Re: distributed attack, high or not
In message <20020131025142.A12260@monet.titania.net>, "Joseph T. Klein" writes:
> I define it as random because the traffic rise could be seen coming in from multiple providers and looked to be the same percent from all sources (separate routers with separate interfaces to separate ASNs in separate geographic locations). The traffic was inbound and not backsplash from randomized source addresses.
>
> It looks to me like an infection with someone turning a control knob. Is this common or a precursor of a bad thing?
It's a classic DDoS attack, aimed at you. Someone has lots of zombie machines out there; at some point, they sent a command packet to all of them, saying "bombard such-and-such an IP address for 3600 seconds".

Common? It happens frequently to someone. Precursor? Entirely possible, though there's no way to know for sure. But it can be very bad -- see http://news.zdnet.co.uk/story/0,,t269-s2103098,00.html for what happened to a British ISP.

--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com
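The observation quoted above (the same percentage rise on every upstream, inbound rather than backscatter) is a usable triage heuristic. The following is an added example, not code from the thread, that applies it to constructed per-interface counter samples; the interface names, AS labels, packet-kind names and thresholds are assumptions.

```python
"""Classify a sudden inbound traffic rise from per-upstream counters.

Added example, not code from the NANOG thread. It applies the heuristic in the
quoted report: a rise of about the same percentage on every upstream (separate
ASNs) points to a widely distributed source set, while a rise on one ingress
points to a single flooding host or path. A second check asks whether the surge
looks like backscatter (replies provoked by someone spoofing our addresses)
rather than traffic aimed at us. All names and numbers are constructed data.
"""
from statistics import mean, pstdev

# Reply-type packets we receive when *our* prefixes are being spoofed elsewhere.
BACKSCATTER_KINDS = {"tcp_synack", "tcp_rst", "icmp_unreach"}


def rise_ratios(baseline, current):
    """Per-interface rise as a fraction of its own baseline (0.5 == +50%)."""
    return {ifc: (current[ifc] - baseline[ifc]) / baseline[ifc] for ifc in baseline}


def classify_rise(baseline, current, min_rise=0.5, max_spread=0.25):
    """baseline/current: upstream interface -> inbound bit rate before/during.

    Mean rise below min_rise is 'normal'. Otherwise the coefficient of variation
    of the per-interface rises decides: same proportional surge on every
    upstream -> 'distributed'; surge carried by one ingress -> 'concentrated'.
    """
    rises = list(rise_ratios(baseline, current).values())
    avg = mean(rises)
    if avg < min_rise:
        return "normal"
    return "distributed" if pstdev(rises) / avg <= max_spread else "concentrated"


def looks_like_backscatter(delta_pkts, threshold=0.8):
    """delta_pkts: packet kind -> extra packets/s over baseline. If most of the
    surge is SYN/ACK, RST or ICMP unreachable we are probably the spoofed
    source, not the target, and the real victim is somewhere else."""
    extra = {k: v for k, v in delta_pkts.items() if v > 0}
    total = sum(extra.values())
    if total == 0:
        return False
    reflected = sum(v for k, v in extra.items() if k in BACKSCATTER_KINDS)
    return reflected / total >= threshold


if __name__ == "__main__":
    base = {"ge-0/0/0 AS-A": 100e6, "ge-0/0/1 AS-B": 80e6, "ge-0/0/2 AS-C": 120e6}
    flood = {"ge-0/0/0 AS-A": 260e6, "ge-0/0/1 AS-B": 208e6, "ge-0/0/2 AS-C": 312e6}
    print(classify_rise(base, flood))  # distributed: +160% on every upstream
```

Feed it baseline and in-event samples from the same counters (SNMP interface octets or flow totals per upstream); the thresholds are starting points to tune against your own normal variation.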
We're entering protest season. The World Economic Forum opens today in New York City. Some protesters have launched what they call a cyber-protest using several different tools. So far it appears directed at a few selected, although well-known, corporations.

http://www.geocities.com/net_strike_net/english_active.html

On Wed, 30 Jan 2002, Steven M. Bellovin wrote:
> It's a classic DDoS attack, aimed at you. Someone has lots of zombie machines out there; at some point, they sent a command packet to all of them, saying "bombard such-and-such an IP address for 3600 seconds".
>
> Common? It happens frequently to someone. Precursor? Entirely possible, though there's no way to know for sure. But it can be very bad -- see http://news.zdnet.co.uk/story/0,,t269-s2103098,00.html for what happened to a British ISP.
So, this is thinly veiled hacking, in the name of protest. Very nice. I hope the folks doing this realize that this is no different than throwing a brick through a window, or otherwise damaging people's property, and that they are essentially vandals.

- Dan
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Sean Donelan
Sent: Thursday, January 31, 2002 2:46 AM
To: Steven M. Bellovin
Cc: Joseph T. Klein; nanog@merit.edu
Subject: WEF cyber-protest (was Re: distributed attack, high or not)

> We're entering protest season. The World Economic Forum opens today in New York City. Some protesters have launched what they call a cyber-protest using several different tools. So far it appears directed at a few selected, although well-known, corporations.
>
> http://www.geocities.com/net_strike_net/english_active.html
>
> On Wed, 30 Jan 2002, Steven M. Bellovin wrote:
> > It's a classic DDoS attack, aimed at you. Someone has lots of zombie machines out there; at some point, they sent a command packet to all of them, saying "bombard such-and-such an IP address for 3600 seconds".
> >
> > Common? It happens frequently to someone. Precursor? Entirely possible, though there's no way to know for sure. But it can be very bad -- see http://news.zdnet.co.uk/story/0,,t269-s2103098,00.html for what happened to a British ISP.
On Thu, 31 Jan 2002, Daniel Golding wrote:
:So, this is thinly veiled hacking, in the name of protest. Very nice. I
:hope the folks doing this realize that this is no different than throwing a
:brick through a window, or otherwise damaging people's property, and that
:they are essentially vandals.

It's not quite that simple. The more organized version of this sort of thing was organized by a single group who provided a tool (floodnet) which just requests the target's website over and over. Same principle as an old-fashioned sit-in or other 'flood the jails' tactics which are based on exhausting civic resources. The targets rely on, and thus are part of, the larger Internet infrastructure, which must bear the weight of the confrontation.

A regular DDoS (ICMP, UDP, other) would probably come from one or two crackers acting alone, or maybe a small team who operate independently of any political action group. They would unleash the DDoS because the political climate offered an opportune time to play with their zombie network, by taking advantage of the confusion.

Treat it like you would any other DDoS, bearing in mind that it is more likely to be the same people DDoS'ing as it would any other time. "Traditional" DDoS'ing isn't consistent with the real goals of any activist group I've heard of, including the ones who are blamed for confrontations with police. It's grim that there is such a thing as 'traditional' DDoS though.
On Thu, 31 Jan 2002, Daniel Golding wrote:
> So, this is thinly veiled hacking, in the name of protest. Very nice. I hope the folks doing this realize that this is no different than throwing a brick through a window, or otherwise damaging people's property, and that they are essentially vandals.

Real lawyers will be discussing "Internet Activism Basics: What Works, What Doesn't and What Will Get You Arrested" at the April Computers, Freedom and Privacy conference in San Francisco, CA. www.cfp2002.com

I know

router# lawyers
              ^
% Invalid input detected at '^' marker.

--
Now a card-carrying CCNA, would you trust me with enable?
participants (4)
- batz
- Daniel Golding
- Sean Donelan
- Steven M. Bellovin