Date: Wed, 10 Jul 2002 03:46:29 -0400
From: "sagacious" <sagacious@unixhideout.com>
To: <freebsd-questions@freebsd.org>
Subject: RE: FYI report: Reflected Distributed Denial of Service Attack
Message-ID: <CGEIKJFNGMJHCMFBJGJFKEFKCBAA.sagacious@unixhideout.com>
In-Reply-To: <200207100710.g6A7ATA01011@localhost.neotext.ca>
Heh, you're just figuring this out now. I got hit with one so hard my ISP shut ME off because they were annoyed and couldn't fix it. You can't run, you can't hide. And you can't fix. You can't do anything. This is why I believe they should regulate the internet. Make everyone swipe a smartcard before you go online, all these sleazy porn sites where the fat perverted man behind the monitor wearing greasy wife beater shirts, running windows "NT server", all the little ten year olds with too much time on their hands that are big and macho behind a computer screen, and all the other idiots that are ripping the internet apart, including all the l337 script kiddies as well as the worthless virii writers will disappear. I know this is going to stir up a lot of controversy, what?! government restriction? oh no.. But I'm just spitting my opinion, and you know if this was put intact, it would work well. The only people who would be bitter about the idea are the fat greasy men, and kiddies, etc. and the ones with something to hide.

To put a long story short, the internet is falling apart. You as the sysadmin can do nothing. You can install packet filtering, you can run a FreeBSD firewall, hardware firewall, ra ra ra.. The packets will still come down the line, and will clog your pipe, because that fancy ass expensive router or firewalled box still has to inspect the packets, and drop them. Your tube will be clogged.

However. I do have a small fix. If this is a simple syn flood where the prick is using up all your sockets, I ran this command, "route -n add -host bad-guys-ip-here 192.168.1.99" obviously no quotes. The 192.168.1.99 "machine" is nothing more than a fake IP address on my internal LAN. He was syn flooding my web server, I executed that, and I immediately popped back online. Take a look at man route. Whenever he tries to go to my website or use any other service he gets "page cannot be displayed". It worked for me, and it may work for you.

However if this is like you say, and it's an all out DOS, you're screwed. And if I'm wrong, or anyone has a way to stop this, please do let us know. I feel for you more than my attack. My website means a lot to me, but you are a BUSINESS. I feel for you. My site began to get real popular and I had over 300 users in IRC, and some little kiddie got jealous, and did not like how I succeeded and made sure I didn't. You see the similarities? There's nothing different here. I believe you when you say the other businesses are trying to take you out. I wish you all the luck. Install snort, get the IPs and use route, depending on the attack. Either that or go on a vacation.

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Duncan Patton a Campbell
Sent: Wednesday, July 10, 2002 3:10 AM
To: security@FreeBSD.ORG
Cc: jbrown@indx.ca
Subject: FYI report: Reflected Distributed Denial of Service Attack

This is a report FYI on an ongoing Reflected Distributed Denial of Service attack directed against the domain indx.ca since June 30/02.

Background. The system (a website) consists of three FreeBSD 4.3 servers providing a GIS goods and services locator function to the net. Indx.ca is located in Burnaby B.C. on an ADSL link supplied by a Telus reseller, Infoserve.net (cypherkey/aka aebc.com). Two boxes (ww1.indx.ca and ww2.indx.ca) provide the function's user front-end with a third box (mail.indx.ca) providing support functions. The system is supported remotely from babayaga.neotext.ca (aka ww0.indx.ca), a FreeBSD 4.5 box located in Edmonton, Alberta.

History. The attack appears to have gradually ramped up over the weekend of June 29/30 but was first noticed by a squid proxy user as an inability to access the web at about 9:30pm Sunday. Nothing special was noted until July 02, when it was realised that an attack was under way -- it was initially thought that a Windos trojan was responsible for the failure, and our initial efforts were directed that way (we are still not certain that the Windos trojan we have on ice isn't one of the zombies used to instigate the attack). By the early am of July 02 responses between ww0 and the rest of the servers in BC were degraded to performance that resembled a Telebit PEP link: 1300 to 1700 millisecond responses to pings and a packet loss rate of > 70%. By afternoon of July 02 we had become convinced that we were under the gun of a reflected DDOS attack similar to that described by Steve Gibson on grc.com. Mail to these guys provoked a peculiarly blasé response, but, oh well. That's when the fun began.

At this point verio (aka NTT) apparently blocked our addresses from going to grc.com. At the same time, Telus blocked communication between neotext.ca and indx.ca (yes, we have traceroutes) so I was forced to use a tertiary server to talk thru. Initially we attempted to contact our immediate service provider by telephone and were met with a "sh!t deflection" response that called into question our competence and sanity. We "clearly" had a malfunctioning server that was causing the problem. By July 03, we had convinced ourselves that it didn't matter what OS was plugged in, and that if anything was plugged into the mail.indx.ca address it would start a storm that would take several hours to die down. We changed all three servers' IP addresses and reconfigured our VPN (arghh). ARPs from the Telus routers serving us (209.53.196.02 and 209.53.196.03) to our defunct mail address (209.53.196.69) continued regardless, as they continue even now. By July 06 we had finally received some non-committal nonsense from aebc.com's technical guy telling us that there were a lot of older servers in Asia and that maybe we should turn off named mapping on the 209.53.196.69. Bilge. 209.53.196.69 had not existed for days, and the port names in the tcpdump trace we had supplied are from inetd services, not named. As well, many of the servers/routers involved in the attack were North American in origin. At this point the ARPs continue to come in and I am sure that plugging in a machine to the address would invoke a storm.

Maybe I'm being paranoid, but this is not a technical problem at all. Our addresses were blocked by the Telcos in a peculiarly useless and blatant manner, like the folks who did it were operating under really stupid or malicious orders that didn't make sense anyway. As well, our site is seen as stealing much bread from the telcos' management/sales: it is a highly innovative prototype entirely based on GNU/GPL software and systems that maps goods and services available on the internet to real locations where people can go buy these goods/services from other people. And it does this better than anything the Telco management could dream up. So, given the financially stressed nature of the Telcos and the blind rapacity of their management (Telus is currently re-orging again, and blaming their poor $$ performance on unions and over-paid workers, again -- no, I'm not in the union, and have never worked for Telus and after this letter probably never will ;-), it seems to me very likely that some people without too much technical know-how have got a hold of a tool that sets off a reflective DDOS attack and are using it as a weapon to beat down anyone whose business they don't like or want to "absorb".

Warning, Warning, Will Robinson!

--
Duncan (Dubh) Campbell ;-)

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
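The "install snort, get the IPs and use route" recipe from the reply, worked through as an added example that is not part of either message. It counts bare SYNs per source in tcpdump text output and prints the FreeBSD route(8) commands that would discard that source. The capture lines are hand-written (RFC 5737 documentation addresses, not a real trace), and the function names, the threshold and the use of 127.0.0.1 with -blackhole as the route target are my choices, not the reply author's.

```shell
#!/bin/sh
# Added example (not from either message): find the sources of a SYN flood in
# tcpdump text output and emit the FreeBSD route(8) commands that discard their
# traffic, the same idea as the reply's "route -n add -host <attacker> 192.168.1.99".
# Everything here is constructed: the capture lines are hand-written and the
# addresses are RFC 5737 documentation ranges.

# Constructed tcpdump lines: six bare SYNs from 203.0.113.5, then a normal
# handshake from 198.51.100.7 and a single SYN from 198.51.100.8.
SAMPLE_LOG='12:00:01.000001 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000002 IP 203.0.113.5.40002 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000003 IP 203.0.113.5.40003 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000004 IP 203.0.113.5.40004 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000005 IP 203.0.113.5.40005 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000006 IP 203.0.113.5.40006 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.100000 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [S], seq 9, win 65535, length 0
12:00:01.100500 IP 192.0.2.10.80 > 198.51.100.7.51000: Flags [S.], seq 3, ack 10, win 65535, length 0
12:00:01.101000 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [.], ack 4, win 65535, length 0
12:00:01.200000 IP 198.51.100.8.51001 > 192.0.2.10.80: Flags [S], seq 2, win 65535, length 0'

# Count SYN-only segments ("Flags [S]"; the server's SYN-ACK shows as "[S.]" and
# is skipped) per source address. Reads tcpdump text on stdin and prints
# "count ip" lines, highest count first.
syn_sources() {
    awk '/Flags \[S\]/ {
            n = split($3, a, ".")          # "203.0.113.5.40001" -> a[1..5]
            if (n == 5) src[a[1] "." a[2] "." a[3] "." a[4]]++
         }
         END { for (ip in src) print src[ip], ip }' | sort -rn
}

# Print one route(8) command per source at or above the SYN threshold.
# "127.0.0.1 -blackhole" discards silently (RTF_BLACKHOLE) instead of pointing
# at an unused LAN address that the kernel keeps trying to ARP for; swap in
# -reject if you would rather the source get ICMP unreachables.
blackhole_commands() {
    threshold=$1
    syn_sources | awk -v t="$threshold" '$1 >= t {
        print "route -n add -host " $2 " 127.0.0.1 -blackhole"
    }'
}

# Dry run: only prints the commands. Review them, then pipe into sh as root
# to apply. THRESHOLD (default 5) is the SYN count that triggers a route.
printf '%s\n' "$SAMPLE_LOG" | blackhole_commands "${THRESHOLD:-5}"
```

This handles the case the reply describes, a SYN flood from one or a few real source addresses, and nothing more. It does not help with the reflected attack in the forwarded report: there the victim receives SYN-ACKs from many legitimate servers that were fed spoofed SYNs, and the bandwidth is consumed on the upstream link before any host route on the victim is consulted, which is exactly why the reply says the pipe stays clogged. That case needs filtering at the provider, and the spoofed SYNs that drive it are what BCP 38 ingress filtering at the source networks is meant to stop.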