
Anti-DDOS Alliance In The Works?

Posted by timothy
from the defusing-disruption dept.
Rackemup writes: "This article on ZDNET says McAfee and some anti-DDOS vendors are finally teaming up to address DDOS attacks and Code-Red-like network scanning. Seems like they're finally catching on that a purely reactive approach to Internet and virus attacks isn't going to cut it anymore, even after all the media coverage of these latest virus attacks there are still loads of zombie machines out there merrily scanning away, looking for others to infect."
  • by SpanishInquisition (127269) on Monday August 20, 2001 @05:39PM (#2199589) Homepage Journal
    It was called a Mac User group in the 80's, but now, I don't see how it could be relevant.
  • Hmm.. (Score:3, Funny)

    by PopeAlien (164869) on Monday August 20, 2001 @05:43PM (#2199604) Homepage Journal

    For the anti-DDoS vendors, the partnership with McAfee is a golden opportunity to show that their nascent solutions can detect and shut down these attacks before they cripple corporate networks.

    We did it.. Yep, we saved you from a huge attack that would have crippled your network.. No, honestly, we did.. Please see attached invoice.
  • "...and also to discover and eliminate the "zombies" that attackers use to launch their assaults."

    How will they identify the zombies that happen to be WinXP boxes and have their IP addresses spoofed?

    • "How will they identify the zombies that happen to be WinXP boxes and have their IP addresses spoofed?"

      FYI, Steve Gibson has posted his latest explanation of the WinXP Raw Sockets Vulnerability here [grc.com] from whence the concern of "WinXP boxes and ... their [spoofed] IP addresses" evidently first originated.

      Steve & Co. also provide two "quick 'n dirty" FREE programs to download to:

      test your access to "raw sockets" (all Win OS)

      secure NON-SYSTEM "raw sockets" access (Win2K & WinXP) to see that Win2K & WinXP continue to function just fine

      The funny part is that Steve Gibson now uses Microsoft's own MSDN Technical Documentation against Microsoft. Steve provides quotes from the Microsoft MSDN websites and links to the original Microsoft Technical Documentation.

      As of 8/13/01 @ 0801 PST, all the links to the Microsoft Technical Documentation PROVING (?) Steve Gibson's points were fully functional.

      BTW, for a "nail biting" (grin - soon to be a motion picture - grin) tale of one man's experience with a Distributed Denial of Service attack read both here [grc.com] and SlashDot commentary [slashdot.org] to learn where Steve's fear of WinXP Raw Sockets originates (i.e. WinXP zombies doing DDOS with the easy to spoof WinXP box IP addresses due to desktop Joe/Jane-consumer user always being "root")

      Funny thing now is that Steve Gibson can now quote chapter and verse back to Microsoft and ask Microsoft "Why are you [microsoft] now contradicting yourself."

      BTW, there is now an "astroturf" (?) website devoted to debunking Steve Gibson here [grcsucks.com] although all the DNS details [networksolutions.com] seem bogus ("How convenient for the astroturf PR agency!!!" says the Church lady)

  • The latest in protecting your networks; Our skilled team of ninjas will stealthily infiltrate data centers where infected machines are running and slice off their network connection.

    McAfee: We have lots of ninjas(TM).
  • Zombies? (Score:3, Funny)

    by Tregod (441880) on Monday August 20, 2001 @05:52PM (#2199640)
    we all know that the only way to kill a zombie machine is to accidentally lose one's hand, therefore, giving one the opportunity to replace it with a chainsaw and hack-away (physically) at the undead machines.
    • Yes, I can certainly see it now:

      "Every dead machine that is not exterminated gets up and kills! The machines it kills get up and kill!"

      Or maybe it's just way too early in the morning...

    • we all know that the only way to kill a zombie machine is to accidentally lose one's hand, therefore, giving one the opportunity to
      replace it with a chainsaw


      workshed

      and hack-away (physically) at the undead machines.

      groovy
    • "More brains!"
      The Return of the Living Dead (1985)
  • Something like this may be dependent on the ISPs to fully implement. McAfee may release a tool that can sit on a Cisco router or a firewall or something that will watch for possible DDoS data, such as a flood of UDP packets to a port that's rarely accessed, in an effort to protect one of their customers from being DDoS'd. Given the number of ISPs out there that pay attention to security issues (see Steve Gibson's DDoS Post-Mortem [slashdot.org]), will ISPs actually expend the effort to help the situation with DDoS?

    I suspect not, given how quickly some email viruses spread despite both McAfee and Symantec providing virus scanning products for use on SMTP relay servers.
    • Sorry, try this link instead [slashdot.org]
    • So the next time you begin playing q3 multiplayer your ISP cuts your connection.

      As for the grc.com stuff. He got countless offers of help he just decided that it would be a better article if he ignored them.

      You really don't want the ISP monitoring everything going to/from your computer. Do you really trust them enough for that? A sudden increase of traffic can't be marked as a DDoS attack. It might just be that your site was linked from slashdot.

      If everyone would just patch their systems we would not have these problems. There are too many incompetent system administrators out there.
        • Most of the DDoS troubles could not be prevented by patching correctly, as some have exploited holes for which there is no patch; hence the ISPs can help by intelligently disallowing useless incoming traffic. Being the company grc is, I'm 100% sure they had all their patches up to date, yet what could they have done ahead of time to prevent being hit with a DDoS?

        I trust my ISP with my data. I pay them to transport it from my machine to another. Who knows what they can already do with it? Many blocked TCP port 80 because of Code Red. I'm on a cable modem; anyone on my cable segment with the right equipment can pick up on my traffic, hence I'm not concerned if someone sees my data; I encrypt the stuff I don't want others to see. Besides, the ISP would be watching the entire network, not just me, and they would be filtering for obvious junk traffic directed at a single IP in a possible DDoS attack.

        A site being slashdotted would be allowed because the traffic is from tens of thousands (maybe even millions) of IP addresses (as opposed to a few hundred from the typical ddos attack) all going after tcp port 80 (which is a standard port, as opposed to UDP port 5785, which isn't a standard port for anything afaik)
        • yet what could they have done ahead of time to prevent being hit with a DDoS?
          Bought themselves an AS and multi-homed with two separate ISPs (say, UUNet and Qwest)? Just a thought...
        • being the company grc is, I'm 100% sure they had all their patches up to date

          It's not grc that needs to patch their systems. The people whose boxes were owned and used to attack grc need to patch their systems. zyklone's 100% right. DDoS can happen because so many machines on the Internet are trivial to own. Without all those boxes being fixed, the ISPs and everyone else are at the mercy of the hackers.

          Remember, Code Red only uses an IIS 5 vulnerability. What percentage of Windows boxes on the Internet is that? I'd guess small. What if the next worm uses a general Windows bug instead of just IIS? What if they ALL started flooding? This is the point I think zyklone was trying to make. Until everyone takes responsibility for the security of their own boxes, everyone else is at risk.

          A site being slashdotted would be allowed because the traffic is from tens of thousands (maybe even millions) of IP addresses (as opposed to a few hundred from the typical ddos attack) all going after tcp port 80 (which is a standard port, as opposed to UDP port 5785, which isn't a standard port for anything afaik)

          Heard of Code Red? Read your comment again with that in mind. Doesn't seem so cut and dry now, does it?

          IMHO,
          Michael
    • At least one admin at my ISP has stated (in a local newsgroup) that it is not their job to censor http traffic. This from an ISP that is very good at filtering spam for those who want it.

      Is there some kind of disconnect at work in their thinking? How would you compare the two situations?
      • Filtering spam is one thing. A lot of people demand it of their ISP because it is a problem they are capable of seeing.

        Monitoring http traffic is only the tip of the iceberg, but is not the problem. By their nature, DDoS attacks are intentional sending of junk traffic to a specific IP address in an attempt to prevent legitimate network traffic from getting through. In Steve Gibson's case (see my link above), a script kiddie assembled 500 compromised Windows 9x machines from broadband connections and had them all fire off a million packets each of 64K in size all at UDP port 666 (along with ICMP ping packets to further fill the pipe), effectively filling grc.com's bandwidth and denying legit connections to/from grc. In a span of several hours on one of the attacks, grc's ISP blocked a total of over 4.3 billion packets. But because the packets were 64K in size, the packets had to be broken apart and reassembled. After the packets were broken apart, this created over 500 billion packet "chunks."

        McAfee is building a firewall product that will be programmed to pick up on this type of activity and filter out that traffic, protecting the network behind that firewall without the human intervention that Steve Gibson required.

        But as someone else pointed out- what about a site being slashdotted? A site getting slashdotted will receive around 1000 hits per minute all at TCP port 80, a standard port, with request packets being less than 1k apiece and a different set of 1000 machines each minute. In grc's DoS attacks, all the attacks were directed at UDP port 666, the packets 64K in size, and all the attacking machines were the same and never changing. After some thought, you can see how this is certainly inordinate in even rare circumstances.

        Hence, while an ISP admin says monitoring http traffic is beyond the scope of their duties, protecting computers on their network is still one, particularly from known attacks like DoS. Many ISPs are blocking TCP port 80 (the standard http port) because of Code Red, meaning those ISPs show interest in protecting their customers' computers. Likewise for ISPs filtering spam. Unfortunately, these ISPs are few in number.

        The reason I bring up the warning in "ISPs may be required to do work" is that in Gibson's situation, he contacted the ISPs (@home, RoadRunner, Earthlink, etc) of where the majority of the compromised computers were attacking him, and they refused to do anything or even listen to him. This was despite Gibson being an expert in firewall technology, meaning he knows what he's talking about. Gibson's own corporate ISP gave him the run-around during the first few attacks (eventually, the support engineers gave him their home contact info). Gibson basically demonstrated that even though ISPs are capable of preventing problems, they won't because it's not in the interest of their bottom line (profits). I make the comment "may require work" because in Gibson's story, we see several ISPs refusing to do anything even out of being good Samaritans. Therefore, how can we expect ISPs to install the McAfee anti-ddos firewall (discussed by that ZDnet article above) on their network?
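A defender-side check that turns the slashdotting-versus-flood distinction drawn in the post above into code. This is an added example, not code from the thread or from any McAfee product; the flow records, thresholds and private addresses are constructed assumptions.

```python
"""Telling a flash crowd (a slashdotting) apart from a flooding DDoS.

Added example, not code from the thread or from McAfee's product. It turns
the poster's rule of thumb into a check over flow records: a flash crowd is
tens of thousands of distinct sources sending small requests to TCP/80,
with the source set changing minute to minute, while the grc.com flood was
a few hundred fixed sources each firing a million 64 KB UDP datagrams at
port 666. Thresholds and flow records are constructed assumptions.
"""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Flow:
    src: str        # source IP address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    packets: int    # packets seen from this source in the window
    avg_bytes: int  # average IP datagram size in bytes


# Assumed thresholds for this example; a real deployment would tune them
# against the protected site's normal traffic.
STANDARD_PORTS = {25, 53, 80, 443}
MAX_DDOS_SOURCES = 1000         # "a few hundred" zombies vs. tens of thousands of readers
MIN_FLOOD_PKTS_PER_SRC = 10000  # a reader sends a handful of packets, a zombie sends millions
LARGE_DATAGRAM_BYTES = 1400     # above the Ethernet MTU a datagram must be fragmented


def fragments_per_datagram(size: int, mtu: int = 1500) -> int:
    """How many IP fragments a datagram of `size` bytes needs on an `mtu` link.

    Every fragment carries its own 20-byte IP header, so a 64 KB datagram
    becomes dozens of fragments the victim's stack has to reassemble; this
    is why billions of blocked datagrams turn into far more "chunks".
    """
    if size <= mtu:
        return 1
    return math.ceil((size - 20) / (mtu - 20))


def source_churn(previous: Iterable[Flow], current: Iterable[Flow]) -> float:
    """Fraction of this window's sources that were absent in the last window.

    Near 0.0 for a fixed zombie army, near 1.0 for an ever-changing crowd.
    """
    prev = {f.src for f in previous}
    cur = {f.src for f in current}
    if not cur:
        return 0.0
    return len(cur - prev) / len(cur)


def classify(flows: Iterable[Flow]) -> dict:
    """Score one observation window and return a verdict plus its indicators."""
    flows = list(flows)
    if not flows:
        return {"verdict": "idle", "indicators": {}}
    distinct = len({f.src for f in flows})
    total_pkts = sum(f.packets for f in flows)
    avg_size = sum(f.packets * f.avg_bytes for f in flows) / total_pkts
    (proto, dport), _ = Counter((f.proto, f.dport) for f in flows).most_common(1)[0]
    indicators = {
        "few_sources": distinct <= MAX_DDOS_SOURCES,
        "flood_per_source": total_pkts / distinct >= MIN_FLOOD_PKTS_PER_SRC,
        "nonstandard_port": proto == "udp" or dport not in STANDARD_PORTS,
        "oversized_datagrams": avg_size > LARGE_DATAGRAM_BYTES,
    }
    hits = sum(indicators.values())
    if hits >= 3:
        verdict = "ddos"
    elif hits == 0:
        verdict = "flash_crowd"   # many sources, modest rate, standard port, small packets
    else:
        verdict = "suspicious"    # hand to a human rather than auto-filter
    return {"verdict": verdict, "indicators": indicators, "sources": distinct,
            "top_port": (proto, dport), "avg_bytes": round(avg_size),
            "fragments_per_datagram": fragments_per_datagram(round(avg_size))}


def make_flood(n_sources: int = 500, pkts: int = 1_000_000) -> List[Flow]:
    """Constructed window: the grc.com pattern, fixed hosts, 64 KB UDP to port 666."""
    return [Flow(f"10.0.{i // 256}.{i % 256}", "udp", 666, pkts, 65535)
            for i in range(n_sources)]


def make_flash_crowd(n_sources: int = 20000, offset: int = 0) -> List[Flow]:
    """Constructed window: many distinct readers, a few sub-1 KB requests each on TCP/80."""
    return [Flow(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", "tcp", 80, 5, 700)
            for i in range(offset, offset + n_sources)]


if __name__ == "__main__":
    print(classify(make_flood())["verdict"])         # ddos
    print(classify(make_flash_crowd())["verdict"])   # flash_crowd
    print(source_churn(make_flood(), make_flood()))  # 0.0
    print(source_churn(make_flash_crowd(), make_flash_crowd(offset=20000)))  # 1.0
```

A "suspicious" verdict is deliberately left for a human: a single indicator (say, a legitimate UDP game server on an odd port) is not enough to start dropping a customer's traffic.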
  • by Ryu2 (89645) on Monday August 20, 2001 @05:54PM (#2199651) Homepage Journal
    Stopping these DDOS attacks in software is a step, but still, you're using bandwidth and CPU cycles you otherwise wouldn't have. Network infrastructure companies like Cisco etc. could probably play a good role.

    Imagine if routers could be dynamically updated to intelligently scan traffic for DDOS attack patterns and block these before any host in the internal network even sees it.

    MIT has done a lot of work in this area of "Active Networking".

  • Recent threats such as the code Red and Leave worms are proof that virus writers and hackers are pooling resources to produce hybrid weapons that can cause tremendous damage.

    Yes, more anti-hacker media hype caused by a couple of retards who just fucked up everyone's day.
  • Finally (Score:5, Funny)

    by Reality Master 101 (179095) <RealityMaster101@NoSpam.gmail.com> on Monday August 20, 2001 @06:00PM (#2199674) Homepage Journal

    Apparently they read my post [slashdot.org] on this subject. :)

    There is no doubt in my mind that ISPs need to take better action. I should be able to report probing and infection to the ISP, and they should investigate the other party. If it's a rogue hacker, they report them to the authorities. If it's a virus, the other party should be notified and their connection pulled until the system is disinfected.

    Having had my Linux box infected/hacked via the WU-FTPd bug, I know that this is not limited to Windows machines.

    In fact, I might even be open to public financing of ISP's investigation departments under a law-enforcement arm. This is a public nuisance issue. Just as you don't want a fire at your neighbor's house setting fire to your house*, we should have "fire fighters" putting out viruses as well.

    *Incidentally, to all the Libertarian wackos who think that fire departments should be privately hired by each homeowner, this is why it needs to be under the "promote the general welfare" part of the constitution.

    • I know a few people who are running non-infected Web Servers and they're still getting a fair amount of traffic related to the Code Red (and variants) virus.

      To them this is an annoyance (cuz it smears the access log) at worst and a conversation piece at best. But what actions should be taken to eliminate this? Because most of these people are Windows 2k or XP users and have a web server turned on by default (thanks again MS), they spew out these requests whenever they're online. These users have no idea they're infected and may not even know they were at risk in the first place. It seems pretty harsh to kill their connection just for running a buggy OS. But they should be notified by someone.

      If the ISPs can't or won't notify these users, is there some legal and moral middle ground others could take? We've kicked around the idea of sending winpopups to these users with instructions on how to clean their systems. Someone could write a nice virus that would close this hole for them and reboot their systems.

      Any other suggestions? Have people really been successful at getting support from ISPs regarding this issue?

      • I know a few people who are running non-infected Web Servers and they're still getting a fair amount of traffic related to the Code Red (and variants) virus.

        Yea, verily. While I was waiting for this article to load, I popped out to the shell to grep my Apache logs, and sho nuf I'm still seeing Code Red requests. Last one was, um, about twenty minutes ago. It's quieted down to about one an hour, but still.

      • I know a few people who are running non-infected Web Servers and they're still getting a fair amount of traffic related to the Code Red (and variants) virus.
        http://salfter.dyndns.org/codered.shtml [dyndns.org]

        5877 attempts logged from 2140 hosts as of now. 129 of them are from today. It's tapered off, and a greater proportion is from other service providers, but it's still coming in. My server auto-responds to each attack attempt with a popup on the remote console.

      • If the ISPs can't or won't notify these users, is there some legal and moral middle ground others could take?

        I would like to see a law specifically permitting a response to virus and worm attacks. We could have an agency which identifies legitimate attacks and grants the world an authorized response to the attack.

        For example, the agency (let's call it the Internet Defense Agency) would identify the Code Red worm as a legitimate problem. The IDA would define an HTTP request of "GET default.ida..." as an attack event. Any time someone detects the attack event, they would have permission to respond in a certain way (like plugging the hole or notifying the machine's owner). The response would depend on the situation.

        Obviously, this agency would have to follow guidelines (they could not permit someone to erase the attacker's hard drive).

        I would much rather see the IDA than have congress do something totally stupid and ineffective, like requiring all web servers to have a license.
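The log triage the posters above describe (grepping Apache logs for Code Red hits, the attempts-from-hosts tally, and treating "GET default.ida..." as the attack event), as an added example that is not part of the thread. The log lines, addresses and the Common Log Format parser are constructed assumptions.

```python
"""Counting Code Red probes in an Apache access log.

Added example, not code from the thread. It does what the posters above
did by hand with grep: pick the "GET /default.ida?..." requests out of the
log, then tally attempts, distinct hosts and today's share, in the style of
the attempts-from-hosts figure quoted above. The log lines are constructed
samples in Common Log Format, not a real capture.
"""
import re
from collections import Counter
from datetime import date, datetime
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Common Log Format; the referrer/agent fields of the combined format, if
# present after the size, are simply left unparsed.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)
# The worm's probe is a GET for /default.ida whose query starts with a long
# run of N (Code Red v1/v2) or X (Code Red II) padding before the payload.
CODE_RED_RE = re.compile(r'^/default\.ida\?(?P<pad>[NX]{4,})')


class Entry(NamedTuple):
    host: str
    when: datetime
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Entry]:
    """Parse one CLF line; return None for lines that do not fit the format."""
    m = CLF_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return Entry(m["host"], when, m["method"], m["path"], int(m["status"]))


def code_red_variant(path: str) -> Optional[str]:
    """Name the Code Red variant a request path belongs to, or None if it is not a probe."""
    m = CODE_RED_RE.match(path)
    if not m:
        return None
    return "CodeRed-II" if m["pad"][0] == "X" else "CodeRed-I"


def summarize(lines: Iterable[str], today: date) -> dict:
    """Tally probe attempts, distinct probing hosts, today's attempts and variants."""
    per_host: Counter = Counter()
    variants: Counter = Counter()
    today_attempts = 0
    for line in lines:
        e = parse_line(line)
        if e is None or e.method != "GET":
            continue
        variant = code_red_variant(e.path)
        if variant is None:
            continue
        per_host[e.host] += 1
        variants[variant] += 1
        if e.when.date() == today:
            today_attempts += 1
    return {"attempts": sum(per_host.values()), "hosts": len(per_host),
            "today": today_attempts, "per_host": per_host, "variants": variants}


def hosts_to_report(summary: dict, min_attempts: int = 1) -> List[Tuple[str, int]]:
    """Probing hosts, busiest first, ready for an abuse report to their ISPs."""
    return sorted(((h, n) for h, n in summary["per_host"].items() if n >= min_attempts),
                  key=lambda hn: (-hn[1], hn[0]))


# Constructed sample log: four probes from three hosts plus two normal hits
# and one unparseable line. The bytes after the padding are illustrative.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Aug/2001:17:30:02 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 275',
    '10.0.0.5 - - [19/Aug/2001:03:12:41 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 275',
    '10.0.1.9 - - [20/Aug/2001:17:41:17 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 275',
    '10.0.2.2 - - [18/Aug/2001:22:05:09 -0700] "GET /default.ida?NNNNNNNNNNNN%u9090 HTTP/1.0" 404 275',
    '192.168.5.7 - - [20/Aug/2001:17:45:00 -0700] "GET /index.html HTTP/1.1" 200 1043',
    '192.168.5.8 - - [20/Aug/2001:17:46:12 -0700] "GET /codered.shtml HTTP/1.0" 200 2210',
    'garbage line that does not parse',
]
TODAY = date(2001, 8, 20)  # assumed "today" for the sample


def run_sample() -> dict:
    """Summarize the constructed log as of the assumed date."""
    return summarize(SAMPLE_LOG, TODAY)


if __name__ == "__main__":
    s = run_sample()
    print(f"{s['attempts']} attempts logged from {s['hosts']} hosts; {s['today']} today")
    print(hosts_to_report(s))
```

Point `summarize` at `open("/var/log/apache/access_log")` for a real log; the per-host list is what an abuse report to the owning ISP needs, which is as far as a defender should go on their own.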

    • I should be able to report probing and infection to the ISP, and they should investigate the other party.

      Don't you read [slashdot.org]? It works like this: You report the probing and infection to the ISP, they contact the FBI, and you're arrested.


      • Don't you read [slashdot.org]? It works like this: You report the probing and infection to the ISP, they contact the FBI, and you're arrested.

        Ugh. That's insane.

        To me, that's akin to being arrested for reporting a drunk driver.

        It's *my* highway, too... (I'd argue more so, since I'm not a luser running AOL on Windows 2000 with IIS running by default; *hell*, I used to have a UUCP e-mail address back in 1988, but I've ranted about that enough already). Don't *my* needs for safety on the Information Superhighway count for anything?

        Prior to this, I'd always attributed intelligence to the FBI. And, I'd still like to hope that there are some Fox Mulders in the department. Unfortunately, it sounds like this guy has become the victim of an overzealous donut-eater of a prosecutor whose computer illiteracy is eclipsed only by the FBI's Keystone Kops.

        Before a brush with the Peel Regional Gestapo where my truck was taken off the road for an alleged safety violation, I had held law enforcement in high regard. I'd always found cops to be friendly, helpful, diplomatic and logical.

        <rant>(The truck was really ugly but the steering, brakes, body and lights were all solid and working perfectly, so they decided that they didn't like the way my battery was held down and yanked my license plates. Interestingly enough, the battery was held down exactly the same way as Chrysler held down the battery on all 149,999 other Dodge Rams they made in 1983. I had two mechanics (one of whom works at a restoration shop where they fix $500,000 Bugattis day in and day out) and a mechanical engineer testify for me that the vehicle was absolutely, perfectly safe; even so, the judge upheld that the Peel Regional Gestapo's cop (not a licensed mechanic) was capable of making the decision better than two mechanics and an engineer. I considered sneaking into the USA and claiming refugee status as a publicity stunt in retaliation. I took the cop aside afterwards, asked him if he had children, and then told him that I would attend church that Sunday and pray that his wife and children would both be stricken with inoperable bowel cancer. A man like him has no business procreating.)</rant>

        With news like that, I start to think that it's time for me to overthrow the government of some small South Pacific island and make LawrenceLand, appointing myself head of state and chief of police. Any cop with more donuts in his squad car than measurable IQ points would be executed, by his victims, in front of the teeming masses.

    • Do we really expect business to suddenly save the internet? Codered vigilante [dynwebdev.com] is a java based server that listens on 80 then sends back a message to CR infected computers telling them to get a patch.
  • How is this going to work? They are going to "exchange research, and researchers". Big deal! A DDOS attack cannot be predicted so how are they going to help stupid sys admins who feel applying patches is "time-consuming"?

    Any OS can be targeted by a DDOS and DDOS attacks will always exist. You can't stop a stupid kid from writing a small program that will "only ping random servers, like 1 billion times. That's it..."

    You can "help" by teaching sys admins to apply patches when they come out and possibly by running a safer OS. (what's the name again ? pretty sure it ends with "ux".)

    Anyway, I'm not sure this "alliance" is anything more than marketing. On the plus side, those other small companies (with McAfee) are going to see if they can resist a Distributed /.-attack.
  • Basically -- "Let us scan your network in order to prevent other scanning activities".

    How many firewalls will be triggered by this?

    Oh, and usual "Sed Quis Custodiet Ipsos Custodes?"
  • Well, not for the basic DDOS network scanning, but the later item in the story is slated to come out in May. That coupled with a moderately clear description of what the technology does ought to pretty much guarantee that the virus writers will have something developed to evade it by then.
  • by Gordonjcp (186804) on Monday August 20, 2001 @06:02PM (#2199690) Homepage
    ... I wish there was an ethernet "magic packet" I could send to the wee shit that's been trying every NT4 and Win2K exploit against my machine, which would connect his ethernet cable between phase and neutral. A big relay and some logic ought to do it, 240v up his Cat 5 would stop him pissing me off.

    They've been at it all weekend now.
  • I think it'll go like this:
    DDoS detectors send reports to a central data pool, ISPs pay for access to said pool (the bandwidth saved may be your own!!), ISPs terminate connections and ask questions later.
    This way MC Crappy can charge for access to the DDoS Zombie list. Any bets on if they'll provide this information for free?
    • ...and then the bad guys start spoofing ddos detectors and use the anti-ddos infrastructure itself to deny services.

      even better than a traditional ddos attack!
  • by PopeAlien (164869) on Monday August 20, 2001 @06:05PM (#2199700) Homepage Journal
    ..All this talk of 'hackers' and 'zombies' shutting down websites.. Don't you understand? They're going to shut down Slashdot!! Where else do thousands of hackers gather together to load a single webpage all at one time, blocking 'legitimate' access? Oh! What's to be done! Won't somebody please think of the children!

  • Unfortunately the idea of being reactive instead of proactive permeates the whole IT industry currently. This is why we see software being shipped with little or no beta testing, resulting in massive patches after release.
    Part of the problem stems from the fact that too often it is A.) Dangerous to report the problem to someone.
    Example [slashdot.org] B.) Against the law to report it Example [slashdot.org] or C.) So common that it would take too much time to sift through it and report it to the appropriate people to have them take no action (I'd make an example of my firewall logs from just today but I suspect I would find out quickly what exactly the maximum size on a post could be as I overload it).
    I don't think we should wait for the manufacturers to solve this problem for us, I think we should handle this problem ourselves. If you get a badly tested product return it, no matter how much it may hurt. Maybe we can have something like Earth Day where, instead of cleaning the beaches, all the system admins can spend a day collectively informing each other, without fear of prosecution, about their problems.

    Then again I may be just dreaming this all; at my job we cannot even get around to replacing the horribly flaky mail server yet because it has not gone tits up, let alone arrange a day for the internet community to pick up the litter on the side of the information super highway.

    A final thought: aren't they advocating a DDOS circumvention tool? Isn't that against the DMCA? Maybe the president of McAfee needs a couple of days in jail to think this one over next to Dmitry Sklyarov.

  • Right now, the wolves (black-hats) have two real advantages over the shepherds (white-hats). The first is that there are just too many damned sheep in the fold for the shepherds to keep track of, and the second is that the sheep farmers are too busy competing with each other to collaborate the way the wolves do.

    This is a baby step towards eliminating two of those. The most important one is that although most folks don't have their ports locked down or updated, they do have anti-virus software installed. So by teaming with McAfee to make an anti-trojan solution, a lot more computers are going to be able to be protected, and it'll really take the teeth out of a DDOS attack.

    The second baby step is that by collaborating, the shepherds can now do a better job of keeping tabs on the wolves. It's only a baby step; this looks like it's just an ordinary corporate alliance, not a sign of genuine teamwork. But it's a start, and really cuts into the black-hats' current advantages.
  • Does that mean McAfee is going to try to shut down Slashdot?
  • From the article:
    ... said Vincent Gullatto, senior researcher at McAfee, in Santa Clara, Calif. "We anticipate this problem will only get worse, especially since people seem to be resistant to updating their systems for some reason."
    Considering the fact that the majority of internet users are using Windows, which has the tendency to crash horribly whenever something new, particularly security-related, is installed, is it really any wonder? Not to mention the fact that that operating system caters to a mentality where, apparently, security "doesn't really matter." A little user education would go a long way in preventing zombies, but somehow Redmond won't take the initiative, and the rest of the net suffers. This isn't to say that there aren't vulnerabilities on every operating system, just that the total number of unsecured windows machines increases the risk to the population as a whole.
    • You mean like updating to the latest linux kernel and wiping out your file system?
    • If Windows was secure, there would be a lot of jobless IT people. I've plenty of times had to "crack" NT boxes where I worked, when the user did something stupid and locked themselves out of their own machine, deleted a necessary file, or just a general file system error that set permission to an entire volume to "Everyone - No access".. If Windows was secure, I'd have been fired years ago when some BIG WIG exec finds out I can't break in and get his precious pron.
    • My Windows is at least 99% secure...

      I never upgrade it and never will, until the perceived risk of not upgrading it is greater than the risk of upgrading it.... A) If I don't upgrade it might go pear-shaped in future and need the hassle of reinstalling... B) If I do, the upgrade will be hassle (possibly not much), and will probably go pear-shaped as I do it, and is probably just as likely to go wrong in future.
      This is how I and I expect most ppl regard windows and so adopt the policy of if it ain't *too* broke don't fix it.

      So I still have win-95 (but spend most of my time using Gnu/Intel/Bsd/Perl/RMS/GOD/Anyone-else-want-credit -here/Linux)

      I deem my windows 99% secure 'cos I use it less than 1 hr every 4 days.

  • by kz45 (175825)
    Wasn't this the name of BE's integrated OS?
  • by fobbman (131816) on Monday August 20, 2001 @06:20PM (#2199765) Homepage

    Here's a list of groups actively working on Anti-DOS projects:

    RedHat [redhat.com]

    Slackware [slackware.com]

    Debian [debian.org]

    One of the first [apple.com]

    Honestly, while I agree that we must stop DOS at all costs, I fail to see why this is news. Hell, it could be argued that even McRosoft [linux-mandrake.com] themselves do a good job at getting people to quit using the product.

  • I heard recently (likely on NPR) about another anti-cracker outfit that was setting up servers with the intent of letting them get cracked so they could watch the invaders in real time to learn their techniques and so forth. Apparently they are learning quite a bit. If I find a link to the site or group I'll reply to myself.
    • The keyword you're looking for there is a "honeypot", or when multiple systems/nodes are involved, a "honeynet". A google search on those terms should turn up some good stuff.

      I had some good bookmarks on the subject, but I forgot to bring 'em with me from the last job, I'm afraid.
      • I have my own honeypot on a firewall - it's an OpenBSD system with a Samba share that looks like drive C: on a Windows box:

        There's a file there called LotsOfPorn.Zip.Exe, that when downloaded (it's padded to be large) scans the hard drive for unlocked files and renames them. After the Samba share has been probed, Samba causes a script to run that waits fifteen minutes (enough time for the file to be downloaded) then pulls down the ethernet connection on the Cisco router and brings it back up - the firewall's IP address changes due to our ISP's DHCP server. It took about a day for me to get everything working right (I was a bit over my head as far as the script was concerned), but the two or three downloads a month that I see in the logs makes it all worthwhile.

        I know I'm evil, but it's fun.

  • I can just see it now:

    McAfee StrikeBack(tm) contains an [ActiveX|DLL] vulnerability, causing [malicious email|specially formatted string on port XXX] to [crash the box|get root|return false results to unintended targets]. Users are advised to [upgrade|disable until upgrade posted|other].

    Not that I'm against it, as such, but we're talking about the Keystone Kops of security, here.
  • "...there are still loads of zombie machines out there merrily scanning away, looking for others to infect."

    I think there should be a law against this sort of thing. Think about it. You should get 10 days to patch your equipment and after 10 days the owner of the equipment should pay fines for wasting bandwidth and trying to infect other hosts.

    I use a dial-up connection on a class C address and I'm still getting scanned for port 80 about 70 times in one day. I never got traffic like that before.

    It seems to me that people are just running their boxes and not checking up on them or patching them and it irritates me. Oh well....

  • Generally, when something like Code Red shows up, someone asks about exploiting the same flaws to patch up the systems, rather than proliferate the virus. That's when people chime in about how that would be immoral.

    But if virii are opportunistic, and your average internet/Windows user is a babe in the woods, why not do what we do with our real children - inoculate them before they can be harmed?

    Ok, so maybe that's an elitist approach, but the other stance - "don't do anything to their system without their permission" - has brought us Code Red et al.

    If MS won't plug the holes, why shouldn't the internet at large look after its own?
    • This is probably part of what they will do with whatever they put out. The user will get a notice saying "you have an unpatched Microsoft IIS web server running. Press (OK) to patch it..."
      But they are a company and they are charging for it. Funny how that makes people trust them more.
  • This is not gonna help by far.

    The problem is rooted much deeper than you might think. People are simply not going to upgrade software out of security reasons. They don't care about anything as long as the software keeps working.

    People should be held accountable for bad security, this is the only way to get them to friggin secure their internet connected boxes and thereby dramatically reducing the chance that a worm will ever reach proportions like Code Red II again..

    The first thing people tell me when I try to convince them they need to keep up with security patches is that they "don't have anything interesting for a cracker to find"(TM). But they forget that if their servers get cracked into, the first thing the cracker is going to do is crack other boxes from there. So by not securing your internet connected boxes u are actually helping crackers(or worms) crack more and more boxes without anyone being able to trace them.

    Worms like code red are just the beginning, I have already made a worm concept that will be far worse than Code Red II. Just add some P2P like networking between the compromised systems and u can actually make the worm aware of itself, by making it react if large numbers of hosts are being disconnected by starting to spread again. Even anonymous communication with the worm is possible through means of something like Freenet, and by communicating with the worm someone could feed new ip-ranges to scan or even upgrade the worm to use new exploits. Someone could have (close) to realtime control of hundreds of thousands of internet connected boxes. This is just a simple example of what a well written worm can do, and it will be practically unstoppable.

    So instead of being one step behind all the time maybe it's time for some regulation here. If your box gets cracked using an exploit that has been patched over say... six months ago (whether it be done by a worm *or* a cracker), then you *should* be held accountable for the damage your system causes. It's just plain irresponsible to keep an insecure box connected to the internet, and if people won't use their common sense and thereby causing problems for other innocent people they deserve getting in trouble.

    phew... end rant here...

    --
    Heisenberg could have been here...
    • When you say a "security-patch" do you really mean a "security-patch" all by itself or do you mean a SERVICE PACK that might have several "security-patches" in it plus a whole bunch of stuff you don't want, don't need, and know from years of clueful experience will cause harm to your particular system?

      PAUSE ... PAUSE ... PAUSE

      security-patch == security-patch
      If you mean a "security-patch" all by itself that is just and only a "security-patch" then I am with you brother ... 133%!!!!!

      service-pack != security-patch
      If you mean a "security-patch" that is bundled with a slew of other upgrades, modifications, bug fixes, and such that historically lead to headaches, more holes, and expensive hardware upgrades that didn't need to be done but I had to do anyway due to this poorly designed SERVICE PACK then I am going to quite willfully turn around and BLAME THE VENDOR OF THE OS for creating an environment where it is safer not to implement the "NON security-patch" because they never offered a "security-patch" in the first place

  • There is money in antivirus software. The bigger the media coverage, the more money it will generate. But it's the wrong end of the equation. Antivirus outfits will never get enough people to buy in to stop the problem of DDOSs.

    The right place to fix this is by holding ISPs responsible for traffic from their networks with invalid addresses and making them investigate zombie reports and notify people when they've been compromised. (Spoofed addresses make the latter impossible so we need to make sure we can find the zombies.) There's no money in this though. Could ISPs charge users when they become infected? No, but no ISP will commit resources when their competition isn't doing it. Usually the market will right itself but this is a situation that needs oversight before it will get better.
  • by darf (182630)
    I think a big help to everyone would be if ISPs made sure that packets leaving their networks had a source address that belonged within their network.

    I'm not sure why *I* have to deny all RFC1918 traffic and other garbage on my border router. In my shop, a packet doesn't leave unless its source address is from my network.

    It could be easily done at the ISPs' lowest branch routers so it wouldn't be too hard to configure or cost too much in performance.

    Seems to me this would be the responsible thing to do for the entire community. I've never heard a reasonable argument for letting packets out onto the Internet that don't have a source address in your network.

    • Given that most ISPs already block source routed packets, I suspect this would be pretty easy to do. Tell the router: On this interface is w.x.y.0 network; only traffic to and from w.x.y.0 network goes through this interface. Worst case, I fake my address with another on the network, but that should be reasonably easy to track down.

      What problems would it cause, though? I know that blocking source routed packets makes it impossible to ping test a round trip (since there's no reason to assume a packet will come back from, say, Yahoo, the same way it went to, say, Yahoo). That's irritating, but not the end of the world.

    • Likewise, it would seem to be quite easy for Microsoft to ensure that WinXP consumer edition doesn't make it too easy to spoof said packets.

      We are all part of a team, the team can work together to ensure:

      spoofed packets don't leave a team-member's network

      OS's that allow easy IP spoofing are changed to make it difficult to spoof by implementing access controls a la WinNT/Unix/Linux. Evidently WinXP consumer edition has ZERO-DESIRE to be a team-player like its Win95/98/NT cousins.

      FYI, Steve Gibson has posted his latest explanation of the WinXP Raw Sockets Vulnerability here [grc.com] from whence the concern of "WinXP boxes and ... their [spoofed] IP addresses" evidently first originated.

      Steve & Co. also provide two "quick 'n dirty" FREE programs to download to:

      test your access to "raw sockets" (all Win OS)

      secure NON-SYSTEM "raw sockets" access (Win2K & WinXP) to see that Win2K & WinXP continue to function just fine

      The funny part is that Steve Gibson now uses Microsoft's own MSDN Technical Documentation against Microsoft. Steve provides quotes from the Microsoft MSDN websites and links to the original Microsoft Technical Documentation

      As of 8/13/01 @ 0801 PST, all the links to the Microsoft Technical Documentation PROVING (?) Steve Gibson's points were fully functional.

      BTW, for a "nail biting" (grin - soon to be a motion picture - grin) tale of one man's experience with a Distributed Denial of Service attack read both here [grc.com] and SlashDot commentary [slashdot.org] to learn where Steve's fear of WinXP Raw Sockets originates (i.e. WinXP zombies doing DDOS with the easy to spoof WinXP box IP addresses due to desktop Joe/Jane-consumer user always being "root")

      Evidently, Steve Gibson can now quote chapter and verse back to Microsoft and ask Microsoft "Why are you [microsoft] now contradicting yourself."

      BTW, there is now an "astroturf" (?) website devoted to debunking Steve Gibson here [grcsucks.com] although all the DNS details [networksolutions.com] seem bogus ("How convenient for the astroturf PR agency!!!" says the Church lady)

  • How about if ISPs and antivirus outfits make an alliance? If ISPs got a cut whenever one of their users bought antivirus software, they'd be reporting the breakins to their users like nobody's business... then maybe we'd see some progress on the problem.
  • Seems to me like the best way to do this would be to have the next-gen routing protocols be able to propagate 'blocks' in addition to routes.

    Yes, I know this would be massively memory intensive on the routing tables, but how cool would it be if you could set a block on an ip on your border/edge/first router and that block would propagate to the border/edge/first router in front of the offending ip.

    Again, yes, I know there are all sorts of security problems with this, but shouldn't this be the direction of the majority of effort in this regard?

    Oh yeah, they just want to make money, not actually fix things... Sorry.
  • TruSecure corporation started a similar initiative last year during the DDOS scare that was happening then.

    See http://www.trusecure.com/html/partners/alliance.shtml

  • Never again will I trust them or buy a product from them. They don't understand the meaning of tech support and they want to charge $2.95/minute for some no talent arse clown to sit on the other end of the phone and throw people for a loop.

    It takes quite a bit of research to even find customer service to complain to about the crappy tech support.
  • From the article: The long-term goal of the partnership is to develop and deploy a solution that will enable Internet service providers and data centers to identify when their networks are under a DDoS attack and also to discover and eliminate the "zombies" that attackers use to launch their assaults.

    Okay, so they will eventually have a way to slow and possibly even stop the spread of the garden variety DDoS attack like the packet floods or viral-zombie Code Red types they mention as the detection mechanisms improve. However, the sad truth folks is that it just isn't possible to stop a DDoS attack.

    Don't believe me? Before you warm up your flamethrowers just follow along here for a sec.

    Think for a bit about how the net works. You got your SYN, the SYN_RECV's, the SYN_ACK's. You got packets that have a frame, header and route info, a data payload etc. You got stuff that has to be there in order for this neat internet doohickey to function. In other words there is a framework that makes pattern matching algorithms and heuristics (and other stuff involving math :) possible so you can try to separate good packets from the bad packets.

    Problem is that there's one thing that can't be predicted/recognized/prevented/controlled: where that first SYN is coming from. And that's the reason that DDoS works so well. All the Black Hats have to do is keep coming up with stuff that is harder and harder to crack pattern-wise while having that randomized Ace up their sleeve.

    The perfect DDoS attack tool would be a method that infects thousands of machines and each machine has a unique source or random strain of the tool in such a manner that the only thing they share is the trigger to set it in motion at a target... and the trigger isn't where anti-virus or other client checking stuff could detect it. When you pull the trigger thousands of infected machines attack the target and there's no way the target can tell it's not legit traffic. Basically a code version of the Slashdot Effect. CmdrTaco pulls the trigger with an article link and we "zombies" blast the crap out of the site. :)

    Amoeba

    • As such, any Slashdot article pointing to an external site *is* a DDOS attack.

      :)
    • Technical measures have been devised to detect and throttle most of the forged-source-address attacks. Those fixes haven't been deployed everywhere, but it's coming, slowly.
      That was the problem back in 1999.

      More recent attacks involve takeovers of large numbers of zombie machines, each of which does something seemingly legitimate. But these have identified source addresses, and can be dealt with by fair queuing and similar traffic shaping. Unless the number of attacking clients is large relative to the number of legitimate clients, that should limit the damage. This is independent of how big a pipe the zombies have.
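      The fair-queuing idea in the comment above, worked through as an added example (this is not code from the thread, the article or any vendor named in it): each source address gets its own queue and a round-robin scheduler forwards one packet per source per pass, so a handful of zombies cannot crowd out the many legitimate clients however fat their pipe is. The addresses and traffic mix are constructed. The approach only holds when source addresses are genuine, which is why it belongs alongside the anti-spoofing filtering discussed elsewhere in this thread.

```python
"""Per-source round-robin fair queueing as a DDoS damage limiter.

Added illustration, not code from the thread: each source address gets its
own queue and the scheduler forwards one packet per non-empty queue per pass,
so a few very loud sources only get as many slots per round as anyone else.
All addresses and traffic volumes below are constructed.
"""
from collections import deque


def fifo_schedule(packets, capacity):
    """Plain first-come-first-served: forward the first `capacity` packets."""
    return list(packets[:capacity])


def fair_schedule(packets, capacity):
    """Round-robin across source addresses.

    packets:  list of (src, payload) tuples in arrival order.
    capacity: how many packets the outbound link can carry this interval.
    Returns the list of (src, payload) tuples actually forwarded.
    """
    queues = {}  # src -> deque of payloads; dict keeps insertion order
    for src, payload in packets:
        queues.setdefault(src, deque()).append(payload)

    forwarded = []
    while queues and len(forwarded) < capacity:
        for src in list(queues):  # snapshot, since we delete while iterating
            if len(forwarded) >= capacity:
                break
            forwarded.append((src, queues[src].popleft()))
            if not queues[src]:
                del queues[src]
    return forwarded


def per_source_counts(forwarded):
    """How many packets each source got through the scheduler."""
    counts = {}
    for src, _ in forwarded:
        counts[src] = counts.get(src, 0) + 1
    return counts


def build_sample():
    """Constructed burst: three zombies each fire 100 requests and arrive
    first; four legitimate clients then send two requests each."""
    zombies = ["198.51.100.%d" % n for n in (10, 11, 12)]
    clients = ["203.0.113.%d" % n for n in (5, 6, 7, 8)]
    packets = [(z, "GET /") for z in zombies for _ in range(100)]
    packets += [(c, "GET /") for c in clients for _ in range(2)]
    return packets, zombies, clients


if __name__ == "__main__":
    packets, zombies, clients = build_sample()
    for name, sched in (("FIFO", fifo_schedule), ("fair", fair_schedule)):
        counts = per_source_counts(sched(packets, 30))
        legit = sum(counts.get(c, 0) for c in clients)
        print(f"{name:5} legit served: {legit}/8, per-source: {counts}")
```

      With a budget of 30 packets, FIFO hands every slot to the zombie that flooded first and the legitimate clients get nothing; round robin gets both requests from every legitimate client through and lets the three zombies split the remaining 22 slots. Hardware does the same thing with weighted or deficit round robin on a fixed number of queues, hashing sources into them so the table cannot grow without bound.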

      • Unless the number of attacking clients is large relative to the number of legitimate clients, that should limit the damage.

        Until incoming packets can be torn down, analyzed and determination made to allow/deny at a rate equal or greater than the wire speed at the router device then DDoS will always be possible. Yeah you can throttle forged-source-address attacks just dandy but your site is still screwed if the sheer amount of inbound packets pegs the CPU/memory on your router(s) to where it falls behind in processing the queue.... There are some methods you can put into hardware (ASICs etc) but unlike SSL accelerator cards (like in the F5 or Foundry) and similar approaches, the complexity at that front-end would make the cost of the solution prohibitive or result in still more dedicated devices (load balancers etc) at the network level... and there's always going to be a bottleneck to cause things to jam.

        Amoeba

  • I don't think that many of the ISPs will actually dump the money on some kind of DDOS filtering...

    .. but if they do, how do you know exactly what is a DDOS? how do you know they are not going to filter legit traffic? All I see is another tragedy like the web content filters where tons of 'good' traffic gets dropped because the algorithms suck.

  • For example, Stinger will be able to filter Internet... will also be able to configure TCP/IP ports manually and receive alerts about anomalous network activity.

    Uhh.. isn't that built into the Linux kernel and called IP Tables?

  • If cable operators would stop filtering out silly things like port 80, and start filtering out forged packets, we might actually be able to stop some of these attacks before they start.

    If you see a packet transmitted from a cable modem in your network and it claims to be from outside your network, drop it on the floor, it's not a valid packet.

    If the packet is going into a cable modem, but its origination claims it came from that cable modem, drop it on the floor, it's not a valid packet.

    If the packet has address 0.0.0.0 as its origin or destination, drop it on the floor, it's not a valid packet.

    Don't think this happens? Get a firewall and you can watch these packets go by all day long.
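    The three rules in this comment, together with darf's point earlier in the thread that nothing should leave a network with a source address that isn't the network's own (and that RFC1918 garbage should never get out), written up as a small checker. This is an added example, not code from the thread or any router vendor; the customer prefix 203.0.113.0/24 and the sample packets are constructed placeholders.

```python
"""Source-address sanity checks for an access network's customer edge.

Added example (not from the thread): encodes the ingress/egress rules the
posters describe. OUR_PREFIXES and SAMPLE_PACKETS are constructed
placeholders, not real operator data.
"""
import ipaddress
from collections import Counter

# Assumed: the block this access network hands out to its customers.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# RFC 1918 and other ranges that should never be a source on the public
# Internet in either direction.
BOGONS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8",
)]

UNSPECIFIED = ipaddress.ip_address("0.0.0.0")


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def filter_packet(direction, src, dst):
    """Decide whether a packet crossing the customer edge may be forwarded.

    direction: "out" for customer -> Internet, "in" for Internet -> customer.
    Returns (verdict, reason) where verdict is "forward" or "drop".
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if src == UNSPECIFIED or dst == UNSPECIFIED:
        return "drop", "0.0.0.0 is never a valid source or destination"
    if direction == "out":
        if _in_any(src, BOGONS):
            return "drop", "private/bogon source must not leave the network"
        if not _in_any(src, OUR_PREFIXES):
            return "drop", "source is not one of our addresses (spoofed)"
        return "forward", "source belongs to this network"
    if direction == "in":
        if _in_any(src, OUR_PREFIXES):
            return "drop", "packet from outside claims an inside source"
        if _in_any(src, BOGONS):
            return "drop", "private/bogon source arriving from outside"
        return "forward", "external source, nothing to object to"
    raise ValueError("direction must be 'in' or 'out'")


# Constructed sample traffic as (direction, src, dst).
SAMPLE_PACKETS = [
    ("out", "203.0.113.45", "198.51.100.1"),   # normal customer traffic
    ("out", "192.0.2.99", "198.51.100.1"),     # spoofed source leaving
    ("out", "192.168.1.10", "198.51.100.1"),   # RFC 1918 leak
    ("in", "203.0.113.45", "203.0.113.7"),     # outside packet claims inside source
    ("in", "0.0.0.0", "203.0.113.7"),          # unspecified source
    ("in", "198.51.100.1", "203.0.113.7"),     # normal reply from the Internet
]


def audit(packets):
    """Tally verdicts over a list of (direction, src, dst) tuples."""
    return dict(Counter(filter_packet(d, s, t)[0] for d, s, t in packets))


if __name__ == "__main__":
    for d, s, t in SAMPLE_PACKETS:
        verdict, why = filter_packet(d, s, t)
        print(f"{d:>3} {s:>15} -> {t:<15} {verdict:8} {why}")
    print(audit(SAMPLE_PACKETS))
```

    The strict outbound check is exactly what a router's interface ACL or unicast reverse-path check does, and it is cheap because the customer-facing router knows the one prefix behind each port. The caveat darf hints at with "lowest branch routers" is real: further up, where a customer may be multihomed and legitimately source packets from space routed via another provider, the same strict rule would drop good traffic, so the check belongs as close to the customer as possible.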

  • You know what I want? I want a third party database that will allow sysadmins to list their 24/7 telephone number along with blocks of IPs. That way, if someone is being scanned/flooded by my ip, and has paid for access to the database (Keeps idiot h4x0rz from looking up my number.) he can then call me immediately instead of trying to track me down through whois, and I can pull the machine off-line and deal with it.

    This would be much better than having the box messing with people for a few days because tracking down someone who can shut it off is so damned troublesome. I mean, face it, no matter how good a sysadmin is, at times there will be a box that for whatever reason is online and insecure. We could all benefit from such a service, and most of our companies would probably pay for it.

    Anyone else agree (I know people will happily disagree and flame me for posting this at all...)?
    • "You know what I want? I want a third party database that will allow sysadmins to list their 24/7 telephone number along with blocks of IPs.

      Good God man! Have you considered what that database would be worth in the eyes of a telemarketer/spammer!? Temptation like that (the temptation to sell the list) would be almost too much to bear for any capitalist organization. *shudder*
  • Some people blame Microsoft for the world's computer security problems. After all, if Microsoft cared a whit about security, the virus outbreaks wouldn't be so damn nasty. Others say Microsoft isn't the problem; networks are inherently insecure (see the EROS Project [eros-os.org] for a solution in development). I'm not one to say Microsoft is totally to blame, but I would like to quote Stanley Kubrick's Full Metal Jacket on the issue:

    HARTMAN:
    If it wasn't for dickheads like you, there
    wouldn't be any thievery in this world, would there?
  • As usual, NAI is two years behind the times.

    I don't know what all the fuss is about- there's a little company called Captus [captusnetworks.com] that already has a box that deals with DDoS for you. Been available for a while, i think....I don't know why it's been so slow to catch on, though. It's a screamin' demon....
  • What does everyone have against an old program like Dr. Dos?
  • Assuming responsibility for this problem, also implies that the entity also assume legal liability for the problems created as well should the efforts fail in the future. While it all sounds good to claim that the ISP's are responsible for filtering for certain classes of evil packets, should they accept the responsibility they also must accept the liabilities should their efforts fail sometime in the future.

    Most, if not all, ISP's have strict legal liability disclaimers about their customers activities - used to defend themselves against all 3rd parties that might litigate against their customers actions, or inactions. The legal/business side of any ISP would be wary to set the stage claiming to take responsibility for the actions of packets originating from customer owned/managed facilities. Once they start down that road, then all sorts of claims can be made that they are responsible for filtering all kinds of evil packets, including as some might suggest - porn, pirate copyrighted material, all types of virus and trojan outbreaks, ... and a long list down a controversial slope.

    Cable/DSL modems owned/leased/managed/operated by end users should contain any network required mandated filtering to facilitate the mandate that every customer is responsible for packets originating from their facility - intended or not.

    If all these devices were proper NAT devices, and filtered/firewalled well known ports which are generally associated with server functions typically not allowed under many of the service plans un-skilled customers subscribe to, then we could see the total number of exposed machines drop by 95% in a few months. The remaining machines would not number enough to realistically mount DDOS attacks of the magnitude we have seen this last month.

    The ISP doesn't need to filter - it just needs to mandate that its customers do - or risk disconnection. In this case, making firmware patches available for the cable/dsl modems, and setting a deadline for deployment.
  • This ZD article (Eweek) failed to really get technical with the issue.

    I happened to find an interesting company at reactivenetwork.com [reactivenetwork.com].

    It isn't just another dot-bomb or hot-dot. There is a real method behind mitigating DDOS attacks. This methodology certainly isn't suggested by this article, and therefore is fairly senseless chatter about nothing in particular. The companies, Arbor, Asta and Mazu and McAfee talk a lot about Zombie detection, and use an array of industry buzzwords and marketing hype surrounded by code-red to carve a niche in the market for themselves. They want to offer their services and fail to come up with a distributed scheme and proper good traffic bad traffic differentiation.

    I saw a demonstration of the product that reactive networks had. It is certainly a meritorious endeavor that deserves a closer look. It is also interesting because this is far beyond theory and academia; this is laden with applicative value. It is a Linux based detector/actuator distributed schema. It is interesting because it does a few things that could really, really make NSP's lives much better. The first step is to recognize the good traffic from the bad. It tends to learn what network traffic is normal. It knows when a DDOS attack is coming in and mitigates the attack while letting the good traffic come through. What is amazing is that I have seen this work in a LAN at GigE speeds! I can mitigate a randomly spoofed source address attack while letting "normal" web traffic through. And this product isn't beta, prerelease, etc, it's at version 1.0.

    The next time ZD's editors start babbling about something that got into the news or on CNN that had to do with technology, they should look for the real gems of technology, not sift through a pile of marketing hype and whitepapers without seeing some action. You can talk about doing something, or you can do it. AFAIK, reactive is the only company to prove to me whitepaper or not that AT&T, UUNet, Sprint/MCI/WorldCom Verizon, Savvio and others should pick up software like Reactive Network's and not worry about finding and punishing script kiddies and killing zombies. There are too many zombies to count, there are too many IP's to worry about. You have to let the good traffic through and block the evil traffic. The best way of doing this is to have a distributed triggering scheme and to identify good traffic, and to make holes for the typical good traffic and let the customers of a web site through, it's not about launching a holy crusade against script kiddies, it's fruitless.

    Always look at a problem that addresses a problem. HAS a product that fixes it. And find a company that isn't about marketing buzz but about engineering a new solution that big players would be able to use to nullify the ill effects of script-kiddies.

    Just my two cents

  • Their products work by scanning incoming network traffic and searching for signs of packet floods.

    Won't sniffing all those packets slow your connection to a crawl?

  • The simplest and most effective solution is a clause in the ISP's terms of service reserving the right to disconnect infected machines.
