For the last few days, I have experienced a series of DDoS attacks on various targets around the globe. The general target is the EFNet irc network, and servers have been attacked all through Europe, USA, Canada, Israel, and such.
Wow, EFNet is being attacked? That's never happened before. Someone should alert the media.
Due to the various attacks, more than half of the servers on the network were black holed (null routed). The others which hold 1/3 of the client count, are attacked, or going to be attacked soon.
Perhaps because there are only 5 servers which actually accept clients?
If this keeps on going, this irc network will cease to exist.
Oh the humanity.
In this time of need, it would be a great help if the large carriers would be helpful in tracing the traffic.
Hrm you may have an idea there. Since so many attacks are related to EFNet, and there are so many possible reasons for it to be impacting the rest of the internet, I propose we introduce a new ICMP type, ICMP EFNet. This message type could be used to convey all kinds of important information about why things are broken, for example:
ICMP EFNet code 1 - Smurfing
ICMP EFNet code 2 - SYN Flooding
ICMP EFNet code 3 - Channel takeover
ICMP EFNet code 4 - Warring botnets
ICMP EFNet code 5 - Dianora
and many other useful messages.
-- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
Wow Richard, I can't believe how incredibly helpful you are. You deserve an award or something. I mean really! Talk about going above and beyond the call of duty, wow! How do I nominate you for sainthood for all the major religions?
----- Original Message -----
From: "Richard A. Steenbergen" <ras@e-gerbil.net>
To: "Ariel Biener" <ariel@fireball.tau.ac.il>
Cc: <nanog@merit.edu>
Sent: Wednesday, July 11, 2001 4:40 PM
Subject: Re: DDoS attacks
For the last few days, I have experienced a series of DDoS attacks on various targets around the globe. The general target is the EFNet irc network, and servers have been attacked all through Europe, USA, Canada, Israel, and such.
Wow, EFNet is being attacked? That's never happened before. Someone should alert the media.
Due to the various attacks, more than half of the servers on the network were black holed (null routed). The others which hold 1/3 of the client count, are attacked, or going to be attacked soon.
Perhaps because there are only 5 servers which actually accept clients?
If this keeps on going, this irc network will cease to exist.
Oh the humanity.
In this time of need, it would be a great help if the large carriers would be helpful in tracing the traffic.
Hrm you may have an idea there. Since so many attacks are related to EFNet, and there are so many possible reasons for it to be impacting the rest of the internet, I propose we introduce a new ICMP type, ICMP EFNet. This message type could be used to convey all kinds of important information about why things are broken, for example:
ICMP EFNet code 1 - Smurfing
ICMP EFNet code 2 - SYN Flooding
ICMP EFNet code 3 - Channel takeover
ICMP EFNet code 4 - Warring botnets
ICMP EFNet code 5 - Dianora
and many other useful messages.
-- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
On Wed, Jul 11, 2001 at 07:40:45PM -0400, Richard A. Steenbergen exclaimed:
Hrm you may have an idea there. Since so many attacks are related to EFNet, and there are so many possible reasons for it to be impacting the rest of the internet, I propose we introduce a new ICMP type, ICMP EFNet. This message type could be used to convey all kinds of important information about why things are broken, for example:
ICMP EFNet code 1 - Smurfing
ICMP EFNet code 2 - SYN Flooding
ICMP EFNet code 3 - Channel takeover
ICMP EFNet code 4 - Warring botnets
ICMP EFNet code 5 - Dianora
and many other useful messages.
regardless of one's opinion on the usefulness/validity/point of IRC, I think some respect is due EFnet simply considering the antiquity of the network, and the sheer volume of communication, good bad and indifferent, that has flowed over it since its inception. I'm sure I'll be flamed for my (mis)use of 'antiquity', but I think IRC has been, and continues to be, a valuable communication tool. Like any useful tool, it tends to be used for both beneficial and nefarious purposes.
And let's not forget that any network attack, regardless of the target or purpose, is a Bad Thing and responsible netizens should do their part to help eliminate such abuses.
I'm done preaching now; I'm sure those who agree with me didn't need a rehash, and those that don't are unlikely to change their minds. Just wanted to provide a counterpoint to the "since $service has no business function and doesn't increase profits, there's no point in supporting it" crowd. (not that RAS is necessarily in that crowd; he just happened to be the first to respond.)
Sometimes things are worth doing, even if doing them causes you some grief. I'm sure cynicism will eventually overwhelm me and I will realize that there's no point in sticking one's neck/network out to provide a useful service to the community.
okay, I'm ready for the flames now.
-- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
-- Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t Systems/Network Manager sfrancis@ [work:] t o n o s . c o m UNIX | IP networks | security | sysadmin | caffeine | BOFH | general geekery GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
This is pathetic. Someone asks for help and you demean them with jokes. Logic? Network Operators provide the ammo, Operating systems the guy, and script kiddies the finger.
Ebay, Etrade, Yahoo, etc all got SMOKED by some unknown attacker and I've yet to see a good fix that stops this kind of attacking. Why, because right now there isn't one. What do the powerless do? They resort to poking fun, illogical behavior.
I think you might do better discussing, testing, planning how to prevent this type of thing on your own network. However, I'm concluding from the type of behavior displayed that most of you manage nothing larger than a couple T-1s.
There is no solution to this problem. This guy asking for help provided a perfect case where you could have learned something, asked questions and generally ACT AS YOU WOULD LIKE TO BE TREATED.
Both of you are in my shitheads for life book and the only way to get out is to apologize to the poster, CC: nanog and ask a good question about the attacks so that we might all learn something.
Sooner or later another big attack like the last one is going to hit us. Don't kid yourself. During the last one all those companies got lucky that the attacker decided to turn it off.
On 11-Jul-2001, Richard A. Steenbergen wrote:
For the last few days, I have experienced a series of DDoS attacks on various targets around the globe. The general target is the EFNet irc network, and servers have been attacked all through Europe, USA, Canada, Israel, and such.
Wow, EFNet is being attacked? That's never happened before. Someone should alert the media.
Due to the various attacks, more than half of the servers on the network were black holed (null routed). The others which hold 1/3 of the client count, are attacked, or going to be attacked soon.
Perhaps because there are only 5 servers which actually accept clients?
If this keeps on going, this irc network will cease to exist.
Oh the humanity.
In this time of need, it would be a great help if the large carriers would be helpful in tracing the traffic.
Hrm you may have an idea there. Since so many attacks are related to EFNet, and there are so many possible reasons for it to be impacting the rest of the internet, I propose we introduce a new ICMP type, ICMP EFNet. This message type could be used to convey all kinds of important information about why things are broken, for example:
ICMP EFNet code 1 - Smurfing
ICMP EFNet code 2 - SYN Flooding
ICMP EFNet code 3 - Channel takeover
ICMP EFNet code 4 - Warring botnets
ICMP EFNet code 5 - Dianora
and many other useful messages.
-- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
On Wed, 11 Jul 2001, Jon O . wrote:
This is pathetic. Someone asks for help and you demean them with jokes.
Who was joking? I wasn't. I suppose that we should all start posting "HELP ME!" posts to NANOG instead of sending an email to/calling the NOC of networks with which we are having issues with DIRECTLY. All the original poster did was add to the impact of the attack in question. The attackers can now say, "Look! We kicked SO MUCH BUTT THAT THEY HAD TO GO WHINE ON NANOG! WE RULE!"
your own network. However, I'm concluding from the type of behavior displayed that most of you manage nothing larger than a couple T-1s.
Think what you like. I'm sure it isn't the first you've been wrong and most likely won't be the last.
There is no solution to this problem.
OK. No solution? If that is the case, why are you wasting your time posting about it?
...ACT AS YOU WOULD LIKE TO BE TREATED.
If I had posted the message the original poster did, I would have FULLY expected to be blasted/flamed/laughed at. What is your point?
Both of you are in my shitheads for life book and the only way to get out is to apologize to the poster, CC: nanog and ask a good question about the attacks so that we might all learn something.
The last time I checked, direct attacks and the use of foul language were both in violation of the NANOG AUP (Item #4). I believe it is YOU who owes an apology. [Note: Get him Sue!]
--- John Fraizer EnterZone, Inc
At 11:54 PM -0400 7/11/01, John Fraizer wrote:
On Wed, 11 Jul 2001, Jon O . wrote:
This is pathetic. Someone asks for help and you demean them with jokes.
Who was joking? I wasn't. I suppose that we should all start posting "HELP ME!" posts to NANOG instead of sending an email to/calling the NOC of networks with which we are having issues with DIRECTLY.
snip
Have you ever tried emailing or calling the NOC of a Korean NSP for assistance?
We recently ahem, "entertained" a huge (100Kpps +) DDOS from Korean IPs. Even UUnet couldn't block it. We lost that $30k/m customer.
Anyone have the email address for the KrNOG list :-)
jm
unsnip
All the original poster did was add to the impact of the attack in question. The attackers can now say, "Look! We kicked SO MUCH BUTT THAT THEY HAD TO GO WHINE ON NANOG! WE RULE!"
your own network. However, I'm concluding from the type of behavior displayed that most of you manage nothing larger than a couple T-1s.
Think what you like. I'm sure it isn't the first you've been wrong and most likely won't be the last.
There is no solution to this problem.
OK. No solution? If that is the case, why are you wasting your time posting about it?
...ACT AS YOU WOULD LIKE TO BE TREATED.
If I had posted the message the original poster did, I would have FULLY expected to be blasted/flamed/laughed at. What is your point?
Both of you are in my shitheads for life book and the only way to get out is to apologize to the poster, CC: nanog and ask a good question about the attacks so that we might all learn something.
The last time I checked, direct attacks and the use of foul language were both in violation of the NANOG AUP (Item #4). I believe it is YOU who owes an apology. [Note: Get him Sue!]
--- John Fraizer EnterZone, Inc
Jon,
Perhaps when you have an attack, as you do quite often, you should call our support number?? There is no reason we can't filter/block this traffic for you... If you have a ticket for the incident in question I'd be happy to look into this.
--Chris (chris@uu.net)
#######################################################
## UUNET Technologies, Inc. ##
## Manager ##
## Customer Router Security Engineering Team ##
## (W)703-289-8479 (C)703-338-7319 ##
#######################################################
On Thu, 12 Jul 2001, Jon Mansey wrote:
At 11:54 PM -0400 7/11/01, John Fraizer wrote:
On Wed, 11 Jul 2001, Jon O . wrote:
This is pathetic. Someone asks for help and you demean them with jokes.
Who was joking? I wasn't. I suppose that we should all start posting "HELP ME!" posts to NANOG instead of sending an email to/calling the NOC of networks with which we are having issues with DIRECTLY.
snip
Have you ever tried emailing or calling the NOC of a Korean NSP for assistance?
We recently ahem, "entertained" a huge (100Kpps +) DDOS from Korean IPs. Even UUnet couldn't block it. We lost that $30k/m customer.
Anyone have the email address for the KrNOG list :-)
jm
unsnip
All the original poster did was add to the impact of the attack in question. The attackers can now say, "Look! We kicked SO MUCH BUTT THAT THEY HAD TO GO WHINE ON NANOG! WE RULE!"
your own network. However, I'm concluding from the type of behavior displayed that most of you manage nothing larger than a couple T-1s.
Think what you like. I'm sure it isn't the first you've been wrong and most likely won't be the last.
There is no solution to this problem.
OK. No solution? If that is the case, why are you wasting your time posting about it?
...ACT AS YOU WOULD LIKE TO BE TREATED.
If I had posted the message the original poster did, I would have FULLY expected to be blasted/flamed/laughed at. What is your point?
Both of you are in my shitheads for life book and the only way to get out is to apologize to the poster, CC: nanog and ask a good question about the attacks so that we might all learn something.
The last time I checked, direct attacks and the use of foul language were both in violation of the NANOG AUP (Item #4). I believe it is YOU who owes an apology. [Note: Get him Sue!]
--- John Fraizer EnterZone, Inc
On Wed, 11 Jul 2001, Jon O . wrote:
However, I'm concluding from the type of behavior displayed that most of you manage nothing larger than a couple T-1s.
I'd like to apologise to the list for mentioning EFNet and inviting this group of people with excessively large mouth to brain ratios to post and further legitimize the noise.
-- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
Just to make sure I understand this:
From: http://www.e-gerbil.net/ras/personal/index.html
I can be contacted by email, on IRC (EFNet) as "humble", or any of those other services which won't be named, usually as "humble226".
http://www.e-gerbil.net/ras/personal/index.html
Very odd that you use the service yet bash it so much...
On 12-Jul-2001, Richard A. Steenbergen wrote:
On Wed, 11 Jul 2001, Jon O . wrote:
However, I'm concluding from the type of behavior displayed that most of you manage nothing larger than a couple T-1s.
I'd like to apologise to the list for mentioning EFNet and inviting this group of people with excessively large mouth to brain ratios to post and further legitimize the noise.
-- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
On Wed, 11 Jul 2001, Jon O . wrote:
Just to make sure I understand this:
From: http://www.e-gerbil.net/ras/personal/index.html
I can be contacted by email, on IRC (EFNet) as "humble", or any of those other services which won't be named, usually as "humble226".
http://www.e-gerbil.net/ras/personal/index.html
Very odd that you use the service yet bash it so much...
I am perfectly capable of using a service yet thinking that most of the other people who use it are complete idiots. You have proven my point.
Please do NOT continue this thread on the list.
-- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
On Wed, 11 Jul 2001, Jon O . wrote:
Just to make sure I understand this:
From: http://www.e-gerbil.net/ras/personal/index.html
I can be contacted by email, on IRC (EFNet) as "humble", or any of those other services which won't be named, usually as "humble226".
http://www.e-gerbil.net/ras/personal/index.html
Very odd that you use the service yet bash it so much...
On 12-Jul-2001, Richard A. Steenbergen wrote:
On Wed, 11 Jul 2001, Jon O . wrote:
However, I'm concluding from the type of behavior displayed that most of you manage nothing larger than a couple T-1s.
I'd like to apologise to the list for mentioning EFNet and inviting this group of people with excessively large mouth to brain ratios to post and further legitimize the noise.
-- Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
Enough people. It is quite obvious that IRC is a religious topic to a LOT of people. My original response and Richard's original email were intended as sarcasm. It is not at all uncommon for IRC networks to be under attack. Since some people take IRC *MUCH* more seriously than one can imagine (keep the death threats coming) I guess we can't be sarcastic when someone mentions IRC.
The email that is quoted above from Richard is obviously an apology for getting involved in the discussion. I can't imagine why you would attack him for such.
I apologise for getting into the discussion. Attack me for doing so if you must. Do it off list.
--- John Fraizer EnterZone, Inc
On Wed, 11 Jul 2001, Richard A. Steenbergen wrote:
ICMP EFNet code 5 - Dianora
Hey, leave Di alone.
-- Chris Crowther chrisc@shad0w.org.uk http://www.shad0w.org.uk/
On Wed, 11 Jul 2001, Richard A. Steenbergen wrote:
Wow, EFNet is being attacked? That's never happened before. Someone should alert the media.
Perhaps because there are only 5 servers which actually accept clients?
If this keeps on going, this irc network will cease to exist.
Oh the humanity.
I can only hope others are as glib when it's your network or hosts under attack. After all, we should all sit in judgement as to the validity of other people's packets. That's what makes the Internet work, right?
Sincerest regards,
-- Joseph W. Shaw II
Network Security Specialist/CCNA
Unemployed. Will hack for food. God Bless.
Apparently I'm overqualified but undereducated to be employed.
participants (9)
- Chris Crowther
- Christopher L. Morrow
- Joe Shaw
- John Fraizer
- Jon Mansey
- Jon O .
- Larry Diffey
- Richard A. Steenbergen
- Scott Francis