From: "Duncan Patton a Campbell" (envelope-from campbell@neotext.ca)
Delivered-To: freebsd-security@freebsd.org
Date: Wed, 10 Jul 2002 07:10:29 -0000
Subject: FYI report: Reflected Distributed Denial of Service Attack
Message-Id: <200207100710.g6A7ATA01011@localhost.neotext.ca>

This is a report, FYI, on an ongoing Reflected Distributed Denial of Service attack directed against the domain indx.ca since June 30/02.

Background. The system (a website) consists of three FreeBSD 4.3 servers providing a GIS goods and services locator function to the net. Indx.ca is located in Burnaby, B.C., on an ADSL link supplied by a Telus reseller, Infoserve.net (cypherkey, aka aebc.com). Two boxes (ww1.indx.ca and ww2.indx.ca) provide the function's user front-end, with a third box (mail.indx.ca) providing support functions. The system is supported remotely from babayaga.neotext.ca (aka ww0.indx.ca), a FreeBSD 4.5 box located in Edmonton, Alberta.

History. The attack appears to have gradually ramped up over the weekend of June 29/30 but was first noticed by a squid proxy user as an inability to access the web at about 9:30pm Sunday.
Nothing special was noted until July 02, when it was realised that an attack was under way -- it was initially thought that a Windows trojan was responsible for the failure, and our initial efforts were directed that way (we are still not certain that the Windows trojan we have on ice isn't one of the zombies used to instigate the attack). By the early a.m. of July 02, responses between ww0 and the rest of the servers in BC were degraded to performance that resembled a Telebit PEP link: 1300 to 1700 millisecond responses to pings and a packet loss rate of > 70%.

By the afternoon of July 02 we had become convinced that we were under the gun of a reflected DDOS attack similar to that described by Steve Gibson on grc.com. Mail to these guys provoked a peculiarly blasé response, but, oh well. That's when the fun began. At this point verio (aka NTT) apparently blocked our addresses from going to grc.com. At the same time, Telus blocked communication between neotext.ca and indx.ca (yes, we have traceroutes), so I was forced to use a tertiary server to talk through. Initially we attempted to contact our immediate service provider by telephone and were met with a "sh!t deflection" response that called into question our competence and sanity. We "clearly" had a malfunctioning server that was causing the problem.

By July 03, we had convinced ourselves that it didn't matter what OS was plugged in, and that if anything was plugged into the mail.indx.ca address it would start a storm that would take several hours to die down. We changed all three servers' IP addresses and reconfigured our VPN (arghh). Arps from the Telus routers serving us (209.53.196.02 and 209.53.196.03) to our defunct mail address (209.53.196.69) continued regardless, as they continue even now. By July 06 we had finally received some non-committal nonsense from aebc.com's technical guy telling us that there were a lot of older servers in Asia and that maybe we should turn off named mapping on the 209.53.196.69. Bilge.
209.53.196.69 had not existed for days, and the port names in the tcpdump trace we had supplied are from inetd services, not named. As well, many of the servers/routers involved in the attack were North American in origin. At this point the arps continue to come in and I am sure that plugging in a machine to the address would invoke a storm.

Maybe I'm being paranoid, but this is not a technical problem at all. Our addresses were blocked by the telcos in a peculiarly useless and blatant manner, like the folks who did it were operating under really stupid or malicious orders that didn't make sense anyway. As well, our site is seen as stealing much bread from the telcos' management/sales: it is a highly innovative prototype entirely based on GNU/GPL software and systems that maps goods and services available on the internet to real locations where people can go buy these goods/services from other people. And it does this better than anything the telco management could dream up. So, given the financially stressed nature of the telcos and the blind rapacity of their management (Telus is currently re-orging again, and blaming their poor $$ performance on unions and over-paid workers, again -- no, I'm not in the union, and have never worked for Telus and after this letter probably never will ;-), it seems to me very likely that some people without too much technical know-how have got hold of a tool that sets off a reflective DDOS attack and are using it as a weapon to beat down anyone whose business they don't like or want to "absorb".

Warning, Warning, Will Robinson!

--
Duncan (Dubh) Campbell ;-)
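A defender-side check in the spirit of the tcpdump trace the poster mentions: an added example, not code from the post or from any of the parties named in it. It flags SYN/ACK replies arriving at a host with no matching outbound SYN, which is the shape of a reflected (DRDoS) flood bounced off many third-party servers; the host address and log lines are constructed.

```python
"""Flag unsolicited SYN/ACK replies in tcpdump -n style output.
Added example; not from the original mailing-list post. The victim
address 10.0.0.5 and every line in SAMPLE are constructed."""
import re
from collections import defaultdict

# Constructed tcpdump lines: 'S' = SYN, 'S.' = SYN/ACK.
# The first two lines are a legitimate handshake the host initiated;
# the rest are SYN/ACKs from reflectors the host never contacted.
SAMPLE = """\
00:00:01.000 IP 10.0.0.5.41000 > 192.0.2.10.80: Flags [S], seq 1
00:00:01.050 IP 192.0.2.10.80 > 10.0.0.5.41000: Flags [S.], seq 2, ack 2
00:00:02.000 IP 203.0.113.7.80 > 10.0.0.5.22: Flags [S.], seq 3, ack 100
00:00:02.001 IP 203.0.113.8.25 > 10.0.0.5.22: Flags [S.], seq 3, ack 101
00:00:02.002 IP 203.0.113.9.53 > 10.0.0.5.22: Flags [S.], seq 3, ack 102
00:00:02.003 IP 203.0.113.7.80 > 10.0.0.5.22: Flags [S.], seq 3, ack 100
"""

LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse(text):
    """Yield (src, sport, dst, dport, flags) for every line that matches."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])

def unsolicited_synacks(text, host):
    """Return {(reflector_ip, reflector_port): count} for SYN/ACKs sent to
    `host` that no earlier SYN from `host` to that endpoint explains.
    Many distinct reflectors hammering one local port is the reflected-DDoS shape."""
    sent_syn = set()               # (local_port, remote_ip, remote_port) we opened
    hits = defaultdict(int)
    for src, sport, dst, dport, flags in parse(text):
        if src == host and flags == "S":
            sent_syn.add((sport, dst, dport))
        elif dst == host and flags == "S." and (dport, src, sport) not in sent_syn:
            hits[(src, sport)] += 1
    return dict(hits)

def reflector_summary(text, host):
    """(distinct reflector endpoints, total unsolicited SYN/ACKs) for `host`."""
    hits = unsolicited_synacks(text, host)
    return len(hits), sum(hits.values())
```

On a real capture, feed `tcpdump -n` output through `unsolicited_synacks`; a large, growing reflector count against a single local port is the signal to take to the upstream provider together with the trace.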