Ask Security Guru Dave Dittrich About DDoS Attacks

Yes, this is the University of Washington Dave Dittrich behind the software the FBI is trying to get you to use to help find the people doing the massive DoS attacks that have made headlines all over the place. Learn more about Dave and check out the info about the current brouhaha on his home page, then ask away. We'll send the 10 - 15 highest-moderated questions to Dave Friday evening, and post his answers as soon as he can get them to us in between answering questions from mainstream media types who, as you can imagine, are all over him right now.
  • by Anonymous Coward
    What in it makes it chew 200+ MB of memory? There is no warning that it wants so much. Maybe the FBI doesn't realize that the majority of Linux boxes out there don't have gigs and gigs of RAM; I have about 15 machines running at 128 MB or less. They'd crash if I ran that program without resource limits. nate aphro@aphroland.org
  • The average citizen probably shouldn't really care, except of course if they're smart enough to see how much they're being had by the so-called "justice" department. What do we know about DoS? It's pretty much all brute force and no finesse. What do we know about the FBI under the Clinton administration? It's about the least competent lineup of loonies in the history of the Bureau. AND they're obsessed about wiretapping, and checking out your private PGP keys. Why big companies? The visibility, period. The culprit: the FBI. The reason: to get us to install software on our servers which will allow THEM to monitor US. We're talking about a Bureau which can't seem to remove its head from its anus in the best of times. How do you think they came up with a tool which can take care of the current wave of attacks within 2 days of their occurrence? I'm not alone in thinking that the only way this is possible is if they were the initiators of that wave of attacks. Wonder why the DoS patch is available as a binary distribution only? Are you aware that it actually seeks out encrypted files on your systems? Other hints are that no one has seriously claimed responsibility for the attacks (hackers do what they do either to threaten and extort, or to boast) and the heightened amount of huffing and puffing from Janet Reno et al. And this is only the beginning.
  • How about this, because the big dollar corporations and Reno will work together to end the 'cyber terrorism', and because their solution might just take another piece out of the free Internet? Attacks such as these work to justify every regulation and restriction the Feds try to impose.
  • How do you circumcise a whale?

    Send down four skin divers!
  • by Anonymous Coward
    To what extent do you believe that the huge amount of media exposure given to these attacks has provided the perpetrators of these offences with both justification and encouragement for their actions? Do you believe that the attacks would have continued were it not for the fact that so much media attention was given to the original attacks upon Yahoo? If media attention is likely to lead to further attacks by either the original perpetrator/s or others, should the media adopt a policy of silence (as, for example, they might have in the wake of the Littleton incident [back in the real world]) or does such information want to be free? What is the value of such attacks, and of the subsequent media attention they garner, as a wake-up call to those who are still unaware of the potential pitfalls of the Internet and e-commerce? --George.
  • Disregard this post - this is not from VA Linux. This is called FALSE ADVERTISING AND LIBEL.
  • I am at Carnegie Mellon University and I have a Linux box that runs two eggdrop bots for a couple of IRC channels. (For those who don't know what they do - they just keep a channel's operators in proper order).

    A week or two before Yahoo!, CNN, and other big name companies were hit with this denial of service attack, some people (the same ones??) decided to try and take over one of the channels one of my machine's eggdrop bots runs. The attack lasted approximately 6 hours from beginning until end. When all was said and done, the network usage at Carnegie Mellon was 100% saturated and I received an e-mail in the morning that I had tried to crack a computer in the department of energy services (wherever that is).

    Now, the box is usually not under too much of a load, but does have several purposes - it is an FTP server, and a file server (I play my MP3s from it).

    All throughout the attack, my box actually held up against the attack! I was able to keep playing my MP3s, I was also able to continue (at a very slow pace however) my FTP transfers.

    What I want to know is if MY box (and Carnegie Mellon in general) could stand up to the DDoS attack, why shouldn't Yahoo! and CNN and other huge companies have enough network infrastructure to waylay such an attack? Was it just that my box was hit on a very low scale? Or are corporate networks just not up to snuff?
  • Dave, we've seen several reports implicating Solaris and Linux specifically in the DoS attacks, and the tools provided by you and the FBI are aimed at Linux and Linux-like operating systems. Are these OSs representative of the actual clients which are being co-opted as zombies to launch the DoS attacks, or are they merely typical upstream or intermediate systems with sufficiently rich toolsets to allow monitoring and filtering of traffic?

    Information I'd heard from someone who'd experienced an attack was that clients were in fact most typically Windows machines -- which makes sense as they are very common and very easily compromised. The compromising code was described as a windows or Java virus time bomb, pre-set to launch against a specified site at a specified time -- somewhat different from the "master" and "slave" scenario described in the trinoo papers. Several copies of the virus have been retained. How does this fit with your experience?

    What part of "Gestalt" don't you understand?

  • by Paul Crowley ( 837 ) on Thursday February 10, 2000 @01:03PM (#1287071) Homepage Journal
    Is vulnerability to DDoS-type attacks due to a flaw in the design of TCP or IP, or is the design of a network that's inherently resistant to such attacks an unsolved problem? Is it possible to imagine a fix that would address this, or a protocol that wouldn't be vulnerable even when many machines are compromised?
    --
  • OK, it has been obvious for years that TCP/IP is vulnerable to DoS attacks of all kinds. My question is who do you think has the best chance of fixing the DoS issues, hardware people such as Cisco (router makers) or ethernet chipset makers, or software people like kernel and network driver developers, or is it more of an issue of everyone will just have to work together to take TCP/IP to the next level? ...or is it just an issue of network admins need to learn how to apply existing technologies effectively to keep the skript kiddies under control?
  • Generally there are groups that I would think have a better chance to "fend for themselves" so to speak. I think we all could agree that Microsoft is not entitled to such protection because they most likely could easily hire their own private army of assassins to do some form of quasi-legal garbage and just might get away with it.

    Well that's just spanky. At what point do we point to a rich private citizen and say "Okay chum, you're on your own!"? Just because they're big and nasty doesn't mean they're not entitled to the protection of the law. What if they started enforcing their own laws? I mean, you're saying the burden of responsibility is on them, wouldn't they be entitled to do so? I for one shudder at the thought of Microsoft coming up with and enforcing their own laws! :)

    Corporations because like so many of the people here have said are EEEEEEEEEEEEVVVVVVVVVVVIIIIIIILLLLLLLL and are akin to the Third Reich in their effect

    Hmm, does this count as a Hitler reference?

  • I could say that if one were to get at least $1,000,000,000 that said person has most likely defrauded some person or done something dishonest in their lives. That is a fact that I am at least 99.9% sure of.

    <sarcasm>Well, I for one will sleep well at night knowing you're the one making these decisions for us.</sarcasm>. What is this, some kind of Slashdot Inquisition?

    ...music...

    I was forced to use the internet to get what I wanted ...

    In the early years of the third millennium, to combat the rising tide of corporate unorthodoxy, the Pope gave Cardinal slashdot-terminal leave to move without let or hindrance throughout the internet, in a reign of violence, terror and torture that makes a smashing post. This was the Slashdot Inquisition...

    I'm no fan of evil corporations either, which is why I support the justice department when it goes after them. I also support privacy groups that look out for our rights. However, I recognize that without corporations we wouldn't have all that we have today... like the Internet! Tell you what, as soon as you figure out a way to send IP over smoke signals you let me know and I'll join your inquisition. ;)

  • I have access to only a 2400bps modem at home. Does that mean that it is a crime if I don't have a local number for a BBS to E-trade? When you get some technology you become dependent on it. When you chose to live 50 miles from work and relied on your car and it dies, do you feel cheated?

    I find it very difficult to believe you can't go work at Burger King for a week to earn enough money to buy a new modem.

    And if some punk kids slash my tires on the way to work, yes I do feel cheated.

  • I just checked, no one's asked this one yet. Which of the proposed improvements in the internet's infrastructure (IPv6 et alia) do you think will actually do something about distributed DoS attacks of this nature?

  • I can think of several ways in which these may be illegal.

    First of all, simply taking down a web site costs a company a huge amount. These web sites are the places where these companies conduct commerce. If they are not online they are losing money.

    Second, I can see this as being a form of racketeering. I'm not sure how the law is written, but I can see them being hit under the RICO laws that were meant to hit the mob. They are using an interstate attack to stop a legit biz.

    Third, stock fraud. Imagine that the people who did this took a short position on stock in Yahoo, then slammed the server, the stock goes down and they make a fortune. It does not take a big movement of the market to make (or lose) a lot of money for a lot of people. And this is definitely insider trading.

    I'm sure the FBI and the DOJ will find a few others too. I hope they nail whomever did this one to the wall.
  • This is the most likely explanation. I mean, <b>I</b> could write such a tool, if I had enough time on my hands, and wouldn't care for more interesting problems.

    I don't believe all the conspiracy theories for a second. It was a single guy, or a very small group, and they were just trying to show off who's got the longest. It's been going on on IRC for ages.
  • by Effugas ( 2378 ) on Thursday February 10, 2000 @01:04PM (#1287080) Homepage
    While you've done an excellent job analyzing the various DDoS tools, one thing I think we all realize about DoS tools is that, as time passes, we *are* going to lose the ability to detect whether a packet is fully legitimate or if it contains a covertly channeled service denial command.

    What's more insidious is that I don't think we're going to even be able to determine the nature of an attack in progress. Given enough compromised clients, it's more than conceivable that enough pseudo-browsers surfing at a humanistic rate could take down highly database-driven sites, not even to mention overload the maximum number of streams a multimedia site can supply. Such an attack would only reflect itself as the attack of the <a href="http://slashdot.org/comments.pl?sid=00/02/08/1338245&cid=60">Window Shopping Hordes</a>--people who search for everything but buy...nothing at all.

    If we won't always be able to detect the initiation of these attacks, and we won't always be able to detect the commencement of these attacks, would it be fair to say that the only moderately reliable fingerprint of a looming attack is the single packet or set of packets that compromised the OS into loading the attack daemon in the first place?

    If so, how can we use such fingerprints to our advantage? Should arbitrary core routers initiate tracer logs and NOC notification when large scale OS compromise fingerprints are detected?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
  • by Effugas ( 2378 ) on Thursday February 10, 2000 @02:49PM (#1287081) Homepage
    <i>That requires holding massive amounts of memory to hold all the information about which packets are going where, how many, etc. </i>

    Nope, Sig. You need stateful analysis when you cross the single packet barrier--for example, when the presence of an outgoing SYN creates a temporary tunnel through the firewall for an incoming ACK of a given Port/ISN+1.

    It's just a comparison of the 32 bit Source Address with the 32 bit Network Address of the physical interface. That kinda thing doesn't even require Store And Forward...it's one or two AND ops. Where you start getting problems is when you have a layer or two of peered networks...but how many universities route packets for each other?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
  • by Effugas ( 2378 ) on Thursday February 10, 2000 @01:16PM (#1287082) Homepage
    How viable would spoof protection at the backbone level be? In other words, after a certain date, all downstream links are categorized as either able to peer for other network blocks, or simply not. Admins who can't be bothered to spoof-protect their networks would get IP source ranges outside their IANA assigned IP block dropped at their first upstream provider; sites which need to maintain peering relationships thus have their direct motivation (their backup networks will cease to function) to specifically lock down their peer forwarding to only those IP ranges they're actually peered with.

    Yes, you obviously get problems as peering scenarios get traveling-salesman levels of complexity, but most sites (to my knowledge) don't exceed more than a few levels of peering--we should take advantage of this fact to enforce a top down elimination of infinite source spoofability? And, if so, would the precedent that this creates help or hinder the growth and freedom of the Internet?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  • by Effugas ( 2378 ) on Thursday February 10, 2000 @04:41PM (#1287083) Homepage
    <i>A switch functions by only analyzing the raw ethernet (or mac) address. </i>

    Not necessarily, anymore. L3 Switching and even L4 Switching is quite hot nowadays. Matching bits and ANDing them--that's what switches do, and that's what IP Interface checking does. L3 and L4 switches essentially match more bits in their quest to do better and more accurate QoS. I'm not absolutely sure if Cisco's switches will do the IP range checking, but I wouldn't be surprised if they did it in hardware. Sig, it's a cheap operation.

    > A router works at a higher level, and CAN do
    > stateful analysis... but for speed you really
    > shouldn't - that's what the firewall is for.
    > Firewalling the backbones would be... umm..
    > very bad.

    For cryin' out loud, this has NOTHING to do with State. Either I'm sending out a packet on a bogus source, or I'm not. This contrasts *heavily* against "Firewall receives an ACK packet--is it spoofed, or is it a response to a pre-existing SYN? Better check the state..."

    I'm not talking about firewalling the backbones, only the entry points. And what the hell do you think Yahoo screamed at their ISPs to do when lots of traffic was coming down the pipe that had nothing to do with the Web? "KILL EVERYTHING BUT PORT 80!"

    That's not firewalling the backbones. That's managing the access points.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
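    The stateless source-address check described in the two comments above (an AND against the link's network address, with stub links allowed only their own block and peering links allowed the blocks they actually transit for), as an added example from the defender's side; it is not code from this thread or from Dave Dittrich's tools, and the prefixes and packets are constructed for illustration.

```python
"""Stateless anti-spoof (ingress) filtering at a network entry point.

Added example, not part of the original thread. Each downstream link on an
upstream router gets a list of prefixes it may legitimately source packets
from. A packet is admitted when (source AND mask) == network for some rule;
no per-flow state is consulted, so the check costs one AND and one compare
per rule. The addresses below are constructed sample values.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple


def ip_to_int(addr: str) -> int:
    """Convert dotted-quad IPv4 text to its 32-bit integer value."""
    return int(ipaddress.IPv4Address(addr))


def prefix_to_rule(prefix: str) -> Tuple[int, int]:
    """Return (network, mask) as integers for a CIDR prefix like '192.0.2.0/24'."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    return int(net.network_address), int(net.netmask)


class LinkFilter:
    """Anti-spoof rule set for one downstream link.

    kind == 'stub': a single-homed customer; may source only from its own
                    assigned block(s).
    kind == 'peer': a link that also transits for other blocks; its rule
                    list is the explicit set of prefixes it is peered for.
    """

    def __init__(self, name: str, kind: str, prefixes: Iterable[str]):
        if kind not in ("stub", "peer"):
            raise ValueError("kind must be 'stub' or 'peer'")
        self.name = name
        self.kind = kind
        self.rules = [prefix_to_rule(p) for p in prefixes]

    def permits(self, src: str) -> bool:
        """True if src lies inside a prefix this link may legitimately send from."""
        s = ip_to_int(src)
        # Stateless: mask the source and compare it with each allowed network.
        return any((s & mask) == net for net, mask in self.rules)


def apply_ingress_filter(
    link: LinkFilter, packets: List[Tuple[str, str]]
) -> Dict[str, List[Tuple[str, str]]]:
    """Split (src, dst) packets arriving on `link` into forwarded and dropped."""
    verdicts: Dict[str, List[Tuple[str, str]]] = {"forward": [], "drop": []}
    for src, dst in packets:
        verdicts["forward" if link.permits(src) else "drop"].append((src, dst))
    return verdicts


def summarize(link: LinkFilter, packets: List[Tuple[str, str]]) -> Dict[str, object]:
    """Counts plus the spoofed source addresses seen on a link."""
    v = apply_ingress_filter(link, packets)
    return {
        "link": link.name,
        "forwarded": len(v["forward"]),
        "dropped": len(v["drop"]),
        "dropped_sources": [src for src, _ in v["drop"]],
    }


# Constructed topology (documentation address ranges): a campus stub link
# owning one /24, and a peering link that transits for two other /24s.
UNIVERSITY = LinkFilter("campus-link", "stub", ["192.0.2.0/24"])
PEER = LinkFilter("peer-link", "peer", ["198.51.100.0/24", "203.0.113.0/24"])

# Constructed packets as seen arriving on each link: (source, destination).
UNIVERSITY_PACKETS = [
    ("192.0.2.17", "203.0.113.80"),    # genuine campus host
    ("10.9.8.7", "203.0.113.80"),      # spoofed: private source on a public link
    ("198.51.100.5", "203.0.113.80"),  # spoofed: that block belongs to the peer
]
PEER_PACKETS = [
    ("198.51.100.5", "192.0.2.17"),    # peer's own block
    ("203.0.113.9", "192.0.2.17"),     # transit block the peer is registered for
    ("192.0.2.250", "192.0.2.17"),     # spoofed: claims to be the campus
]

if __name__ == "__main__":
    for link, pkts in ((UNIVERSITY, UNIVERSITY_PACKETS), (PEER, PEER_PACKETS)):
        print(summarize(link, pkts))
```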


  • I'm currently looking for a job and I am very interested in the security side of System Administration. My question: Could you give a SysAdmin wanna-be some helpful advice, ideas, suggestions, etc. concerning career path? In my particular case, I don't have a CS or MIS degree (Liberal Arts actually) and about a year and a half of experience as an operator. I'm a Linux user and read O'Reilly books aplenty. Any advice would be greatly appreciated.

    ----------------

    "Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
  • What we're concerned with is the fact that you want us to run precompiled code.

    Not only that, but some of us can't run it even if we wanted to (and without source, I wouldn't want to anyway). Where's my Linux/Sparc executable? What about one for my DGUX/m88k machine? The internet is not just Linux/x86 and Solaris.

  • by Tet ( 2721 ) <slashdot@nOsPam.astradyne.co.uk> on Friday February 11, 2000 @12:08AM (#1287086) Homepage Journal
    From what I read of the specs on IPv6, all the data needed to track a packet from destination right down to the MAC address is included in the packet.

    I'm no IPv6 expert, but as I understand it, space is reserved for this information in an IPv6 packet, but it's not mandatory to fill it, it's only recommended. Maybe someone who knows more about IPv6 can confirm this?

  • there is....
    • alt.2600 [2600.com] (www.2600.com) - hacked pages database. Lists sites hacked by the month from what we can presume to be non-secured.

  • According to an article [theage.com.au], US government agencies had warned of such a DDoS more than a month ago. Supposedly, a "US Government agency warned more than a month ago that it had information that unidentified "intruders" were preparing for massive denial of service assault in the US."

    What I am curious to know is, say that you have this foresight, that these attacks are likely to come. What could large sites, such as Yahoo!, do to help prepare for the coming onslaught?

  • Another good example is eBay. Imagine you couldn't get in the last two hours to place a higher bid on an item you really wanted. Now you are PO'd, and the guy who was selling the item is out $$$.
  • Are these attacks really illegal?

    Of course. The people were purposely trying to bring a large web site to its knees - malicious intent.

    Furthermore, they illegally employed the use of other people's computers to perpetrate their crime.

    Imagine you did some action to congest the highways of a large city with road blocking thingies. Imagine you got caught. Would you be arrested? I'd bet so... and you'd probably be fined or put in jail for a short while.


  • Okay, we have heard a few.. Geeks trying to "have fun", electronic protest, NSA/Government conspiracy.

    Question: Are all the targets NASDAQ companies?

    Remember when eBay crashed a while back and its stock took a huge bite over the deal? Imagine if you had a very large investment on a "Sell Short" bet.

    Say I "Sell Short" a million dollars worth of Yahoo! stock, then pound on Yahoo! to cause the stock to drop. However we noticed it did not drop the first day so we have to do it again the next day etc...

    What do you think? Instead of making a DDoS sniffer, I would look for a Yahoo! competitor to be purchasing "shorts" of Yahoo stock.

  • I really believe the motive is money via stock price manipulation.

    Taking down a dot.com company is like grounding an airline's fleet.
  • Captain Taco... I like it.. I hope it sticks...

    ( just a little demotion, eh? )


  • This question might be seen as a troll, but it is not.

    Why do you want to help the FBI, Dave?

    The FBI is an apparatus for the Big Brother, the same Big Brother which has taken away so many of our basic rights, and the same Big Brother which has done a lot to limit our rights online!

    Why are you helping the FBI, Dave?

  • What do you think about setting up an ongoing distributed scanning effort, to identify compromisable machines, and to get the owners to lock them down?

    I would like your opinion both on whether this is doable and whether it would likely prove useful.

    Thanks,
    Ben
  • That requires holding massive amounts of memory to hold all the information about which packets are going where, how many, etc. Stateful inspection *really* slows down routers and the backbones can barely keep up with the growth rate as is.

    It's just not practical right now at the backbone level - not without a major, major overhaul of the existing system. Besides.. how do you define a DoS attack in the first place? It's easy to spot one now.. but what about 80k queries/sec that all look like legitimate traffic? How do you filter THAT ?

  • A switch functions by only analyzing the raw ethernet (or mac) address.

    A router works at a higher level, and CAN do stateful analysis... but for speed you really shouldn't - that's what the firewall is for. Firewalling the backbones would be... umm.. very bad.

  • Wonder what the response would be if they sent a few billion requests for random pages to their website and did searches..............
  • Maybe not directly related, but it is central to security...

    Why should businesses and individuals trust the government?

    As a business, why should it try to help the FBI? I've seen and heard about "busts" which leave a company high and dry. As a business, I wouldn't want something like what happened to Steve Jackson Games happen to me. If you want the support of both businesses and individuals.. what are you doing to assure them that you won't use heavy-handed tactics like stealing their computers or data? More institutions would come forward with their logfiles and information if they knew the FBI could be a) trusted with that information (there has been rumor that agencies like the NSA give out trade-secrets to shut down competing industry) and b) would not conduct an investigation of a scale or type which would interfere with normal business operations. I don't want to hear about how "illegal" such operations are.. I want to know who's accountable when such abuses are made, what procedures are in place to deal with such a contingency, and how effective these measures are.

    If you want to help national security - drop the pretenses and be honest with us.

  • Doesn't have be a "Yahoo! competitor" -- it can be some lamer day trader with a short position on his ETrade account.

  • by JoeBuck ( 7947 ) on Thursday February 10, 2000 @01:34PM (#1287102) Homepage

    You write:

    Given that IP spoofing is a fundamental flaw in IPv4 ...

    But is that really true? If every router refused to pass packets that clearly lie about their origin, IP spoofing would be a lot harder to do.

  • no, you don't need two cans and a string. you should, however, carry around 35 cents in case your cellphone dies.
  • If we could conclusively determine that the attack originated from within, say, Iraq, we would ask Baghdad to prosecute and we'd give them the tools to do so. If they refused, or denied, we could conceivably label that harboring a terrorist, and take retaliatory/defensive action.

    Of course, I have a very hard time imagining the Clinton Administration taking any kind of for-real action against terrorists. Remember his Great Crusade Against Terrorism in 1998? The one that coincided with impeachment, and dropped off radar in February 1999?

  • Is collateral damage a concern? I mean, if a site like Yahoo! is hit with a gigabit of data per second, won't that take up a lot of the bandwidth between the DoS clients and the target?

    Or are these sites so close to the Internet backbone that the additional traffic is localized?

    --

  • I know you're not a shrink or a sociologist, but I'm still very interested in your opinion: What is it about these smurf attacks that the people find so fascinating, or horrible? Do they really pose that serious a threat to network security? Why do the media find it fascinating?

    BTW, the DDoS scanner is a nice hack. Thanks for releasing the source!

  • This is a particularly interesting question. Similar discussion can be found in at least two other places where "bots" are used to replace humans; Quake & get-paid-to-surf systems.

    In Quake, bots can be used to aim and fire weapons, and they're deadly efficient. How do you tell the difference from an exceptional human and a standard aiming bot?

    With the schemes that pay you to surf, they try to make sure that someone is actually at the computer being exposed to the ads. They do this by monitoring mouse and keyboard activity. They claim to be able to detect bots, but I recall a quote from one CompSci professor who said that he'd fail any of his students that couldn't produce an undetectable bot.

    In the real world, you can tell that a traffic jam is artificial when you see the truck parked across the road, but how do you detect a DDoS attack with a low probability of false positives (or false negatives)?

  • Probably not, at least in the area covered by ARIN, due to the price of buying and maintaining IPv6 address space with ARIN.
  • What solutions, suggestions and advice can you offer people designing network systems and technologies to defend against DoS attacks? On what level should this be handled (IP, Application)? How can writers of new protocols (like ip6), servers (like Apache) and operating systems (like BSD or Linux) deal with this?
  • What do you have to say to the idea that this could be a DoS attack launched by computers infected with a Robert T. Morris-style worm? Would it be possible to launch something like this and have it and its probes remain undetected until a date where it will launch a synchronized DoS?
  • Heh, now that you mention it, that almost sounds viable... but only when you consider this less a case of "raising more consulting business", as much as it would be to boost John Vranesevich's already overinflated ego.

    Ut-oh. Maybe ole JV will try to sue me now.
  • by cswiii ( 11061 ) on Thursday February 10, 2000 @02:07PM (#1287112)
    I saw this evening on CNN that the FBI has enlisted the help of none other than Antionline, in its search for the perpetrators of the DoS attacks. What is your opinion, regarding this decision? How does this reflect upon the FBI's ability to investigate cybercrimes?
  • This is the guy who provided the source code to ddos_scan right here [washington.edu]. Even if he is behind the FBI's differently named tool as Roblimo is saying he obviously isn't asking you to run a tool without source code.

    You need to ask whoever it is that is administrating the web site at the FBI why there isn't source code available.

  • Hey, would you put your signature in your signature? I'm getting sick of looking at it.

    Thanks.

  • Sorry, it might be a bit off-topic, but I just have to say that Dave is a great help to the UW group and the linux community in general. I'm glad he's finally getting some great recognition.

    Way to go Dave!
  • <I>A ton of money flows into Amazon every day. In Oct, Nov, and Dec 1999, they took in about $676 million. So 2 hours of downtime could cost them 676m/90 days/24 hours * 2 hours = $626,000, over $5,000 a minute. </I>

    You can't use math like that. Sure - they expected that revenue during the 2 hours. What happened to those who couldn't buy? They didn't <I>all</I> run to a competitor. Some did what you always do with net trouble: waited, and tried again. Amazon probably had a period with slightly more sales than normal right after the attack, due to people catching up. Sure they lost some, but not all!
  • <I>Considering that the targets of these attacks have been large corporations and such I ask this. </I>

    You might as well ask "why should the average citizen care about shoplifters hitting large supermarket chains, large banks robbed, and so on?"

    The same answer applies.
  • <I>Is vulnerability to DDoS-type attacks due to a flaw in the design of TCP or IP, or is the design of a network that's inherently resistant to such attacks an unsolved problem? Is it possible to imagine a fix that would address this, or a protocol that wouldn't be vulnerable even when many machines are compromised?</I>

    This has nothing to do with IP, or even computers. Parts of the phone system get blocked from time to time in the same way - for example when a popular TV show advertises a phone number. "Call in first to get a prize..."

    So there is no solution as long as thousands of machines are available for breaking in. Fixing that still leaves stuff like "Tomorrow is the day when <I>everybody</I> looks at the MS website" or "Let's <I>all</I> call their shitty ordering number simultaneously." The only difference is that the latter two cases require cooperation by an interest group, while the DDoS attack simply requires the "cooperation" of crackable machinery.

  • <I>Would changing to IPv6 help eliminate these type of attacks? From what I read of the specs on IPv6, all the data needed to track a packet from destination right down to the MAC address is included in the packet. </I>

    Nope. First, IPv6 doesn't need to contain any MAC addresses. Second, you would merely track down the compromised systems. You can do that already using IPv4. It doesn't help, unless having a crackable machine becomes illegal. Third, these people are breaking rules already and wouldn't worry a bit about putting fake info in their IPv6 packets. Possibly causing trouble for some third party as well when angry but clueless sysadmins are misled onto them.

  • Filtering doesn't help. The attacker doesn't bother with bouncing strange packets. He simply breaks into tons of systems using an automated tool. He can then make each of those breakable systems attack - from perfectly valid addresses. Tracing back to the broken systems will be trivial, but the attacker doesn't care as it isn't <I>his</I> broken systems. Innocent people who have easily crackable machines get all the heat.
  • The tools for detection, and your explanations of the clients are great, but could the community get a chance to see some of the logfiles of the floods? You want this fixed real fast, post a few of those and let the brainpower of all the whitehat hackers loose on the problem.
  • by crush ( 19364 ) on Thursday February 10, 2000 @01:46PM (#1287129)
    It is nearly a mantra among us that there is no security through obscurity. It would seem that with a sufficient number of us too lazy or too ignorant to secure our own machines that there is possibly no security through openness either. Do you think that the open research model that Mixter, Farmer and others have always advanced as a reason for releasing their tools is still justified?
  • by angst_ridden_hipster ( 23104 ) on Thursday February 10, 2000 @01:59PM (#1287130) Homepage Journal
    I think one of the biggest issues will be identifying Denial of Service as an attack. I have a legitimate load testing utility that simulates actual browser traffic. Say I run it against someone else's site. They'll see that a lot of traffic's coming from me, and eventually figure out it's bogus and take appropriate measures. But distribute this, and it'll look like actual traffic. Get enough friends doing it, and we take 'em down with what appears to be perfectly normal browsing.

    The analogy to the "real" world is roads and bridges. During normal hours, they run well. During rush hour, they clog up and perform poorly. And during a demonstration (like recent examples in Seattle and Miami), they clog up and perform poorly. You can consider the recent anti-WTO situation up in Seattle to have been a DoS attack on downtown. But you wouldn't consider gridlock at 5:30PM in Los Angeles to be a DoS attack.

    To solve these problems, you have to know what's causing it. If it's just normal traffic and the infrastructure is insufficient, it gets ignored until people get fed up enough to vote more tax money into building wider roads or better public transportation (again, analogous to buying more servers or a fatter pipe). If it's demonstrators, you either address their concerns or you send in the National Guard to beat the crap out of them (depending on the political climate).

    In this world, it's easier to differentiate the two situations. If a bunch of cars are jammed together at rush hour, you know it's a traffic problem. If it's crowds of people singing songs and holding signs, you know it's a demonstration. And if it's a possible sick-out at Northwest Airlines, you're not sure if it's a DoS or not, so you get a warrant to read their home email and find out.

    With computer protocols, though, usage and abuse can look identical. Even wild surges in activity can be from legitimate usage. How do you foresee systems being put in place that can differentiate between actual usage and DoS? Doesn't this almost inevitably lead to some non-forgeable, traceable, unique identifier? And doesn't this translate to the demise of privacy on the web?
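As an added example (not part of the thread, and not any poster's code), the script below runs the two obvious checks over constructed web-server logs: a fixed per-source request-rate limit, and a comparison of the aggregate rate against the site's normal baseline. The client addresses, request counts and log lines are all constructed; the baseline of 20 req/s and the per-source limit of 5 req/s are assumptions. It shows the point made above: a single flooder trips the per-source rule, while the same volume spread thinly over many hosts looks like a lot of ordinary users and only shows up in the aggregate.

```python
"""Per-source vs. aggregate request-rate checks over constructed web-server logs.

Added example, not from the original thread. Addresses, counts and the log
lines below are all constructed; the analysis is a plain fixed-window count.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache common log format; only the client address and timestamp are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def make_log(clients, start, window_s):
    """Constructed traffic: each client sends `count` GETs spread evenly over the window."""
    lines = []
    for ip, count in clients.items():
        for i in range(count):
            ts = start + timedelta(seconds=window_s * i / count)
            lines.append(f'{ip} - - [{ts.strftime(TS_FMT)}] "GET /index.html HTTP/1.0" 200 2326')
    lines.sort(key=lambda l: parse_line(l)[1])
    return lines


def per_source_rps(lines, window_s):
    """Requests per second from each client address over the window."""
    parsed = [p for p in map(parse_line, lines) if p]
    counts = Counter(ip for ip, _ in parsed)
    return {ip: n / window_s for ip, n in counts.items()}


def classify(lines, window_s, baseline_rps, per_source_limit, surge_factor=3.0):
    """Apply two independent checks and report what each one sees.

    offenders: sources above a fixed per-client rate (catches a single flooder).
    surge:     total rate well above the site's normal baseline (catches the
               volume, but says nothing about who is responsible for it).
    """
    rates = per_source_rps(lines, window_s)
    total_rps = len(lines) / window_s
    return {
        "offenders": sorted(ip for ip, r in rates.items() if r > per_source_limit),
        "aggregate_rps": total_rps,
        "surge": total_rps > surge_factor * baseline_rps,
    }


# Three constructed scenarios over a 10 s window (hypothetical RFC 1918 / RFC 5737 addresses).
START = datetime(2000, 2, 9, 10, 20, tzinfo=timezone.utc)
WINDOW_S = 10
NORMAL = {f"10.0.{i}.5": 10 for i in range(20)}                            # 20 users, 1 req/s each
SINGLE_FLOOD = {**NORMAL, "192.0.2.99": 500}                               # one host at 50 req/s
DISTRIBUTED = {**NORMAL, **{f"198.51.100.{i}": 5 for i in range(1, 101)}}  # 100 hosts at 0.5 req/s


def scenario(clients):
    """Run classify() on a constructed log; assumed baseline 20 req/s, per-source limit 5 req/s."""
    log = make_log(clients, START, WINDOW_S)
    return classify(log, WINDOW_S, baseline_rps=20.0, per_source_limit=5.0)


if __name__ == "__main__":
    for name, clients in (("normal", NORMAL), ("single", SINGLE_FLOOD), ("distributed", DISTRIBUTED)):
        print(name, scenario(clients))
```

In the single-source case the per-source rule names the offender; in the distributed case the aggregate rate is identical (70 req/s against a 20 req/s baseline) but no individual client exceeds 0.5 req/s, so the only signal is "more traffic than usual", which is exactly what a legitimate surge looks like too.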
  • Given that this attack could be originated by someone in Europe or Asia, what sense is there in the FBI getting so involved? How will they handle the matter if it turns out that the cracker is in Libya, or Iran or Iraq? What if he's in China? What good does it do to try to track the cracker down, when a more productive effort would be to increase security awareness, and get people to configure their equipment properly?

    Hey Rob, Thanks for that tarball!
  • People who don't know how to drive should stay off the road. Most people feel that way.

    The Internet is being marketed like eye candy and everyone, I repeat EVERYONE, wants everyone to get on the "NET". These newbies and MCSE dime-a-dozen sysadmins are setting up the whole net for a big crash. There is NO WAY to protect the stupid and lazy from crackers. Every day there is more fresh meat for the crackers to exploit. Secure 3 systems and 20 more hit the net for the first time. I have scanned my subnet on RR and I have found people with their systems wide OPEN; I could have printed on their printers for Christ's sake.

    This issue is about locking down systems connected to the net. That is where the whole problem started. The best admin can't be expected to keep up with all exploits on all of his systems all the time, but he should have his Internet-facing systems LOCKED DOWN and a good firewalling/auditing plan in place to help him out.

    If we can't get admins with big pipes and big iron to keep the lid on their systems, how in the world do you think Joe PIII 750 with a DSL is going to fare?

    A persistent Internet connection is not a toy. People should have to take a class before they are given such a powerful weapon. People have had to take driving tests for years and everyone is better off for it. I wager that I could cause more damage with my computer than with any type of motor vehicle any day; of course nobody would get killed, but we seem to have even put a price tag on that as well.
  • I was going to make an observation along these lines, only with respect to network hardware manufacturers (Nortel, Cisco, Lucent et al.). Their end-user connectivity products (as opposed to backbone products) should not be forwarding spoofable-origin packets to the Internet BY DEFAULT. This would not be unduly burdensome to implement in software or hardware, although of course getting upgrades out to everybody is still an issue. Unfortunately, it seems the old distinctions of bridge vs. router vs. switch vs. gateway have all but disappeared these days in the rush to hook everything to the net....

    #include "disclaim.h"
    "All the best people in life seem to like LINUX." - Steve Wozniak
  • Most network-savvy folks know that IPv4 was never designed for the hostile environment that the Internet has become.

    For the Slashdot community: Is now the time to start pushing IPv6 to the World At Large, since IPv4 now has two large weaknesses (spoofing and small address space)? And what would you say to convince them or unconvince Slashdot readers?

    As you respond to this question, could you please reply in a fashion such that on-looking journalists can quote you to the general public?
  • Lee-nooks

    at least, that's more or less how Linus pronounces it... which is the only thing that really counts...
  • Hmm... I smell a potential conspiracy. I'm not accusing anybody of anything, but what if someone caused all this in the hopes of raising more consulting business (a less-paranoid version of the theory that the NSA is behind all this...)
  • Perhaps you're not exactly the perfect person to answer this question, but it seems to me that many companies claim outlandishly large costs of "damage" running in the millions and hundreds of millions, when these things occur. In your opinion, are these claims justified, or are they just scare tactics?

    (I know sites like eBay and Amazon, for example, do a lot of business, but really, millions of dollars lost? If I really wanted to buy the book, I could wait three hours till the site was back up, and they wouldn't lose any money. Where do these numbers come from?)

    Jazilla.org - the Java Mozilla [sourceforge.net]
  • I believe there's some law about real-life protesting... you're allowed to stand in front of a building and protest, as long as you don't prevent customers from getting into the building. I assume that it's not a huge stretch to extend that law to the 'net.
  • by interiot ( 50685 ) on Thursday February 10, 2000 @02:10PM (#1287150) Homepage
    If you've had much contact with security specialists working for the government, how much confidence do you have in them that they're smart enough to:
    • Understand the problem well enough
    • Spot good solutions if they come along
    Slashdot generally seems to feel that the government doesn't have a clue about tech issues, but the NSA has had its moments of brilliance in the past.

    DDoS attacks ARE a problem. I could imagine that they could serve as terrorist/psychological attacks in time of war. Because the computers that are doing the actual DoS attacks could be within the country being attacked, the attacks would be nearly impossible to stop at the borders.

  • TCP already includes `niceness' tests checking that TCP flows back off correctly rather than flooding the network, at the pain of being blacklisted. Could similar traffic analysis tools stop DDoS? How might this work, or if not, why not?
  • Why should I as the average net citizen and as a citizen of the United States care that sites are being taken down[?]

    Because it cost the targets a lot of money. And they'll have to make that up. So their prices will go up to make it back. Which means their competitors don't have to cut prices as hard. And Joe Random Consumer ends up footing the bill.

    And that's YOU, friend.

    And meanwhile, the law enforcement people will spend a lot more money hunting down and prosecuting the perpetrators. Paid for by YOUR tax money. And so your taxes go up, or your other services go down. Bucks out of your pocket again, or inconvenience because your road wasn't fixed or whatever.

    And sysadmins at ISPs and thousands of sites all over the internet will spend a bunch of time thrashing around over the issue. They don't work for free. Cost of internet service goes up - or doesn't go down as fast. That gets folded into the price of everything the ISP's customers sell, and into your internet bill. Meanwhile you don't get other fixes as fast.

    I could go on.

    But there's a silver lining:

    The digital anarchy will start patching this set of holes. This kind of DoS attack will get harder, and an unmodified version may become impossible. The net will be more robust.
  • Do we classify the engineers of these DOS attacks as Script Kiddies or Cyber Terrorists? And does the fact that they have only attacked big, commercial sites make them criminal losers or heroic vigilantes protesting the commercialization of the 'net?

    Further, _if_ it is a protest, does it make it any less wrong? Let us assume for a second that a group calling themselves the "Anti-Open Source Brigade" started shutting down Slashdot regularly, out of the sincere political conviction that Open Source was really a terrible evil. Forget that their logic may be flawed; these are a group of committed, idealistic young men who knock Slashdot off-line quite successfully for hundreds of hours during a two month period. And not just Slashdot: Freshmeat goes down, and all of the Andover sites, and Redhat, and every important Open Source proponent site on the 'net. Is it okay because their motives were pure?

    Lastly: if this were MS going down, how many cries of jubilation would we be hearing on Slashdot? And would it make us hypocrites?


  • Short-term, your tools help act as "virus-checker" type solutions. In terms of long-term solutions for DoS+spoofing attacks, the main one I've seen proposed is to convince all ISPs to filter their outbound traffic to prevent outbound spoofing of packets claiming to come from other networks.

    Given that IP spoofing is a fundamental flaw in IPv4, does this rise of spoofing-abetted DoS attacks increase the potential value of moving networks to IPv6 (with its per-packet authentication headers)? What solution would be best from your point of view?

    --LP

  • One would never do this with "every router"; at most, one would do this with routers on the "edge" of your network.

    Even then, you're imposing a burden on routers and more importantly router administrators to configure each router appropriately. And (somewhat like IPv6 adoption), you are requiring everyone on the Internet to adopt a procedure and process to make up for flawed technology. I'd call that a fundamental flaw.

    --LP

  • On point three, you don't seem to get it. You can't put fake info in their IPv6 packets without detection (and discard) being possible at each router in the network, thanks to the authentication header (which acts like a digital signature). IP spoofing can't be detected at the packet level unless you can make sufficient assumptions about the ever-changing network and program them into each of your routers.

    And back to point two, tracking compromised systems is a huge benefit since it A) speeds up the time to shut down/notify offending sites *much* more rapidly, even if they were hacked, and B) makes things much riskier for the hackers attempting to carry out such attacks.

    --LinuxParanoid
  • There are many ISPs who do this already. The problem, however, is that there are too many who do not. I would assume one of the major problems to be portable IP ranges. If we want Tier 1 ISPs to do this, that is a large problem. Then, when we realize some smaller ISPs should be doing it as well, we realize that it's a big pain to get everyone doing this.

    I'm all for such an initiative, but it would be tons of work and cost a lot of money.
  • With all the WAY inaccurate information in the previous article about the recent DoS attacks (and in the news) and such I'm glad to see /. is going to someone who has some good info and is involved in the whole deal. YAY /. for maybe even raising the bar for the media elsewhere.
  • I did say "maybe" for a reason.
  • Mega dittos. To use a phrase I don't often admit to.

    As part of the wild life and as a lover of the wilderness, I'm so glad to see a post here without the anarchist-paranoid party line. Without the general public's support, both direct and indirect (through firms they patronize as well as through policies adopted by the government), there would probably have been no Internet and certainly there would have been no world wide web.

    If people with good to excellent understanding ignore these net reliability issues, then people of little to no understanding will deal with them. Perhaps ending privacy and anonymity as we know it.

    Personally I suspect that securing 10,000 networks belonging to corporations, universities, and others with big fat pipes would go a LONG ways to denying the average script kiddie any base for these DDoS attacks.
  • We're entirely unworried about someone breaking into your machines and trojanning the code you're distributing. That's what md5 checksums are for, and that's why everyone uses them.

    What we're concerned with is the fact that you want us to run precompiled code. We don't know what this code does, because you won't release the source to it. We don't trust your assurances that it does what you advertise, and we're not about to potentially compromise our machines by installing government software on them.

    What are you hiding? Surely you know that if someone really wants to get around your scanner, they'll take the time to disassemble it and figure out how they're being scanned. The average person responsible for doing actual work, however, doesn't have that type of time at his disposal; Joe Sysadmin is going to laugh at your attempts to get him to run untrusted software.
  • Considering that the targets of these attacks have been large corporations and such I ask this.

    Why should I, as the average net citizen and as a citizen of the United States, care that sites are being taken down? And since the FBI is involved, does this mean this is a serious matter?
  • But I have perfectly functioning DSL, so I sold my modem and can't dial up anymore. What would I do then?

    For how much? A couple of bucks? I am sorry, but if you can afford DSL I don't think you're hurting, and if you can access E-trade I would especially say you're not hurting at all.

    I have access to only a 2400bps modem at home. Does that mean that it is a crime if I don't have a local number for a BBS to E-trade? When you get some technology you become dependent on it. When you chose to live 50 miles from work and relied on your car and it dies, do you feel cheated?

    I say you made the choice now live with it.
  • Maybe because you'd like to buy something from them?


    Could someone give me a good example where a couple of hours of time really matters in a situation where I could just get off my lazy ass and just get the same item from a "real" store?

    I really wouldn't mind getting some fresh air and still getting what I wanted from the store while not depriving people of freedom because some lazy cracker wants to bomb a site with IP packets.
  • I really believe the motive is money via stock price manipulation.

    So you think that this is a form of sophisticated industrial terrorism? That seems highly unlikely.

    Taking down a dot.com company is like grounding an airline's fleet.

    I surely hope that the internet concept of business is not the dominant form of doing business and that no other could be done to the level that an actual place of business becomes secondary.
  • Pardon my flame, but what an idiotic question.

    Pardon my counter flame, but I really was wanting to ask the individual who came up with this information exactly what *HIS* opinion on such things is. However I will continue to remain civil throughout this discussion and not get overly excited.

    First of all, corporations are owned and run by citizens. And what exactly does "average" mean? Anyone not like you is automatically a non-citizen and not deserving of protection under the law?

    Generally there are groups that I would think have a better chance to "fend for themselves" so to speak. I think we all could agree that Microsoft is not entitled to such protection because they most likely could easily hire their own private army of assassins to do some form of quasi-legal garbage and just might get away with it.

    Corporations, because, like so many of the people here have said, are EEEEEEEEEEEEVVVVVVVVVVVIIIIIIILLLLLLLL and are akin to the Third Reich in their effect. Well I guess those widdle ol' corporations can just fend for themselves now that the heat is on, or will you just moderate this down and just continue to think that the world is comprised of people who like money and money makers.

    I mean average man is not a person who could easily buy a large mansion in southern France and who has real worries and real concerns that do not seem like he belongs to the court of Louis XVI.

    Second, even if the attacks are against corporations not affiliated with you personally, others just might want to use the services they offer. Some of us even like the services they offer. Not to mention that attacks against them cause problems for sites in the general subnet vicinity (which might be some non-profit socialist site that you like).


    Nope, can't say that I use the internet on a daily basis to satisfy my hunger for stuff. I have only bought on the internet 2 times for a total of 3 items and that was only because I couldn't very easily get what I wanted at a store (debian CDs)

    Lastly, the FBI is involved because this is a very serious matter. It was an attack on the economic infrastructure. Maybe it's not a huge deal right now, but the net is becoming more and more important to the economy (particularly business-to-business services), and it's time to nip these idiots in the bud, and throw them in jail for twenty years to send a very strong message.


    What's that, "The Business of America is Business" --Calvin Coolidge 1924. I really hate business and its related power. That's why I got involved in CS, because I didn't want to spend the rest of my life counting someone else's money for the rest of my professional career.

    I can't even now see that a large portion of money is actually being transferred online versus traditional methods; I would love some hard data to back up your claims.
  • Uh, and exactly who is supposed to decide who gets protection under the law? Perhaps everyone who has over a certain amount of money should be just thrown in jail, since we know they couldn't have actually earned it. They must have stolen it by exploiting "average" citizens.


    I could say that if one were to get at least $1,000,000,000 that said person has most likely defrauded some person or done something dishonest in their lives. That is a fact that I am at least 99.9% sure of.

    Largely, to get more money than anyone else infers that you have some very large advantage over others with similar levels of work. I think that partly is bad. One could say that perhaps because I don't cheat people I am making less money than you if you do. That is what is bad.

    In fact, you've convinced me. By your standards, I think you're too rich to deserve protection under the law. I mean, it's pretty darn easy for you with your expensive computer, etc, when people are starving around the world.

    Wish I could show you my computer some time. Incidentally the computer I am writing these posts on doesn't even belong to me. I have a piece of shit for a machine. Sure, if you want to condemn me for at least getting something that would work halfway decently then perhaps I am guilty of that.

    I would almost bet $1,000,000 dollars that you in fact have bested me in the PC hardware arena any day of the week. However the people who are in other countries are in fact largely there because of policies that their governments took in the past which essentially made their countries less available for advancement. I really can't change history and neither can you.

    So all that matters is what's important to you, I see. Yeah, that's a rational outlook.

    It's called desperation; I'm sure you have never heard of it either. Essentially when you have called every retailer or wholesaler in a 200 mile radius for a product you are forced to look to the only other option available to you. I was forced to use the internet to get what I wanted; it was not a choice that would have resulted in getting the product to work properly without the choice, so therefore I made the choice.

    I already stated that it's "not a huge deal right now", but the time to nip it in the bud is when it's not a huge deal.

    I really don't think that using the internet will ever supplant the traditional means of shopping at all. You may think so and others may think so but that would mean that business will crawl to a slow pace and that half of everyone will be going broke if they actually try to run their own business. Eventually this will gain even more power for corporations and take away your power.

    I think I've probably been taken by a troll.

    Well haven't been moderated to that yet but I think with the sentiment that big business should be helped when things go wrong I guess I will be soon.

    Incidentally it is real hypocrisy to think that corporations are evil and must be destroyed one minute and are the perfect angels of the universe the next. Which one is it? Make up your mind right here and now before you people do even more contradiction and say that Windows is the best and that the moon is composed of cheddar cheese.
  • Pardon my flame, but what an idiotic question.

    First of all, corporations are owned and run by citizens. And what exactly does "average" mean? Anyone not like you is automatically a non-citizen and not deserving of protection under the law?

    Second, even if the attacks are against corporations not affiliated with you personally, others just might want to use the services they offer. Some of us even like the services they offer. Not to mention that attacks against them cause problems for sites in the general subnet vicinity (which might be some non-profit socialist site that you like).

    Lastly, the FBI is involved because this is a very serious matter. It was an attack on the economic infrastructure. Maybe it's not a huge deal right now, but the net is becoming more and more important to the economy (particularly business-to-business services), and it's time to nip these idiots in the bud, and throw them in jail for twenty years to send a very strong message.


    --

  • Generally there are groups that I would think have a better chance to "fend for themselves" so to speak. I think we all could agree that Microsoft is not entitled to such protection because they most likely could easily hire their own private army of assassins to do some form of quasi-legal garbage and just might get away with it.

    Uh, and exactly who is supposed to decide who gets protection under the law? Perhaps everyone who has over a certain amount of money should be just thrown in jail, since we know they couldn't have actually earned it. They must have stolen it by exploiting "average" citizens.

    In fact, you've convinced me. By your standards, I think you're too rich to deserve protection under the law. I mean, it's pretty darn easy for you with your expensive computer, etc, when people are starving around the world.

    Nope, can't say that I use the internet on a daily basis to satisfy my hunger for stuff. I have only bought on the internet 2 times for a total of 3 items and that was only because I couldn't very easily get what I wanted at a store (debian CDs).

    So all that matters is what's important to you, I see. Yeah, that's a rational outlook.

    I can't even now see that a large portion of money is actually being transferred online versus traditional methods; I would love some hard data to back up your claims.

    I already stated that it's "not a huge deal right now", but the time to nip it in the bud is when it's not a huge deal.

    I think I've probably been taken by a troll.


    --

  • Largely to get more money than anyone else infers that you have some very large advantage over others with similar levels of work.

    In my experience, that is simply not true -- on balance. Does it happen? Of course; there will always be bad people in the world. But yes, on balance, those that work the hardest get the biggest rewards. I think where you get off track is in the definition of "hardest". Ditch diggers work very hard, but that doesn't mean they deserve to be millionaires. On the other hand, the president of a large multi-national corporation probably looks to a lot of people like he has a cushy job. However, what he has is the ability to manage a monster organization like that, and not many people can do it. That's an incredibly difficult job.

    However the people who are in other countries are in fact largely there because of policies that their governments took in the past which essentially made their countries less available for advancement.

    A surprisingly rational statement. However, it's the unequal distribution of capitalism that keeps their economies down. In other words, the lack of the corporations that you loathe.

    I really don't think that using the internet will ever supplant the traditional means of shopping at all.

    Why does it have to be all-or-nothing with you? Even Jeff Bezos says that he doesn't think e-commerce will supplant bricks-and-mortar. But that doesn't mean it won't be huge, particularly for business-to-business. B2B will probably be larger than the consumer space, because that's where linking supply-chains really makes sense.

    Incidentally it is real hypocrisy to think that corporations are evil and must be destroyed one minute and are the perfect angels of the universe the next. Which one is it? Make up your mind right here and now before you people do even more contradiction and say that Windows is the best and that the moon is composed of cheddar cheese.

    Again, why does everything have to be all-or-nothing with you? Corporations are not living entities; they are owned by real people with real lives and real families. Are there evil people in the world that have abused workers or consumers? Of course. But so what? That's why we have laws. What does that have to do with the legal construction known as a corporation?

    And by the way, Windows is the best. Of course, the rub is in the definition of "best". Most consumers define "best" as the platform that supports the most applications, which is where work gets done. And the client end-user applications under Windows are far superior to anything else, particularly Linux. Not one client application under Linux is superior to the ones in Windows. Not one.


    --

  • Couldn't this whole problem be obviated by having ISPs modify their routers not to allow packets out that don't have a legal source address? If you're FlashTechComNet, and your entire network is under the address (say) 127.0.x.x, then if you just make your routers drop outgoing packets that have source addresses not in that netmask, doesn't that prevent this kind of thing? Obviously you can still try and flood someone, but you're going to have to be using IPs from that subnet, which makes you much easier to catch.
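The filter being proposed in the comment above, and in the earlier comments about customer-edge gear not forwarding spoofable-origin packets by default and about ISPs filtering their outbound traffic, as an added example that is not the thread's or any vendor's code. The ISP, its two customer prefixes (RFC 5737 documentation ranges are used as the hypothetical assignment), the interface names and the packets are all constructed. Besides the plain "source must be one of our prefixes" rule (BCP 38), it also shows the stricter unicast reverse-path check that a customer-facing router can apply: the source prefix must be routed back out the interface the packet arrived on, which also catches one customer spoofing another customer of the same ISP.

```python
"""BCP 38 source-address filtering at a network edge, with a strict uRPF variant.

Added example, not from the original thread. The ISP, its prefixes
(RFC 5737 documentation ranges), interface names and packets are hypothetical.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # customer-facing interface the packet arrived on


class EdgeFilter:
    def __init__(self, routes):
        """routes: {prefix: interface} for every prefix assigned to a customer."""
        self.routes = sorted(
            ((ipaddress.ip_network(p), iface) for p, iface in routes.items()),
            key=lambda r: r[0].prefixlen, reverse=True,  # longest prefix wins
        )

    def lookup(self, addr):
        """Longest-prefix match of addr against the customer prefixes; None if no match."""
        a = ipaddress.ip_address(addr)
        for net, iface in self.routes:
            if a in net:
                return net, iface
        return None

    def egress_allowed(self, pkt):
        """BCP 38: the source must belong to some prefix this network actually owns."""
        return self.lookup(pkt.src) is not None

    def strict_urpf_allowed(self, pkt):
        """Strict uRPF: the source prefix must be routed out the interface it arrived on."""
        hit = self.lookup(pkt.src)
        return hit is not None and hit[1] == pkt.iface


def filter_packets(flt, packets, mode="bcp38"):
    """Split packets into (forwarded, dropped) under the chosen policy."""
    check = flt.egress_allowed if mode == "bcp38" else flt.strict_urpf_allowed
    forwarded = [p for p in packets if check(p)]
    dropped = [p for p in packets if not check(p)]
    return forwarded, dropped


# Hypothetical ISP with two customers, each on its own interface.
FLT = EdgeFilter({"203.0.113.0/24": "cust-A", "198.51.100.0/25": "cust-B"})

# Constructed outbound packets as seen at the edge router.
SAMPLE = [
    Packet("203.0.113.10", "192.0.2.1", "cust-A"),  # legitimate customer A traffic
    Packet("192.0.2.7", "192.0.2.1", "cust-A"),     # source spoofed from an unrelated network
    Packet("127.0.0.1", "192.0.2.1", "cust-A"),     # loopback is never a valid source on the wire
    Packet("203.0.113.20", "192.0.2.1", "cust-B"),  # customer B spoofing a neighbour inside the same ISP
    Packet("198.51.100.9", "192.0.2.1", "cust-B"),  # legitimate customer B traffic
]


def forwarded_sources(mode):
    """Source addresses the edge would still let out under the given policy."""
    forwarded, _ = filter_packets(FLT, SAMPLE, mode)
    return [p.src for p in forwarded]


if __name__ == "__main__":
    print("bcp38:", forwarded_sources("bcp38"))
    print("urpf: ", forwarded_sources("urpf"))
```

The plain BCP 38 rule stops the two out-of-network sources but lets customer B send packets claiming to be customer A, since both prefixes belong to the ISP; strict uRPF stops that too, at the cost of breaking customers with asymmetric or multi-homed routing, which is why it is applied on single-homed customer ports rather than on backbone links. Neither check does anything about the other scenario raised in this thread, an attacker sending from compromised hosts under their real addresses.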
  • Are these attacks really illegal? Are companies really losing money? I see this as a form of protest (possibly) and if you were going to buy a cd from amazon and it was down...you could always come back later or go somewhere else. So what type of individual(s) do you think are responsible...perhaps a profile?
  • by john@iastate.edu ( 113202 ) on Thursday February 10, 2000 @01:36PM (#1287222) Homepage
    In other words, my question is:

    Isn't the intersection of the sets:

    • Clueless enough to allow massive DoS out of their network.
    • Yet likely to install this detector.
    pretty darn small?

  • by bons ( 119581 ) on Thursday February 10, 2000 @03:20PM (#1287223) Homepage Journal
    • What decent sites are there that offer security information for a variety of operating systems geared to either the average user or the power user?
    • With the influx of dedicated connections, it becomes more necessary for the end user to put security in place, however the end user does not want to pay for these tools. Is there an easy to use freeware package that can deal with this?
    • Given the following:
      • ISP companies, campus security, and companies that have connected all their machines to the internet tend not to have a good understanding of security.
      • Those that don't have a good understanding take a dim view of their customers that do.
      • It seems like the average security expert is a former "criminal hacker type" (mediaspace: a perception of reality defined by the media)
      What is our best hope for getting out of the dark ages of computer security anytime soon?
    • What odds would you give on this being an attack by the following classifications: an individual, an organized group, or the federal government?

    It strikes me as insanely easy to propagate this type of flood attack using a virus with this little dealie as part of the payload. If the virus kept track of the IP addresses of the machines it tried to infect it could be quite deadly. (send command to ping target IP to all possibly infected IP addresses using forged information then Ping target IP) The worst part is that the system could get recursive. (Machine X knows that it tried to infect machine Y. Machine Y knows that it tried to infect machine X. Commands bounce back and forth between them. Ouch. And tracing that one back would be close to impossible...

    -----

  • by Dr Caleb ( 121505 ) on Thursday February 10, 2000 @01:13PM (#1287225) Homepage Journal
    Dave,

    There seem to be several solutions floating around, mostly smart routers that track valid traffic and MAC addresses.

    Would changing to IPv6 help eliminate these type of attacks? From what I read of the specs on IPv6, all the data needed to track a packet from destination right down to the MAC address is included in the packet.

    Thanks.

  • Along the same lines, I always enjoy the companies who claim they have lost gazillions of dollars due to the hack. I know there's money involved, but the costs always seem to be very inflated.
  • Yeah, and I would have gotten away with my evil Dos attack if it wasn't for you and those pesky kids.

    Mr. Harper, the old fairgrounds caretaker

  • by 348 ( 124012 ) on Thursday February 10, 2000 @02:06PM (#1287233) Homepage
    5K a minute is chump change to them.

    I run revenue streams for companies like this and I can tell you the numbers that they attribute to loss are greatly exaggerated. They do it because it is more economical to write it off as bad debt (LIN also includes general corp losses) and take the tax break. The more they report as bad debt, the bigger the tax break. Makes quarterly reports look very good at the top and then they bury it deep inside the report. DoS, hacking, fraud, employee theft etc. all this goes into that line item.

  • How big of a problem do you see these DoSes becoming? Is this just another sway back to the crackers in the larger scheme of the computer security dialectic? Or is the nature of a DoS such that it will never go away?

    -Colbey (Josh Rosenberg)

  • by hiendohar ( 133407 ) on Thursday February 10, 2000 @01:21PM (#1287242) Journal
    With the increasing popularity of broadband, always-on connections and the increasing distribution of networking software, it seems like "Joe DSL" faces a greater risk of having his system compromised than before. How much can the average user be expected to learn about securing their system? Do you foresee developments, either in software, education or in other services that might help private computer users or small time administrators protect themselves better?
  • I will say this: The FBI had a working version of their tool over New Years Day weekend, and it detected a stacheldraht daemon running on one of the machines in our network. This allowed me to take early proactive steps to reduce the odds that one of my systems would be part of such childishness.

    SANS and CERT have been on this in a low-key sort of way for a month and a half, and system administrators have been scanning, reading logs, and taking extra steps to secure their systems.

    This has raised awareness, and while I sympathize with the victims of the past few days, it certainly vindicates the amount of time I have spent reading syslogs, installing patches, running scans for illicit activity, and so forth. And I am under no illusions that my systems are immune.
    -----------------------------------------
