Re: NANOG meeting subject of attack? Hmmmm....
Or cooperate with each other, find the son of a bitch who started it, and prosecute him in each and every state the packets passed through that has computer intrusion laws, so that even if he's found not guilty or given token sentences, he gets that way one trial at a time in 50 states. Lather, rinse, repeat. Should be good for 15 to 25 years of trials. :-) At 08:02 PM 2/8/2000 -0700, you wrote:
not only that, it seems that the DoS is so bad that even UUNet is having to shut down peering points around the West Coast with most of their peers. I guess the only way to 'protect' against something this big would be to follow Paul's RFC and/or have big, fat pipes sitting idle.
they should be made to co-operate with the backbone provider and not have much choice in the matter. Dan Hollis wrote:
On Wed, 9 Feb 2000, Shawn McMahon wrote:
Or cooperate with each other,
Come on, we are talking about competing tier1 networks here. They will cooperate when hell freezes over. :) :(
-Dan
-- Thank you;
|--------------------------------------------|
| Thinking is a learned process so is UNIX |
|--------------------------------------------|
Henry R. Linneweh
Make it a law, and they will. But I don't think laws are the answer to cooperation. The Tier1's should take the time to work together on their own before they are forced to in a way they may not like.
-- Joseph W. Shaw - jshaw@insync.net
Computer Security Consultant and Programmer
Free UNIX advocate - "I hack, therefore I am."
On Wed, 9 Feb 2000, Henry R. Linneweh wrote:
they should be made to co-operate with the backbone provider and not have much choice in the matter.
On the subject of cooperation, has anyone set out to catalog where these attacks are coming from, at least in terms of compromised networks, and share said information? I know similar catalogs sprang up in response to smurfs ... is it time to start listing offending networks? Even better, does anyone know if the attacks are using something like TFN2K and using dummy addresses to obfuscate real attacking hosts? I see a lot of talk of attacked sites putting up router filters to stop attacks. Can anyone who knows let the rest of us in on what was filtered ... was Yahoo taken down with a flood of HTTP GETs, ICMP, UDP, SYN floods, or what? If this is a DDoS, the attack could probably be fingerprinted ... this would be very useful information if we are going to see more tomorrow. Do we know if the source addys are spoofed, and if an attacker could turn off spoofing, revealing the source of the traffic but getting around some filtering? I am making the assumption that the last three days' attacks were caused by the same person or persons. But the intent is the same regardless ... we can all go back and forth on NANOG about what might be happening, and wait for the feds to chase down the attacker(s), or people who have been attacked or might be attacked can compare notes and try to get an idea of where the attacks are coming from and exactly what they are. Any relevant info would be appreciated. Nobody knows who is next.
-travis
On Wed, 9 Feb 2000, Joe Shaw wrote:
Make it a law, and they will. But I don't think laws are the answer to cooperation. The Tier1's should take the time to work together on their own before they are forced to in a way they may not like.
-- Joseph W. Shaw - jshaw@insync.net
Computer Security Consultant and Programmer
Free UNIX advocate - "I hack, therefore I am."
On Wed, 9 Feb 2000, Henry R. Linneweh wrote:
they should be made to co-operate with the backbone provider and not have much choice in the matter.
On Wed, 9 Feb 2000, Travis Pugh wrote:
On the subject of cooperation, has anyone set out to catalog where these attacks are coming from, at least in terms of compromised networks, and share said information?
I think far more interesting would be to keep track of DoS attacks, and how various NOCs (mis)handled the problem. Attack-wise, we see the largest percentage of bounce attacks from compromised .jp/.cn sites, followed by direct assaults from roadrunner and @home (but that's just the nature of the beast. give teenage punks cheap 10Mbps and what do you expect)
-Dan
On Wed, 9 Feb 2000, Travis Pugh wrote:
On the subject of cooperation, has anyone set out to catalog where these attacks are coming from, at least in terms of compromised networks, and share said information?
As far as I know (thank you C-SPAN), the FBI has logs of the hosts used to originate the traffic, and are now going through them to find the "innocent third parties." At this time, since it's part of a current criminal investigation, this information will not be made available to "the public," though they are saying this is going to be a joint venture between the FBI and the Internet Community.
I know similar catalogs sprang up in response to smurfs ... is it time to start listing offending networks? Even better, does anyone know if the attacks are using something like TFN2K and using dummy addresses to obfuscate real attacking hosts?
Not sure, since it seems the discovered DDoS programs don't seem to have the capability to forge the traffic, though it's not too terribly difficult to modify existing exploits to do so.
I see a lot of talk of attacked sites putting up router filters to stop attacks. Can anyone who knows let the rest of us in on what was filtered ... was Yahoo taken down with a flood of HTTP GETs, ICMP, UDP, SYN floods, or what? If this is a DDoS, the attack could probably be fingerprinted ... this would be very useful information if we are going to see more tomorrow. Do we know if the source addys are spoofed, and if an attacker could turn off spoofing, revealing the source of the traffic but getting around some filtering?
I have a feeling you're going to see many more in the next couple of days, and certainly some peripheral meltdown as an aftereffect. While no official details regarding the attacks have been announced that I've read, there are a few advisories on some of the known DDoS attacks. Dave Dittrich has posted some excellent material on the DDoS's that have been found and you can view them at his homepage located at http://www.washington.edu/People/dad/. He also has links to scanners (written by NFR President Marcus Ranum, Dittrich, and others) that can help look for the known DDoS daemons on servers.
I am making the assumption that the last three days' attacks were caused by the same person or persons. But the intent is the same regardless ... we can all go back and forth on NANOG about what might be happening, and wait for the feds to chase down the attacker(s), or people who have been attacked or might be attacked can compare notes and try to get an idea of where the attacks are coming from and exactly what they are.
Well, to quote a Wired article, "A Yahoo source close to the problem told Wired News that they hadn't contacted the Feds during their trouble yesterday because it would do no good."
Any relevant info would be appreciated. Nobody knows who is next.
Indeed...
-- Joseph W. Shaw - jshaw@insync.net
Computer Security Consultant and Programmer
Free UNIX advocate - "I hack, therefore I am."
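As an added example that is not part of the thread, this is the kind of quick sample triage Travis asks for above (is it a SYN, UDP, ICMP or HTTP GET flood?) combined with Joe's point about whether the sources are forged. The packet records, the address ranges and the field names are all constructed for illustration, not data from the February 2000 attacks.

```python
from collections import Counter
import ipaddress

# Constructed packet sample: (src_ip, proto, dst_port, tcp_flags, payload).
SAMPLE = [
    ("10.0.0.5", "tcp", 80, "S", b""),            # RFC 1918 source: unroutable
    ("198.51.100.7", "tcp", 80, "S", b""),
    ("0.0.0.0", "tcp", 80, "S", b""),             # "this" network: bogus source
    ("203.0.113.9", "tcp", 80, "S", b""),
    ("203.0.113.10", "tcp", 80, "S", b""),
    ("192.0.2.77", "tcp", 80, "PA", b"GET / HTTP/1.0\r\n\r\n"),
    ("192.0.2.77", "udp", 53, "", b"\x00" * 20),
    ("198.51.100.8", "icmp", 0, "", b"\x08\x00"),
]

# Source ranges that should never appear on the public Internet (assumed list).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/3",
)]

def classify(rec):
    """Bucket one packet into the flood classes the thread discusses."""
    src, proto, dport, flags, payload = rec
    if proto == "tcp" and flags == "S":
        return "SYN"
    if proto == "tcp" and payload.startswith(b"GET "):
        return "HTTP GET"
    if proto == "udp":
        return "UDP"
    if proto == "icmp":
        return "ICMP"
    return "other"

def flood_type(records):
    """Dominant packet class in the sample and its share of all packets."""
    counts = Counter(classify(r) for r in records)
    kind, n = counts.most_common(1)[0]
    return kind, n / len(records)

def spoofing_indicators(records):
    """Two cheap signs of forged sources: packets from bogon ranges, and a
    distinct-source/packet ratio near 1.0 (random-source SYN floods)."""
    srcs = [ipaddress.ip_address(r[0]) for r in records]
    bogon = sum(any(s in net for net in BOGONS) for s in srcs)
    return {"bogon_sources": bogon,
            "distinct_ratio": len(set(srcs)) / len(srcs)}

if __name__ == "__main__":
    print(flood_type(SAMPLE), spoofing_indicators(SAMPLE))
```

Bogon sources in the sample are exactly what ingress filtering at the edge would drop; a high distinct-source ratio suggests the sources are random and filtering by address alone will not help.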
I repeat.. Laws in one country do NOT apply to another country. It is arrogant to think that internet governance is a product of one region's policies.
Make it a law, and they will. But I don't think laws are the answer to cooperation. The Tier1's should take the time to work together on their own before they are forced to in a way they may not like.
-- Joseph W. Shaw - jshaw@insync.net
Computer Security Consultant and Programmer
Free UNIX advocate - "I hack, therefore I am."
On Wed, 9 Feb 2000, Henry R. Linneweh wrote:
they should be made to co-operate with the backbone provider and not have much choice in the matter.
----------------------------------------------------------------------
Wayne Bouchard [Imagine Your ]
web@typo.org [Company Name Here]
Network Engineer
----------------------------------------------------------------------
Or cooperate with each other, find the son of a bitch who started it, and prosecute him in each and every state the packets passed through that has computer intrusion laws, so that even if he's found not guilty or given token sentences, he gets that way one trial at a time in 50 states.
Lather, rinse, repeat. Should be good for 15 to 25 years of trials. :-)
You forget.. the network is not US only. Any views of this nature are short-sighted. International connectivity is still poor but it's getting much better. Now consider that given the distributed attacks, you can have sources and relays located in the country you want to conduct your attack even though you are halfway across the globe in a country that considers such actions worthy of no more than a shrug. Laws in one country DO NOT apply to other countries. Now consider someone setting up such sites, starting the attack from a hacked account (which can't be traced back to him since he dialed in from a pay phone somewhere) and then just leaving it. This attack could go on to some degree for *WEEKS* without being completely squashed.
----------------------------------------------------------------------
Wayne Bouchard [Imagine Your ]
web@typo.org [Company Name Here]
Network Engineer
----------------------------------------------------------------------
FWIW, we've seen several failed exploits from APNIC addresses in the last two months. I generally ping flood them for a couple of minutes to encourage them to go away. The ping flood responses usually show modem level connectivity although one appeared to have T1 bandwidth. The FBI has never shown the slightest interest when we've told them of compromised systems in the US or told them where rootkits are being stored on public FTP servers in the US. What are they going to do when the crackers are working via systems in Korea or Japan?
----------------------------------------------------------
Mike Bird         Tel: 209-742-5000   FAX: 209-966-3117
President         POP: 209-742-5156   PGR: 209-742-9979
Iron Mtn Systems  http://member.yosemite.net/