Re: Solution: Re: Huge smurf attack
On Jan 13, 1:23pm, Phil Howard wrote:
Filtering .0 and .255, or filtering echos or ICMPs, are all indeed a form of "fixing" the symptom. These things are being done because fixing the cause isn't practical.
But what is the cause? Is it that kids with scripts will attack and try to bring down an IRC server or the network that hosts it? Or is it that they have the scripts in the first place? Or is it that they are using networks that allow them to do this in the first place?
I think blamin' the 'scriptkidz' in this instance isn't accurate. I think this incident had a political component that is overlooked here, and one that requires discussion. And that this smurfing was, quite possibly, an answer to that political component.

I'm speaking about the "Nuremburg Files" which is downstream of Mindspring. For those of you who don't know, this page is a listing of abortion providers, clinic workers and their respective spouses. Those abortion providers and clinic workers who have been killed are struck-through on this page, those who have been wounded, or who have stopped providing abortions for whatever reason, are grayed out and those remaining are, for lack of a better term, targeted, through the collection of personal information (license plate numbers, home addresses, phone numbers, etc...)

I bring this up, not to discuss content, but because a lawsuit has been brought, and which began Friday, against this page charging that it is a hit-list that crosses the line of free speech into incitement to violence. The suit has received some national attention (was prominently featured on the CNN webpage) and appears to be, at present, ground zero for the pro-life/pro-choice debates...

Given all that, is it hard to believe that someone, moderately skilled in networking but extreme in political views, attempted to shut down this page by shutting down Mindspring?

This is the real world, people. This isn't the goodgeeks vs. the skriptkiddiez in their own private internet bubble. It is entirely plausible (even likely, given the timing of the case opening Friday, the subsequent publicity and the "huge smurf attack" Saturday...) that this was a political act, and guess what... we're squeezed in the middle. It ain't about which side of the debate any on NANOG will fall on, but the fact that the debate may be falling on us.
The cause of burglaries and thefts is bad people.
But the cause of political terrorism is extreme people. I think that, if this smurf attack was in response to the web page "The Nuremburg Files", it is an act of terrorism in response to an act of terrorism: that is to say the page is extreme, so why do we not expect responses to it to be extreme? And, in the middle, network engineers putting out the fires... networks being the battlegrounds that these people have chosen.
I admire Mindspring's position of making Internet access unrestricted. But what is the real motivation? Is it the goal of "perfect IP" or is the business case of decreasing tech support costs? They are, after all, in the business of providing consumer dialup access, and as we all know that line of business is very costly in areas of tech support. Network attacks are also a real cost. I would suggest that treating some of the symptoms, at least for now, will cut some costs until the day that we can achieve the utopian goal of the perfect solution to the cause.
But if you want "unrestricted internet access" you'll get pages like "The Nuremburg Files" and you'll get people who object to that...

I don't know what the solution is... but I do think we'll all be better off opening our eyes to the situation, rather than simply blaming the 'skriptkiddiez'.

Peace,

Petr

--
"Everything should be made as simple as possible, but not simpler" A. Einstein
Petr Swedock, Associate Engineer | Network Operations
GTE INTERNETWORKING, POWERED BY BBN
ph: 781.262.6300/781.262.6541  fax: 781.262.6234
email: pswedock@bbnplanet.com/pswedock@gtei.net
Peter,

I am not sure about the last smurf incident, but don't overestimate the _dark minds_ that caused this incident. I am 99.9% sure all (ALL) the incidents complained about on NANOG were the same _kidscripts_.

This does not mean you should not prevent the possibility of _cyberterrorism_, and let these _kid's plays_ help us pay attention to the security holes we have over the Internet.

On Thu, 14 Jan 1999, Peter Swedock wrote:

[...]
--
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
My only question is do any of you who've been under attack report these incidents to the FBI and the other appropriate agencies? I understand that a lot of these places are Universities and Govt. agencies where finding someone to fix the problem is like running through water, but I can only wonder if having the FBI get involved in these things would help.

Two agents from the Houston office recently gave a presentation talking about their new and expanding computer crimes divisions popping up around the country. They kept harping on protecting the infrastructure of the nation's public networks, and I think helping track down smurf amplifiers would fall under this.

--
Joseph Shaw - jshaw@insync.net
NetAdmin/Security - Insync Internet Services
Free UNIX advocate - "I hack, therefore I am."

On Thu, 14 Jan 1999, Alex P. Rudnev wrote:
I am not sure about the last smurf incident, but don't overestimate the _dark minds_ that caused this incident. I am 99.9% sure all (ALL) the incidents complained about on NANOG were the same _kidscripts_.
This does not mean you should not prevent the possibility of _cyberterrorism_, and let these _kid's plays_ help us pay attention to the security holes we have over the Internet.
Unnamed Administration sources reported that Joe Shaw said: [sorry about that last one...]
My only question is do any of you who've been under attack report these incidents to the FBI and the other appropriate agencies?
{...}
Two agents from the Houston office recently gave a presentation talking about their new and expanding computer crimes divisions popping up around the country. They kept harping on protecting the infrastructure of the nation's public networks, and I think helping track down smurf amplifiers would fall under this.
Besides the "Richard Jewell" issue, a problem many people have experienced with the Feebs is: jurisdiction or not, they are not interested unless you can prove actual losses of $100K or more.

Of course, if your story fits the TV news "If it bleeds, it leads" category, then you WILL get listened to...

--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
On Thu, 14 Jan 1999, Joe Shaw wrote:
Two agents from the Houston office recently gave a presentation talking about their new and expanding computer crimes divisions popping up around the country. They kept harping on protecting the infrastructure of the nation's public networks, and I think helping track down smurf amplifiers would fall under this.
Invite them to NANOG, tell them to put their money where their mouth is. -Dan
On Thu, 14 Jan 1999, Joe Shaw wrote:
My only question is do any of you who've been under attack report these incidents to the FBI and the other appropriate agencies?
We report these incidents to the FBI when there is at least a slim chance that the perpetrator might be caught. We get a lot of very short lived attacks (30 minutes or less) that just don't seem to be worth our time to report to the FBI, since there's usually no data that would give them a bit of a clue about who might have done it.

Brandon Ross, Network Engineering
Director, Network Engineering, MindSpring Ent., Inc.
404-815-0770 / 800-719-4664
info@mindspring.com   ICQ: 2269442

Stop Smurf attacks! Configure your router interfaces to block directed broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
On Thu, 14 Jan 1999, Brandon Ross wrote:
On Thu, 14 Jan 1999, Joe Shaw wrote:
My only question is do any of you who've been under attack report these incidents to the FBI and the other appropriate agencies?
We report these incidents to the FBI when there is at least a slim chance that the perpetrator might be caught. We get a lot of very short lived attacks (30 minutes or less) that just don't seem to be worth our time to report to the FBI, since there's usually no data that would give them a bit of a clue about who might have done it.
There needs to be a better communication infrastructure set up between backbones and providers, so we can trace the perpetrators to the source and shut them off. Having to spend 20 minutes on hold with a *multibillion dollar telco* while they try to find a security admin, is simply unacceptable.

Or how about multibillion dollar telcos who can't keep the email and phone numbers on their NOC pages/InterNIC/ARIN current (e.g. bouncing email and disconnected phone numbers).

Or how about networks with the facilities to deal with perpetrators but are simply unwilling to do so. E.g. spending several hours being smurfed, and the backbones outright refuse to trace or filter.

All of this is simply unacceptable.

-Dan
On Thu, 14 Jan 1999, Dan Hollis wrote:
Having to spend 20 minutes on hold with a *multibillion dollar telco* while they try to find a security admin, is simply unacceptable.
If you're only waiting 20 minutes, you're having much better luck than me. In our experience, it takes several hours to get in touch with someone clueful enough and with the authority to trace a spoofed attack.

Brandon Ross, Network Engineering
Director, Network Engineering, MindSpring Ent., Inc.
404-815-0770 / 800-719-4664
info@mindspring.com   ICQ: 2269442

Stop Smurf attacks! Configure your router interfaces to block directed broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
Brandon Ross wrote:
On Thu, 14 Jan 1999, Dan Hollis wrote:
Having to spend 20 minutes on hold with a *multibillion dollar telco* while they try to find a security admin, is simply unacceptable.
If you're only waiting 20 minutes, you're having much better luck than me. In our experience, it takes several hours to get in touch with someone clueful enough and with the authority to trace a spoofed attack.
I think he means 20 minutes just to find _any_ security admin when you call the network security number. Finding a _clueful_ one starts the next clock running. Sometimes it damn near needs a calendar.

--
Phil Howard KA9WGN
Inturnet, Inc. | Director of Internet Services
Business Internet Solutions | eng at intur.net / phil at intur.net
But I'm not talking about catching the person who's initiating the attacks, which is next to impossible if the amplifiers aren't willing or able to help. I'm concerned about the FBI possibly playing a part in shutting down the amplifiers. As the FBI agent who I talked with a week ago said "We want to hear about any incident that happens because we do trend tracking." Lord knows if enough people reported large smurf attacks they'd at least do something.

--
Joseph Shaw - jshaw@insync.net
NetAdmin/Security - Insync Internet Services
Free UNIX advocate - "I hack, therefore I am."

On Thu, 14 Jan 1999, Brandon Ross wrote:
On Thu, 14 Jan 1999, Joe Shaw wrote:
My only question is do any of you who've been under attack report these incidents to the FBI and the other appropriate agencies?
We report these incidents to the FBI when there is at least a slim chance that the perpetrator might be caught. We get a lot of very short lived attacks (30 minutes or less) that just don't seem to be worth our time to report to the FBI, since there's usually no data that would give them a bit of a clue about who might have done it.
Brandon Ross, Network Engineering
Director, Network Engineering, MindSpring Ent., Inc.
404-815-0770 / 800-719-4664
info@mindspring.com   ICQ: 2269442
Stop Smurf attacks! Configure your router interfaces to block directed broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
On Thu, 14 Jan 1999, Joe Shaw wrote:
But I'm not talking about catching the person who's initiating the attacks, which is next to impossible if the amplifiers aren't willing or able to help. I'm concerned about the FBI possibly playing a part in shutting down the amplifiers. As the FBI agent who I talked with a week ago said "We want to hear about any incident that happens because we do trend tracking." Lord knows if enough people reported large smurf attacks they'd at least do something.
As I'm frequently reminded by my friends at DOJ's computer crimes section, there's not a lot that most FBI field offices can or will do without major damage shown. Unless you count "trend tracking," I guess.

--
Ray Everett-Church | Haley Bader & Potts, PLC <www.haleybp.com>
Attorney at Law | 4350 N. Fairfax Dr. #900, Arlington, VA 22203
voice: +1 703 841 0606  fax: +1 703 841 2345
Opinion(REC) != Opinion(client(REC)) ** This mail isn't legal advice.
Brandon Ross wrote:
We report these incidents to the FBI when there is at least a slim chance that the perpetrator might be caught. We get a lot of very short lived attacks (30 minutes or less) that just don't seem to be worth our time to report to the FBI, since there's usually no data that would give them a bit of a clue about who might have done it.
My recommendation is to take all the incidents that you are currently classifying as unlikely to be resolved, and prepare a report on each one with as much data as you can gather about them, and supply that report to the FBI anyway. This will help them understand just what is going on, and may even help them acquire additional budgets and funding to expand their resources to be more effective at investigating more of these incidents. This will allow them to keep better statistics on just what problems are being seen in the Internet, whether they be kids with scripts or terrorists. The line between these groups will be getting fuzzier, so we cannot disregard it at all.

It might also be interesting if we can as a group collect and merge the data on these incidents. I know there are some agencies that already do this, and if someone has some detail on that, maybe that will be a good start. I know that I would be interested in comparing not only the list of addresses that smurf incidents are coming from, but also comparing the load balance of these addresses (e.g. do addresses that show up twice as much in one incident also do so in another?). If we can identify the addresses that regularly show up, perhaps that may motivate the FBI to insist on a "wiretap" at the location of the smurf amplifiers frequently seen. Then from there they may be able to begin backtracking attacks and find the real source(s).

--
Phil Howard KA9WGN
Inturnet, Inc. | Director of Internet Services
Business Internet Solutions | eng at intur.net / phil at intur.net
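The cross-incident comparison Phil Howard proposes above (which amplifier addresses recur, and how the reply load is spread among them), as an added example that is not from the thread or from any of its posters. It reads tcpdump-style ICMP echo reply lines captured at the victim, groups the replying hosts by /24 on the assumption that a smurf amplifier is a whole broadcast domain answering at once, drops networks where only a single host replied (a lone reply is a ping, not a directed-broadcast bounce), and reports which amplifier networks show up in more than one incident and what share of each incident's replies they carried. The capture lines, the incident names, the victim address 10.9.8.7 and the amplifier ranges (RFC 5737 documentation prefixes) are all constructed for the example.

```python
"""Find recurring smurf amplifier networks across several incidents.

Added example, not from the NANOG thread. The input is tcpdump-style
"<time> <src> > <dst>: icmp: echo reply" lines captured at the victim;
all addresses below are constructed (RFC 5737 ranges, victim 10.9.8.7).
"""
import ipaddress
import re
from collections import Counter, defaultdict

# One ICMP echo reply as classic tcpdump prints it; anything else is ignored.
ECHO_REPLY = re.compile(
    r"^\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+):"
    r"\s+icmp:\s+echo reply\b"
)


def parse_replies(lines):
    """Yield (src, dst) for every echo reply line."""
    for line in lines:
        m = ECHO_REPLY.match(line)
        if m:
            yield m.group("src"), m.group("dst")


def amplifier_networks(lines, prefix_len=24):
    """Count replies per source network and remember which hosts in it answered.

    A smurf stream is many hosts from one broadcast domain answering the same
    victim, so the /24 (not the host) is the unit the attacker bounced through.
    Returns (replies_per_net, hosts_per_net, replies_per_victim).
    """
    replies = Counter()
    hosts = defaultdict(set)
    victims = Counter()
    for src, dst in parse_replies(lines):
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        replies[net] += 1
        hosts[net].add(src)
        victims[dst] += 1
    return replies, hosts, victims


def incident_profile(lines, min_hosts=3):
    """Map each amplifier network to its share of the incident's reply volume.

    Networks where fewer than min_hosts distinct hosts replied are dropped:
    a single host answering is a ping, not a directed-broadcast amplifier.
    """
    replies, hosts, _ = amplifier_networks(lines)
    amps = {net: n for net, n in replies.items() if len(hosts[net]) >= min_hosts}
    total = sum(amps.values())
    return {str(net): round(n / total, 3) for net, n in amps.items()} if total else {}


def compare_incidents(incidents):
    """incidents: {name: capture lines}. Return networks seen in more than one
    incident, with the share of each incident's replies they carried."""
    seen_in = defaultdict(dict)
    for name, lines in incidents.items():
        for net, share in incident_profile(lines).items():
            seen_in[net][name] = share
    return {net: shares for net, shares in seen_in.items() if len(shares) > 1}


def _replies(ts, srcs, count=1, dst="10.9.8.7"):
    """Constructed capture lines for the sample below (not real traffic)."""
    return [f"{ts} {s} > {dst}: icmp: echo reply" for s in srcs for _ in range(count)]


# Constructed sample: two incidents against the same victim.
INCIDENT_SAT = (
    _replies("22:03:01.000", [f"192.0.2.{i}" for i in range(1, 7)], count=2)  # 6 hosts, 12 replies
    + _replies("22:03:01.100", [f"198.51.100.{i}" for i in range(10, 13)])  # 3 hosts, 3 replies
    + _replies("22:03:01.200", ["203.0.113.7"], count=5)  # 1 host: not an amplifier
    + ["22:03:01.300 10.9.8.7 > 198.51.100.10: icmp: echo request"]  # not a reply, ignored
)
INCIDENT_SUN = (
    _replies("01:15:40.000", [f"192.0.2.{i}" for i in range(1, 5)], count=3)  # 4 hosts, 12 replies
    + _replies("01:15:40.100", [f"203.0.113.{i}" for i in range(20, 24)], count=3)  # 4 hosts, 12 replies
)

if __name__ == "__main__":
    for name, lines in (("sat", INCIDENT_SAT), ("sun", INCIDENT_SUN)):
        print(name, incident_profile(lines))
    print("recurring:", compare_incidents({"sat": INCIDENT_SAT, "sun": INCIDENT_SUN}))
```

On the constructed sample, 192.0.2.0/24 carries 80% of the first incident and 50% of the second, so it is the network worth reporting first; the single host in 203.0.113.0/24 that answered during the first incident is dropped because one reply from one address is not a directed-broadcast amplifier. Real captures need the victim address parameterised and the prefix length matched to the amplifier's actual subnet mask, which a /24 only approximates.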
Peter Swedock wrote: [much discussion snipped for brevity]
But if you want "unrestricted internet access" you'll get pages like "The Nuremburg Files" and you'll get people who object to that...
I don't know what the solution is... but I do think we'll all be better off opening our eyes to the situation, rather than simply blaming the 'skriptkiddiez'.
"Unrestricted Internet Access" will indeed mean different things to different people. For some, it'll mean access to the web without transparent proxies. For others, it means access to properly secured SMTP servers anywhere without someone either filtering or transparently redirecting their packets. I tend to think of it as "don't limit my ability to do 'normal' things." Since I do network consulting, I may well log onto Mindspring or AT&T Worldnet or some other ISP to run traceroutes or pings back against a network I'm working on, to be sure it looks OK from outside. I may be testing to see that routing policy or filters at a corporate site are functioning correctly. So, I ask ISPs what their policies are. Granted I'm not a typical customer.

The real lesson to be learned here, though, as others have stated, is the 'net is getting an exposure to terrorism. Now, we can run around and say "illegal, illegal" and try to get law enforcement to do something, but law enforcement may well say "why don't you improve your security?" If waging a campaign to get smurf amplifiers eradicated helps, then DO IT. At the same time, add the ability to detect attempted smurfings, and report them. Take it as a gift that you were woken up to the problems by "kids" (if that's what it was), rather than by hardcore terrorists.

It may well be time for the backbone providers and larger ISPs to develop anti-terrorism plans. The Internet has passed the point of being a useful tool in society and is becoming a critical element in everyday life. Perhaps this should be a new topic at NANOG.

Dan

--
Daniel Senie dts@senie.com
Amaranth Networks Inc. http://www.amaranthnetworks.com
Peter Swedock wrote:
Given all that, is it hard to beleive that some-one, moderately skilled in networking but extreme in political views, attempted to shut down this page by shutting down Mindspring?
By attacking specifically the IRC server? They would probably get better DoS results by attacking the web server (or the link it's on if it's down stream from Mindspring). Someone who thinks attacking irc.mindspring.com will bring down Mindspring deserves to be labeled a "script kiddie" even if they were really aiming at www.christiangallery.com.
This is the real world, people. This isn't the goodgeeks vs. the skriptkiddiez in their own private internet bubble. It is entirely plausible (even likely, given the timing of the case opening Friday, the subsequent publicity and the "huge smurf attack" Saturday...) that this was a political act, and guess what... we're squeezed in the middle. It ain't about which side of the debate any on NANOG will fall on, but the fact that the debate may be falling on us.
Well I won't rule out you being right on this, but I believe the probability is low because of the fact the attack was to the IRC server. Quite possibly one of the script kiddies that usually spends their time attacking IRC servers specifically aimed at this one based on that political motivation.
The cause of burglaries and thefts is bad people.
But the cause of political terrorism is extreme people. I think that, if this smurf attack was in response to the web page "The Nuremburg Files", it is an act of terrorism in response to an act of terrorism: that is to say the page is extreme, so why do we not expect responses to it to be extreme? And, in the middle, network engineers putting out the fires... networks being the battlegrounds that these people have chosen.
Whether or not the page is terrorism is the subject of the debates and hearings that are not on this mailing. The DoS attack could well be classified as such an act either way.
I admire Mindspring's position of making Internet access unrestricted. But what is the real motivation? Is it the goal of "perfect IP" or is the business case of decreasing tech support costs? They are, afterall, in the business of providing consumer dialup access, and as we all know that line of business is very costly in areas of tech support. Network attacks are also a real cost. I would suggest that treating some of the symptoms, at least for now, will cut some costs until the day that we can achieve the utopian goal of the perfect solution to the cause.
But if you want "unrestricted internet access" you'll get pages like "The Nuremburg Files" and you'll get people who object to that...
We do not offer unrestricted access. But our restrictions are different. For example, we do not allow source addresses other than our netblocks, and we do not allow dialups to access TCP port 25 outside of our network. We also have a no IRC bots policy on our shell accounts and colocations. As for web page content, we do not make such judgements. If a court orders us to take down a web page we will. If a web page becomes the target of an attack that disables other services to other customers, then we will take down that web site. But we can do that entirely without examining what the content is.
I don't know what the solution is... but I do think we'll all be better off opening our eyes to the situation, rather than simply blaming the 'skriptkiddiez'.
Well, your point is that there are, or at the very least can potentially be, more than just skriptkiddiez. Political terrorism and others can be real sources of problems. The skriptkiddiez may well be a dress rehearsal.

--
Phil Howard KA9WGN
Inturnet, Inc. | Director of Internet Services
Business Internet Solutions | eng at intur.net / phil at intur.net
On Thu, Jan 14, 1999 at 03:13:34PM +0000, Peter Swedock wrote:
I think blamin' the 'scriptkidz' in this instance isn't accurate. I think this incident had a political component that is overlooked here, and one that requires discussion. And that this smurfing was, quite possibly, an answer to that political component.
I'm speaking about the "Nuremburg Files" which is downstream of Mindspring. For
[...]
Given all that, is it hard to beleive that some-one, moderately skilled in networking but extreme in political views, attempted to shut down this page by shutting down Mindspring?
It's an interesting thought. But someone who is 'moderately skilled' in networking would have been able to do a simple nslookup to find that www.christiangallery.com and irc.mindspring.com are in fact two completely different machines (on different subnets even). There's a slight chance that this was an attack launched to try to shut down the Nuremburg site, but I'd bet money that it's Just Another IRC Server Attack.

I've discussed this with other geeks before. One day (probably soon) we'll see a person/persons with extreme views on some issue launch an attack on servers that support organizations that they're opposed to. It'll be extremely interesting to see how it all happens and what the reaction to such an attack is. There are plenty of nuts out there, and they're getting on the Internet in droves. God help us when they start learning about denial of service attacks.

Robbie
participants (10)
- Alex P. Rudnev
- Brandon Ross
- Dan Hollis
- Daniel Senie
- David Lesher
- Joe Shaw
- Peter Swedock
- Phil Howard
- Ray Everett-Church
- Robbie Honerkamp