On Wed, 9 Feb 2000, Travis Pugh wrote:
On the subject of cooperation, has anyone set out to catalog where these attacks are coming from, at least in terms of compromised networks, and share said information?
As far as I know (thank you C-SPAN), the FBI has logs of the hosts used to originate the traffic, and are now going through them to find the "innocent third parties." At this time, since it's part of a current criminal investigation, this information will not be made available to "the public," though they are saying this is going to be a joint venture between the FBI and the Internet Community
I know similar catalogs sprang up in response to smurfs ... is it time to start listing offending networks? Even better, does anyone know if the attacks are using something like TFN2K and using dummy addresses to obfuscate real attacking hosts?
Not sure, since it seems the discovered DDoS programs don't seem to have the capability to forge the traffic, though it's not too terribly difficult to modify existing exploits to do so.
I see a lot of talk of attacked sites putting up router filters to stop attacks. Can anyone who knows let the rest of us in on what was filtered ... was Yahoo taken down with a flood of HTTP GETs, ICMP, UDP, SYN floods, or what? If this is a DDoS, the attack could probably be fingerprinted ... this would be very useful information if we are going to see more tomorrow. Do we know if the source addys are spoofed, and if an attacker could turn off spoofing, revealing the source of the traffic but getting around some filtering?
I have a feeling you're going to see many more in the next couple of days, and certainly some periferal meltdown as an after effect. While no official details regarding the attacks have been announced that I've read, there are a few advisories on some of the known DDoS attacks. Dave Dittrich has posted some excellent material on the DDoS's that have been found and you can view them at his homepage located at http://www.washington.edu/People/dad/. He also has links to scanners (written by NFR President Marcus Ranum, Dittrich, and others) that can help look for the known DDoS daemons on servers.
I am making the assumption that the last three days' attacks were caused by the same person or persons. But the intent is the same regardless ... we can all go back and forth on NANOG about what might be happening, and wait for the feds to chase down the attacker(s), or people who have been attacked or might be attacked can compare notes and try to get an idea of where the attacks are coming from and exactly what they are.
Well, to quote a Wired article, "A Yahoo source close to the problem told Wired News that they hadn't contacted the Feds during their trouble yesterday because it would do no good."
Any relevant info would be appreciated. Nobody knows who is next.
Indeed... -- Joseph W. Shaw - jshaw@insync.net Computer Security Consultant and Programmer Free UNIX advocate - "I hack, therefore I am."