decentralization of utilities, and other supposedly "boring" questions of public policy that I learned, early on, were fascinating to me. Like other geeks I specialized early and Undernet was my venue to this specialization.

    I argued with long time anarchist theorists as well as libertarians, Democrats, Republicans, and government employees and politicians with decades of experience in politics and policy. Nobody gave a shit- or knew, without a lot of work- that I was young, Jewish, Yankee, and female. It taught me that mentality was key and that I could do anything.

    I then joined up in #politics, which is slanted much further to the right and is often very silly and vapid- but still often contains some of the best and most informed argument on the Net from time to time. People have discussed foreign policy, economics, ecology, cryopreservation, and lots of other issues in there.

    I have gotten jobs and close friends through Undernet. I will be a lifelong inhabitant of #politics as long as it exists and isn't overwhelmed by script kiddies or other idiots.

    My congratulations to IRC's staff for keeping it up so long and my hopes that Slashdotters can help them, loan them the brains, time and other resources necessary to fend off this idiotic attack.

  • by suwain_2 (260792) on Monday January 08, 2001 @05:51PM (#522172) Journal
    (Is that a real word?)

    Posting a Slashdot story, and making a huge deal out of this is a horrible way to try to resolve this problem.

    Had no one ever mentioned anything, this "script kiddy" would have wondered what was going on and stopped the whole thing. But now he's probably seeing that "Underworld" has acknowledged the attack (it's written in a sad, melanchony tone; and it also gives the impression that they are clueless and helpless -- I know this isn't the case, they just seem to have worded it poorly.) And seeing an article on Slashdot about something you're doing is probably a good way to egg him (or her) on.

    Just let it die of inattention -- it's remarkbably amazing how well this works.

  • Nope. I dont agree. If I want to run an insecure, crappy box, thats my right. Just like if I have a house, and want to leave the door swinging in the wind wide open, its my peroggative.

    Just because I am free spirited, unworryied, or just plain lazy/dumb/maleducated doesnt mean I share responsibility when someone else breaks the law. If you break the law, then YOU have the full responsibility - not me, not some ISP, not some guy with a cable modem or DSL line.

    This is a major problem, people shirking some personal responsibility to someone else - its not effective (read: passing the buck) and its plain and simple not right. The person who breaks the law is responsible for the law breaking - not the guy four hops down or up the ladder.

  • by bl968 (190792) on Monday January 08, 2001 @10:53PM (#522174) Journal
    The primary issues facing Undernet, Dalnet and EFNet is that they give the script kiddies all the information they need to launch savage DDOS attacks. The IRC networks give out to any interested party the IP addresses of the servers, the IP addresses of the hubs, and finally they give out the IP addresses of the end users. When you provide the keys in a manner such as this, expect someone to try them in the lock.

    The first step to resolving this is IP mirroring. Unless you are an irc operator, you see your own IP address on each server and each user on the network. This removes the first bit the user needs for a massive disruption of the network. Ircops need to be able to see the hostmask in order to protect the servers from the misdeeds of users.

    The next step in protecting your irc network is to have no publicly listed server connecting to any other publicly listed server. All hubs should be ircop only. This makes it so that the hubs the all-important links to the edge of your network are hidden from public and from the hackers view.

    Now in order to make the task more difficult simply give out only one hostname that all users will use in order to connect. Each server would be required to take users if the resources are available for them. Local users to a server would of course have priority. The single hostname may not totally protect your network however it will ensure the hackers have to work a bit harder to get the information on the server they are using to connect. No offense to any serious hackers out there is intended however script kiddies are by and by lazy creatures.

    These measures will not protect the average user who accepts CTCP chats or DCC's however those who do not should have total immunity from the script kiddies.

    In order to provide channel operators with a modicum of control in their channels have a bot that can see host masks and accepts ban commands via private messages giving the users nick. The bot would only allow the ban if the user issuing the command is a channel operator in the channel they are requesting the ban for.

    You could also get smart and use channel services. Channel services while it might rile some of the ircops who see channel ownership as a bad thing. However a private ownership of a channel once created and registered tends to make sure that there is no point in attempting to split servers from the network in order to try to take control of a channel. If you do not like ownership of channels simply, decide on a very short-term idle channel deletion. If a channel is popular enough to have people online 24x7 then they have the right to decide who controls their community.

    Many IRC networks and services packages implement these security-improving provisions already. You can look at Stratics IRC Network [stratics.com] which while small has a very effective implementation [stratics.com]. Stratics IRC is a gaming related network [stratics.com] offering these features. [stratics.com]
  • by nightfire-unique (253895) on Monday January 08, 2001 @04:58PM (#522175)
    some of them over 20 these days (get a life, folks)

    Um. Have you considered the irony of posting something like this to slashdot?

    --
    All men are great
    before declaring war

  • by alhaz (11039) on Monday January 08, 2001 @04:45PM (#522176) Homepage
    Face it. IRC is the universal home of Those Who Have No Hope Of Ever Having Sex.

    Efnet, undernet, chatnet, all the big nets. the PFY's known as scriptkiddies (some of them not even youthful pimple faced youths anymore) go to IRC because it's somewhere that magically makes their penis extend two or three whole inches, just because they can find some person or some group of persons, cause them a great deal of displeasure, and say "Look what i did!" to their buddies.

    What these twits would realize, if they had grey matter operating above the brainstem, is that by doing this, they're making everyone who has donated equipment and bandwidth to IRC networks question whether or not that was a good idea.

    IRC networks are going to go away because of scriptkiddies, unless these kiddies, some of them over 20 these days (get a life, folks), knock it off.

    Would YOU run a public irc server if it ment you were going to get DoSed into the stone age twice a week? I sure as hell wouldn't. Maybe that's why chatnet only has 4 servers in the US these days.

    All that being said, undernet has always been a haven for oversexed, underage wankers anyway.

    Go ahead, moderate this post as a flame. I'm just upset because my home channel, which has existed in one form or another since the previous bush administration, has been moving around from network to network lately trying to find one that doesn't get shut down constantly by angry users, or worse yet, angry ircops who are scriptkiddies themselves.

  • I personally find this article interesting for the simple fact that I'm a Systems Engineer at one of the Undernet sites that was forced to delink last week because of the DDoS on our Undernet server[1]. I've read most of the comments, and must say that most of them are lacking in the kind of content that the ordinator of the article has requested. In fact, most of them border on immature (which must be why most of them are moderated to a 1 or a 2). With that said, many comments had useful incites, though they are defiantly not news to anyone close to any IRC network.

    First of all let me state that I have as little to do with the actual operation of the Undernet server or the network as a whole as possible. That role if fulfilled by another group who works very hard with a real task and literaily deals with IRC problems in their personal time, so it's hard for me to comment on the politics of their situation. I can however, comment on the politics, and a few technical details (For certain reasons, I'm more than a little vage in what we observed during the attack) of the situation I was involved with at the time. What follows is somewhat of a chronology of the event.

    Hr 1 - 3. The attack started pretty slowly. So slowly that it really didn't set of any alarms, though some customers on remote parts of the network did notice high latency, and a bit of packet loss. This was enough to start looking around, but not really enough to suspect an attack.

    3:00 - 3:15: Connectivity is lost to nearly any network that requires crossing a border router. The traffic stats from the border routers show that nearly every bit of connectivity is full company wide. It was clear that at this point that this was probably an attack, though it was unknown what was being attacked, or where it was coming from.

    3:15 - 4:00: Using historical data the sources of the attack were identified. Using this data, we initiated contact with each provider we have connectivity from to request filters be placed in their network to block the attacks. At the same time the company's tech support call center is overwellmed with calls from customers experiencing various problems. Further, all the major application servers (mail, news, etc) are also nearly unusable since they no longer have connectivity to the remote machines they were talking to. As a topper, one of the noisier (literaily) network monitoring programs our NOCC uses has gone into "make random noises mode." This is due, in large part, to the nearly 600 alarms it thinks exist because of connectivity problems to the rest of the network.

    4:45: I remove the FDDI cables from the FDDI card in the IRC server.

    4:00 - 4:30: The attack is starting to dissipate. It's theorized that it's because the machine that was being attacked was no longer on the Net. Also about this time, the distributed filtering should start taking place.

    6:00: After spending a couple of hours cleaning up the mess that such an attack leaves on all the other machines I receive the standard email from the security people requesting time estimates for my labor on this afternoon's Comedy Hernia Hit.

    This chronology is reflective of nearly every other DDoS attack I've experienced in the last 12 months. It's clearly frustrating, and a complete waste of my time (especially since it was my last working day before a very rare vacation), and it should be pretty clear why I don't want IRC servers on a network I have to maintain.

    Let me be clear, at no point was the server itself ever effected (other than, I assume it lost connectivity to it's hub during the attack), but nearly other major application was affected in some way, and it definitely caused a lot of paying customers to not get the service they pay for.

    Someone suggested that we need to prevent people from "rooting" machines in order to prevent these attacks. The poster is correct, this is what we need to do. Anyone have any ideas how to prevent this? I know all the machines on my network are secure, but I can't control machines I don't maintain. And that's just the problem. This isn't about the host sites securing their network, most of them do and the ones who don't learn quickly that they have to. Adding (more) security features to the application (ircd) also isn't the answer, as the machine itself was never affected. Hunting down the initiator of the attack only prevents that person from attacking anything for a while, like the death penality I see no indication that it's a real deturiant to the crime. Quite honestly, I too am at a loss as to what, if anything, will ultimately solve the problem short of completely abandoning the technological foundations that the Internet was built on.


    As for law enforcement, they are generally quite interested in such attacks[2], but they have clear guidlines in what they can and can not get involved in (you have to show a capial loss grater than a specificed amount). In this case I know these guildlines were met, but generally these investigations go nowhere because the trail often leads to cracked machines that have no usefull telemetry of the attack, or the intrusion. I have often thought that companies who fail the maintain basic security on their network should be held liable to damages to other networks in these situations, but even that is quite troublesom.
    Of course, there is one method that solves this problem, at least for me. It was to remove the service from our network. As a Sysadmin who has customer's who pay to use other services I have no trouble with this. As someone who tries to be a useful member of the "Internet Community" I have serous issues with this method. In this case, no good deed goes unpunished.



    [1] In fact, I personally pulled the FDDI cables out of the machine during the attack once we determined the machine that was the
    [2] Though, sometimes you have to work to make contacts with people smart enough to care.
  • by Thalia (42305) on Monday January 08, 2001 @04:59PM (#522178)
    I expect this is the Trinity attack that is described in considerably detail here [iss.net] by X-Force [iss.net]. You can find the actual article and anlysis of the Stacheldraht tool here [washington.edu] written at the University of Washington. The author of that article claims that he wrote a program [washington.edu] that detects Stacheldraht on a system. Of course, getting the ISPs that are sending these DDOS messages to actually use some security might be a bit difficult. By the way, this is old news, since the CERT advisory [cert.org] is dated June 99.

    Thalia
  • by greysoul (62792) on Monday January 08, 2001 @05:41PM (#522179) Homepage
    I feel my comment is best left to my writeup on Everything2: People like that are the reason I left Efnet (idea) [everything2.com]
    But, if you don't feel like reading it, I'll sum it up here. and add a bit, now that I think about it.

    -------
    I used to be a script kiddie, then I hit puberty.
    You either understand that last statement or you dont. Kids are kids, and having worked with emotionally hadicapped (not retarded) in a highschool setting, I know what they do with computers. I'm the one who had to fix them. (macs, no less)....

    There's 3 reasons I've found that kids like to break things

    1. They don't own it, so they cannot comprehend that it has value to someone. This is perfectlly normal for kids between the ages of 2-6, it varies in it's severity, but it usually goes away before kids are injected into the social realm of dealing with other people in school, so it's not a big problem.

    2. Kids between the ages of 6-18 more commonly express their destructive skills on something because they do not understand it, and feel that by breaking it they have power over someone who does know how to use it. Ownership isn't a factor in this, I've seen kids break their own things because they cant make it work (you see this very commonly with "broken" toys in younger children.

    Again, most kids will stop, or mellow down by the time they've hit puberty.

    The third case is most common in mentally or emotionally challenged children:

    3. "If I can't have fun with it, no one can." This is more common among older kids and extends beyond material items. This is the only case where I've found that ownership REALLY matters, but not in all cases. most people, however, grow out of this phase as well.

    So what is someone who hasn't outgrown this state well past the time they should have? The police and doctors call them Sadists and Sociopaths. In this case however i would feel reluctant to use either of those terms. I think in this case it's more a case of a pre-pubescent pissing match between himself and another channel.

    Back in my own script kiddie days on IRC I witness MAJOR network wars included the disabling of about 50% of the @home network in san diego, cutting down telephone poles, cutting off power to NOC's, angry kids beating the SHIT out of the kid who nuked him at school, calling in bomb threats to places, ANYTHING and EVERYTHING they can do to disable an ISP even if only for a second.

    just long enough

    All that shit I saw, was _ALL_ related in one way or another to "channel takeovers" some of them over things as petty as who's allowed to flirt with the only girl in a channel, platform debates, music debates... rarely over anything more mature than a 6th or 7th grade level.

    Which brings up this point: most of the people who do this are still kids (under 18) so unless they nuke a military server or something, all their gonna get in most cases is a warning, maybe a fine.


    So, what's to be done? I say it's time that the more mature half of the internet joins together to fight this in a way that younger kids have no controll over. I've had AMAZING success tracking down script kiddies and calling their parents. People who are clueless, or who have something to lose by being related to a kiddie, are VERY helpful.

    Here's some ideasI've used and had VERY good success with.

    1. Fight back online - Pro: it's fast and can be effective. Con: lowers you to their level.

    2. Call their parents/employer/school*** - Pro: Can be VERY effecting in the long term. I've had people fired, grounded, suspended, and reprimanded with one phone call. Con: Can take a while, or you get someone who just doesn't care.

    3. Call the ISP from which the attacks orginate.* - Pro: Admin's will always know what you're talking about, and they're usually helpful as DDOS through their systems reflects badly upon them, costing them dollars. Con: most dialup/residential ISP's dont really care or log things, so it's hit or miss.

    4. Shut it all down, and walk away for awhile. - Pro: Best idea if you can afford this option. Most kiddies get bored after a few days, or when school starts. Con: depending on who you are, shutting down your system and doing something else may not be possible.

    So, there you go... those are my loosely compiled thoughts and ramblings on the subject of Script Kiddies.... ciao
    -Doug

  • by _outcat_ (111636) on Monday January 08, 2001 @06:54PM (#522180) Homepage Journal
    I've seen some amusement on this thread, amusement at the very fact that Undernet has been DoS'd.

    Well, don't be. It's not funny. There are people losing money because of this; there are people who are becoming absolutely brainless and deciding "Gosh, it'd be fun, let's go the way of the skript-kiddie and and help the DoS'ing be even worse!"

    Then there are dedicated channel ops and owners who are building bots, starting channels, writing mailing-list software to help their members and fellow ops deal with the crap that's going on. I'm a 200-level op on one of the linux channels on Undernet (check my user info for more information) and while there are those here who feel IRC is a waste of time, I believe it's one of the best ways to communicate with people all around the world about a common interest. If you don't like IRC you don't have to use it. I can see how some people think it's a waste; but it's something I enjoy. And so do 20-odd other ops and regulars in this channel.

    I met these people because they helped me install Linux over two years ago; there are ops and regulars who are good friends of mine from Australia, New Zealand, Canada, the US, UK, Malaysia, Germany, Greece to name a few. We put faces to the names via webcams; we know who's going out with who, we comfort our friends when they're going through crap, and we came together and cooperated with a mailing list and new bots and new policies once W went on the blink.

    Someone tried to compromise our channel yesterday (a takeover, for the unschooled) but order was restored. With W (X for other channels; we happened to have W when he was still around) the oplist, auto-kicks, and bans are very easy to store; without W, the guy managed to get ops by pretending to be one of us. Could have done some damage, but thanks to some IRCops (Thank you seti and saralee!) order was restored, new bots put in place, and new channel policies. I know there are other /.'ers out there who know what a close-knit channel is like and how much it sucks when stuff like this happens.

    Right now there's rumors that W and X will never come back. If they don't Undernet is dead...and where is a channel to go? Some IRC networks have strange ident issues; some are dying out; and some have a structure such that it's hard to even keep hold of a channel because of skript kiddies. Right now Undernet splits a lot--too many users and not-so-perfect routing. It's also hard to connect to a server. There's a lot of lag.

    And now I get to a point I think bears hearing: Forking doesn't mean animosity. (Are you reading this, RMS? :P) There's another Linux-related channel on Undernet which a few people split off of for one reason or another, and those people started our channel. There was some degree of disdain amongst our channel because of some of the policies of the first channel. (I like the place, though. :) But the two channels are cooperating on some of the DoS issues. We're all about Linux and getting a good place for our users to chat.

    To the skript kiddies out there who are continuing to pummel Undernet because you think it's cool: Stop acting lower than dirt and get a life. You can find something better to do than cost people time and money.

    "The GIMP Girl"
  • by cluge (114877) on Monday January 08, 2001 @05:44PM (#522181) Homepage
    Most resposible ISP's do that, although it is AMAZING the number of people that absolutely refuse to do it! Cisco filters are easy enough to implement, Look here for examples for those interested [mtiweb.com] Tracing down a problem sounds good but remember Big ISP's like UUnet, sprint etc don't like needing to turn on some sort of logging to try and trace packets, it increases load on their routers/servers (if even for a few minutes). If the source of packets is going through a hugely congested site (MAE east) the likely hood of finding somone willing to do a trace is about .005% to -100%

    quick story
    I remember getting TONS of spam from a machine a major university. It appeared to be a machine running in the astronomy dept. I sent a nice friendly e-mail about it, as our users were getting 20 to 30 spams a minute through it and wanted to stop being told where to get Viagra (Bob dole already told us thank you). The official response from the sys admin was a none to polite, "Fuck you and mind your own god damn business".

    My response was to cc that with a letter asking a bunch of questions to 2 local newspapers and 1 TV station and the president of the alumni association. The open relay got closed *magically*

    What the point to my incessant yammering you ask? Sometimes ISP's (especially smurf sites in Japan *ahem*) need to be bullied into doing some of the most obvious, easy things. Some ISPs claim that filters cause problems, increase router load etc, etc, etc. The problem usually is that no one has brought it to their attention, or rather no one has screamed at them loudly enough.

  • by _ganja_ (179968) on Monday January 08, 2001 @09:09PM (#522182) Homepage
    I wasn't there but based on the details above which are extensive there is something that I would have done very quickly that would have saved you grief at least in some of your network. Even if you did what I'm about to mention, its worth posting as its also good advice for anyone else getting DDOS'd (or aleast its a starting point).

    DUMP THE ROUTE As soon as possible stop advertising the affected block to your peers, this is the fastest way to prevent the traffic entering your AS and saves bandwidth on your internal lines. It under your control and its faster than informing all your peers and waiting till *they* get filters in place, its not their problem and even if they filter the traffic it still takes their external bandwidth.

    This depends on your BGP config and a few things will happen, firstly if you're a large ISP you're going to lose other customers as you're not advertising their IP addresses and depending on peering agreements the minimum could be as large as a /20 or /19 but its better than lossing the whole network and all your customers! If upstream peers from you are not aggregating your routes this will in effect remove the route from the whole net (might take a little while to converge the whole net) and the traffic from the attacking DDOS machines won't get very far (their own subnet). If your routes are aggregated upstream and you've withdrawn the route the traffic stops with the upstream ISP anyway.

    This should give you breathing time without the loss of your whole network and (at least you'll have bandwidth to telnet to your routers) identify which machines were getting attacked. Talk to the upstreams and get them to dump the host(s) specific route to null.

    I meet far to many network admins that think they know everything there is too know about networking that just state "what can I do but put filters on the border", which is fairly useless for preserving external bandwidth which of course is what your customers are paying for.

    BTW, while I'm here, anyone want to give me a job?

    Will configure routers for food.

  • by nightfire-unique (253895) on Monday January 08, 2001 @06:28PM (#522183)
    Nope. I dont agree. If I want to run an insecure, crappy box, thats my right. Just like if I have a house, and want to leave the door swinging in the wind wide open, its my peroggative.

    Hrm. Bad analogy.

    More like if you decided to drive an unsafe car on the road. And no, you don't have that right (at least not in North America).

    --
    All men are great
    before declaring war

God made machine language; all the rest is the work of man.

Working...