Hi people,
For the last few days, I have experienced a series of DDoS attacks on various targets around the globe. The general target is the EFNet irc network, and servers have been attacked all through Europe, USA, Canada, Israel, and such. Due to the various attacks, more than half of the servers on the network were black holed (null routed). The others which hold 1/3 of the client count, are attacked, or going to be attacked soon. If this keeps on going, this irc network will cease to exist.
These attacks are all coordinated, and some people are trying to locate the source. A lot of traffic is coming via AboveNet from Korea. A lot of "zombies" are used to attack targets, PCs infected with trojans, that can be remote controlled.
In this time of need, it would be a great help if the large carriers would be helpful in tracing the traffic. I am trying to gather more data, and since a lot of ISPs were attacked (C&W, Concentric, Global Crossing, Exodus, different academic institutes in the US, Internet Gold in Israel via UUnet, the Swedish Telia backbone and academic institutes in Sweden, Russian Rosstelekom, gigabell.de in Germany and the list goes on), I think this is a time when these people have to be stopped.
At this time, it would be very helpful if AboveNet people could contact me in private.
thanks,
--Ariel
--
Ariel Biener
e-mail: ariel@post.tau.ac.il
PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html
On Wed, 11 Jul 2001, Ariel Biener wrote:
> Hi people,
Hi IRC-nobody who should have contacted Abovenet directly.
> For the last few days, I have experienced a series of DDoS attacks on
On IRC servers? Have you contacted Ripleys? This has NEVER happened before! I can't BELIEVE that an IRC server has attracted the attention of a script kiddie!
> Due to the various attacks, more than half of the servers on the network were black holed (null routed). The others which hold 1/3 of the
If the entire network were null routed, I'm betting that your attacks would go away.
> client count, are attacked, or going to be attacked soon.
Especially since you're giving free battle damage assessments out on NANOG.
> If this keeps on going, this irc network will cease to exist. These
Finally someone has found a POSITIVE use of DDoS scripts!
> attacks are all coordinated, and some people are trying to locate the source. A lot of traffic is coming via AboveNet from Korea. A lot of
And in the true spirit of IRC, none of the brainchildren in charge had the wherewithal to actually contact Abovenet directly, huh?
> "zombies" are used to attack targets, PCs infected with trojans, that can be remote controlled.
Zombies: People whose lives revolve around IRC.
> Russian Rosstelekom, gigabell.de in Germany and the list goes on), I think this is a time when these people have to be stopped.
I agree. DOWN WITH ALL IRC NETWORKS!
> At this time, it would be very helpful if AboveNet people could contact me in private.
Have you perhaps considered picking up the telephone and calling them? I hear it's a much faster route than whining on NANOG.
---
John Fraizer
EnterZone, Inc
And I thought there was no more sarcasm on nanog. Silly me. I'll get up off the floor in a few minutes.
--
Leo Bicknell - bicknell@ufp.org
Systems Engineer - Internetworking Engineer - CCIE 3440
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
> before! I can't BELIEVE that an IRC server has attracted the attention of a script kiddie!
I cannot believe the attitudes I am seeing on NANOG over this event. Your comments do not help this situation whatsoever; if you do not like IRC, feel free to rant in your own private forums rather than on a list for network operators. No matter what you may think about IRC, or EFNet in particular, it should be accorded at least your professional courtesy.
IRC (EFNet) has been around a very long time. You probably would not define it as a "critical" Internet service, but it has served many people in several different types of situations - everything from natural disaster to personal distress. It is as real a service provided on the Internet as the Web or anonymous FTP sites. DDoS attacks affect us all - and his call for assistance reflects the danger to the providers of IRC servers as much as anything else.
Quite frankly, DDoS attacks in any form should be squashed with as much energy as the network engineering community can muster. The reality of DDoS is that if the "evil empire" (I'm speaking metaphorically here) of script kiddies can just take down any service they want, then when those script kiddies find reason to target you for any particular reason and you raise a cry for help, nobody will listen.
If you do not define EFNet as critical, that is one thing. But the attacks on one IRC network could grow to encompass any other IRC network, or any other service on the Internet. I'm reiterating the obvious here, since you do not seem to possess enough clue to get it yourself. The times, they are a'changin'. Soon YOU will be the provider of content as well as a provider of connectivity, and you will be subject to the same situation EFNet is going through now.
You cannot simply ignore DDoS attacks based on the fact they are targeting EFNet. Attacks on EFNet (and any other Internet service of similar ilk) are attacks, by extension, on the providers of Internet service at large and of the very business model we attempt to make money on (some of us are succeeding) - people want services that you do not offer, so they use you to get there, but they will still call you if they do not work.
I'm getting windy here, but I think you get the idea.
T
On Wed, 11 Jul 2001, Timothy Brown wrote:
> > before! I can't BELIEVE that an IRC server has attracted the attention of a script kiddie!
> I cannot believe the attitudes I am seeing on NANOG over this event.
Really? Strange. I can. And just so nobody is mistaken, 100% of my sarcasm resulted in some IRC person whining to the NANOG list VS contacting the NOCs of networks in question directly.
> Your comments do not help this situation whatsoever; if you do not like IRC, feel free to rant in your own private forums rather than on a list for network operators.
My comments helped me substantially. I feel MUCH better! If they want to whine about their IRC network being DDoS'd, they should do it on their IRC network and NOT on the North American Network Operators Group mailing list. OOPS! I almost forgot. They're being DDoS'd. They probably can't even log onto their IRC servers. Too bad. Maybe they'll use this as an excuse to perhaps expose themselves to fresh air (as in OUTSIDE THEIR HOMES.) We can only hope.
> No matter what you may think about IRC, or EFNet in particular, it should be accorded at least your professional courtesy. IRC (EFNet) has been
Excuse me? I'm not condoning ANY attack. If they MUST attack something, I'd rather it be IRC than anything else I can think of.
> around a very long time. You probably would not define it as a "critical" Internet service, but it has served many people in several different types of situations - everything from natural disaster to personal distress.
I'm going to be sick. Granted, it's "nifty" that someone used an otherwise (IMHO) useless waste of bandwidth to summon help. Just think of how much more efficient it would have been for them to hang up the friggin' modem and dial 911. (And don't bother trying to argue that E911 service isn't a world-wide service. If they can master IRC, services, bots, blah, they can manage to summon help via conventional means as well!)
> It is as real a service provided on the Internet as the Web or anonymous FTP sites.
OK. If you say so. (Bwahahahahah!)
> DDoS attacks affect us all - and his call for assistance reflects the danger to the providers of IRC servers as much as anything else.
Hrm. The last time I checked, running through S. Central LA screaming racist slogans would summon the attention of people who wanted to attack you. When you do it, and get attacked, I don't know very many people who would feel even the slightest bit sorry for you. Running an IRCd is not any better. It's BEGGING to be attacked. I don't feel the slightest bit sorry for you. Again, I don't condone the attacks in either case. I do understand the cause and effect relationship though.
> If you do not define EFNet as critical, that is one thing. But the attacks on one IRC network could grow to encompass any other IRC network, or any other service on the Internet.
I don't define *ANY* IRC network as critical.
> I'm reiterating the obvious here, since you do not seem to possess enough clue to get it yourself. The times, they are a'changin'.
You're funny.
> You cannot simply ignore DDoS attacks based on the fact they are targeting EFNet. Attacks on EFNet (and any other Internet service of similar ilk) are attacks, by extension, on the providers of Internet service at large and of the very business model we attempt to make money on (some of us are succeeding) - people want services that you do not offer, so they use you to get there, but they will still call you if they do not work.
I have NEVER gotten a SINGLE complaint from a SINGLE lUSER who couldn't get to an IRC network. I don't anticipate it happening any time soon.
> I'm getting windy here, but I think you get the idea.
I got the idea that you were windy in your first paragraph.
> T
"I pity the fool!"
---
John Fraizer
EnterZone, Inc
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of John Fraizer
Sent: July 11, 2001 11:23 PM
To: Timothy Brown
Cc: nanog@merit.edu
Subject: Re: DDoS attacks
> Really? Strange. I can. And just so nobody is mistaken, 100% of my sarcasm resulted in some IRC person whining to the NANOG list VS contacting the NOCs of networks in question directly.
He's not the first one to have posted NANOG asking "Can someone from $NETWORK contact me please?"... Oftentimes if you're being ignored through normal channels, it's probably a good enough method, since someone from every single network seems to lurk around here.
> > Your comments do not help this situation whatsoever; if you do not like IRC, feel free to rant in your own private forums rather than on a list for network operators.
> My comments helped me substantially. I feel MUCH better! If they want to whine about their IRC network being DDoS'd, they should do it on their IRC network and NOT on the North American Network Operators Group mailing list. OOPS! I almost forgot. They're being DDoS'd. They probably can't even log onto their IRC servers. Too bad. Maybe they'll use this as an excuse to perhaps expose themselves to fresh air (as in OUTSIDE THEIR HOMES.) We can only hope.
Hmmm. Tell me, why can't we s/IRC network/AS13944/ and also s/They/John/ and apply it to your network? The issue here is simple: these people are trying to provide a service, one that's fairly popular and also very easily abused (hmmm, reminds me of large binaries on Usenet, but that's besides the point). They're getting DDoSed. Tell me, with your attitude, do you expect people to help you if someone on your network gets DDoSed? I mean, what makes your customers more important to the rest of the universe than those people's IRC server? (And I should mention that IRC server is someone's customer too, somewhere)
> > No matter what you may think about IRC, or EFNet in particular, it should be accorded at least your professional courtesy. IRC (EFNet) has been
> Excuse me? I'm not condoning ANY attack. If they MUST attack something, I'd rather it be IRC than anything else I can think of.
You seem to be condoning the attack, actually. You're saying above: "Great. Too bad those people are being DDoSed, maybe they can go outside and get a life." That doesn't strike me like an anti-DDoS stance. Remember, their IRC servers and your customers' servers both speak IP...
> > It is as real a service provided on the Internet as the Web or anonymous FTP sites.
> OK. If you say so. (Bwahahahahah!)
Well, I say so too. Of _course_, for each of us, it seems that what matters is only what we provide and our own networks, it seems (I guess humans' natural instinctive selfishness applies to network operators). Let's see here: if 66.37.218.192/27 was to vanish, would you care much? would I care much about 66.35.64.0/19 disappearing? Sadly, probably not, but we both should care about each other's networks at least somewhat, because whatever makes 66.37.218.192/27 go byebye may make 66.35.64.0/19 melt the next day.
> Running an IRCd is not any better. It's BEGGING to be attacked. I don't feel the slightest bit sorry for you.
And what do you propose to do about running ircd being begging to be attacked? For all we know, in a week from now, it could be running httpd or a DNS server that could be the target. We've already seen it once when a whole bunch of major web sites were the target for a week or so, and I'm fairly sure it could be MUCH worse.
> > If you do not define EFNet as critical, that is one thing. But the attacks on one IRC network could grow to encompass any other IRC network, or any other service on the Internet.
> I don't define *ANY* IRC network as critical.
I don't define AS13944 as critical, either... As I said above, everyone's definition of critical seems to revolve around their own network and perhaps extends to a few hops beyond their borders.
> > I'm reiterating the obvious here, since you do not seem to possess enough clue to get it yourself. The times, they are a'changin'.
> You're funny.
So are you. :) I'm glad all of us here have a good sense of humour.
> I have NEVER gotten a SINGLE complaint from a SINGLE lUSER who couldn't get to an IRC network. I don't anticipate it happening any time soon.
You're lucky, then... Every large ISP that I've seen (usually with an incompetent abuse department) that gets blocked from $MAJOR_IRC_NETWORK generally has a number of angry complaining users very soon.
Vivien
--
Vivien M.
vivienm@dyndns.org
Assistant System Administrator
Dynamic DNS Network Services
http://www.dyndns.org/
On Wed, 11 Jul 2001, Vivien M. wrote:
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu]On Behalf Of John Fraizer
> > My comments helped me substantially. I feel MUCH better! If they want to whine about their IRC network being DDoS'd, they should do it on their IRC network and NOT on the North American Network Operators Group mailing list. OOPS! I almost forgot. They're being DDoS'd. They probably can't even log onto their IRC servers. Too bad. Maybe they'll use this as an excuse to perhaps expose themselves to fresh air (as in OUTSIDE THEIR HOMES.) We can only hope.
> Tell me, with your attitude, do you expect people to help you if someone on your network gets DDoSed? I mean, what makes your customers more important to the rest of the universe than those people's IRC server? (And I should mention that IRC server is someone's customer too, somewhere)
Unfortunately John's apathy and arrogance is typical of most providers I've dealt with when trying to get them to stop originating ddos attacks. At this point I don't think John has any bridges left to burn.
-Dan
On Wed, Jul 11, 2001 at 11:22:40PM -0400, John Fraizer scribbled:
| On Wed, 11 Jul 2001, Timothy Brown wrote:
| > > before! I can't BELIEVE that an IRC server has attracted the attention of
| > > a script kiddie!
| > I cannot believe the attitudes I am seeing on NANOG over this event.
|
| Really? Strange. I can. And just so nobody is mistaken, 100% of my
| sarcasm resulted in some IRC person whining to the NANOG list VS
| contacting the NOCs of networks in question directly.
And you are not whining about something? (I am whining too.)
--
Michael C. Wu
keichii@{iteration.net|freebsd.org}
On Wed, 11 Jul 2001, John Fraizer wrote:
> On Wed, 11 Jul 2001, Timothy Brown wrote:
[ snip ]
> > It is as real a service provided on the Internet as the Web or anonymous FTP sites.
> OK. If you say so. (Bwahahahahah!)
John- I might want to mention that there are many people on this list who are affected by DDoS attacks on a daily/weekly basis- and who do not have any IRC servers on their networks. DDoS is serious and is certainly not going to just magically go away with IRC.
> > DDoS attacks affect us all - and his call for assistance reflects the danger to the providers of IRC servers as much as anything else.
> Hrm. The last time I checked, running through S. Central LA screaming racist slogans would summon the attention of people who wanted to attack you. When you do it, and get attacked, I don't know very many people who would feel even the slightest bit sorry for you.
> Running an IRCd is not any better. It's BEGGING to be attacked. I don't feel the slightest bit sorry for you.
You really should. IRC servers are not the only targets in DDoS attacks, and more attacks will continue to be launched to *all* areas of the internet community in the near future.
> Again, I don't condone the attacks in either case. I do understand the cause and effect relationship though.
Your logic could also conclude - if you don't want your website to get attacked by a DDoS, then you have no business having a presence on the internet to begin with.
> > If you do not define EFNet as critical, that is one thing. But the attacks on one IRC network could grow to encompass any other IRC network, or any other service on the Internet.
> I don't define *ANY* IRC network as critical.
That is not the point.
> > I'm reiterating the obvious here, since you do not seem to possess enough clue to get it yourself. The times, they are a'changin'.
> You're funny.
> > You cannot simply ignore DDoS attacks based on the fact they are targeting EFNet. Attacks on EFNet (and any other Internet service of similar ilk) are attacks, by extension, on the providers of Internet service at large and of the very business model we attempt to make money on (some of us are succeeding) - people want services that you do not offer, so they use you to get there, but they will still call you if they do not work.
> I have NEVER gotten a SINGLE complaint from a SINGLE lUSER who couldn't get to an IRC network. I don't anticipate it happening any time soon.
Everyone has a different customer-base. My users go crazy when they can not connect to IRC servers.. And if there is anything I can do to help eliminate DDoS attacks from spreading like wildfire, I am all willing. Just because you may not have much experience with being victimized and/or being a colo provider when DDoS's randomly take out segments of your network, does not mean you should discredit others' posts regarding this serious network operator's issue. Doing so just makes having lists like this useless to those who would like them to become somewhat productive.
> John Fraizer
---
Brad Baker
Director: Network Operations
American ISP
brad@americanisp.net
+1 303 984 5700 x12
http://www.americanisp.net/
Stoned koala bears drooled eucalyptus spit in awe as John Fraizer exclaimed:
> My comments helped me substantially. I feel MUCH better! If they want to whine about their IRC network being DDoS'd, they should do it on their IRC network and NOT on the North American Network Operators Group mailing list. OOPS! I almost forgot. They're being DDoS'd. They probably can't even log onto their IRC servers. Too bad. Maybe they'll use this as an excuse to perhaps expose themselves to fresh air (as in OUTSIDE THEIR HOMES.) We can only hope.
Why don't you follow your own advice instead of being such a sarcastic ass on here 24x7?
Jeff
--
"...and the burnt fool's bandaged finger goes wobbling back to the fire." -Joe Zeff in the SDM.
On Wed, 11 Jul 2001, John Fraizer wrote:
> Finally someone has found a POSITIVE use of DDoS scripts!
> I agree. DOWN WITH ALL IRC NETWORKS!
I can't help but think of that quote "Guns don't kill people, people kill people". If you think IRC makes DOS attacks, you need to do some serious thinking. Consistently, attacks have been launched against IRC servers and then later used to attack other entities. But, there is a whole class of network operator out there that would rather just say "Down with IRC" than deal with the actual issues of these attacks. A whole lot of information about the nature of these attacks could be gained if the attacks against the IRC servers were analysed, but alas, everyone seems to just think that if IRC servers go away, DOS attacks will. When they move on to hitting web servers with content they don't like, or mail servers of people they don't like, and one of those happens to be yours, we'll see what you have to say.
Jason
--
Jason Slagle - CCNP - CCDP
Network Administrator - Toledo Internet Access - Toledo Ohio
- raistlin@tacorp.net - jslagle@toledolink.com - WHOIS JS10172
/"\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
\ /  ASCII Ribbon Campaign    . Interim Team Lead -   . Admin -
 X   - NO HTML/RTF in e-mail  . Coders                . wombat.dal.net
/ \  - NO Word docs in e-mail . Team Lead - Exploits  . DALnet IRC Network
Issues surrounding IRC go back to the days when we invented it (anyone here remember the RELAY network on BITNET?).
For some good reading, check out:
http://web.inter.nl.net/users/fred/relay/relhis.html
And read the section labeled "The Growing Pains" where we ran into problems when we had 30 (thirty) people connected.
AlanC {been there, done that, have the NETCON tee-shirt}
participants (11)
- Alan Clegg
- Ariel Biener
- Brad
- Dan Hollis
- Jason Slagle
- Jeff Workman
- John Fraizer
- Leo Bicknell
- Michael C. Wu
- Timothy Brown
- Vivien M.